Agencies Issue “Crypto Asset Roadmap” for 2022 Guidance, and OCC Confirms Prior Interpretive Letters on Crypto – So Long as Supervisory Regulators Do Not Object

The Board of Governors of the Federal Reserve System (“Federal Reserve”), the Federal Deposit Insurance Corporation (“FDIC”) and the Office of the Comptroller of the Currency (“OCC”) (collectively, the “Agencies”) issued on November 23 a short Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps (“Joint Statement”), which announced – without further concrete detail – that they had assembled a “crypto asset roadmap” in order to provide greater clarity in 2022 to banks on the permissibility of certain crypto-asset activities.  Only the week before, the Chief Counsel for the OCC issued Interpretive Letter #1179, which confirmed that a bank could engage in certain cryptocurrency, distributed ledger and stablecoin activities – consistent with prior OCC letters – so long as a bank shows that it has sufficient controls in place, and first obtains written notice of “non objection” by its supervisory office.  This post will discuss both publications.

There is great overlap between the bank activities referenced in the Joint Statement and Interpretive Letter #1179.  The 2022 clarity promised by the “roadmap” presumably will supersede, once issued, Interpretive Letter #1179, which appears to function as a general stop-gap until the 2022 publications hopefully provide more detail regarding exactly how banks can attain compliance.

Federal banking regulators have been busy in this space.  These pronouncements come closely on the heels of a Report on Stablecoins issued earlier in November by the Agencies and the U.S. President’s Working Group on Financial Markets, which delineated perceived risks associated with the increased use of stablecoins and highlighted three concerns: risks to rules governing anti-money laundering (“AML”) compliance, risks to market integrity, and general prudential risks.
Continue Reading Federal Bank Regulators Focus on Crypto Assets and Blockchain Activities

Travel Rule and Beneficiary Information Continues to Challenge Virtual Asset Service Providers

In late October, the Financial Action Task Force issued its long-awaited updated guidance on Virtual Assets and Virtual Asset Service Providers (“FATF Guidance”), an extremely lengthy and detailed document setting forth how virtual asset service providers (“VASPs”) and related virtual asset activities fall within the scope of FATF standards for anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”).  The FATF Guidance is important to VASPs worldwide, as well as the more traditional financial institutions (“FIs”) doing business with them.  Because of its great breadth, we focus here only on its comments regarding implementation of the so-called “Travel Rule” for virtual assets.  This portion of the FATF Guidance is particularly relevant to the U.S. because, as we have blogged, the Financial Crimes Enforcement Network (“FinCEN”) proposed regulations in 2020 – still pending – which would change the Travel Rule by lowering the monetary threshold for FIs from $3,000 to $250 for collecting, retaining, and transmitting information related to international funds transfers, and explicitly would make the Travel Rule apply to transfers involving convertible virtual currencies.

The FATF Guidance has additional relevance to U.S. VASPs and FIs because, this month, the U.S. President’s Working Group on Financial Markets (“PWG”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller (“OCC”) (together, “the U.S. Agencies”) issued a Report on Stablecoins (the “Report”).  Stablecoins are digital assets designed to maintain stable value as related to other reference assets, such as the U.S. Dollar.  In the Report, the U.S. Agencies delineate perceived risks associated with the increased use of stablecoins and highlight three types of concerns: risks to rules governing AML compliance, risks to market integrity, and general prudential risks.  We of course will focus here on the Report’s discussion of AML risks, particularly because it repeatedly invokes the FATF Guidance, thereby illustrating the increasing efforts by governments to seek a global and relatively coordinated approach to addressing AML/CFT concerns regarding virtual assets.
Continue Reading Global Developments in AML and Virtual Assets:  FATF Guidance and the Travel Rule, and U.S. Pronouncements on Stablecoins

On October 15, 2021, the Financial Crimes Enforcement Network (“FinCEN”) issued a financial trend analysis on ransomware relating to Suspicious Activity Reports (“SARs”) filed in the first half of this year (“Analysis”).  According to the Analysis, U.S. banks and financial institutions reported $590 million in suspected ransomware payments in SARs filed between January and June 2021, more than the total for all of 2020.  FinCEN found that ransomware payments are often made using virtual currency, such as Bitcoin (“BTC”).  The Office of Foreign Assets Control (“OFAC”) also released guidance in tandem with the FinCEN Analysis, addressing how the virtual currency industry can address sanctions-related risks.

