First Post in a Two-Part Series
Recent actions in the crypto realm demonstrate that authorities and regulators have not slackened their commitment to applying and enforcing Anti-Money Laundering (“AML”) laws and regulations in the crypto industry. These actions serve as reminders that not only is the government keeping a close eye on cryptocurrency, but its oversight and enforcement can and will come from many angles. What’s more, the government’s recent various proactive and reactive compliance efforts relating to cryptocurrency illustrate the policy principles behind its compliance initiatives from the theoretical to the stark, real world consequences they are intended to avoid.
In this post, we address recent major developments across a spectrum of regulatory, civil, and criminal enforcement cases involving cryptocurrencies, AML and money laundering – courtesy of the combined efforts of the Financial Crimes Enforcement Network (“FinCEN”), the New York Department of Financial Services (“NYDFS”), and the U.S. Department of Justice.
In our next post, we will discuss a 30-page Guidance just issued today by FinCEN, entitled “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies” – which was accompanied by a 12-page FinCEN Advisory entitled “Advisory on Illicit Activity Involving Convertible Virtual Currency.”
The Regulatory Angle: the NYDFS
As we have blogged, New York State imposes stringent requirements for cryptocurrency exchanges to conduct business in the state. Obtaining a New York Bitlicense entails a lengthy application and examination process. Bittrex, Inc. (“Bittrex”) initiated this process by filing its Bitlicense application in August of 2015. On April 10, 2019, it received a decision from the NYDFS that left it “saddened and disappointed.” NYDSF denied Bittrex’s Bitlicense application, citing: “deficiencies in Bittrex’s BSA/AML/OFAC compliance program; a deficiency in meeting the Department’s capital requirement; and deficient due diligence and control over Bittrex’s token and product launches.” In its letter denying Bittrex’s Bitlicense application, NYDFS set forth in detail the deficiencies it found in Bittrex’s AML/BSA/OFAC compliance program, noting that Bittrex’s compliance policies and procedures “are either non-existent or inadequate.”
NYDFS explained that Bittrex’s policies and procedures lack “controls and monitoring to timely detect and report suspicious activities,” “clear guidance for selecting transactions for review” and a process for reviewing “an alert for Suspicious Activity Report (SAR) filing or closing of an account.” Overall, Bittrex’s compliance policies and procedures were undercut by what NYDFS found as the lack of “a comprehensive risk assessment of an entity’s operations, customers and geographies.” It continued that “Bittrex’s risk assessment does not comprehensively assess the risks associated with its cryptocurrency activities, products offered, nor its customer base or geographies of operation.”
Expanding on these deficiencies, NYDFS cited examples of Bittrex’s compliance failures discovered during its reviews of Bittrex’s operations. Specifically, NYDFS noted that Bittrex processed transactions for customers domiciled in sanctioned countries (allegedly including Iran and North Korea). Furthermore, NYDFS found Bittrex’s policies and procedures deficient because its sanction compliance program “is based on manual processes rather than readily available automated processes.” It noted that while Bittrex had developed 21 filtering or detection scenarios to monitor for suspicious activity, its manual transaction monitoring did not incorporate all 21 in its alert review process. Moreover, manually applied processes for making decisions concerning SAR filings and closing of accounts were “inconsistently applied and a sample of SARs filed demonstrated clear deficiencies.”
Derivative of the significant deficiencies found in Bittrex’s compliance policies and procedures, NYDFS found Bittrex lacking an effective compliance officer and lacking adequate training for employees. It explained that “[t]he severity of the deficiencies in Bittrex’s BSA/AML/OFAC compliance program raises significant concerns for the Department as to the experience, level of authority and effectiveness of the Compliance Officer in discharging his responsibilities; and “[t]he severity of the deficiencies in Bittrex’s BSA/AML/OFAC compliance program is indicative of a lack of a comprehensive training program.”
Bittrex’s alleged compliance failures were exacerbated by its failure to adequately independently test its program. NYDFS noted that, while Bittrex retained an external firm to conduct independent testing of its program, “the report failed to reflect the audit review period and failed to assess and evaluate the overall integrity and effectiveness of Bittrex’s compliance program.” This deficiency was highlighted in the eyes of the NYDFS by Bittrex’s refusal to permit NYDFS examiners to review the engagement letter between the external audit firm and Bittrex, which “would likely have shed additional light on such independent testing, including the scope of the audit.”
Finally, NYDFS cited Bittrex’s failures to conduct adequate customer due diligence. It found that numerous Bittrex transactions “were missing required tax identification numbers, customer names, or birthdate related information” and “[o]thers reflected missing or inaccurate addresses or contained foreign references without corresponding translations.” In addition, “a substantial number” of accounts were identified at Bittrex only with aliases “and obscene terms and phrases.” Lastly, Bittrex’s policies inadequately identified the ultimate beneficial owners of corporate accounts.
