ANALYSIS: Facebook Creating a Global SRO, Not a New AML Paradigm

In Facebook Hints at New AML/CFT Paradigm of Libra, I noted indications from Facebook’s public statements that it intended to create a new paradigm for anti-money laundering/combating the financing of terrorism (AML/CFT) and sanctions compliance for the Libra cryptocurrency and its Calibra subsidiary. Testimony before Congress by Calibra head David Marcus stated otherwise, but it also raised further issues that Facebook and the governing body for Libra, the Libra Association, should address.

One is that a self-regulatory organization (SRO) under U.S. authority may be necessary to enforce U.S. AML/CFT and sanctions requirements. Another is that the structure of the Libra Association may defeat attempts to enforce those requirements.

Great Scott!

Talk about AML/CFT and sanctions abounded in Mr. Marcus’s testimony before the Senate Committee on Banking, Housing, and Urban Affairs on July 16 and the House Committee on Financial Services on July 17, and in the questions asked by members of both houses.

Substantive discussion of them did not occur until more than an hour into the House hearing, however. Rep. David Scott (D-GA) then made the highly insightful observation—the same one made in Facebook Hints at New AML/CFT Paradigm of Libra—that Mr. Marcus’s July 3 blog post had discussed the ability of law enforcement and regulators to conduct their own analysis of Libra on chain activity but had not mentioned an entity’s responsibility to file suspicious activity reports (SARs), an apparent shift away from existing AML/CFT requirements.

The response from Mr. Marcus clarified that there is no intended paradigm shift away from existing AML/CFT requirements. Blockchain technology will enable additional visibility into Libra transactions for law enforcement and regulators, but it will not replace SAR reporting and other existing AML/CFT obligations. The Libra Association, although based in Switzerland, would register in the United States with the Financial Crimes Enforcement Network (FinCEN) as a money services business (MSB) and implement an AML/CFT program, including AML/CFT guidelines for Libra members. The Calibra wallet would implement its own AML/CFT program, including KYC procedures.

Weak Links in the Libra Chain

This description of Libra AML/CFT compliance brought up a further issue, however, and members of Congress and experts in the subsequent panel discussion repeatedly raised it: Calibra may follow U.S. AML/CFT requirements, being a subsidiary of U.S.-based Facebook, but other Libra wallet providers may not.

Reps. Brad Sherman (D-CA), Bill Foster (D-IL), and Denver Riggleman (R-VA), with varying backgrounds and interests, each discussed aspects of the problem that Libra wallets can be based in numerous jurisdictions internationally, and not all jurisdictions’ regulatory systems can be trusted. Professor Chris Brummer of Georgetown University Law Center and Professor Gary Gensler of MIT Sloan School of Management, a former Chairman of the Commodity Futures Trading Commission, Under Secretary of the Treasury for Domestic Finance, and Assistant Secretary of the Treasury, discussed it further.

The problem is not new or unique to Libra, but Libra could make it worse. Weak links in the international banking regulatory system led to the massive Russian money laundering through Danske Bank and Swedbank uncovered in 2017–19, described in Danske Bank, Swedbank, and Global AML Failures.

Those weak links existed in Denmark and Sweden even though their regulatory requirements met international standards on paper. Libra and other cryptocurrencies could make international regulatory fragmentation even worse, since national and international standards for them are still emerging. The international standard-setting body for AML/CFT, the Financial Action Task Force (FATF), announced standards for virtual assets on June 21, but how and when individual countries will adopt them remains to be seen.

A Global Self-Regulatory Organization for Libra

Protecting Libra from becoming a medium of exchange for illicit finance will require the Libra Association to take a proactive role in screening the wallet providers handling Libra transactions and in monitoring use of Libra.

Someone will have to conduct due diligence of non-Calibra entities that want to become Libra wallet providers, to keep out suspicious actors. Someone also will have to monitor Libra activity on an ongoing basis to detect individual suspicious transactions or trends that individual wallet providers may miss, or intentionally or recklessly fail to detect. The Libra Association is the only organization created by Facebook so far that will be in a position to perform those roles.

