FinCEN Crypto & Ransomware Advice: Will 2022 Bring More Changes? | Torres Law, LLC

The U.S. Department of the Treasury’s (“Treasury”) Financial Crimes Enforcement Network (“FinCEN”) has made it clear that companies that engage in certain activities involving virtual currencies are subject to the registration, reporting, maintenance records and other anti-money laundering (“AML”) measures under the Bank Secrecy Act and its regulations (collectively, “BSA”). In response to recent developments in the area of ​​financial technology (“fintech”), FinCEN has issued new guidance and notices related specifically to activities involving virtual currencies and ransomware payments.

This article introduces FinCEN and BSA, identifies AML risks associated with virtual currencies and ransomware that businesses may encounter in 2022 and beyond, and discusses best practices for navigating the complex and rapidly changing BSA landscape. .

What is FinCEN and what is BSA?

In the United States, FinCEN is an office of the Treasury responsible for protecting the United States financial system from illicit uses and promoting American national security through the strategic use of financial authorities and the collection, analysis and dissemination of intelligence financial. As administrator of the BSA, FinCEN regulates virtual currencies and other digital assets for AML purposes.

The BSA aims to prevent criminals from using financial institutions to facilitate money laundering, terrorist financing and other financial crimes.² Under the BSA, certain financial institutions known as “money services businesses” (“MSBs”) are subject to mandatory registration, program, record keeping and reporting requirements.

Virtual currency.

FinCEN defines the term “virtual currency” as “a medium of exchange that may function as currency but does not have all the attributes of ‘real’ currency…including legal tender”. FinCEN uses the term “convertible virtual currency” (“CVC”) to refer to a type of virtual currency that (i) has equivalent value as “real” currency or (ii) acts as a substitute for “real” currency. Essentially, CVCs are virtual currencies that can be exchanged for “real” currencies. Examples of CVCs include most cryptocurrencies (digital assets maintained by a decentralized system and secured by cryptography), such as Bitcoin, Ether, and Monero, as well as most stablecoins (digital assets designed to maintain a stable market price by approximating their value to an external benchmark such as fiat currency), such as Tether and Dai. Note, however, that legal tender (“LTDA”) digital assets, such as the Chinese digital yuan, are not virtual currencies.

As malicious actors seek to exploit the latest fintech innovations for illicit purposes, FinCEN has responded by issuing guidance, notices, and other publications clarifying the application of BSA to emerging business models and new factual circumstances. On March 18, 2013, FinCEN became the first U.S. regulator publish interpretation tips on virtual currencies clarifying the applicability of the BSA to “users”, “administrators” and “exchangers” of virtual currency. On May 9, 2019, FinCEN published comprehensive HVAC guidancewhich compiled guidance and related administrative decisions from 2011 to 2019 and applied its interpretation of the BSA to various activities involving HVAC.

Ransomware.

On October 15, 2021, FinCEN published a report analyze trends in BSA data collected in the first six months of 2021 regarding cyber ransomware attacks and associated payments. According to the report, the severity and sophistication of ransomware attacks are rapidly increasing, and ransomware perpetrators are taking new steps to obscure their financial trails and bolster their anonymity. On November 8, 2021, FinCEN released an updated ransomware advisory providing specific instructions to detect, prevent and report suspicious transactions associated with ransomware attacks. In 2022, businesses should be well aware of the risks posed by ransomware and the regulatory obligations that can be triggered by a cyberattack or related transaction (for more information, see our previous article, Ransomware attacks are on the rise; Are you ready?).

***

As virtual currencies become more popular and prevalent in society, companies will need to carefully consider the regulatory implications of engaging in activities involving virtual currencies. Here are some important considerations:

1. Determine if your business is a money services business under the BSA.

The BSA defines a “money services business” (“MSB”) as “a person wherever located carrying on business, whether or not on a regular basis or as an organized or licensed commercial enterprise, wholly or substantially in part in the United States”. operating in one or more of the listed capacities, including as a “money transmitter”.³ Generally, a “money transmitter” is a “person who provides money transfer services” including “acceptance of currency, funds or other value that replaces the currency of a person and the transmission of currency, funds or other value that replaces the currency to another location or to another person by any means.⁴ The BSA also provides that certain persons, such as natural persons occasionally acting as money transmitters and not-for-profit, are exempt from ESM status.

