On May 9, 2019, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) published long-awaited guidance addressing how FinCEN regulations apply to what the agency calls “convertible virtual currency” (CVC), which covers most types of cryptocurrencies and crypto-tokens. The guidance focuses on:

  • Platforms engaged in exchange transactions involving securities, commodities, or futures contracts and fiat currency, CVC, or other value that substitute for currency;
  • Natural persons providing CVC money transmission as person-to-person (P2P) exchangers;
  • CVC wallets (differentiating among hosted, unhosted, and multiple signature wallet providers);
  • CVC provided through electronic terminals, kiosks, or automated teller machines;
  • CVC services provided through decentralized (software) applications (DApps), including anonymizing services;
  • Payment processing services;
  • Internet casinos;
  • Initial Coin Offerings (ICOs) and the status of creators of CVC;
  • DApp developers, users conducting financial activities, and DApps conducting CVC transactions; and
  • Mining pools and cloud miners.

In conjunction with this guidance, FinCEN issued an advisory to assist financial institutions in “identifying and reporting suspicious activity related to criminal exploitation of CVCs for money laundering, sanctions evasion, and other illicit financing purposes.” The advisory also highlights virtual currency abuse typologies and associated red flags, and identifies valuable information in filing suspicious activity reports (SARs) for activity involving CVC.

In a press release issued simultaneously with the guidance and advisory, FinCEN notes that these documents do not establish new regulatory expectations. Instead, they consolidate current regulations, guidance, and administrative rulings and apply the same “interpretive criteria to other common business models involving CVC.” These documents are not intended to be exhaustive, and business models not covered under the guidance and advisory may still be subject to certain Banks Secrecy Act/anti-money laundering (BSA/AML) obligations.

Unless exempt under certain specified limitations, persons engaging in a business to accept CVC from one person and transmit CVC to another person or location, in any manner, are generally required to register with FinCEN as a money services business (MSB) and to comply with AML program requirements to reduce exposure to money laundering and terrorism financing risks and to implement internal controls to promote compliance with recordkeeping, monitoring and reporting requirements – including filing SARs and currency transaction reports (CTRs), among other requirements. FinCEN’s guidance makes clear that these requirements “apply equally” to domestic and foreign-located CVC money transmitters doing business wholly or in substantial part within the United States, regardless of the form of coin (physical or digital), the type of ledger used, or the type of technology utilized.

FinCEN’s advisory also highlights the risks associated with certain virtual currency abuse typologies – including darknet marketplaces, peer-to-peer exchangers, unregistered foreign-located MSBs, and CVC kiosks – and associated red flags. FinCEN notes that, because some red flags may reflect legitimate financial activity, financial institutions “should evaluate indicators of potential CVC misuse in combination with other red flags and the expected transaction activity before determining that a particular transaction is suspicious.” FinCEN also encourages that financial institutions work with their AML, fraud, and information technology departments in analyzing CVC activity due to the complex nature of the underlying technology.

With respect to sanctions requirements, the advisory states that businesses and entities dealing in digital currency should implement policies and procedures that allow them to:

  • Block IP addresses associated with a sanctioned country or region;
  • Disable the accounts of all holders identified from a sanctioned country or region;
  • Install a dedicated Compliance Officer with authority to ensure compliance with all OFAC administered sanctions programs;
  • Screen all prospective users to ensure they are not from geographic regions subject to US sanctions; and
  • Ensure OFAC compliance training for all relevant personnel.

The advisory also identifies information valuable to law enforcement in investigating potential illicit conduct involving CVC transactions, including:

  • Virtual currency wallet addresses;
  • Account information;
  • Transaction details (including virtual currency transaction hash and information on the originator and the recipient);
  • Relevant transaction history;
  • Available login information (including IP addresses);
  • Mobile device information (such as device IMEI); and
  • Information obtained from analysis of the customer’s public online profile and communications.

For more information regarding FinCEN’s action, Steptoe is issuing a forthcoming advisory on FinCEN’s guidance and advisory documents.