The Financial Crimes Enforcement Network (“FinCEN”) and the Office of Foreign Assets Control (“OFAC”) have recently stepped up the pressure on virtual currency companies. Increased regulatory scrutiny has largely taken the form of agency guidances, rulings and enforcement actions. Speeches from key agency officials and updates to agency websites have also shed light on what regulators expect from virtual currency companies. Regardless of form, the message for virtual currency companies, from initial coin offering (“ICO”) operators to virtual-currency exchanges, is clear: a FinCEN and OFAC compliance program is important for virtual-currency companies.
FinCEN has regulated virtual currencies since 2011. Pursuant to a 2013 guidance, FinCEN separates virtual currency actors into three categories: “users,” “exchangers” and “administrators.” A user “is a person that obtains virtual currency to purchase goods or services.” An exchanger “is a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency.” An administrator is a person that puts virtual currency into circulation and has the authority to withdraw virtual currency from circulation. Users are not subject to FinCEN’s regulations. By contrast, administrators and exchangers are subject to FinCEN’s regulations if they “(1) accept and transmit a convertible virtual currency or (2) buy or sell convertible virtual currency for any reason.”
In May 2019, FinCEN issued a second virtual currency guidance. According to FinCEN, the May 2019 guidance did not establish new regulatory obligations, but instead “consolidate[d]” current regulations, administrative rulings and guidance. FinCEN’s claim that the May 2019 guidance represented continuity rather than change is questionable, given the general absence of formal virtual currency regulation and the fluid state of virtual currency technologies and business models. Nevertheless, the guidance does clarify how FinCEN views certain virtual currency businesses, such as wallet providers (hosted and unhosted), decentralized applications (DApps) and payment-processing services.
Of late, FinCEN and the IRS, which conducts FinCEN’s money services business examinations, appear to be focusing more of their resources on virtual currency companies. The increased focus on virtual-currency companies has been reflected in numerous speeches by the Director of FinCEN, Kenneth Blanco. For example, in a recent speech, Mr. Blanco discussed FinCEN’s concerns regarding the use of virtual currencies to further criminal acts. He also discussed the importance FinCEN places on proper recordkeeping, and implied that certain recordkeeping requirements, such as the Travel Rule, present challenges for industry compliance.
OFAC has also taken the position that its compliance obligations extend to virtual currency companies. In general, OFAC will treat virtual-currency-denominated transactions the same way that it treats fiat (regular) currency transactions. OFAC stated on its “OFAC FAQs” webpage that administrators, exchangers, and users of virtual currency “should develop a tailored, risk-based compliance program, which generally should include sanctions list screening and other appropriate measures.” The agency also stated that it would begin listing digital currency addresses associated with sanctioned individuals on the SDN List. However, OFAC noted that “digital currency address listings are not likely to be exhaustive.” Indeed, OFAC did not publish a digital currency address on the SDN List until November 28, 2018, when it published the digital currency addresses of two designated individuals from Iran.
Takeaways for Virtual Currency Companies
The bottom line for most virtual currency companies is that they should consider having AML/CFT/OFAC compliance programs in place before they receive an examination notice from regulators. Implementing a compliance program after an examination has begun may not suffice. While assessing their compliance obligations, companies may also want to determine whether their activities subject them to the regulation of other agencies, such as the SEC.
In determining their compliance obligations, virtual currency companies should also note that regulators have provided some clarity regarding the scope of their compliance obligations. FinCEN, for instance, has addressed the compliance obligations of certain virtual currency business models and taken the position that foreign companies and ICO operators are subject to its regulations. Similarly, by stating that its digital currency address listings will not be exhaustive, OFAC has signaled that screening users against its list of digital currency addresses is a necessary, but insufficient, element of compliance.
Finally, the penalties for failing to comply with FinCEN’s regulations can be steep. Accordingly, virtual companies should consider reviewing their compliance obligations and stay up to date on the newest compliance technologies.