Bittrex responded to the NYDFS denial letter that day, broadly challenging NYDFS’s conclusions and defending its operations and compliance program. Bittrex explained that it “was responsive to all of DFS’ requests for information. However, [it] respectfully but vigorously challenged DFS’ attempts to apply traditional bank-centric regulatory rules to an entirely different model.” With that, Bittrex challenged both NYDFS’s conclusions and the stadards to which it was holding Bittrex. As to the former, Bittrex countered that its policies were evolving and effective, noting:
“Bittrex implemented transaction monitoring, and is in the process of fully automating that process”;
“Bittrex maintains a risk assessment framework, approved by outside counsel, and fully trains all company employees in its AML policies and procedures”;
“Bittrex screens for SDNs when a customer opens an account, and tracks all SDN updates from OFAC, checking our customer upon notice; we are enabling continuous automated screening with a new system going into effect this quarter”; and
“The Iranian customers referenced in the letter were reported to OFAC in January 2018; we do not have and have never had any North Korean customers.”
Notwithstanding its inability to continue operating in New York, Bittrex reaffirmed its business, emphasizing that “NYDFS’s decision is confined to New York state only, and is not a restriction on any other location in the United States or internationally.” Accordingly, “Bittrex will continue to mature its compliance program because we believe in being good corporate citizens, and because we believe in the rule of law.”
The Civil Enforcement Angle: FinCEN
On April 18, 2019, FinCEN announced “its first enforcement action against a peer-to-peer virtual currency exchanger and the first instance in which it has penalized an exchanger of virtual currency for failure to file CTRs.” According to the FinCEN release, Eric Powers operated a peer-to-peer exchange for convertible virtual currency. FinCEN regards such exchanges to be “money transmitters” and therefore required to register with FinCEN as “money services businesses,” or MSBs, under the BSA. As such, they must comply with all applicable BSA obligations, including developing, implementing and maintaining an effective AML program, filing SARs and Currency Transaction Reports (“CTRs”), and maintaining certain records of financial transactions. Mr. Powers allegedly performed none of these obligations.
Mr. Powers conducted approximately 160 purchases of bitcoin for an aggregate $5 million through in-person cash transactions, yet never filed a single CTR. In addition, he processed numerous suspicious transactions without ever filing a SAR, including doing business related to the “Silk Road” dark web marketplace, “as well as servicing customers through The Onion Router (TOR) without taking steps to determine customer identity and whether funds were derived from illegal activity.”
Charged with AML violations, Mr. Powers has been fully compliant and cooperative. He has paid a $35,000 fine and has agreed to an industry bar prohibiting him from providing any money transmitter services or engaging in any other activity that would make him a MSB for purposes of FinCEN regulations.
The Criminal Angle: the DOJ and the Darknet
Continuing our descent into the dark underbelly of virtual currency, on May 8, 2019, the United States Attorney’s Office for the Western District of Pennsylvania announced what it described as “the single most significant enforcement disruption of the Darknet to date.” Indicted were Tal Prihar, a 37-year old Isreali citizen residing in Brazil and Michael Phan, a 34-year old Israeli citizen residing in Israel. Together, they were charged with one count of conspiracy to commit money laundering under 18 U.S.C. § 1956(h).
According to the government, Prihar and Phan owned and operated DeepDotWeb (“DDW”), a site that provided users with direct access to numerous Darknet marketplaces where vendors sold assorted contraband, including narcotics, firearms, malicious software and identify theft apparatuses. As explained by the government, Darknet marketplaces operate on the TOR network (see Mr. Powers’ case, above), a computer network designed to facilitate anonymous communications over the internet. Because of its structure, users would need a site’s exact .onion address in order to access a Darket marketplace. DDW simplified this structure by providing users hyperlinks to various Darknet marketplaces.
Users clicking a hyperlink provided by DDW triggered a unique identifier that enabled the marketplace to provide DDW with a referral bonus for any purchases made by a DDW user. The referral bonuses – kickbacks – were a percentage of the profits of all of the activities conducted by DDW users and were paid in virtual currency deposited into a DDW-controlled bitcoin wallet. From there, Prihar and Phan transferred these proceeds – totaling over $15 million – from the DDW bitcoin wallet to other bitcoin accounts and to bank accounts they controlled in the names of shell companies. The government alleged that DDW users purchased “hundreds of millions’ of dollars worth of transactions, including purchases of illegal narcotics such as fentanyl, carfentanil, cocaine heroin, and crystal methamphetamine, firearms, including assault rifles, malicious software and hacking tools, stolen financial information and payment cards and numbers, access device-making equipment, and other illegal contraband.”
The case was brought in conjunction with the Hi-Tech Organized Crime Unit and Joint Criminal Opioid and Darknet Enforcement (J-CODE) Team. Arrests of Prihar and Phan were made by French authorities in Paris and Israeli authorities in Israel, respectively.