Insights
FinCEN Crypto & Ransomware Guidance: Will 2022 Bring More Changes?
The Financial Crimes Enforcement Network (“FinCEN”) of the U.S. Department of the Treasury (“Treasury”) has made clear that businesses engaging in certain activities involving virtual currencies are subject to registration, reporting, recordkeeping, and other anti-money laundering (“AML”) requirements under the Bank Secrecy Act and its implementing regulations (collectively, “BSA”). In response to recent developments in the field of financial technology (“fintech”), FinCEN has issued new guidance and advisories related specifically to activities involving virtual currencies and ransomware payments.
This article introduces FinCEN and the BSA, identifies AML risks associated with virtual currencies and ransomware that businesses may encounter in 2022 and beyond, and discusses best practices for navigating the complex and rapidly evolving BSA landscape.
What is FinCEN and what is the BSA?
In the United States, FinCEN is a bureau within Treasury tasked with safeguarding the U.S. financial system from illicit use and promoting U.S. national security through the strategic use of financial authorities and the collection, analysis, and dissemination of financial intelligence. As administrator of the BSA, FinCEN regulates virtual currencies and other digital assets for AML purposes.
The BSA aims to prevent criminals from using financial institutions to facilitate money laundering, terrorist financing, and other financial crimes.2 Under the BSA, certain financial institutions called “money services businesses” (“MSBs”) are subject to mandatory registration, program, recordkeeping, and reporting requirements.
Virtual currency.
FinCEN defines the term “virtual currency” as “a medium of exchange that can operate like currency but does not have all the attributes of ‘real’ currency… including legal tender status.” FinCEN uses the term “convertible virtual currency” (“CVC”) to refer to a type of virtual currency that either (i) has an equivalent value as ‘real’ currency or (ii) acts as a substitute for ‘real’ currency. Essentially, CVCs are virtual currencies that can be exchanged for ‘real’ currencies. Examples of CVCs include most cryptocurrencies (digital assets maintained by a decentralized system and secured by cryptography), such as Bitcoin, Ether, and Monero, as well as most stablecoins (digital assets designed to maintain a stable market price by pegging their value to an external reference like fiat currency), such as Tether and Dai. Note, however, that digital assets with legal tender status (“LTDAs”), such as China’s digital yuan, are not virtual currencies.
As bad actors seek to exploit the latest fintech innovations for illicit purposes, FinCEN has responded by issuing guidance, advisories, and other publications clarifying the BSA’s application to emerging business models and novel factual circumstances. On March 18, 2013, FinCEN became the first U.S. regulatory agency to issue interpretive guidance on virtual currencies by clarifying the BSA’s applicability to “users,” “administrators,” and “exchangers” of virtual currency. On May 9, 2019, FinCEN issued comprehensive guidance on CVCs, which consolidated related guidance and administrative rulings from 2011 to 2019 and applied its interpretation of the BSA to various activities involving CVCs.
Ransomware.
On October 15, 2021, FinCEN published a report analyzing trends in BSA data collected in the first six months of 2021 concerning ransomware cyber-attacks and related payments. According to the report, the severity and sophistication of ransomware attacks are increasing rapidly, and perpetrators of ransomware are taking new measures to obfuscate their financial trails and enhance their anonymity. On November 8, 2021, FinCEN published an updated Ransomware Advisory providing specific instructions for detecting, preventing, and reporting suspicious transactions associated with ransomware attacks. In 2022, companies should be well aware of the risks posed by ransomware and the regulatory obligations that may be triggered by a cyber-attack or related transaction (for more information, see our previous article, Ransomware Attacks Are on the Rise; Are You Ready?).
***
As virtual currencies become more popular and widespread in society, companies will need to carefully consider the regulatory implications of engaging in activities involving virtual currencies. Some important considerations include:
1. Determining whether your company is a Money Services Business under the BSA.
The BSA defines a “money services business” (“MSB”) as “a person wherever located doing business, whether or not on a regular basis or as an organized or licensed business concern, wholly or in substantial part within the United States,” operating in one or more enumerated capacities, including as a “money transmitter.”3 Generally, a “money transmitter” is a “person that provides money transmission services,” including “the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.”4 The BSA also provides that certain persons, such as natural persons acting as money transmitters on an infrequent basis and not for profit, are exempt from MSB status.
