The introduction and spread of cryptocurrencies has complicated the AML/CFT process in jurisdictions around the world. Reports suggest that around $2.8 billion was laundered through cryptocurrency exchanges in 2019, with further analysis revealing that over 50% of cryptocurrency exchanges have inadequate KYC protocols in place to stop criminal activity.
Over the past decade, cryptocurrency regulations in the United States have been inconsistent and have varied by state. More recently however, the US Department of Treasury has taken steps to introduce federal cryptocurrency regulations: in December 2020, the Financial Crimes Enforcement Network (FINCEN) set out a proposal for new Know Your Customer (KYC) AML crypto requirements for all banks and financial institutions operating in the United States.
FINCEN’s Requirements for Certain Transactions Involving Virtual Currency or Digital Assets – also known as the Proposed Rule – will have significant consequences for AML in cryptocurrency service providers across the United States. With the Proposed Rule’s commentary period now over, it’s important that US financial institutions understand their regulatory responsibilities for AML in cryptocurrency transactions, and how the Proposed Rule will change the compliance landscape.
In the context of cryptocurrencies (such as Ethereum or Bitcoin), AML compliance regulations in the US have historically been implemented at state level, leading to a degree of divergence and inconsistency.
In 2018, however, FINCEN released guidance on how US firms should deal with cryptocurrency assets under the Bank Secrecy Act (BSA). The publication, Application of FINCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies, specifically concerned the application of BSA AML/CFT rules to ‘hosted’ and ‘unhosted’ cryptocurrency wallets under the following circumstances:
- Hosted wallets: Service providers conduct cryptocurrency transactions on the blockchain on behalf of their users through ‘hosted wallets’ which are used to store digital tokens. FINCEN guidance points out that, in this context, service providers that use hosted wallets are subject to BSA compliance regulations because they are considered money transmitters. Those regulations include appropriate customer due diligence (CDD) and reporting obligations.
Unhosted wallets: Users that conduct cryptocurrency transactions on the blockchain directly, without the involvement of a service provider, may store their digital tokens in an ‘unhosted wallet’. Users that transact from unhosted wallets are not considered money transmitters and are not subject to the BSA compliance requirements that apply to hosted wallets.
The proposed new regulations set out by FINCEN on 23rd December 2020 would effectively extend BSA compliance requirements to unhosted wallets. In practice the rule would mean that banks, financial institutions, and other crypto service providers would be subject to a range of new AML/CFT record-keeping, reporting, and verification requirements.
The scope of the Proposed Rule would cover deposits, withdrawals, exchanges, or any other payments or transfers of cryptocurrencies, referred to as convertible virtual currencies (CVC) or legal tender digital assets (LTDA). The extension of compliance to unhosted wallets would also require crypto service providers to include ‘otherwise covered wallets’: a term referring to wallets held in foreign jurisdictions not subject to BSA regulation, including high-risk countries such as Iran and North Korea.
The Proposed Rule would introduce the following AML/CFT measures and controls for service providers dealing with unhosted wallets and otherwise covered wallets:
- FINCEN reporting: The Proposed Rule would introduce a requirement for banks and money services businesses to report to FINCEN within 15 days of a cryptocurrency transaction taking place. The report must contain specified details of the transaction and include counterparty information. Enhanced identity verification would be required for unhosted wallet transactions involving amounts over $10,000.
- Record keeping: Firms would be required to keep and maintain records of cryptocurrency transactions, including details of both their customers and counterparties’ information. Where transactions involve amounts over $3,000, and where the counterparty is using an unhosted wallet, enhanced verification measures are required.
Structuring: The anonymity of cryptocurrency services makes them vulnerable to structuring, a technique in which money launderers engage in multiple transactions to avoid reporting requirements. The Proposed Rule would introduce a new prohibition on structuring cryptocurrency transactions.
When it is implemented, the Proposed Rule will expand BSA compliance requirements for both cryptocurrency service providers and traditional banks and financial institutions that deal with cryptocurrencies. The rules will bring unhosted wallets and otherwise covered wallets into the scope of their risk-based AML/CFT programs with the following measures and controls:
- Customer due diligence: Firms must be able to accurately identify the customers that they do business with – and conduct enhanced due diligence for those customers that present a higher money laundering risk.
- Transaction monitoring: In order to detect unusual and suspicious activity indicative of money laundering, firms must monitor customer’s cryptocurrency transactions on an ongoing basis and implement a process for submitting suspicious activity reports (SAR) to FINCEN in a timely manner.
- Screening and monitoring: Firms must screen their customers to ensure they are not featured on international sanctions and watchlists, are not politically exposed persons (PEP), and are not subject to adverse media stories.
The initial commentary period for the Proposed Rule ended on 4th January 2021. Industry feedback highlighted a number of challenges for the procedural implementation of the new regime, including the possibility of cybersecurity threats to personal data, the administrative burden on compliance teams, and the potential negative effect on fintech innovation.
Industry observers have stressed the need for further legislative consideration of the new rules prior to their eventual implementation. In response to the perceived inadequate length of the initial commentary period, the Proposed Rule’s commentary period was reopened on 14th January 2021.