US and global sanctions enforcement and compliance expectations for digital currencies

The Department of Treasury’s Office of Foreign Assets Control (OFAC) has entered the whole-of-government effort to pursue enforcement action against all companies in the virtual currency industry, including technology companies, exchangers, administrators, miners, wallet providers, and traditional financial institutions that may have exposure to virtual currencies or their service providers. OFAC is increasing resources that will focus on violations of US sanctions laws against the industry. US sanctions are a strict-liability regime that trigger severe consequences for unknowing and unintentional violations.

OFAC actions

In its most recent action, on November 28, 2022, OFAC announced a settlement with Delaware-incorporated currency exchange Payward (dba Kraken) for violating US sanctions against Iran.

OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry, issued in 2021, emphasizes that "members of the virtual currency industry are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions" and should incorporate these essential components into their compliance program: (1) management commitment; (2) periodic risk assessment; (3) internal controls; (4) testing and auditing; (5) training; (6) reporting procedures; and (7) record-keeping. Controls should include the deployment of (a) geolocation tools, (b) IP address blocking controls, (c) customer, end-user, and transaction monitoring and investigation software, (d) monitoring OFAC lists of known virtual currency addresses tied to sanctioned parties, (e) blockchain analysis tools, and (f) compliance-related training on blockchain analytics.

Counsel who understand the inter-agency process for sanctions implementation and the granting of license exceptions, which includes significant participation and leadership by the Department of State, can help clients establish an adequate and efficient risk-based compliance program, seek government guidance and license where appropriate, and create lines of communication with key government officials to both mitigate risk and encourage business growth with confidence.

Businesses in the digital currency world are under-educated about regulatory expectations that traditional financial institutions have learned to appreciate, including blocking IP addresses associated with sanctioned countries, installing sophisticated automated software with correct calibration to screen for bad actors, establishing a dedicated compliance team, and conducting Know Your Customer Due Diligence.

US AML legislation

The US views digital currencies as a threat to countering illicit finance, money laundering and sanctions evasion, and is working to obtain a better regulatory and enforcement foothold over the industry. The US Anti Money Laundering Act of 2020 addresses digital currencies in some respects by amending the Bank Secrecy Act (BSA) to state that those who exchange or transmit value that substitutes for currency (eg, cryptocurrency) are subject to BSA registration and compliance requirements. The 2020 Act also codifies prior guidance by the US Financial Crimes Enforcement Network (FinCen) that certain cryptocurrency exchanges, wallets, and other entities are subject to the BSA. But there is still much more to expect from US regulators to address the totality of risks.

As with other countries, the preexisting US AML regime was written for an analog world. For example, regulations apply to entities, and it is unclear what the target is with a decentralized blockchain platform. Fed Chairman Jerome Powell compared cryptocurrency to money market funds and bank deposits but without the regulations both must follow.

Determining one's obligations to abide by regulatory requirements can be complex and depends on the business model used to transmit digital currencies. Obligations can depend on (1) who owns the value of the currency; (2) how the currency is stored; (3) if the owner directly interacts with the payment system; and (4) if there is an intermediary that has independent control over the value of the currency. Encrypted digital currencies that hide the identity of the owners do not escape BSA obligations.

Unregistered Money Services Businesses (MSBs) are at particular risk if they attempt to evade supervision and fail to implement appropriate AML and sanctions controls. MSBs provide transfer of funds services, including transmitting payments by those initiating a transaction, and include companies outside the US that do business in the US.

FinCen issued guidance indicating that domestic and foreign-located digital currencies doing business in the US, even if they have no physical US address, must register with FinCen and comply with AML, recordkeeping, monitoring, and reporting requirements. BSA rules are also applicable to exchanges (those that accept and transmit digital currencies) and issuers of digital currencies and businesses that can redeem them.

Global regulatory and compliance efforts

In addition to being used for money laundering and fraud, digital currencies have been implicated in acts that threaten the national securities of the US and its allies. For example, North Korean-linked cyber hackers have stolen hundreds of millions of dollars in digital currencies, digital currencies have helped finance ballistic missile and weapons of mass destruction programs, and they have facilitated sanctions evasion. Accordingly, there is wide international support for a robust and wholistic regulatory framework that addresses digital currencies.

Cryptocurrencies and stablecoins are currently regulated by many jurisdictions to require adherence with Know Your Customer rules and adequate due diligence mandated by versions of the US Bank Secrecy Act and similar laws in other jurisdictions. However, these laws are designed for "traditional" banking and fiat transactions, and do not account for new actors and processes in the digital currency world. Many digital currency issuers and exchange platforms are not registered with, and thus not supervised by, relevant financial authorities.

Proposed legislation seeks to capture all "Service Providers" which include those that: (1) facilitate exchanges between virtual assets and fiat currencies; (2) facilitate exchanges between one or more forms of virtual asset; (3) help transfer virtual assets; (4) safekeep and/or administer virtual assets or instruments enabling control over virtual assets; and (5) participate in or provide financial services related to an issuer’s offering and/or sale of a virtual asset.

Key provisions of guidance issued by the Financial Action Task Force (FATF), the world’s global money laundering watchdog, include: (1) conducting national risk assessments to understand how digital currencies and services function and fit within regulatory frameworks; (2) requiring licensing and registration of Service Providers and implementation of AML controls and KYC by Service Providers; (3) implementing the "travel rule" which requires Service Providers to (a) identify and share data on all virtual asset transactions over a certain amount, (b) obtain and maintain accurate information about an originator and the recipient of a transaction and beneficiary information, and (c) screen for sanctions; and (4) regulations for peer to peer exchanges of digital currencies that do not touch Service Providers.

According to the Interpretive Note to FATF Recommendation 16, Service Providers should collect the name and account number of the originator and benefactor, the originator's physical address, national identity numbers and/or dates and places of birth.

The European Commission (EC) is strengthening the EU’s anti-money laundering and countering terrorism financing rules to bring the "full application of the EU AML/CFT rules to the crypto sector" designed to capture all service providers and oblige them to conduct due diligence on their customers and fully trace transfers of crypto assets. At the heart of a proposed legislative package is the creation of a new "EU-level Anti-Money Laundering Authority (AMLA)" as "the central authority coordinating national authorities to ensure the private sector correctly and consistently applies EU rules." The AMLA and the legislative package aim to be operational by 2024.

The UK FCA pulled no punches when it said "crypto-tokens can become very difficult to sell or may significantly reduce in value – and consumers that invest in them should be prepared to lose all their money." The FCA created a "temporary register" of firms that can trade in digital currencies while they are being assessed on their compliance with UK anti-money laundering and terrorist financing laws. The FCA warned that issuers require registration and authorization before issuances or fundraising for cryptocurrencies and has brought enforcement actions against those that have failed to register.