According to FinCEN’s 2013 VC Guidance, users of virtual currency that obtain CVCs to purchase goods or services are not MSBs, whereas administrators or exchangers of virtual currency that (i) accept and transmit CVCs or (ii) buy or sell CVCs are determined to be money transmitters subject to the BSA requirements for MSBs. Moreover, FinCEN’s 2019 CVC Guidance provides that whether a person qualifies as an MSB generally depends on the person’s activities and not its formal business status. Although the 2019 CVC Guidance describes the BSA’s applicability to several common business models, such as peer-to-peer (“P2P”) exchangers, CVC kiosks, and certain decentralized applications (“DApps”), it does not resolve all ambiguities. Answering the threshold question of whether a company qualifies as an MSB is crucial, yet seldom straightforward.
2. Ensuring that your MSB has properly and timely registered with FinCEN.
The first step for an MSB operating in the United States in establishing its BSA compliance framework is registering as an MSB with FinCEN using FinCEN’s BSA E-Filing system by submitting FinCEN Form 107.5 An MSB’s registration with FinCEN must be renewed every two years.
An entity acting as an MSB that fails to register as required by the BSA is subject to civil money penalties and possible criminal prosecution. In fact, FinCEN’s first enforcement action against a virtual currency exchanger – the 2015 Ripple Labs case – involved a determination by FinCEN that the respondents willfully violated the mandatory registration requirement for MSBs, among other violations.6 On May 5, 2015, FinCEN assessed a $700,000 civil money penalty against Ripple Labs Inc. and its wholly owned subsidiary, XRP II LLC, for multiple violations of the BSA relating to operating as an unregistered virtual currency exchanger and selling its virtual currency known as XRP. FinCEN also referred the matter to the U.S. Attorney’s Office for the Northern District of California, which eventually resolved possible criminal charges for related conduct.
3. Ensuring that your MSB has an effective, written AML program.
MSBs must implement an effective, written, risk-based AML program that meets certain minimum requirements. MSBs are required to develop, implement, and maintain an AML program that is reasonably designed to prevent the MSB from being used to facilitate money laundering and to finance terrorist activities.7 AML programs for MSBs must be commensurate with the unique money-laundering risks associated with the specific factual circumstances of the MSB, such as the composition of its customer base, geographies served, and financial products or services offered. In the context of reviewing risk-based policies, procedures, and practices, MSBs should consult the most recent list of jurisdictions with strategic deficiencies in their AML regimes published by the Financial Action Task Force (“FATF”), an intergovernmental standard-setting body in which the U.S. government, through the Treasury, actively participates.8 AML programs for MSBs must also meet other “minimum” requirements, such as providing training on AML responsibilities for appropriate personnel, designating an AML compliance officer, and establishing an independent audit function to review the adequacy of the AML program.
4. Ensuring that your MSB is complying with its reporting and recordkeeping requirements.
MSBs are subject to many reporting and recordkeeping requirements under the BSA. One example is the requirement that most MSBs must file a suspicious activity report (“SAR”) using FinCEN Form 111 for certain activities or transactions relevant to a possible violation of law or regulation.9 Transactions that are conducted or attempted by, at, or through an MSB that involve or aggregate funds or other assets of $2,000 or more (or, in certain circumstances, $5,000 or more), and that the MSB knows, suspects, or has reason to suspect are suspicious must be reported by filing a SAR. Per FinCEN’s 2021 Ransomware Advisory, when a SAR filing is required for a suspicious transaction involving ransomware, all relevant information available, including cyber-related information and technical indicators, must be included in both the SAR form and narrative.
