Two recent federal enforcement actions, announced on the same day, underscored the need for cryptocurrency companies to carefully consider their anti-money laundering (AML) obligations otherwise they risk significant penalties.
First, on August 8, 2022, the US Treasury Department’s Office of Foreign Assets Control (OFAC) added Tornado Cash (Tornado) to the Specially Designated Nationals (SDN) list. As a result, Tornado will generally not be able to transact with US persons.
Tornado is a virtual currency mixer that, according to OFAC, has been used to launder over $ 7 billion since its creation in 2019. Currency mixers collect digital assets in a pool, often obscuring their destination and origin. While this may be a legitimate way to protect the privacy of cryptocurrency users, the practice can also be used to obfuscate illegal activity. In its announcement of the Tornado sanctions, OFAC said blenders should generally be considered “high risk” until they have “appropriate controls in place” to mitigate money laundering problems.
Tornado is not the first virtual currency mixer that OFAC has sanctioned due to a weak or non-existent AML program. The first mixer sanctioned by OFAC was Blender.io, which OFAC says was used extensively by a group of hackers sponsored by the Democratic People’s Republic of Korea. In a press release related to the Blender.io case, OFAC indicated that it will continue to “investigate the use of mixers for illegal purposes and consider the range of authority [it] must respond to the risks of illicit financing in the virtual currency ecosystem. “More information on the risks associated with technologies that enhance anonymity can be found in the National Money Laundering Risk Assessment 2022.
The second executive action involved another money services firm that found weaknesses in its AML program. The United States Attorney for the Southern District of New York announced that Gregory Dwyer, the former head of business development at BitMEX, has pleaded guilty to violating the Bank Secrecy Act (BSA). Prosecutors declared it that BitMEX’s inability to implement know-your-customer (KYC) requirements made it “de facto a money laundering platform” and that Dwyer’s deliberate inability to “establish, implement or maintain an anti-money laundering program “constituted a violation of the BSA. This is the fourth time that a high-ranking employee of BitMEX, an offshore crypto derivatives trading platform, has been found responsible for such a breach.
The BSA requires covered entities to maintain effective anti-money laundering policies, including a customer identification program (commonly referred to as the KYC requirement). In particular, financial institutions must collect certain identifying information from clients using their services, verify that information to form a reasonable belief about the client’s identity, and maintain relevant records. MSBs and other financial institutions that do not implement and maintain an effective anti-money laundering program risk liability for violating the BSA.
The United States Department of Justice and other regulators, such as the Financial Crimes Enforcement Network (FinCEN), have the authority to investigate and sanction violations of the BSA and, as BitMEX allegations show, individual employees of these activities also show. money services may be responsible for such violations. In addition to KYC, an AML program generally must also include, among other things, a designated compliance officer to oversee the AML program, reports of suspicious activity, employee training, and an independent review or verification of the AML program.
The Tornado designation and BitMEX beliefs serve as a reminder that a financial institution must have and follow a robust AML program tailored to its operations, size and risks and periodically review the program to ensure it remains sufficient in view of any size and scope changes financial institution.
Covered “financial institutions” include traditional types, such as banks and broker-dealers, and non-traditional types, such as money services businesses, a category that includes “money transmitters”. A cryptocurrency company that provides digital financial or banking products should consider its role in the flow of funds to determine whether it is considered a money services business. If a business is unsure whether it is a money transmitter or other type of money service business, see our previous publication, “MSB or not MSB? That’s the question.”
For more information on money laundering statutes and regulations, contact Wilson Sonsini attorneys Stefano Heifetz, Troy Jenkins, Jonathan Davey, or any member of the national security practice.