On May 9th, 2019, FinCEN released interpretive guidance on how existing regulations impact cryptocurrencies, which are referred to as Convertible Virtual Currencies. While the “guidance does not establish any new regulatory expectations or requirements,” it does clarify existing regulations and the obligations of many crypto businesses.
The guidance serves to explain which types of businesses must register as Money Services Businesses (MSBs) and thereby comply with FinCEN MSB regulations, including compliance with the Bank Secrecy Act (BSA). Compliance with the BSA requires businesses to screen their customers, third party relationships, and transactions to mitigate money laundering or terrorist financing risk. These regulations also require the filing of Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) when those risks have been identified. The guidance does not however cover regulatory obligations associated with securities, commodities, taxes, or other possible government regulations which are managed by other government entities such as the SEC, OCC, CFTC, IRS, and others.
FinCEN’s policy on what constitutes an MSB is clear: “whether a person qualifies as an MSB subject to BSA regulation depends on the person’s activities and not its formal business status.” Put more simply, it is the function of the business, not the form it takes or the name it is given. The same policy applies to all types of currencies: money is considered “currency, funds, or other value that substitutes for currency.”
FinCEN has clarified that organizations that do business “in whole or in substantial part within the United States,” are subject to BSA regulations, even if they have no physical presence in the United States. This will make it more difficult for companies headquartered overseas to skirt AML obligations if they are doing business in the US. However there are cases where an individual or business may not be subject to MSB requirements, and that is if they perform certain MSB activities, but do so infrequently and not for gain or profit.
Key Takeaways:
- Exchanges, whether crypto-to-crypto or fiat-to-crypto, must register as an MSB and comply with the BSA (including having a complete AML program and SAR/CTR reporting).
- Hosted Wallets must comply fully with BSA requirements. Unhosted Wallet providers, such as deployed software or hardware wallets, are not required to comply with BSA and FinCEN AML requirements.
- Cryptocurrency ATM providers must comply with BSA and FinCEN AML requirements.
- DApps (decentralized apps such as Ethereum Smart Contracts) may or may not be required to comply with the BSA depending on whether the DApp performs money transmission (31 CFR § 1010.100(ff)(5)(i)(A)).
- Privacy Coins (zCash, Monero, etc.) and anonymization services (such as mixers or tumblers) must comply with BSA and FinCEN AML requirements.
- Cryptocurrency Payment Processors (also known as Fiat Gateways) do not qualify for the BSA exemptions provided to fiat payment processors as they may process payments from individual wallets, unlike fiat payment processors who only process payments from financial institutions through credit card payments or bank transfers. Because of this, cryptocurrency payment processors must comply with BSA and FinCEN AML requirements.
- Decentralized Exchanges (DeX) do not need to comply with BSA and FinCEN AML requirements as long as the DeX does not facilitate the transfer of funds or hold any user funds.
- Mining Pools may have to comply with BSA and FinCEN AML requirements if the pool hosts the wallets that receive the proceeds of the mining. If there is no wallet hosting provided by the mining pool, they most likely do not have to comply with BSA/AML requirements.
- Token Offerings (Initial Coin Offerings, Initial Exchange Offerings, Security Token Offerings, et al) provide the most complex scenarios for determining AML/BSA requirements. Based on the organization type of the issuer, intermediary, or investor, the FinCEN obligations may align more closely with a bank, broker-dealer, futures commission merchant, commodity dealer, or mutual fund. Each of these types of institutions have different AML/BSA requirements and will differ from those of an MSB.
Organizations issuing ICOs should work closely with trusted issuance vendors, accountants, and lawyers to determine the appropriate regulatory compliance based on the type of issuance and the potential investor pool.
While the guidance does clearly outline how the US Department of Treasury views many virtual asset business models, it does not cover all possible crypto businesses. It is important to consider that just because a business does not fall neatly into one of the categories described does not mean it does not have FinCEN compliance obligations. Where things may be unclear, the business should reach out to an experienced compliance lawyer or reach out directly to FinCEN.
Compliance obligations are not going away. BSA requirements, including AML/KYC are a critical component of reducing crimes such as terrorist financing, money laundering, fraud, sexual exploitation, slavery, and many other crimes. Financial institutions working with regulators are a critical component to reducing the impact of bad actors. As early movers in the industry that will one day take over traditional financial markets, it is critical for us to work together to ensure the solutions, businesses, and technology we build are creating a future we can look forward to living in.
About the author: Greg Pinn, Head of Product Strategy at iComply Investor Services, has over a decade of experience leading global best practices in the anti-money laundering (AML) and know-your-customer (KYC) industry. Greg specializes in building industry leading products, including Thomson Reuter’s World-Check – now Refinitiv, to help financial institutions, both traditional and crypto, to scale operations, reduce risk and ensure compliance with global regulations. At iComply, Greg works to with industry leading virtual asset service providers to develop, build, and maintain best-in-class compliance programs.