Following a tumultuous year in digital assets, blockchain-based financial service providers should have their eye on the enforcement landscape. The government’s fight against financial crime and money laundering is squarely focused on the digital asset space, and law enforcement has something to prove.
Criminal prosecutors and financial regulators have long warned that cryptocurrency is popular among criminals, money launderers, hackers, and dark web illicit marketplaces. Before some of the more spectacular failures in the cryptocurrency market, there was a genuine debate about whether cryptocurrency transactions truly involved greater risk of illicit conduct than the fiat marketplace.
Whether justified or not, it’s hard to argue that digital assets don’t involve an overall higher level of risk, which puts every cryptocurrency platform under an enforcement spotlight.
Borders Don’t Matter
On Jan. 18, the Department of Justice and the Financial Crimes Enforcement Network took simultaneous actions against Bitzlato, a Hong Kong-registered digital asset exchange operated by a Russian national alleged to have processed $700 million in illicit funds, including in connection with the notorious Hydra darknet marketplace.
The DOJ arrested the exchange owner and seized its website, stating, “Whether you break our laws from China or Europe or abuse our financial system from a tropical island—you can expect to answer for your crimes inside a United States courtroom.”
Additionally, under new authority designed to target cryptocurrency, FinCEN identified Bitzlato as a primary money laundering concern in connection with illicit Russian finance and prevented US institutions from transacting with Bitzlato and its successor entities.
The Bitzlato action, along with the DOJ’s recent seizure of $3.6 billion related to the Bitfinex hack and multiple seizures of accounts and funds related to North Korean hacks, reflects substantial successful cooperation of the National Cryptocurrency Enforcement Team and the Federal Bureau of Investigation’s Virtual Asset Exploitation Unit with foreign counterparts.
Foreign-located digital exchanges are subject to US extraterritorial enforcement tools, and blockchain analytics enable the US government to investigate foreign-located digital exchanges without going through a lengthy inter-jurisdictional process.
Therefore, even outside of US supervision, digital exchanges should monitor their exposure to illicit activity to ensure that their exposure remains within market norms.
Risky Ties to Ransomware
The US government is especially focused on use of cryptocurrency in ransomware attacks. The recent Bitzlato action stressed the relationship between the exchange and Russian state actors who perpetrate ransomware attacks against US persons. It highlights two reasons the US government will continue to prioritize actions on ransomware facilitators: ransomware’s use by state actors is a matter of national security, and ransomware represents use of cryptocurrency to facilitate crime against consumers.
The focus on ransomware attacks demonstrates that real-time monitoring for ransomware is key to avoiding regulatory scrutiny. FinCEN ransomware studies on statistical analysis and reporting systems and blockchain analytics found that foreign exchanges are primary cash-out points for ransomware actors. Therefore, US exchanges must limit their exposure to foreign counterparty exchanges, such as Bitzlato, that are hubs for ransomware activity.
Compliance Program Risks
Very few criminal enforcement actions have focused on mainstream digital asset platforms. Rather, the DOJ has pursued a seemingly endless number of egregious criminal actors using cryptocurrency to facilitate open and notorious illegal conduct, as well as for laundering proceeds of less blatant criminal activity.
We are aware of only one criminal case for anti-money laundering compliance violations—the BitMEX prosecution in 2020.
US cryptocurrency platforms face the greatest risk from findings by their regulators of compliance program failures. Recent enforcement actions by the Office of Foreign Assets Control, FinCEN, and the New York Department of Financial Services highlight themes of alleged failures: business growth outpacing compliance spending, deficiencies in transaction monitoring, unqualified and inexperienced compliance staff, insufficient assessment of crypto-specific risks, problematic third-party relationships, and insufficient commitment to compliance by executives and board members.
Cryptocurrency products and services require brand new policies, processes, and tools. Government enforcers and regulators are looking for proof—policies, testing, record-keeping, sophisticated and properly-tuned technological resources, and robust suspicious transaction reporting—that a cryptocurrency platform knows what it needs to do and is doing it.
Relationships Under Scrutiny
The government is also highly focused on how digital asset companies manage the risks related to their partners and service providers. FinCEN has repeatedly cited institutions for conducting transactions with high-risk exchanges, such as BTC-e, and not filing suspicious activity reports. FinCEN’s message is clear: It will hold US persons accountable for their activity with foreign exchanges outside of US jurisdiction.
A focus on third-party relationships is top of mind for many regulators. The Office of the Comptroller of the Currency has repeatedly included third-party relationships at the top of its areas for supervisory focus, and FinCEN, the OCC, and New York’s DFS cited failures to mitigate risk of third-party relationships in many recent enforcement actions.
Compliant exchanges must review the exposure of their third-party relationships and be confident in their partners’ compliance program and processes. Facilitating transactions with risky third parties could draw scrutiny to an institution’s third-party management policies and procedures.
Regulators are looking for an updated risk assessment of the relationship, clear roles and responsibilities in writing, processes for real-time and periodic monitoring, and plans to address weaknesses—including an exit strategy—if needed.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Laurel Loomis Rimon is a partner in Paul Hastings’ fintech and payments practice. A former federal prosecutor, she advises financial institutions, fintech companies, and government entities on compliance issues, enforcement actions, and internal and government investigations.
Braddock Stevenson is of counsel in the fintech and payments and investigations and white collar defense practices at Paul Hastings. He spent more than a decade at FinCEN, most recently serving as deputy associate director of its enforcement division.