The past year has seen a flurry of new regulations, laws, and guidance documents on cryptocurrencies. The Office of Foreign Assets Control (OFAC), the European Union (EU), the Financial Action Task Force (FATF), and various other governments are actively trying to regulate the space.
For example, in July, FATF, a global money laundering watchdog, published Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. This document clarifies how the FATF Recommendations should be applied to the cryptocurrency sector. It also added two new definitions as follows:
A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities, and other financial assets that are already covered elsewhere in the FATF Recommendations.
Virtual asset service provider means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
- exchange between virtual assets and fiat currencies;
- exchange between one or more forms of virtual assets;
- transfer of virtual assets;
- safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
- participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
FATF recommends that all cryptocurrencies be licensed, that they should screen for designated persons as part of their compliance programs, and that all virtual asset transactions be considered as cross-border transactions and, therefore, subject to the same compliance obligations.
Another interesting note about the FATF guidance is that it states, “It is important that FIs apply the risk-based approach properly and do not resort to the wholesale termination or exclusion of customer relationships within the VASP sector without a proper risk assessment.”
Joe Cicollo, president of BitAML, is not surprised that FATF warned against the “wholesale exclusion” of the virtual asset industry. His firm advises cryptocurrency businesses on how to stay compliant with sanctions and AML regulations, so he is well aware of this unfortunate practice.
Many of his clients face difficulty when trying to find an institution that will offer them banking services due to cryptocurrency’s inherent risk, so he hopes that the FATF recommendations will help. “It is hard to imagine de-risking getting worse,” he said.
European Union’s new directive
Countries in the European Union are currently making changes to their laws and regulations to comply with the 5th Anti-Money Laundering Directive (AMLD5), which for the first time included virtual currencies in its regulatory framework and called on member countries to register them. A working paper published by the European Commission in July, however, points out that the AMLD5 definition of virtual currency is not as broad as the FATF’s.
The stakeholders the directive includes are custodian wallet providers, which are similar to personal bank accounts, and exchange platforms that exchange virtual currency for fiat currency and vice versa.
It does not include virtual currency to virtual currency exchanges, miners who solve complex math problems to earn small amounts of cryptocurrency, and initial coin offerors who offer coins to individuals when launching a new cryptocurrency (similar to when a company offers stock in an initial public offering). The commission says that it is assessing “suitable ways to complete its regulatory framework so as to ensure that VC/VAs and all VC/VA service providers are properly covered by anti-money laundering obligations.”
Complying with OFAC
The United States, through the Office of Foreign Assets Control, has perhaps provided the most in-depth guidance regarding cryptocurrency sanctions compliance. OFAC has, on its site, a list of virtual currency-related FAQs that are quite informative.
They clearly state that the compliance obligation is the same for fiat currency and digital currency. Firms that facilitate or engage in online commerce or process transactions in digital currency are responsible for ensuring that those transactions are not prohibited by U.S. sanctions.
Technology companies, payment processors, administrators, and cryptocurrency exchanges are expected to develop risk-based compliance programs, which should include processes to screen transactions against the OFAC Specially Designated Nationals and Blocked Persons (SDN) list.
Cicollo says that some of his clients use the OFAC online tool to screen against the SDN list. However, the process can be time-consuming and tedious, so he suggests that companies look into subscription-based screening tools.
Last year, OFAC made a statement to show its commitment to enforcing cryptocurrency compliance by adding two digital currency addresses to its list as part of an enforcement action against two Iranian nationals who were involved in the SamSam ransomware scheme. In August, the agency added more addresses to the list as part of an action taken against two Chinese individuals involved in fentanyl trafficking.
Institutions that have determined that they are holding cryptocurrency associated with an SDN should take steps to block the currency and file a report with OFAC that includes information on the wallet or digital currency address, including ownership.
State regulators and United Nations Security Council take notice, too
Virtual asset providers in the United States may also be required to register as a money services business in the state in which they do business. These regulators, such as the New York Department of Financial Services, have also been cracking down on cryptocurrency businesses. Take, for example, the virtual currency business Bittrex, Inc. – the NYDFS not only denied their application but also ordered the company to immediately cease operations. The regulator stated that one of the reasons for the action was that the company’s “OFAC compliance procedures lack a robust process to remain up-to-date with current OFAC lists.” Because of the inadequacies of its compliance program, examiners found that a large number of transactions for customers in Iran and North Korea were not flagged and were thus processed.
A notable 2019 report from the United Nations Panel of Experts on North Korea sanctions says that “Democratic People’s Republic of Korea cyber actors have also engaged in the mining of cryptocurrency. A Member State informed the Panel that a professional branch of the Democratic People’s Republic of Korea military is engaging in such mining. One open source report noted a significant increase in Bitcoin and Monero mining activity within the Democratic People’s Republic of Korea, which it attributed to elites and others with Internet access within the country. Given the increased anonymity of cryptocurrencies, newly mined cryptocurrency can be used to facilitate sanctions-evasion activity.”
As the industry grows and the number of people who use cryptocurrency increases, bad actors will find new ways to take advantage of the rapidly evolving technology to evade sanctions.