I am very pleased to co-chair again the Practicing Law Institute’s 2023 Anti-Money Laundering Conference on May 16, 2023, starting at 9 a.m. in New York City (the event also will be virtual).
I am also really fortunate to be working with co-chair Elizabeth (Liz) Boison
On April 13, the State of Wyoming took the extraordinary step of filing a request for permission to intervene in the ongoing dispute between Custodia Bank, Inc. (“Custodia”) and the Board of Governors of the Federal Reserve System (“the Fed”) and the Federal Reserve Bank of Kansas City. This dispute involves a complaint (now amended) filed by Custodia – a state-chartered special purpose depository institution (“SPDI”) based in Cheyenne, Wyoming – against the Fed and the Federal Reserve Bank of Kansas City, alleging that the defendants improperly denied Custodia’s application for a “master account” with the Fed. Generalizing greatly, having a master account allows financial institutions to operate in the normal course as a custodial bank in the U.S. Having a Fed master account is therefore critical to any institution looking to operate in the U.S. financial system.
In a nutshell, Wyoming’s request to intervene critiques the defendants because of their “view of perceived inadequacies in Wyoming’s laws and regulations for SPDIs, [which are] partially responsible” for the denial of Custodia’s master account application. More specifically, Wyoming accuses the defendants of seeking to treat Wyoming SPDIs in an inequitable manner, thereby “treating state-chartered non-federally regulated banks as second-class banks ineligible to compete with federally-regulated ones.”
This blog post focuses on an important issue referenced seemingly in passing in Wyoming’s request for permission to intervene, which is clearly motivating in part the filing by Wyoming: on March 24, 2023, the Fed made public its January 27, 2023 Order Denying Application for Membership (the “Order”) by Custodia, which had requested the Fed’s approval under Section 9 of the Federal Reserve Act to become a member of the Federal Reserve System. According to Wyoming, the Fed’s decision to deny Custodia’s application has the effect of preventing Custodia and other Wyoming SPDIs from ever being able to attain the status of federal regulation. We focus here on the Order because of its much broader anti-money laundering (“AML”) and sanctions implications for any banks which are contemplating targeted services for the digital asset industry. The 86-page Order is very detailed, and often also discusses safety and soundness concerns, as well as other issues.
As we discuss, the Order suggests that any bank will have a hard time convincing the Fed that crypto-heavy banking services can comply with the requirements of the Bank Secrecy Act (“BSA”) and U.S. sanctions law. Likewise, the Fed has expressed its skepticism in the Order that blockchain analytics services, even when applied skillfully and with the best of intentions, actually can satisfy the BSA and U.S. sanctions law due to limitations inherent in crypto transactions relating to knowing with confidence who is actually conducting the transactions. This same issue was also noted by the recent report by the U.S. Treasury regarding perceived AML and sanctions vulnerabilities in decentralized finance providers.
On April 6, 2023, the U.S. Department of the Treasury released a report examining vulnerabilities in decentralized finance (“DeFi”), including potential gaps in the United States’ anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) regulatory, supervisory, and enforcement regimes for DeFi. The report concludes by making a series of recommendations, including the closing of “gaps” in the application of the Bank Secrecy Act (“BSA”) to the extent that certain DeFi services currently fall outside the scope of the BSA’s definition of a “financial institution” covered by the BSA. The report cautions that it does not alter any existing legal obligations, issue any new regulatory interpretations, or establish any new supervisory expectations.
The U.S. Department of Justice (“DOJ”) announced on March 15, 2023 that in a coordinated effort between U.S. Federal Bureau of Investigations, Europol, and German police, the darknet cryptocurrency mixing service ChipMixer has been shut down. The operation involved the U.S. government’s court-authorized seizure of two domains that directed users to the ChipMixer service and one Github account. In addition, German authorities seized $46 million in cryptocurrency, as well as ChipMixer’s back-end servers used to run the site.
