How US authorities are using old AML tools to crack down on crypto
The ease of laundering money in the U.S. before 1970 boggles the mind. Prior to the Bank Secrecy Act (BSA) of that year, there were no federal standards for banks to keep records on activity that fell under the category of “suspicious.” There were also no consistent reporting requirements — it was the BSA that established the $10,000 threshold that stands to this day.
But it’s not like the BSA banished money laundering from U.S. shores. It wouldn’t even be until 1986 that money laundering was classified as a federal crime — a landmark in global anti-money laundering. Despite that classification, America’s proud tradition of illicit financing continues to this day.
The technology behind banking was making huge advances long before the word “fintech” got mouths watering in boardrooms around the world. And obviously, since 1970, the globalization movement has picked up a fair bit of steam, opening up new opportunities for international shell companies to house money stripped of any identifying or incriminating information about the funds’ actual, original owner.
And then came Bitcoin, and a host of other tokens on its heels.
Enter FinCEN
For a long time it was unclear whether any of the traditional rules — like the BSA — were going to apply to crypto. As early as 2013, the Financial Crimes Enforcement Network (FinCEN) assured the industry that anyone exchanging “convertible virtual currencies,” i.e. those that are readily exchangeable, qualified as a money services business. Such firms need to register as an MSB and generally fall under the purview of the BSA.
In 2013, however, regulators were still lost when it came to the technology behind Bitcoin. Last year, FinCEN made it clear that it was still paying attention. This year has seen the regulator ramping up its capabilities to follow through with that declared authority.
FinCEN hit Larry Dean Harmon, the operator of several Bitcoin mixing services, with precedent-setting fines earlier this week. The Department of Justice is pressing criminal charges against BitMEX’s executive team over the exchange’s facilitation of money laundering. And on Friday, FinCEN indicated that it was looking to expand the requirement for financial institutions to share customer information to international transactions as small as $250, explicitly citing crypto businesses as subject to the same rules. We are witnessing a major push. Authorities mean business when it comes to the BSA.
All U.S. AML law all descends from the BSA of 1970, which was really the first of its kind anywhere in the world. The Money Laundering Control act of 1986 made violations a federal criminal offense, thereby involving the DoJ and sometimes the FBI.
FinCEN itself did not come into being until 1990. It handles the civil side of AML law, charging fines and making financial institutions report on their systems in a way that the DoJ does not get involved in. FinCEN became a full Treasury bureau as part of the PATRIOT Act of 2001, when cutting off illicit funds to terrorism became a top priority. In this capacity, FinCEN’s work can overlap with the Office of Foreign Asset Control (OFAC), which spearheads sanction enforcement, as well as the Internal Revenue Service (IRS), which handles tax investigations.
In its own words: “FinCEN’s mission is to safeguard the financial system from illicit use and combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.”
At the most mundane level, that mission entails a host of filings from financial institutions operating in the U.S., including registering money services businesses and foreign bank accounts. Most relevant to illicit funding is the Suspicious Activity Report (SAR).
The SARs-collection system came under fire at the end of September, as a leak of FinCEN’s files showed colossal flows of suspicious money that received no follow-up. Some commentators saw the bureau’s heightened focus on crypto as hypocritical.
Enforcing BSA in crypto
Regarding recent actions like those mentioned above against BitMEX and Larry Dean Harmon, it’s clear that regulators and enforcers are culling especially egregious examples of firms willingly engaging with illicit money.
Attorney Braddock Stevenson of law firm O’Melveny left FinCEN’s enforcement division in January of this year. He described what we are witnessing as an effort “to drive commerce into the regulated sector, into the exchanges, because that's where the transparency is and that's where FinCEN's able to get the reporting.”
Emphasis on reporting fits with FinCEN’s overall mission. The leak of SARs from September demonstrated the reality that FinCEN is not following up — cannot, in fact, follow up — on every report it receives. Back in 2018, Director Kenneth Blanco said that the bureau gets 1,500 SARs each month related to cryptocurrency. In 2019, FinCEN reported over 850,000 SARs filed by money services businesses alone — not including other sorts of financial institutions.
The nature of FinCEN’s work is to make sure financial institutions are maintaining some sort of record-keeping policy. “The point of having to file something is to ensure that accountability is baked into the system,” said Casey Jennings, an attorney in Seward & Kissel’s blockchain and cryptocurrency group. Jennings noted that intentionality actually matters a great deal in FinCEN’s determinations of who to pursue:
“If FinCEN looked at the financial institutions compliance program and they determined, ‘ok, this bank did their best and for whatever reason, something slipped through the cracks.’ Money laundering happened. As long as the financial institution did their best then they're probably not going to get penalized. And if they are, it's not going to be a very big fine.”