According to FinCEN 2013 Venture Capital Guidelines, virtual currency users who obtain CVCs to purchase goods or services are not MSBs, while virtual currency administrators or exchangers who (i) accept and transmit CVCs or (ii) buy or sell CVCs are considered fund transmitters subject to the BSA requirements for ESMs. Additionally, FinCEN HVAC Guidelines 2019 provides that a person’s eligibility as an MSB generally depends on their Activities not its official corporate status. Although the 2019 CVC Guidelines describe the applicability of BSA to several common business models, such as peer-to-peer (“P2P”) exchanges, CVC kiosks, and certain decentralized applications (“DApps”), they do not address not all the ambiguities. Answering the preliminary question of whether a company qualifies as an MSB is crucial, but rarely straightforward.

2. Ensure that your ESM has registered correctly and in a timely manner with FinCEN.

The first step for an MSB operating in the United States in establishing its BSA compliance framework is to register as an MSB with FinCEN using FinCEN’s BSA electronic filing system by submitting FinCEN Form 107 .⁵ An ESM’s registration with FinCEN must be renewed every two years.

An entity acting as an ESM that fails to register as required by the BSA is subject to civil monetary penalties and possible criminal prosecution. In fact, FinCEN’s first enforcement action against a virtual currency exchange – the 2015 Ripple Labs case – involved a FinCEN ruling that defendants willfully violated the mandatory registration requirement for ESMs, between other violations.⁶ On May 5, 2015, FinCEN imposed a civil penalty of $700,000 on Ripple Labs Inc. and its wholly-owned subsidiary, XRP II LLC, for multiple BSA violations related to operating as a currency exchange. unregistered virtual currencies and the sale of its virtual currency known as XRP. FinCEN also referred the matter to the U.S. Attorney’s Office for the Northern District of California, which ultimately resolved possible criminal charges for related conduct.

3. Make sure your ESM has an effective, written AML program.

MSBs must implement an effective, written, risk-based AML program that meets certain minimum requirements. ESMs are required to develop, implement and maintain an AML program reasonably designed to prevent the ESM from being used to facilitate money laundering and terrorist activity financing.^seven AML programs for MSBs should be proportionate to the unique money laundering risks associated with the MSB’s specific factual circumstances, such as the composition of its customer base, geographic areas served, and financial products or services offered. As part of the review of risk-based policies, procedures and practices, MSBs should consult the most recent list of jurisdictions with strategic gaps in their anti-money laundering regimes published by the Group. Financial Action (“FATF”), an intergovernmental standards-setting body in which the US government, through the Treasury, is an active participant.⁸ AML programs for MSBs must also meet other “minimum” requirements, such as training on AML responsibilities for appropriate personnel, designation of an AML compliance officer, and establishment of a function independent audit to review the adequacy of the AML program.

4. Ensure your MSB meets its reporting and record keeping requirements.

ESMs are subject to numerous reporting and record keeping requirements under the BSA. One example is the requirement that most MSBs must file a Suspicious Activity Report (“SAR”) using FinCEN Form 111 for certain activities or transactions relevant to a possible violation of law or regulation.⁹ Transactions that are entered into or attempted by, to or through an MSB that involve or aggregate funds or other assets of $2,000 or more (or, in certain circumstances, $5,000 or more), and that the ESM knows, suspects or has reason to suspect are suspicious should be reported by filing an SAR. According to the 2021 FinCEN Ransomware Notice, when a SAR filing is required for a suspicious transaction involving ransomware, all available relevant information, including cybersecurity-related information and technical indicators, should be included in the both in the SAR form and in the narrative.

***

A final consideration for companies engaged in activities involving virtual currencies: the BSA/AML regulatory landscape is characterized by uncertainty. FinCEN’s efforts to refine the existing BSA regime to meet modern challenges continue, as evidenced by FinCEN’s Request for Information (“RFI”), issued on December 15, 2021, seeking “ways to streamline, modernize and update the anti-money laundering system”. and Countering the United States Counter Terrorist Financing (AML/CFT) Regime” to protect the national security of the United States “in a cost-effective and efficient manner” on an ongoing basis.^ten

This request for information comes about a year after several of FinCEN’s proposed changes to the BSA regarding virtual currencies drew significant backlash from industry leaders, underscoring the uncertain future of the upcoming reforms. of FinCEN.¹¹ Additionally, with the Treasury expected to address issues such as stablecoins and LTDAs in its report to Congress scheduled for January 2022, the regulatory landscape surrounding virtual currencies and other digital assets remains under active construction.¹²