As cryptocurrency creeps into mainstream, AML risks multiply

By now, our readers—like most of the world—likely divide into two camps: those with a fanatical zeal for the financial innovations (and potential profits) created by virtual currencies and those who see a modern version of “Tulip Mania,” poised to bubble and pop.

Regulators around the world are increasingly falling into the latter camp, especially as the trend starts to slowly go mainstream, fearing fraud and criminal activities.

Christine Lagarde, managing director of the International Monetary Fund, is among those to recently cite the threat of both money laundering and sanctions evasion for cryptocurrencies.

“We need to define the legal status of a virtual currency, or digital token,” she wrote on an IMF blog. “We need to combat money laundering and terrorist financing by figuring out how best to perform customer due diligence on virtual currency transfers. The regulatory challenges are just emerging. For instance, cryptocurrencies like Bitcoin can be used to make anonymous cross-border transfers—which increases the risk of money laundering and terrorist financing.”

The big question is how regulators can, or should, regulate virtual currencies and Initial Coin Offerings (ICOs), a public offering of sorts to raise money for a new cryptocurrency.

“It is difficult for U.S. regulators to regulate cryptocurrency projects for several reasons,” says Jeffrey Alberts, partner and head of the white-collar defense and Investigations practice at law firm Pryor Cashman. He previously held a post with the U.S. Attorney’s Office for the Southern District of New York.

“First, the decentralized organization of many such projects often results in the absence of any formal corporate entity on which the regulators can focus their attention,” he explains. Many participants are located outside the United States and, “many of the entities are so small that they do not have the infrastructure to respond to regulatory inquiries and attempts at oversight.”

These problems haven’t stopped government agencies from inching toward a regulatory regime. Guidance and enforcement actions have focused on investor fraud, Ponzi cons, and get-rich-quick schemes by penny stocks and other entities.

“We even see cases where there are celebrities hawking these things,” says Eric Sohn, director of business product at Dow Jones Risk & Compliance. “I even saw an advertisement the other day that suggested you should invest your retirement money—your 401k money—in ICOs, or taking out a home equity loan to invest in bitcoin. That is pretty scary given how relatively threadbare most ICOs are.”

As virtual currencies and ICOs gradually enter the mainstream, money laundering is poised to take its place alongside fraud as a top concern.

“ICOs are really good money laundering vehicles,” Sohn says. “They are similar to what we call a transit account. You open up an ICO. Then you get the people who are collecting your drug money across the United States to buy those coins. Then, you abscond with that money, look like any other failed business, and open another new line in another country. A lot of countries haven’t started doing any kind of regulation regarding virtual currencies and ICOs. The U.S. is very much the exception.”

Business debate risk, seek cautious adoption

Concerns of this sort are made all the more concerning as mainstream companies choose to either join the fray or retreat from the inherent risk. The latter group is starting to lament virtual currencies in their 10-K itemizations of risk factors.

Among them is Cardtronics, the world’s largest non-bank ATM operator, as well as investment banking giant Goldman Sachs. Bank of America, which once dabbled with patents for a cryptocurrency exchange, wrote in its 10-K: “The widespread adoption of new technologies, including internet services, cryptocurrencies, and payment systems, could require substantial expenditures to modify or adapt our existing products and services.”

Companies that have decided to block advertising related to ICOs and virtual currency include Google, Facebook, and Twitter (despite its founder’s exhortation that Bitcoin might eventually replace traditional fiat currencies).

JPMorgan Chase, Bank of America, and Citigroup have separately announced that they will no longer allow the purchase of Bitcoin and other virtual currencies using credit cards.

“The criminal element is very opportunistic and with E-gold, with no controls in place, they flooded into the platform. What you saw was a large portion of the transactions being conducted by people engaged in investment fraud, Ponzi schemes, child pornography, and credit card fraud.”
Laurel Loomis Rimon, Attorney, O’Melveny

Other entities, moving beyond the inherent risks, are embracing the new technology. Overstock.com was the first major online retailer to accept bitcoin payments. The payment technology company Square now allows Bitcoin trading for its users. PayPal added bitcoin to the list of currencies it will accept.

Shopify, a Canadian e-commerce company and cloud-based platform for online stores and retail point-of-sale systems, now gives merchants the option of bitcoin payments. Microsoft similarly allows bitcoin as a currency to purchase games, movies, and apps in the Windows and Xbox stores.

One-time photography giant Kodak recently announced the launch of the KODAKOne image rights management platform, “a photo-centric crypto-currency.” Chanticleer Holdings, a company that owns a minority stake in Hooters (and has a portfolio that includes other chain restaurants) moved its customer loyalty programs to blockchain, touting that “eating a burger is now a way to mine for cryptocoins.”

The Chicago Board Options Exchange jumped on the bandwagon and became the first exchange to allow bitcoin futures trading. CME Group followed suit and Nasdaq is said to be considering its options in the space.

Stressing sanctions screening

A notable regulatory move into the world of cryptocurrencies comes from the Treasury Department’s Office of Foreign Assets Control. On March 19, it released a “frequently asked questions” document that may serve as a prelude to including digital currency addresses on its Specially Designated Nationals list of blocked persons and companies.

OFAC compliance obligations are the same, regardless of whether a transaction is denominated in digital currency or traditional fiat currency, OFAC emphasized.

“Persons including technology companies, administrators, exchangers, and users of digital currencies, and other payment processors should develop a tailored, risk-based compliance program, which generally should include sanctions list screening and other appropriate measures,” OFAC adds. “An adequate compliance solution will depend on a variety of factors, including the type of business involved. There is no single compliance program or solution suitable for every circumstance.”

