Pseudo-anonymity and decentralization are the main characteristics of cryptocurrencies. However, because they offer capabilities such as increased privacy, illicit acts including fraud, trafficking, money laundering and more become a serious financial and national security problem. Privacy attracts criminals and drives different typologies of nefarious activities. Regulatory agencies aim to protect both customers and their assets against illicit behaviors, and accordingly have increased scrutiny on the blockchain and digital assets space.
Arthur Hayes, a wealthy businessman and banker, is the former CEO of BitMEX, an opaque cryptocurrency exchange platform built out of thin air; he is one of three billionaire co-founders. On April 6, 2021, Hayes turned himself in to face U.S. charges for violating the Bank Secrecy Act (BSA). The BSA is designed to enlist U.S. financial institutions, by way of regulatory obligation, to assist U.S. government agencies in detecting and preventing money laundering. The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) found that BitMEX failed to implement the appropriate policies, procedures, and internal controls to prevent clients using virtual private networks from accessing trading platforms and bypassing Internet Protocol monitoring. [Full disclosure: I worked at FinCEN, the Treasury Department and the DOJ.]
Considering the regulatory scrutiny and risk of abuse that cryptocurrency businesses are exposed to by both the government and criminal actors, entities involved in digital assets and blockchain technology would be well advised to review their compliance programs and best practices in order to insulate their businesses as the crypto world awaits new regulation spurred by an increase in cyber-enabled financial crime and governments reacting with zero tolerance.
The Genesis of a “Culture of Compliance”
Consequences of non-compliance can be severe, and range from civil money penalties and litigation to judicially-ordered cessation of business activities, and even imprisonment. Just as compliance obligations and potential penalties encourage businesses to conform, compliance also encourages employees to act appropriately and responsibly towards the business and embrace professionalism towards both the customer base and the sensitive data controlled by the employer. This professional and compliance-first mindset is accomplished by integrating compliance into the corporate culture itself, most importantly values and behaviors. It is critical that the behaviors of compliance are modeled starting at the top, by senior management and C-Suite executives.
The return on investment in a culture of compliance comes into play as the business grows. As with BitMEX, it may come as a surprise how unprepared a business is to comply with regulations as it grows. In the United States, the BSA is not the only regulatory program involving crypto, nor is FinCEN the only federal regulator with an interest in the digital assets space. To become and remain compliant, Virtual Asset Service Providers (VASPs) must adhere to the dynamic and evolving requirements of multiple regulatory authorities. Getting well-acquainted with the authorities regulating the region in which the business operates is essential to the robustness of its compliance. Indeed, the cultural fundamentals of compliance — impressed on employees — may help motivate them to fulfill the requirements, but the company may not be entirely equipped for it. Regulations of critical importance to the culture of compliance for VASPs are promulgated by the following authorities:
The Office of Foreign Assets Control (OFAC): An office within the U.S. Department of the Treasury in charge of administering and enforcing economic sanctions against specific foreign countries, geographic regions, entities, and individuals in order to advance U.S. foreign policy and national security objectives.
The Financial Crimes Enforcement Network (FinCEN): The mission of FinCEN is to protect the financial system from unlawful use, prevent money laundering, and enhance national security through the gathering, analysis, and dissemination of financial intelligence and the strategic use of financial authorities.
Securities and Exchange Commission (SEC): The mission of the SEC is to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation. The SEC strives to promote a market environment that is worthy of the public's trust.
Commodity Futures Trading Commission (CFTC): The CFTC protects the public from fraud, manipulation, and abusive practices related to the sale of commodity and financial futures and options, and fosters open, competitive, and financially sound futures and option markets.
The aforementioned regulators govern a number of compliance obligations to achieve their missions, namely: Global Economic Sanctions, Anti-Money Laundering, Customer Identification and Know Your Customer programs, securities law, and commodities regulation. They hold crypto businesses and other financial institutions accountable for any breaches stemming from the transactions of their clients. As noted earlier, the consequences of non-compliance, or of failing to maintain a culture of compliance, are severe. In some cases, they can be the death knell for a VASP. Accordingly, a Chief Compliance Officer, regular compliance training, awareness programs for employees, testing and monitoring of compliance controls, as well as a dedicated point of contact within the business’s legal department should be in place to ensure the proper fulfillment of compliance obligations.
By Michael Fasanello, JD, Director, Training and Regulatory Affairs, Blockchain Intelligence Group