In case it was not already clear, the U.S. Department of Justice recently confirmed that ensuring the use of cryptocurrency “is safe, and does not imperil our public safety or our national security, is vitally important to America and its allies.” With the U.S. Attorney General’s Cyber-Digital Task Force’s Oct. 7 publication of the Cryptocurrency Enforcement Framework, we now know a lot more about how the DOJ views the threats cryptocurrency may pose, the regulatory tools at the government’s disposal to confront those threats and the challenges the government faces in cryptocurrency enforcement.
The Enforcement Framework contains three sections that provide a detailed report of the threats to public safety as we move toward Web 3.0 and the DOJ’s role within cryptocurrency and blockchain technology’s regulatory ecosystem. Part I of the Enforcement Framework provides a primer on the basics of blockchain technology and cryptocurrency and a detailed report on the illicit uses and crimes that involve the use of cryptocurrency. Part II describes the various cross-disciplinary and transnational regulations and authorities that work together to combat crimes related to the misuse of cryptocurrency. Part III sets out the task force’s challenges and strategies for addressing emerging threats involving money services businesses (MSBs), virtual asset service providers (VASPs) and cryptocurrency in general.
Interspersed throughout the Enforcement Framework are cases the DOJ has brought against VASPs that have used cryptocurrency in connection with activities impacting national security or violating established regulations. While these matters are not an exhaustive list of actions brought against VASPs, they bring a general insight into the types of issues that the DOJ and other regulatory bodies will likely be focused on going forward.
Former U.S. Attorney General Jeff Sessions formed the task force with the goal to undertake a comprehensive assessment of the DOJ’s work in the cyber area and identify how federal law enforcement can even more effectively accomplish its mission in this vital and evolving space. The task force includes representatives of relevant DOJ components, including the Federal Bureau of Investigation, and is chaired by Associate Deputy Attorney General Sujit Raman.
Part I: Threat Overview
In Part I of the Enforcement Framework, the task force details the basics of cryptocurrencies, including the attributes of a virtual currency, the anatomy of a cryptocurrency transaction and the key terms around bitcoin. After discussing the legitimate uses for cryptocurrencies, the Enforcement Framework expands on the actual and potential illicit uses. The key threats are bad actors using cryptocurrency to engage in financial transactions associated with crimes, such as buying illicit goods or arms on the dark web; engaging in money laundering; and crimes impacting the cryptocurrency marketplace, including stealing cryptocurrency from an exchange.
Part II: Law and Regulation
Part II of the Enforcement Framework describes the regulatory authority of state and federal agencies who have jurisdiction over VASPs and cryptocurrency transactions. Following is a summary of the key takeaways of the who, what, where and how of cryptocurrency regulations.
What federal criminal laws can be triggered?
Following is a summary of some of the key federal laws that may be implicated in the cryptocurrency world:
Wire Fraud, 18 U.S.C § 1343
Any scheme to defraud someone else by means of electronic communication.
Money Laundering, 18 U.S.C § 1956
Any scheme to conceal the illicit origins of funds through a sequence of commercial transactions.
Violating the Bank Secrecy Act, 31 U.S.C § 5311
Includes failure to implement anti-money laundering procedures, including failure to conduct know your customer (KYC) due diligence.
Operating an Unlicensed Money Services Business, 18 U.S.C § 1960
Failure to comply with registration and licensing procedures required for those providing money transmission services.
Securities and Commodities Fraud, 18 U.S.C. § 1348
Knowingly executing, or attempting to execute, a scheme or artifice to defraud any person in connection with any commodity for future delivery, or any option on a commodity for future delivery.
Tax Evasion, 26 U.S.C. § 7201
Willful attempt to evade or defeat any tax imposed by the Internal Revenue Code.
Who enforces the laws?
The DOJ has broad authority to investigate misconduct involving cryptocurrency and works with a number of other regulatory agencies who also have authority to enforce the laws and regulations applicable to value asset-related activities. The other regulatory agencies are: FinCEN, OFAC, OCC, SEC, CFTC, IRS, and state agencies and international consortiums, such as the FATF. Below is a summary based on the Enforcement Framework of the purview for each of these agencies and some of the key questions you should ask. Many of these issues, like who is an MSB and what is a security, are not straightforward and require complex fact-based analysis. You should contact experienced counsel to assist with this.
Financial Crimes Enforcement Network (FinCEN), U.S. Department of the Treasury: FinCEN serves as the Financial Intelligence Unit for the U.S., which means that its critical responsibility is to monitor suspicious transactions as well as other information related to money laundering and the financing of terrorism. FinCEN’s relationship with the DOJ and other local, state, or federal law enforcement agencies generally falls into crime prevention and investigatory assistance.