Further, the U.S. Attorney’s Office for the Eastern District of Pennsylvania filed a criminal complaint against ChipMixer’s suspected founder, Vietnamese national, Minh Quoc Nguyen (“Nguyen”), alleging that Nguyen openly flouted financial regulations and instructed users how to use ChipMixer to evade reporting requirements while obscuring his true name under a series of stolen and fictitious identities. The complaint also alleges that ChipMixer, described as a popular platform for laundering illicit funds gained from unlawful activities like drug trafficking, ransomware attacks (according to Europol, ransomware actors Zeppelin, SunCrypt, Mamba, Dharma, Lockbit have used ChipMixer), and payment card fraud, was used to launder more than $3 billion in cryptocurrency since 2017. Nguyen has been charged with money laundering, operating an unlicensed money transmitting business, and identity theft in connection with the operation of ChipMixer.
On August 8, the U.S. Department of the Office of Foreign Assets Control (“OFAC”) sanctioned “notorious” virtual currency “mixer” Tornado Cash, which allegedly has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. Tornado Cash is a virtual currency mixer that operates on the Ethereum blockchain. Tornado Cash receives a variety of transactions and mixes them together before transmitting them to their individual recipients. The stated purpose of such mixing is to increase privacy, but mixers are often used by illicit actors to launder funds because the process enhances anonymity and makes it very hard to track the flow of funds. According to the Treasury Department press release, “[d]espite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risk.” This statement seems to imply that Tornado Cash is run by actual people – an implication that is at the heart of the controversy over these sanctions, as we will discuss.
The sanctions against Tornado Cash have elicited enormous controversy in the crypto world because, some argue, (1) Tornado Cash is not an entity run by actual people, but is merely code; and (2) although OFAC has the legal authority to sanction people and entities, it lacks such authority to sanction code or a technology – or at the very least, such sanctions create many practical problems for innocent actors, including in ways which no one has foreseen fully. As we discuss, even a member of the U.S. House of Representatives has waded into the controversy this week, questioning the ability of OFAC to issue the sanctions and demanding answers. The controversy also reflects that, once again, whether one chooses to focus on the word “privacy” or on the word “anonymity” typically reflects an a priori value judgment predicting one’s conclusion as to whether something in the crypto world is good or bad.
Indisputably, the Tornado Cash sanctions are, to date, unique and unprecedented. Although they may turn out to be an outlier experiment by OFAC, public pronouncements by the U.S. Treasury Department strongly suggest that, to the contrary, they represent part of the future of crypto regulation, in which the enormous power of the U.S. government to issue broad sanctions obliterates legal and practical hurdles which could stymie other agencies, such as the Financial Crimes Enforcement Network (FinCEN). This may be because, ultimately, the government actually agrees that no person is in control of a powerful technology that has easy application for malicious uses, and that is precisely the problem.
Continue Reading OFAC Sanctions Virtual Currency “Mixer” Tornado Cash and Faces Crypto Backlash
On April 28, 2022 the New York Department of Financial Services (“NYDFS”) issued its Guidance on Use of Blockchain Analytics, a document directed to all virtual currency business entities that either have a NYDFS Bitlicense or are chartered as a limited purpose trust company under the New York Banking Law. The Guidance emphasizes “the importance of blockchain analytics to effective policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening.”
The NYDFS is stressing the role of blockchain analytics in anti-money laundering (“AML”) compliance because “virtual currencies such as Bitcoin and Ether can be transferred peer-to-peer directly from one individual or entity to another pseudonymously, absent the use of a regulated third party (e.g., between non-custodial wallets, or self-hosted wallets that allow users to maintain control of their private keys). . . . [T]hese wallet addresses are typically pseudonymous, with nothing on the face of the transfer tying back to the originator, beneficiary, or underlying beneficial owners.”
Given the potential compliance challenges presented by such characteristics, the NYDFS wants virtual currency entities to leverage the fact that virtual currencies also enable provenance tracing because “the blockchain ledger’s immutability typically allows a historical view of a virtual currency transmission between wallet addresses, providing the opportunity for greater visibility into transaction lineage than is typically found with traditional, fiat funds transfers.”
The Guidance provides that, ultimately, all risk mitigation strategies must account for an entity’s business profile to assess risk across types of virtual currencies and effectively address the specific characteristics of any particular virtual currency involved. If a virtual currency entity chooses to outsource its control functions to third-party service providers rather than use only internally developed blockchain analytics, it must have “clearly documented policies, processes, and procedures with regard to how the [third-party] blockchain analytics activity integrates into the [entity’s] overall control framework consistent with the [entity’s] risk profile.”