The agency added that it “may add digital currency addresses to the SDN List to alert the public of specific digital currency identifiers associated with a blocked person.”

“Parties who identify digital currency identifiers or wallets that they believe are owned by, or otherwise associated with, an SDN and hold such property should take the necessary steps to block the relevant digital currency and file a report with OFAC that includes information about the wallet’s or address’s ownership, and any other relevant details,” it wrote.

Petro is a sovereign cryptocurrency issued by Venezuela and backed by oil assets. In March, President Trump issued an order banning U.S. purchases of the virtual currency.

The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) is also on the case, stressing money-laundering concerns.

“Probably the most significant question you will need to answer in relation to your anti-money laundering obligations as you prepare to undertake a token sale is whether your sale amounts to ‘money transmitting’ under federal law,” says O’Melveny attorney Laurel Loomis Rimon.

Money transmitting regulations apply to virtual currencies and ICOs, according to guidance from FinCEN, she points out. Operating a money transmitting business without meeting Bank Secrecy Act requirements could subject both your business and the individuals involved in it to civil and criminal penalties.

Rimon was previously the top lawyer for the Office of the Inspector General at the U.S. Department of Homeland Security. She also served as the assistant deputy enforcement director at the Consumer Financial Protection Bureau and held senior positions at the Department of Justice, including in the Asset Forfeiture and Money Laundering Section.

While an assistant United States attorney in the District of Columbia, she successfully handled the money laundering and money transmitting prosecution of the “E-gold” enterprise, one of the earliest digital currencies. It allowed users to open an account that exchanged cash for online commerce credits that were denoted in grams of gold and accepted by other e-gold accounts. For Rimon, the modern cryptocurency gold rush prompts déjà vu.

“I see a lot of similarities and many of the same challenges are out there,” Rimon says. “The activity (at E-gold) was money transmitting and that was clear in the government’s point of view [even before FinCEN codified the issue], but a lot of the issues that are of concern now are really the same. Avoiding money laundering is still a challenge. You have so many people rushing into this market right now and developing products that don’t have effective anti-money laundering programs.”

“The criminal element is very opportunistic and with E-gold, with no controls in place, they flooded into the platform. What you saw was a large portion of the transactions being conducted by people engaged in investment fraud, Ponzi schemes, child pornography, and credit card fraud.”

A key attraction of modern cryptocurrency offerings is their perceived anonymity. “You have a more advanced technology that is not necessarily anonymous, but tracing can be a challenge,” Rimon says. Like E-gold, many modern platforms invest little time or effort in verification. Although the former service required a name, there was no shortage of those claiming to be Mickey Mouse and Donald Duck.

Things are only slightly better today. “I see a lot of these offerings are doing some ‘Know Your Customer,’ but whether it is enough or not is still an open question,” Rimon says.

Even a legitimate product or offering can still be compromised, despite the warnings and lessons of E-gold.

“A lot of the focus right now is on being compliant, with a lot of consternation over all of the regulators that have jumped into this and overlapping jurisdictions,” Rimon says. “Nobody is quite sure: Are we a security, or a money services business? Are we both? There is a lack of clarity on the government’s side, and the developers are really scrambling to try to figure out what they need to do. But put all that regulatory stuff aside, even though it matters, you need to make sure that your platform doesn’t facilitate money laundering. That isn’t just a regulatory problem. It is a criminal problem.”

A recent development, Rimon says, is that those in the virtual currency space are seeking third parties that can provide KYC and anti-money laundering services, “but they may be relying on someone else who hasn’t fully built out their platform and product as thoroughly as they should have.”

“But that’s who they look to because that’s who they trust; they are looking for other developers like them who speak the same language,” she says. When it comes to sanctions compliance, however, OFAC has strict liability. “You can say you outsourced it to someone who said they did the screening, but you are still liable.”

Money laundering carries a similar gravity. “When you look at the Silicon Valley atmosphere, there may be a reluctance to go to what might be considered ‘your parent’s AML program,’ but it is something that takes some time and sophistication,” Rimon says, comparing the situation to pressures forcing banks to de-risk. “The regulators have really pushed the banks to push down to their customers the development of AML programs and other compliance programs.”

There are various red flags that can warn of money laundering risks.

“The key is to establish what is the pattern for your particular customer base. When you see anything that is different from what the routine pattern is, then you investigate that when it pops up,” Rimon says.

Another warning sign includes transactions structured to evade a $10,000 threshold, the amount that requires banks to file Suspicious Activity Reports.

These enterprises need to determine if they fall under the criteria demanding they register as a money services business. FinCEN has stated that, in its view, Initial Coin Offerings will be treated as money transmitting firms. As such, they must register as a money transmitting business within 180 days from the date the business was established.

As money transmitters, these firms must comply with both federal law (notably the Bank Secrecy Act and related recordkeeping requirements) on top of regulations imposed by every state in which they conduct business. On the federal front, they will be required to establish a formal AML program with written policies and procedures, training programs, a designated AML compliance officer, and independent monitoring of the program.

A challenge for these cutting-edge AML programs is customer identification.

“People use these keys, long chains of letters and numbers, and you can’t quickly identify who that is, which is the attraction for a lot of users,” Rimon says. “But for conventional businesses, the traceability is a sea change. If law enforcement comes to them and asks for a download of all their transactions, they are used to being asked to do that with some identification of their customers. Now they can’t.”