Registering the Switzerland-based Libra Association in the United States as an MSB would be an initial formal step toward giving it these roles. A registered MSB must implement an AML/CFT program, including a customer identification program and SAR filing program, under 31 CFR Part 1022. FinCEN established that virtual currency administrators and exchanges are subject to registration as MSBs in its 2013 Guidance on virtual currencies, re-stated as new FinCEN Guidance in May 2019, and the 2015 Ripple Labs enforcement action. Enforcement actions involving established international money transmitters Western Union and MoneyGram have established that MSBs are obligated to monitor their agents for compliance with AML/CFT requirements. These guidance statements and enforcement actions have established much of the foundation for AML/CFT compliance as a registered MSB by the Libra Association.

The Libra Association differs significantly from existing money transmitters and virtual currency payment processors, however, so treating it as an MSB may not be a good fit. The Libra Association consists of separate business entities in various geographic areas and lines of business, venture capital firms, and nonprofit organizations, each with a “validator node” responsible for securing the network and validating transactions, overseeing a blockchain-based system accessed through numerous wallets. It is not a singular business licensing its name and network to agents, like Western Union or MoneyGram. It may be comparable to the virtual currency payment processors discussed in FinCEN Guidance, but it is on a far larger scale than any previously considered by FinCEN. Libra will present different risks than those addressed by past cases, and the Libra Association may require significantly different treatment as a result.

A sign that lengthy discussions may be underway on this issue between Facebook, FinCEN, and other federal regulators is the lack of any Libra Association listing in the MSB registration database as of July 24, 2019, a month after the announcement of Libra. Calibra registered as an MSB in February 2019, months before the announcement. It is possible that aspects of the Libra Association’s role overseeing the Libra project are the subject of prolonged negotiations, which were not necessary for the more straightforward role of Calibra as a Libra wallet operator.

One issue may be that the Libra Association resembles an SRO more than an MSB. SROs are non-governmental organizations formed to establish and enforce regulations for an industry. The best known are the New York Stock Exchange, founded in 1792, and the Financial Industry Regulatory Authority (FINRA), formed in 2007, and there are numerous SEC-registered SROs regulating various sectors of the securities industry.

Like an SRO, the Libra Association is a private entity intended to develop regulatory compliance standards for an industry sector, created and funded by an association of companies in the industry. An enforcement function necessarily follows, regardless of whether Facebook intends it, because without the ability to expel noncompliant members, the Libra Association would not even be able to meet the AML/CFT obligations of an MSB.

It is no surprise that Facebook has avoided using the words “self-regulatory organization” or “self-regulation” publicly, since using them in the immediate aftermath of the major scandal and $5 billion settlement over data privacy would be astoundingly tone-deaf. Doing so would also suggest securities regulation, which no one in the cryptocurrency business would want to do now with discussion of the Howey test still ongoing.

Facebook and other founding members of the Libra Association may need to consider SRO status for the association, however, especially if FinCEN and other regulators do not agree that MSB status adequately addresses the AML/CFT issues created by Libra.

Libra Association Corporate Structure

The corporate structure of the Libra Association should be another source of concern. The Libra Association is a nonprofit organization with numerous members investing in it—28 at its foundation, with Facebook stating the membership goal to be 100 or more.

As a result, Facebook and other Libra Association members limit their potential liability for any failures by the association to comply with U.S. AML/CFT requirements, blunting the influence of potential U.S. regulatory enforcement action. Congressional scrutiny of the Libra Association fixated on the choice of Switzerland with its history of bank secrecy; Facebook’s reply emphasized the regulatory coherence and clarity that Switzerland offers for crypto businesses, and the benefit of limiting Facebook control over the venture. Avoidance of potential liability by organizing as a nonprofit organization with numerous members may be more significant than any of those concerns.

Federal regulators and members of Congress should question Facebook on this issue, if they are not already doing so, and Facebook should be ready to answer them.