Continue Reading NYDFS Stresses Use of Blockchain Analytics for AML Compliance by Virtual Currency Businesses
Sanctions involving Russia is a front-burner issue for all businesses, but particularly for financial institutions. As we previously blogged, the Financial Crimes Enforcement Network (“FinCEN”) issued on March 7 an alert calling for increased vigilance in the face of potential evasion of Russian sanctions. On March 16, FinCEN issued its second alert on the topic (the “Alert”), reiterating the need for increased vigilance and assisting financial institutions in detecting suspicious transactions involving high-value assets to evade sanctions.
We discuss here the Alert, which provides guidance to financial institutions on how to identify suspicious transactions relating to the use of certain high-value assets by Russian elites, their family members and their “proxies.” The Alert reminds financial institutions of the importance of quickly identifying suspicious activity related to the disposition of sanctioned Russian assets. The Alert also highlights the international and domestic task forces that were formed to effectuate the sanctions laws we describe below, emphasizing the need for cross-agency collaboration and information sharing to achieve the common goal of sanctioning Russia’s power players. However, and as we discuss, the Alert unfortunately offers no guidance on how “proxies” should be identified or defined.
Continue Reading Russian Sanctions Redux: FinCEN Issues Guidance on Suspicious Transactions and Evasion Using High-Value Assets
Federal law enforcement and regulators continue to focus on technology-driven financial crime — specifically, cyber-enabled fraud and the laundering of illicit funds through cryptocurrency. Last week, the Department of Justice (“DOJ”) announced that Eun Young Choi will serve as the first Director of the National Cryptocurrency Enforcement Team (“NCET”). As we have blogged, the DOJ created in 2021 the NCET in order to address issues on which we repeatedly have blogged: crypto exchangers and their AML obligations; the process of tracing digital asset transactions; ransomware; so-called “professional” money launderers; and the use of crypto to launder serious crimes such as drug trafficking and human trafficking. This attempt at a coordinated government approach to crypto enforcement followed the announcement earlier in 2021 by the Financial Crimes Enforcement Network (“FinCEN”) of appointing its first-ever Chief Digital Currency Advisor.
Meanwhile, FinCEN has stressed the need for, and utility of, specific information to be submitted by the victims of cyber-enabled financial crime schemes, or the financial institutions of those victims, to FinCEN’s Rapid Response Program, or RRP. The RRP seeks to share financial intelligence and recover the proceeds of crime.
Continue Reading DOJ, FBI and FinCEN Continue to Focus on Crypto and Cyber Financial Crime
On February 8, 2022, the Department of Justice announced the seizure of a record $3.6 billion in stolen BTC it alleges was tied to the 2016 hack of Bitfinex, a virtual currency exchange. A husband-wife duo, Ilya “Dutch” Lichtenstein and Heather Morgan of New York, New York were arrested the same day and charged via a criminal complaint with conspiracy to commit money laundering and conspiracy to defraud the United States. Lichtenstein and Morgan are being held on $5 million and $3 million in bail, respectively, and will be on house arrest pending trial.
The Statement of Facts by the government in support of the criminal complaint filed against the defendants reveals a vast and complicated web of transactions that allegedly permitted Lichtenstein and Morgan to transfer approximately 25,000 of the 119,754 BTC stolen by hackers—valued at “only” $71 million at the time of the theft but now worth about $4.5 billion—to various virtual currency exchangers. According to the Statement of Facts, the stolen BTC was shuttled to an unhosted wallet (i.e., a cryptocurrency wallet not controlled by a third-party but by the user) with over 2,000 BTC addresses, then to various accounts at the “darknet market AlphaBay,” later to a number of accounts at four different virtual currency exchangers, then to more unhosted BTC wallets, and finally to accounts at six more virtual currency exchangers where it was converted into fiat currency, gift cards, and precious metals. The defendants further allegedly liquidated BTC through a BTC ATM and purchasing non-fungible tokens.
As if the sheer volume and layers of accounts was not enough, the duo allegedly:
On October 6, the Department of Justice (“DOJ”) announced the creation of a National Cryptocurrency Enforcement Team (“NCET”). The DOJ press release is set forth in part below, without further commentary, other than to observe that the NCET’s stated goals are to address issues on which we repeatedly have blogged: crypto exchangers and their AML