Two recent federal enforcement actions—announced the same day—have underlined the need for crypto companies to carefully consider their anti-money laundering (AML) obligations or else risk significant penalties.
First, on August 8, 2022, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) added Tornado Cash (Tornado) to the Specially Designated Nationals (SDN) list. Accordingly, Tornado generally will not be able to engage in transactions with U.S. persons.
Tornado is a virtual currency mixer that, according to OFAC, has been utilized to launder over $7 billion since its creation in 2019. Currency mixers collect digital assets in a pool, often obscuring their destination and origin. While this may be a legitimate way to protect crypto users' privacy, the practice also can be used to obfuscate illicit activity. In its announcement of the sanctions against Tornado, OFAC stated that mixers should generally be considered "high-risk" until they have "appropriate controls in place" to mitigate money laundering concerns.
Tornado is not the first virtual currency mixer that OFAC has sanctioned because of a weak or nonexistent AML program. The first mixer OFAC sanctioned was Blender.io, which OFAC said was used extensively by a hacking group sponsored by the Democratic People's Republic of Korea. In a press release addressing the Blender.io case, OFAC indicated that it will continue to "investigate the use of mixers for illicit purposes and consider the range of authorities [it] has to respond to illicit financing risks in the virtual currency ecosystem." More information about the risks associated with anonymity-enhancing technologies can be found in the 2022 National Money Laundering Risk Assessment.
The second enforcement action involved another money services business found to have weaknesses in its AML program. The United States Attorney for the Southern District of New York announced that Gregory Dwyer, the former head of business development at BitMEX, pleaded guilty to violating the Bank Secrecy Act (BSA). Prosecutors stated that BitMEX's failure to implement know-your-customer (KYC) requirements made it "in effect a money laundering platform" and that Dwyer's deliberate failure to "establish, implement, or maintain an anti-money laundering program" constituted a violation of the BSA. This is the fourth time that a high-ranking employee at BitMEX, an offshore crypto derivatives trading platform, has been held liable for such a violation.
The BSA requires covered entities to maintain effective AML policies, including a Customer Identification Program (commonly referred to as a KYC requirement). Specifically, financial institutions must collect certain identifying information from clients that use their services, verify that information to form a reasonable belief as to the identity of the client, and maintain relevant records. MSBs and other financial institutions that fail to implement and maintain an effective AML program risk liability for violating the BSA.
The U.S. Department of Justice and other regulators, such as the Financial Crimes Enforcement Network (FinCEN), have the authority to investigate and penalize violations of the BSA—and, as the BitMEX charges show, individual employees of these money services businesses also can be liable for such violations. In addition to KYC, an AML program generally must also include, among other things, a designated compliance officer to oversee the AML program, suspicious activity reporting, employee training, and an independent review or audit of the AML program.
The Tornado designation and BitMEX convictions serve as reminders that a financial institution must have and follow a robust AML program that is tailored to its operations, size, and risks—and periodically review the program to ensure that it remains sufficient in view of any changes to size and scope of the financial institution.
Covered "financial institutions" include traditional types, such as banks and broker-dealers, and non-traditional types, such as money services businesses, a category that subsumes "money transmitters." A crypto company that provides digital finance or banking products should consider its role in the flow of funds to determine whether it is considered a money services business. If a business is unsure whether it is a money transmitter or other type of money services business, please review our previous publication, "MSB or not MSB? That Is the Question."