***
One final consideration for companies engaged in activities involving virtual currencies: the BSA/AML regulatory landscape is characterized by uncertainty. FinCEN’s efforts to refine the existing BSA regime to address modern challenges are ongoing, as evidenced by FinCEN’s Request for Information (“RFI”), published on December 15, 2021, seeking “ways to streamline, modernize, and update the anti-money laundering and countering the financing of terrorism (AML/CFT) regime of the United States” to protect U.S. national security “in a cost-effective and efficient manner” on a continuing basis.10
This RFI comes approximately one year after several of FinCEN’s proposed amendments to the BSA concerning virtual currencies were met with significant backlash from industry leaders, underscoring the uncertain future of FinCEN’s forthcoming reforms.11 Moreover, with Treasury expected to address issues like stablecoins and LTDAs in its report to Congress due sometime in January 2022, the regulatory landscape surrounding virtual currencies and other digital assets remains under active construction.12
If you have questions concerning FinCEN’s regulation of virtual currencies or ransomware or need assistance with determining your company’s BSA obligations, assessing your AML/CFT risks, or coordinating with FinCEN or other government agencies, feel free to contact the attorneys at Torres Law, PLLC.
1 I would like to thank our Law Clerk, Alexander Dieter, for his contributions to this article.
2 The Bank Secrecy Act statute is codified at 12 U.S.C. §§ 1829b, 1951-1959, and 31 U.S.C. §§ 5311-5314, 5316-5332. Regulations implementing the BSA statute appear at 31 C.F.R. Chapter X (formerly 31 C.F.R. Part 103).
3 31 C.F.R. § 1010.100(ff).
4 31 C.F.R. § 1010.100(ff)(5)(i)(A) (emphasis added).
5 31 C.F.R. § 1022.380; 31 U.S.C. § 5330.
6 See In the Matter of Ripple Labs Inc., Assessment of Civil Money Penalty, Number 2015-05 (May 5, 2015), available at https://www.fincen.gov/sites/default/files/shared/Ripple_Assessment.pdf. See also In the Matter of Ripple Labs Inc., Statement of Facts and Violations, Attachment A (May 5, 2015), available at https://www.fincen.gov/sites/default/files/shared/Ripple_Facts.pdf; In the Matter of Ripple Labs, Remedial Framework, Attachment B (May 5, 2015), available at https://www.fincen.gov/sites/default/files/shared/Ripple_Remedial_Measures.pdf; FinCEN Fines Ripple Labs Inc. in First Civil Enforcement Action Against a Virtual Currency Exchanger, News Release (May 5, 2015), available at https://www.fincen.gov/sites/default/files/2016-08/20150505.pdf.
7 31 C.F.R. § 1022.210.
8 See FATF, “Jurisdictions under Increased Monitoring – October 2021” (Oct. 21, 2021), available at http://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/increased-monitoring-october-2021.html.
9 31 C.F.R. § 1022.320.
10 See Review of Bank Secrecy Act Regulations and Guidance, 86 Fed. Reg. 71,201 (Dec. 15, 2021), available at https://www.federalregister.gov/documents/2021/12/15/2021-27081/review-of-bank-secrecy-act-regulations-and-guidance (announcing the deadline for submitting comments on this RFI is February 14, 2022).
11 See Threshold for the Requirement To Collect, Retain, and Transmit Information on Funds Transfers and Transmittals of Funds That Begin or End Outside the United States, and Clarification of the Requirement To Collect, Retain, and Transmit Information on Transactions Involving Convertible Virtual Currencies and Digital Assets With Legal Tender Status, 85 Fed. Reg. 68,005 (Oct. 27, 2020), available at https://www.federalregister.gov/documents/2020/10/27/2020-23756/threshold-for-the-requirement-to-collect-retain-and-transmit-information-on-funds-transfers-and; Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets, 85 Fed. Reg. 83,840 (Dec. 23, 2020), available at https://www.federalregister.gov/documents/2020/12/23/2020-28437/requirements-for-certain-transactions-involving-convertible-virtual-currency-or-digital-assets.
12 See Interagency Report on Stablecoins (Nov. 1, 2021), at 21, available at https://home.treasury.gov/system/files/136/StableCoinReport_Nov1_508.pdf.