FinCEN has primary responsibility for enforcing the Bank Secrecy Act (BSA), which regulates MSB including cryptocurrency exchanges. Issuers should be careful to follow the rules and regulations set forth by FinCEN, including, among others, anti-money laundering (AML) and know your customer (KYC) compliance, as well as strict adherence to the BSA.
How do I know if I’m a money services business?
The threshold question in determining whether your business qualifies as an MSB is whether you may be deemed a “money transmitter.” In 2011, FinCEN issued a final rule defining an MSB to include a “person that provides money transmission services” defined as “the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.”
FinCEN has also stated that a person that obtains convertible virtual currency (CVC) to purchase goods or services is not an MSB, but that an administrator or exchanger of CVC that “(1) accepts and transmits CVC or (2) buys or sells CVC for any reason is a money transmitter” and an MSB under FinCEN’s regulations.
For purposes of the foregoing, an exchanger is “a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency” and an administrator is “a person engaged as a business in issuing (putting into circulation) a virtual currency, and who has the authority to redeem (to withdraw from circulation) such virtual currency.”
Importantly, certain foreign-located persons engaging in MSB activities within the U.S. fall within FinCEN's definition of an MSB, and therefore, must comply with FinCEN requirements.
Nonetheless, there are a number of exemptions from BSA requirements, and we recommend contacting experienced counsel to determine whether you qualify for an exemption from registration.
How can I ensure that my business is compliant with anti-money laundering and know your customer rules and regulations?
The BSA and its implementing regulations require MSBs to develop, implement and maintain an effective written anti-money laundering program that is reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities. The AML program must, at a minimum: (a) incorporate policies, procedures and internal controls reasonably designed to assure ongoing compliance (including verifying customer identification, filing reports, creating and retaining records, and responding to law enforcement requests); (b) designate an individual responsible to assure day-to-day compliance with the program and BSA requirements; (c) provide training for appropriate personnel, including training in the detection of suspicious transactions; and, (d) provide for independent review to monitor and maintain an adequate program.
Office of Foreign Assets Control (OFAC), U.S. Department of the Treasury: OFAC administers and enforces economic and trade sanctions against targeted foreign countries and regimes; terrorist groups; international narcotics traffickers; those engaged in activities related to the proliferation of weapons of mass destruction; those engaged in malicious cyber activities; and other entities that present threats to the national security, foreign policy or economy of the United States based on U.S. foreign policy and national security goals.
In general, issuers of virtual currencies should ensure that they do not engage in transactions that would otherwise be prohibited by OFAC sanctions, which includes transactions with persons on the blocked persons list, as well as transactions with certain jurisdictions.
What countries are on OFAC’s sanctions list?
OFAC administers a number of different sanctions programs. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals. The current sanctions program can be found here; however, we advise you contact experienced counsel to ensure compliance with all OFAC requirements.
How do I determine which individuals are on the OFAC list?
OFAC requires covered entities to ensure that they block the property and interests in property of anyone named on OFAC’s Specifically Designated Nationals and Blocked Persons (SDN) List, or any entity owned in the aggregate, directly or indirectly, 50% or more by one or more blocked persons. This list can be found here.
Office of the Comptroller of the Currency (OCC), U.S. Department of the Treasury: The OCC is charged with regulation and supervision of banks and federal savings associations. In July 2020, the OCC released an interpretive letter providing that national banks and federal savings associations are permitted to provide virtual asset custodial services to their customers.
Securities and Exchange Commission (SEC): The SEC is charged generally with investor protection in the trading markets. Further, the SEC seeks to “maintain fair, orderly, and efficient markets; and to facilitate capital formation.”
Is my cryptographic token or digital asset a “security”?
The issuance of a digital asset may fall under the purview of the SEC if such digital asset is deemed a “security.” While digital assets are not enumerated under the Securities Act’s definition of “security,” they may be deemed an “investment contract” and, thus, subject to federal and state securities laws. In an effort to help VASPs determine whether their digital asset may be deemed an investment contract, the SEC’s Strategic Hub for Innovation and Financial Technology (FinHub) previously introduced their Framework for "Investment Contract" Analysis of Digital Assets. However, because the factors are so malleable, it is often difficult for a digital asset issuer or other interested party to determine whether a given token would qualify as a security and we recommend consulting experienced counsel to assist with the analysis.
The Commodity Futures Trading Commission (CFTC): The mission of the CFTC, like the SEC, is to engage in investor protection. However, in the case of the CFTC, its regulatory focus is on the derivatives markets, which include options, swaps and futures contracts. The CFTC’s jurisdiction is implicated when a virtual currency is the underlying asset in a derivatives contract, or if there is fraud or manipulation involving a virtual currency traded in interstate commerce.