Ransomware appears to be top-of-mind at the U.S. Treasury, as we have blogged.  FinCEN’s Analysis and OFAC’s guidance came quickly on the heels of OFAC issuing on September 21 a six-page Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which states that OFAC will consider self-reporting, cooperation with the government and strong cybersecurity measures to be mitigating factors in any contemplated enforcement action against a ransomware victim that halts an attack by making the demanded payment to attackers who were sanctioned or otherwise had a sanctions nexus.  Also on September 21, 2021, OFAC issued its first sanctions designation against a virtual currency exchange by designating the virtual currency exchange “for its part in facilitating financial transactions for ransomware variants.”
Continue Reading FinCEN Reports Spiraling SARs Relating to Ransomware

On October 6, the Department of Justice (“DOJ”) announced the creation of a National Cryptocurrency Enforcement Team (“NCET”).  The DOJ press release is set forth in part below, without further commentary, other than to observe that the NCET’s stated goals are to address issues on which we repeatedly have blogged:  crypto exchangers and their AML

Global AML Compliance Faces Challenges Relating to Regulator Expertise, the Travel Rule, Decentralized Finance, and “Regulator Shopping”

Today we are very pleased to welcome guest blogger Federico Paesano from the Basel Institute on Governance (“Basel Institute”). The Basel Institute recently issued its Basel AML Index for 2021 (“Basel AML Index”). This data-rich and fascinating annual publication, one of several online tools developed by the Basel Institute to help both public- and private-sector practitioners tackle financial crime, is a research-based ranking that assesses countries’ risk exposure to money laundering and terrorist financing. This year, we will focus on the section of the Basel AML Index which analyzes data from the Financial Action Task Force (“FATF”) on how jurisdictions are responding to money laundering and terrorist financing threats related to virtual assets.  The Basel AML Index concludes: “not well at all.”

Federico Paesano is a Senior Financial Investigation Specialist at the Basel Institute’s International Centre for Asset Recovery, and leads its Cryptocurrencies and Anti-Money Laundering Compliance Training.  For 14 years, Federico worked for the Italian Financial Police, ending his career as Chief Investigator, leading and conducting judicial and financial investigations, focusing in particular on economic crimes such as corruption and money laundering.  In July 2009, he was seconded by the Italian Government to the European Union Police Mission in Afghanistan (“EUPOL”) as Mentor to the Minister of Interior on Anticorruption.  Along with Europol and Interpol, Federico and the Basel Institute are co-organizing on December 7–8, 2021 the 5th Global Conference on Criminal Finances and Cryptocurrencies, which focuses on the emerging threat posed by criminals using new payment methods to conceal the proceeds of their crimes. His Quick Guide to Cryptocurrencies and Money Laundering Investigations may be found here.

The Basel Institute is a not-for-profit Swiss foundation dedicated to working with public and private partners around the world to prevent and combat corruption, and is an Associated Institute of the University of Basel. The Basel Institute’s work involves action, advice, and research on issues including anti-corruption collective action, asset recovery, corporate governance and compliance, and green corruption.  Money Laundering Watch was pleased to have Gretta Fenner and Dr. Kateryna Boguslavska of the Basel Institute guest blog on the Basel AML Indices for 2020 and 2019.

This blog post again takes the form of a Q & A session, in which Federico responds to questions posed by Money Laundering Watch about the Basel AML Index 2021 and wider debates on the topic. We hope you enjoy this discussion of money laundering risks and virtual assets — which addresses regulators’ frequent lack of expertise, tracing of cryptocurrency transactions, the Travel Rule, the challenges posed by decentralized finance, “regulator shopping,” and more.  —Peter Hardy and Andrew D’Aversa
Continue Reading The Basel AML Index 2021: Virtual Assets and Money Laundering. A Guest Blog.

OFAC Updates Advisory on Enforcement Risks Relating to Agreeing to Pay Ransomware

First Post in a Two-Part Series on Recent OFAC Designations

On September 21, 2021 OFAC issued its first sanctions designation against a virtual currency exchange by designating the virtual currency exchange, SUEX OTC, S.R.O. (SUEX) “for its part in facilitating financial transactions for ransomware variants.”  Although this is a unique development, the broader and more important issue for any financial institution or company facing a ransomware attack is the continuing problem encapsulated in OFAC’s six-page Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, which OFAC released in conjunction with the announcement of the SUEX designation.  The Updated Advisory illustrates a “Catch 22” scenario, in which a victim that halts a ransomware attack by making the demanded payment then may find itself under scrutiny from OFAC on a strict-liability basis if it turns out that the attackers were sanctioned or otherwise had a sanctions nexus.  The Updated Advisory states that OFAC will consider self-reporting, cooperation with the government and strong cybersecurity measures to be mitigating factors in any contemplated enforcement action.

