Explaining the impact of new US Guidelines regarding Cryptocurrency and money laundering concerns.
My name is Steve Hart, and I am a contributing journalist for Compliance Mitigation. I am a Partner at Conformity 360, a compliance consulting firm, serving as the resident subject matter-expert in buy-side Compliance. Prior to joining Conformity360, I was Chief Compliance Officer (“CCO”) for the prestigious firm Allen & Company, and prior to that, served as the Global Chief Administrative Officer for Compliance at BlackRock, the world’s largest asset management company. I hold an Investment Adviser Core Certification, an M.S. in Banking and Financial Services from Boston University and a B.A. in Political Science from the University of Pennsylvania.
Having worked as the CCO for Registered Investment Advisors, I have been through numerous regulatory audits and examinations. Experience gives me insight into how the regulatory bodies, including but not limited to the DOJ, conduct investigations and attempt to obtain enforcement actions.
After completing this case study, the participants will be able to:
- Define the “Threat Overview” of the Framework.
- Define the “Laws and Regulations” of the Framework.
- Understand the “Ongoing Challenges and Future Strategies” of the Framework and the risk imposed for those who use and / or invest in cryptocurrency.
- Understand what prompts the DOJ to bring enforcement actions concerning cryptocurrency.
- Identify business models that help individuals and companies avoid government allegations of facilitating criminal activity.
DOJ, Cryptocurrency, Threat Overview, Law and Regulations, Ongoing Challenges and Future Strategies
The Cryptocurrency Enforcement Framework (the “Framework”) announced by the U.S. The Department of Justice (“DOJ”) is designed to address US policy applicable to a powerful new and evolving technological development. As the Framework references, the DOJ is not the only enforcement actor in this space, and many other agencies – including, among others, the U.S. Treasury Department, the Securities & Exchange Commission (“SEC”), the Commodity Futures Trading Commission (“CFTC”), and the Internal Revenue Service – have been actively enforcing violations by criminal cyber actors. “While the Framework is generally supportive of a broad, multi-pronged enforcement landscape, it highlights the difficulty of tracking and complying with an increasingly complex web of regulations created by these various agencies.”
Though the global nature of cryptocurrency might complicate investigations, the Framework makes clear it will not hinder the DOJ’s willingness or ability to prosecute cases, stating, “The Department also has robust authority to prosecute Virtual Asset Service Providers (“VASPs”) and other entities and individuals that violate U.S. law even when they are not located inside the United States. Where virtual asset transactions touch financial, data storage, or other computer systems within the United States, the Department generally has jurisdiction to prosecute actors who direct or conduct those transactions.”
Enforcement by the DOJ, among other regulatory bodies, in cryptocurrency will emphasize the Bank Secrecy Act (“BSA”) and Anti Money Laundering (“AML”) laws as primary tools of enforcement, particularly for actors who deal with “anonymity enhanced cryptocurrencies” and technology that obscures the ownership of particular assets. Obligations to safeguard systems, protect consumer data, and properly maintain customer information apply not only to conventional virtual asset exchanges, but also to peer-to-peer exchanges, kiosk operators, and virtual currency casinos.
It remains to be seen whether future presidential administrations will continue to take such an aggressive enforcement posture in the cryptocurrency space as that which currently exists.
The CFTC and the DOJ file enforcement actions against the entities and individuals that own and operate the Bitcoin Mercantile Exchange (BitMEX), a trading platform for cryptocurrency derivatives.
The CFTC alleges that BitMEX, for several years, operates an unregistered trading platform and violates CFTC regulations by, among other things, failing to implement required AML procedures. The DOJ in turn charges BitMEX’s three founders and its first employee with criminal violations of the Bank Secrecy Act (BSA) and conspiracy for willfully failing to establish, implement and maintain an adequate AML program.
The DOJ alleges BitMEX’s conduct constitutes a willful violation of the BSA. The CFTC and DOJ each assert jurisdiction over BitMEX based on allegations of defendants’ business in the U.S., and the soliciting and accepting of orders and funds from U.S. users. The government alleges the intent of BitMEX’s “maze” of offshore entities was to obscure its significant contacts with the U.S. Despite being registered in the Seychelles. While BitMEX represents that it has no physical presence in the U.S., many subsidiaries and affiliates are nonetheless located here. The CFTC also points out:
- Approximately half of BitMEX’s workforce is based in the U.S.
- It developed and runs its website in the U.S.
- One founder allegedly lived in the U.S.
- Another founder, while residing abroad, owns his interest through a Delaware LLC and has a U.S. bank account.
- BitMEX actively solicits and markets to U.S. residents through participation in industry events and the development of a bounty program for U.S. users.
The government alleges BitMEX’s withdrawal from the U.S. was a “ruse” and that U.S. residents’ continued access to BitMEX was an “open secret” because BitMEX only required IP verification upon creating an account and allowed users to sign in through the Tor Network and Virtual Private Networks.
“The government also alleges the defendants attempted to avoid U.S. law by incorporating in the Seychelles, allegedly barring – but knowingly allowing – U.S.-based users to participate, and deleting evidence of U.S.-based users.” The DOJ claims these steps to circumvent U.S. law reveal the defendants’ willful violation of the BSA.
Blockchain-based exchange platforms involved in both centralized and decentralized finance can learn the following from the BitMEX actions: “Offshore registration and living offshore are not enough to avoid the jurisdiction of U.S. law enforcement.” In assessing whether U.S. law applies to an exchange or platform, regulators will look beyond mere form to determine whether the substance of an individual’s or entity’s conduct provides sufficient jurisdictional basis.
“Avoiding U.S. markets is only effective if you actually avoid U.S. markets. Though tautological, a business can only avoid U.S. regulation by truly staying outside of U.S. markets.” According to the U.S. government, it is not enough to disclaim U.S. contacts and take half-measures to achieve that goal. Notably, the government focused in this case on BitMEX’s continued marketing efforts in the U.S.
Founders and employees may have civil and criminal exposure for a platform’s activity if steps are not taken to comply with applicable law. If a platform has contacts within the U.S. or has not taken affirmative, reasonable steps to exclude U.S. persons from the platform, U.S. regulators may seek to establish jurisdiction. Even absent centralized ownership or founder control, regulators may target individuals within the company, including those who developed or created the digital asset, protocol or platform, if it was designed and launched without taking into account compliance obligations.
The absence of immediate legal repercussions is not proof of an absence of liability. The DOJ and CFTC cite conduct from several years past. Law enforcement need not, and rarely will, charge a defendant at the first sign of potential illegality. Offenders who do not change their behavior in the face of clear warnings and guidance, however, may anticipate harsher treatment. Thus, compliance with applicable laws should be a continuing priority, regardless of whether a company faces immediate regulatory scrutiny.
BitMEX has developed a reputation as one the largest and most successful offshore digital currency exchanges. The government’s actions show how U.S. regulators will work together in bringing enforcement actions, raising scrutiny on even those that might initially appear beyond the reach of U.S. law.
Obligations to safeguard systems, protect consumer data, and properly maintain customer information apply not only to conventional virtual asset exchanges, but also to peer-to-peer exchanges, kiosk operators, and virtual currency casinos.
Cryptocurrency operators must understand that they are pioneering the creation of a new industry. While U.S. regulators may have tread lightly to date in the absence of clear guidance, that restraint will undoubtedly dissipate as and when cryptocurrency operators conduct business in contravention of more clearly defined rules and regulations.