That all sounds very well-meaning. However, the BSA also provides for criminal charges, as we have seen. While the DoJ has been involved in prosecuting crypto crime for the better part of a decade, that’s usually been reserved for fraud, theft, sanctions evasion or terrorism funding. BitMEX was different. The executive team at BitMEX didn’t seem ideological — if anything just greedy. But their platform, the DoJ feared, can function as a playground for the worst sorts of actors.
When comparing the DoJ’s massive seizure of crypto funds from a terrorist funding network in August to the BitMEX action, Andrew Jacobson, also of Seward & Kissel’s blockchain and crypto group, said ideology and greed were largely the same problem to regulators when they lead to illegal underreporting:
“Both objectives can be gained on parallel tracks. If you're an exchange processing millions of transactions every week — potentially on a daily basis — and you don't have an AML program or you don't have a sufficient one, then you're helping facilitate those ideological actors’ bad acts. The fact that terrorists or others can get access to your platform just because you don't have proper controls in place, from the regulators’ point of view, is equally unacceptable.”Regarding the shift to more enforcement, a senior staffer for the Congressional Blockchain Caucus told Cointelegraph that it was not a clear-cut matter that the BSA’s AML provisions would hold sway in crypto: “A lot of commentators thought that new laws would have to be passed for these parties to be targeted.” He continued:
“Bringing in the Bank Secrecy Act is a big deal. With all the other things — the CFTC, SEC actions — those are all regulatory, which means they are all civil penalties. All money. With the BSA, you’re bringing in criminal punishment, and also different investigatory bodies.”FinCEN is not likely to start fining every crypto exchange that does not live up to the standards the BSA sets out for banks, and the DoJ is hardly going to start Arthur Hayes-level manhunts for the execs of every crypto exchange registered outside of the U.S. and not keeping BSA-level customer records. As Braddock Stevenson noted, “we haven't seen an action that's been based on just pure lack of transparency issues without an additional nexus to more suspicious activity.” Nonetheless, these regulators are wrangling the industry into tightening boundaries of acceptable behavior.
Mismatch between crypto and BSA reqs
Especially tricky for crypto is 31 CFR 1010.410(f) — known as the Travel Rule — which requires financial institutions to pass on information on transactions of greater than $3,000 in value — a threshold that, as mentioned before, may be on its way down to $250. That information includes the names and addresses of the people sending and receiving those funds. It makes sense if you are running a bank and there is account information readily accessible, but that back-and-forth is part of why bank transfers are slow.
Moreover, a core component of the crypto industry’s ethos is data privacy. Though U.S. regulators generally see emphasis on privacy as potentially indicative of illegal activities, it’s not just for concealing illicit funding. If an exchange is holding all the data for all of its customers — and most U.S.-based exchanges gather that already, rather than waiting for a client to exceed the $3,000 threshold on a transaction — that is a target to hack. That means importing the vulnerabilities of the traditional financial system onto crypto without necessarily guaranteeing the same protections.
Casey Jennings noted this mismatch, saying:
“The whole notion of crypto is that there are no gatekeepers and the BSA requires that there be gatekeepers. Those two notions are very much at odds with one another. But the BSA is the best system that we've got right now. [...] The other option would be for Congress to get involved and create a new regulatory scheme and I'm not sure that anyone in the industry wants to see that happen.”Right now, the BSA is what everyone is working from, and with the DoJ claiming authority over all crypto firms that touch American servers, it behooves everyone to pay attention.
As with so many of the interactions between crypto and regulators, there is an issue of negative PR — FinCEN and the DoJ are looking at crypto as first and foremost a tool for laundering money. But when you’re talking AML regulators, they have limited real incentive to look at the positive sides of crypto at all. The role of, say, the Securities and Exchange Commission in crypto has been controversial, but the highest ranks of the SEC have conceded that the technology could be a huge boon for U.S. securities markets.
FinCEN and related AML authorities are, conversely, strictly risk-averse. That includes fellow Treasury branches like OFAC and the IRS, as well as the DoJ. The task before FinCEN is to hamper criminals trying to use their ill-gotten gains. The bureau doesn’t have institutional incentives to adopt any of the benefits of crypto technology, and indeed that is not really their job. Similarly, it is not the mission of the DoJ to streamline transactions, nor the aim of the IRS to ensure data privacy. At best, these entities tolerate crypto as a mission.
For now, this is what the crypto industry is working with if it wants to work with the United States. There doesn’t seem to be any pending legislation on the horizon to shift the duties of the BSA in crypto, and the authorities that maintain it have doubled down on enforcement in the industry.
We’ll likely be seeing FinCEN and the DoJ build out their authority in the cryptosphere with more prosecutions in the near future. At the same time, they will be communicating with exchanges operating within what they determine to be their jurisdiction. There is, consequently, no reason to doubt an impending rise in user data collection and inter-exchange communication unless something dramatic shakes the landscape.