OFAC has been busy.  Tomorrow, we will blog on a more traditional action announced by OFAC right before the SUEX designation:  OFAC’s designation of members of a network of financial conduits funding Hizballah and Iran’s Islamic Revolutionary Guard Corps-Qods Force.  This designation is notable for the targets’ alleged use of gold as a vehicle to launder illicit funds through front companies.
Continue Reading OFAC Targets Virtual Currency Exchange For Ransomware Attack

Today, the Financial Crimes Enforcement Network (“FinCEN”) issued a Notice regarding online child sexual exploitation.  Given its brevity, its text is set forth below in its entirety, without the footnotes.  There is a final section to the Notice, not included below, which provides filing instructions regarding related Suspicious Activity Reports, or SARs.  We offer no

Government Alleges Systemic and Deliberate AML Failures

Filings Describe Tools for CVC Exchanges to Use for Customer Due Diligence and Transaction Monitoring

The Financial Crimes Enforcement Network (“FinCEN”) and the Commodity Futures Trading Commission (“CFTC”) announced on August 10 (here and here) settlements with the operators of the BitMEX cryptocurrency trading platform for alleged anti-money laundering (“AML”) violations under the Bank Secrecy Act (“BSA”), and for allegedly failing to register with the CFTC.  More specifically, FinCEN’s assessment of a civil monetary penalty and the CFTC’s consent order both involved the five companies operating the BitMEX platform: HDR Global Trading Limited, 100x Holding Limited, ABS Global Trading Limited, Shine Effort Inc Limited, and HDR Global Services (Bermuda) Limited (collectively, “BitMEX”).

BitMEX will pay regulators up to a combined $100 million civil monetary penalty; perform a “lookback” regarding the potential need to file additional Suspicious Activity Reports (“SARs”); and hire an independent consultant to conduct two reviews of BitMEX’s operations, policies, procedures, and controls, in order to confirm that BitMEX is not operating in the U.S., and that no U.S. customers are able to trade with the BitMEX platform.

According to the government filings, BitMEX is one of the oldest cryptocurrency derivative exchanges, with 1.3 million user accounts and a collection of annual fees in excess of $1 billion.  Combined, the government filings allege that for a period of six years between November 2014 and October 1, 2020, BitMEX offered trading of cryptocurrency derivatives to retail and institutional customers in the U.S. and worldwide through BitMEX’s website. Customers in the U.S. placed orders to buy or sell contracts directly through the website and BitMEX was aware that U.S. customers could access the BitMEX platform via virtual private network (“VPN”).

The civil penalty will be split between FinCEN and the CFTC.  However, the settlement involves an interesting “carrot” offered by the regulators:  $20 million of the penalty is suspended pending the successful completion of the SAR lookback and the two independent consultant reviews.

According to the government’s allegations, BitMEX deliberately ignored for years the most basic AML requirements, resulting in multitudinous violations and inviting – and even encouraging – its customers to launder illicit funds.  As we will describe, the government has alleged that BitMEX operated on the announced pretext that it was not subject to the BSA or U.S. commodities laws because it had no U.S. customers or operations, when senior management knew otherwise.
Continue Reading FinCEN and CFTC Reach Groundbreaking $100 Million AML Settlement with BitMEX

European Commission Proposes EU-Level Supervisory Authority and Cryptocurrency Travel Rule

European Banking Authority Offers New Guidelines on AML Compliance Officers

Just as the United States has expanded significantly its anti-money laundering (“AML”) and countering the financing of terrorism (“CFT”) regulatory and enforcement regime through recent passage of the AML Act of 2020, the European Union (“EU”) has taken significant steps this summer towards implementing a rigorous new transnational AML enforcement framework.  Recent legislative proposals by the European Commission (the EU’s executive branch) aim to combat cross-border crime by ensuring uniform implementation and enforcement of AML/CFT principles, rules, and regulations, and by creating new recordkeeping requirement for certain cryptocurrency transactions.  Following the announcement of these legislative proposals, the European Banking Authority proposed in late July new EU-wide guidelines for AML/CFT compliance officers.  We examine each of these in turn.
Continue Reading European Union Round-Up:  A Summer of AML Enforcement and Compliance Proposals

Fourth and Final Post in a Series on the FATF Plenary Outcomes

As we have previously blogged (here, here and here), the Financial Action Task Force (“FATF”) held its fourth Plenary on June 21-25, inviting delegates from around the world to meet (virtually) and discuss a wide range of global financial crimes and ongoing risk areas. Following the Plenary, FATF issued reports to detail their findings on specific topics. This post highlights three takeaways from the report entitled Second 12-Month Review of the Revised FATF Standards on Virtual Assets (“Report”).

Background

In June 2019, the FATF issued guidance instructing its 180 international member governments to demand that virtual asset service providers (“VASPs), such as cryptocurrency exchanges and digital wallet providers, collect “accurate originator information and required beneficiary information” on transactions totaling $1,000 or more (see here for our detailed blog post on this subject).

The FATF also agreed to undertake a yearlong review documenting the progress that its member countries have made towards implementing its guidance on regulation of VASPs. It released the findings of that review in July 2020 and committed to a second 12-month review by June 2021. The Report, based on the findings of a self-assessment questionnaire provided to 128 jurisdictions, sets out the findings of the second 12-month review.
Continue Reading FATF Continues to Stress AML Risks From Virtual Asset Service Providers