The CFTC has taken action against unregistered futures exchanges, as well as trading firms that offer margin or financed “retail” virtual currency transactions. On Oct. 1, 2020, in conjunction with parallel criminal charges by the DOJ, the CFTC filed a well-publicized action against BitMEX and its principals for, among other charges, failing with offering an unregistered derivatives trading platform to U.S. persons and failing to prevent money laundering. To ensure compliance with the rules and regulations established by the CFTC, we recommend contacting experienced counsel.
Internal Revenue Service (IRS): The IRS treats virtual currency as property for U.S. federal tax purposes. Thus, general tax principles apply to various virtual asset transactions. These principles include reporting capital gains or losses on the transacting in virtual assets and reporting and withholding for wages paid in cryptocurrency. On Oct. 9, 2019, the IRS issued additional guidance and FAQs for taxpayers who engage in virtual currency transactions, in an effort to help them better understand their reporting obligations.
State Authorities. In addition to the federal regulators provided above, each state has attorneys general, securities regulators and departments of financial services who are tasked with similar responsibilities as their federal-level counterparts.
International Regulation. The Financial Action Task Force (FATF) is an intergovernmental organization founded in 1989 with a mission to set standard and to promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing, proliferation of weapons of mass destruction, and other related threats to the integrity of the international financial system. In 2014, the FATF recognized the need to bring virtual asset-related activities within its scope and in 2015 issued global guidance as part of a staged approach to addressing the money-laundering and terrorist financing risks associated with virtual asset payment products and services.
In part, there are a number of domestic and global agencies that oversee the issuance and transacting in virtual currencies.
Part III: Ongoing Challenges and Future Strategies
In addition to recent enforcement actions, including the CFTC and DOJ’s allegations that BitMex and their executives illegally operated a cryptocurrency exchange, violated AML compliance requirements and violated the Bank Secrecy Act, Part III illustrates the legal positions the DOJ and other regulatory authorities take regarding applications of cryptocurrency and virtual assets. In particular, the Enforcement Framework describes how the DOJ is actively addressing situations where privacy and VASPs intersect. This includes (i) looking to global regulations to combat the use of privacy as a shield against complying with DOJ requests in criminal investigations, (ii) taking a closer look at VASPs who use cross-chain or multi-transaction methods to provide a transaction with greater anonymity and (iii) showing suspicion regarding the use of anonymity-enhanced cryptocurrency. The DOJ’s heightened scrutiny around matters involving privacy may affect how issuers of privacy-oriented cryptocurrencies structure their business model.
Does the DOJ have jurisdiction over activity that takes place outside of the U.S.?
Potentially. The DOJ has asserted authority over virtual asset activity conducted outside of the U.S. The Enforcement Framework discusses how the DOJ can establish jurisdiction when a virtual asset transaction touches financial, data storage and computer systems within the U.S. and has jurisdiction to prosecute actors who direct or conduct those transactions. Because of the DOJ’s jurisdictional reach, we recommend that VASPs and other participants in the cryptocurrency or virtual asset ecosystem structure their business model carefully such that they are either (i) in compliance with applicable regulations or (ii) do not have a U.S. presence at any level. Further, to prevent jurisdictional arbitrage and inconsistent global regulations, the DOJ is increasingly cooperating with authorities on state, national and international levels to ensure comprehensive and consistent regulation.
It is significant to note that, while the DOJ has stated in both its 2018 report and the Enforcement Framework that it does not intend to curtail innovation, the DOJ’s mission is ensuring safety and national security. The Enforcement Framework accordingly should be read through this lens. The DOJ emphasized that that it will “continue its aggressive investigation and prosecution of a wide range of malicious actors, including those who use cryptocurrencies to commit, facilitate, or conceal their crimes.”
What are the potential consequences for violating existing regulations?
VASPs and those involved with virtual asset transactions should be aware that regulators are cooperating with each other to prevent unlawful behavior by effecting criminal sanctions as well as monetary fines. However, while the DOJ and other authorities wish to target illicit behaviors, it is important to note that the regulatory regime reaches businesses who seek to engage in legitimate business activity and, therefore, any VASP should remain compliant with applicable laws, rules and regulations.
In the past, when the DOJ or other enforcement agencies have released comprehensive guidance like the Enforcement Framework, those agencies then ramp up enforcement activity in that particular space. For instance, the eight years following the first release of the DOJ and SEC Resource Guide to the U.S. Foreign Corrupt Practices Act in 2012 have seen a marked increase in DOJ and SEC investigations, resulting in over 110 FCPA enforcement cases and nearly $14 billion in monetary sanctions. Accordingly, we should expect that federal agencies with enforcement oversight in the cryptocurrency space will ramp up investigations and enforcement filings. The agencies regard formal guidance like the Enforcement Framework as a warning, and participants in the virtual asset markets should take heed. Virtual asset and cryptocurrency transactions cross a wide range of laws, rules and regulations, and participants should seek experienced legal counsel to ensure that they stay compliant with U.S. laws.