In April, the Financial Crimes Enforcement Network (FinCEN) assessed a civil money penalty for willful violations of the Bank Secrecy Act’s registration, program, and reporting requirements.
The money services business, which operated as a peer-to-peer exchanger of convertible virtual currency, had no written policies or procedures for ensuring compliance with the BSA and failed to report suspicious transactions and currency transactions.
One month later, the agency is now adding guidance and clarification to affirm its regulatory framework for virtual currencies and “provide regulatory certainty for businesses and individuals engaged in expanding fields of financial activity.”
The guidance, it says, is in response to questions raised by financial institutions, law enforcement, and regulators concerning the regulatory treatment of multiple variations of businesses dealing in convertible virtual currencies (CVCs).
On May 10, it also issued an “Advisory on Illicit Activity Involving Convertible Virtual Currency” to assist financial institutions in identifying and reporting suspicious activity related to criminal exploitation of CVCs for money laundering, sanctions evasion, and other illicit financing purposes. The advisory highlights prominent typologies and associated “red flags,” and identifies information that would be most valuable to law enforcement if contained in suspicious activity reports (SARs).
“FinCEN was the first financial regulator to address virtual currency and the first to assign obligations to related businesses to guard against financial crime,” said FinCEN Director Kenneth Blanco. “Our regulatory approach has been consistent and despite dynamic waves of new financial technologies, products, and services, our original concepts continue to hold true. Simply stated, those who accept and transfer value, by any means, must comply with our regulations and the criminal misuse of any methodology remains our fundamental concern.”
The guidance does not establish any new regulatory expectations. Rather, it consolidates current FinCEN regulations, guidance, and administrative rulings that relate to money transmission involving virtual currency and applies the same interpretive criteria to other common business models.
FinCEN’s rules define certain businesses or individuals involved with CVCs as money transmitters subject to the same registration requirements and a range of anti-money laundering, program, recordkeeping, and reporting responsibilities as other money services businesses.
Highlights of the compliance advisory include:
- “Virtual currencies, particularly CVCs, are increasingly used as alternatives to traditional payment and money transmission systems. As with other payment and money transmission methods, financial institutions should carefully assess and mitigate any potential money laundering, terrorist financing, and other illicit financing risks associated with CVCs.
- “The risks posed by CVCs may create illicit finance vulnerabilities due to the global nature, distributed structure, limited transparency, and speed of the most widely utilized virtual currency systems.
- “New types of anonymity-enhanced CVCs have emerged that further reduce the transparency of transactions and identities as well as obscure the source of the CVC through the incorporation of anonymizing features, such as mixing and cryptographic enhancements.
“Some CVCs appear to be designed with the express purpose of circumventing anti-money laundering/countering the financing of terrorism (AML/CFT) controls. All of these factors increase the difficulty for law enforcement and other national security agencies’ efforts to combat money laundering, terrorist financing, and other financial crimes facilitated through CVCs.
- “A financial institution that fails to comply with its AML/CFT program, recordkeeping and reporting obligations, as well as other regulatory obligations, such as those administered by the Office of Foreign Assets Control (OFAC), risks exposing the financial system to greater illicit finance risks. This is particularly true among unregistered MSBs that may be attempting to evade supervision and fail to implement appropriate controls to prevent their services from being leveraged in money laundering, terrorist financing, and other related illicit activities.
- “According to FinCEN’s analysis of BSA and other data, illicit actors have used CVCs to facilitate criminal activity such as human trafficking, child exploitation, fraud, extortion, cyber-crime, drug trafficking, money laundering, terrorist financing, and to support rogue regimes and facilitate sanctions evasion.
“Of particular concern is that CVC has come to be one of the principal payment and money transmission methods used in online darknet marketplaces that facilitate the cyber-crime economy.
- “Mixing or tumbling involves the use of mechanisms to break the connection between an address sending CVC and the addresses receiving CVC. The use of CVC in conjunction with darknet market activity may indicate drug purchases or sales, child exploitation, cyber-crime, or other criminal activity. Accordingly, detectable darknet marketplace linkages, such as through a customer’s online behavior, may indicate CVC use in support of illicit activity.
- “Entities facilitating the transmission of CVCs are required to register with FinCEN as an MSB. If such an entity has not registered with FinCEN, it may be operating illegally as an unregistered MSB.
- “Foreign-located MSBs seeking to avoid regulatory coverage generally choose to operate in jurisdictions that lack or have limited AML/CFT laws governing the use of CVC. These foreign-located MSBs often do not comply with the AML/CFT regime of the United States, despite doing business wholly or in substantial part within the U.S.
- “CVC kiosks are ATM-like devices or electronic terminals that allow users to exchange cash and virtual currency. CVC kiosks generally facilitate money transmission between a CVC exchange and a customer’s wallet or operate as a CVC exchange themselves. While some operators have registered and implemented AML/CFT controls, other kiosks have operated in ways that suggest a willful effort to evade BSA requirements.
- “Some kiosk operators have assisted in structuring transactions, failed to collect and retain required customer identification information, or falsely represented the nature of their business—for instance by claiming involvement in cash-intensive activities—to their CVC exchange and depository institutions.
- “When evaluating potential suspicious activity, institutions should be mindful that some red flags might be more readily observable during general transactional screening, while others may be more readily observable during transaction-specific reviews.
- “Because some red flags associated with abuse of CVC may reflect legitimate financial activities, financial institutions should evaluate indicators of potential CVC misuse in combination with other red flags and the expected transaction activity before determining that a particular transaction is suspicious. Due to the technical nature of blockchain analysis and other frameworks of analyzing CVC activity, FinCEN encourages communication within financial institutions among AML, fraud, and information technology.”
When filing SARs, financial institutions should provide all pertinent available information in the SAR form and narrative, the guidance says. The following information is particularly helpful to law enforcement: virtual currency wallet addresses; account information; transaction details (including virtual currency transaction hash and information on the originator and the recipient); relevant transaction history; available login information (including IP addresses); mobile device information; and information obtained from analysis of the customer’s public online profile and communications.
FinCEN encourages communication among financial institutions in determining transactions’ potential suspiciousness related to terrorist financing or money laundering activities and in filing SARs, as appropriate.
The advisory also notes that Office of Foreign Assets Control sanctions requirements include not only screening against its Specially Designated Nationals (SDN) list, but also undertaking appropriate steps to prohibit persons in sanctioned countries and jurisdictions from opening accounts and trading in digital currency.
Businesses and entities dealing in digital currency should implement policies and procedures that allow them to: block IP addresses associated with a sanctioned country or region; disable the accounts of all holders identified from a sanctioned country or region; install a dedicated compliance officer with authority to ensure compliance with all OFAC-administered sanctions programs; screen all prospective users to ensure they are not from geographic regions subject to U.S. sanctions; and ensure OFAC compliance training for all relevant personnel.