August 3rd, 2020
Key to understanding how US regulation for bitcoin exchanges and bitcoin ATM operators works is to start with the Bank Secrecy Act (BSA) first introduced in 1970. Also known as the Currency and Foreign Transactions Reporting Act, it’s defined in Wikipedia as a law “requiring financial institutions in the United States to assist U.S. government agencies in detecting and preventing money laundering”. For practical business purposes this boils down to three key aspects, and the associated acronyms AML and KYC. BSA is the principal regulation which details Anti-Money Laundering (AML), including Know Your Customer (KYC) and Transaction Monitoring. It’s also for this reason that BSA is occasionally called the anti-money laundering law (AML) or simply referred to as BSA/AML.
How in practice the law is applied to crypto-centric businesses is no different than other financial businesses that come under BSA regulations. Both non-crypto and crypto businesses share the need to create BSA-complaint policies and practices that are proportionate to the risk involved in transactions. Which means as a rule of thumb that smaller crypto businesses with only local customers for example require fewer AML safeguards than large financial institutions. But whatever the size of the business the impact of regulation can be reduced to two basic points, that crypto businesses must both have a robust AML/KYC program, which stands up to independent scrutiny – and that the business complies with four practical requirements of AML regulation.
The first of the four requirements of AML involves implementing a system of internal controls, from ensuring the business meets all regulatory requirements, to implementing controls and monitoring systems to detect and report suspicious transactions. It was these systems which Bitcoin of America used to ensure timely reporting of an illegal attempt to avoid a restitution judgement. The second main element is that crypto businesses need to ensure they have independent verification of compliance. Thirdly, there should be a professional who is responsible for managing this compliance system within the business. As well as possessing the necessary capabilities and resources, the regulation makes it clear there should be no ‘conflict of interest’ for whoever is in that role. The fourth element of compliance is training within the business, with your directors and senior management promoting education, training, and AML compliance. As well as these four BSA main elements, how crypto businesses comply with KYC also requires a plan for customer identity and record keeping verification.
Finally, your crypto businesses system of compliance should include ‘transaction monitoring’ to ensure identification of suspicious activity, and a system to review identified transactions to determine if a Suspicious Activity Report (SAR) report should be filed. “Due to the technical nature of blockchain analysis and other frameworks of analyzing CVC activity, FinCEN encourages communication within financial institutions among AML, fraud and information technology departments, as appropriate.
The US agency responsible for enforcing these regulations is the Financial Crimes Enforcement Network (FinCEN) whose self-described motto is “follow the money”. In 2011 FinCEN added “other value that substitutes for currency” (crypto currency) to its definition of money services businesses (MSBs) in preparation to adapt the respective rules to virtual currencies. Following that, in March 2013 FinCEN issued guidance regarding virtual currencies (called ‘CVCs’ by FinCEN: Convertible Virtual Currencies) , according to which, exchangers and administrators are considered money transmitters, and therefore are bound by the rules to prevent money laundering/terrorist financing and other forms of financial crime, by record-keeping, reporting and registering with FinCEN. Jennifer Shasky Calvery, director of FinCEN said, “Virtual currencies are subject to the same rules as other currencies. … Basic money services business rules apply here.”
Last year in May 2019 FinCEN updated its advice with both guidance, in the form of the Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies (CVC) and advice in the form of the Advisory on Illicit Activity Involving Convertible Virtual Currency to “assist financial institutions in identifying and reporting suspicious activity related to criminal exploitation of CVCs for money laundering, sanctions evasion, and other illicit financing purposes. The advisory highlights prominent typologies, associated “red flags,” and identifies information that would be most valuable to law enforcement if contained in suspicious activity reports”.
The importance of this updated information was made clear in the advisory, that crypto businesses need robust controls in place, otherwise they “cannot reasonably assess and mitigate the potential risks posed by a customer’s source of funds or a customer’s counterparty, and criminals can exploit the U.S. financial system by engaging in illicit transactions”. This of course includes BTMs, or what the 2019 advisory document refers to as ‘CVC kiosks’: “While some kiosk operators have registered and implemented AML/CFT controls, other kiosks have operated in ways that suggest a willful effort to evade BSA requirements. For example, some kiosk operators have assisted in structuring transactions, failed to collect and retain required customer identification information, or falsely represented the nature of their business—for instance by claiming involvement in cash intensive activities—to their CVC exchange and depository institutions.”