On October 19, 2023, the U.S. Department of the Treasury’s (“Treasury”) Financial Crimes Enforcement Network (FinCEN) announced a Notice of Proposed Rulemaking (NPRM) that would implement new recordkeeping and reporting requirements on domestic financial institutions and domestic financial agencies, related to transactions that they know, suspect, or have reason to suspect involve convertible virtual currency (CVC) mixing within or involving a non-U.S. jurisdiction. 

FinCEN issued the NPRM pursuant to Section 311 of the USA PATRIOT Act, which provides the Secretary of the Treasury (the “Secretary”) the authority to require domestic financial institutions and domestic financial agencies to take “special measures” where the Secretary finds reasonable grounds to conclude that a class of transactions, institution, account, or foreign jurisdiction is of “primary money laundering concern.”  The NPRM identifies international CVC mixing as a class of transactions of primary money laundering concern, highlighting the use of CVC mixing services by illicit actors including cyber criminals and terrorist groups.  According to FinCEN’s press release, the NPRM represents FinCEN’s first use of Section 311 to target a class of transactions.

Requirements Contained in the Proposed Rule

The proposed rule defines “CVC mixer” as any person, group, service, code, tool, or function that facilitates CVC mixing.  “CVC mixing” is defined as the facilitation of CVC transactions in a manner that obfuscates the source, destination, or amount involved in one or more transactions, regardless of the type of protocol or service used, such as: (1) pooling or aggregating CVC from multiple persons, wallets, addresses, or accounts; (2) using programmatic or algorithmic code to coordinate, manage, or manipulate the structure of a transaction; (3) splitting CVC for transmittal and transmitting the CVC through a series of independent transactions; (4) creating and using single-use wallets, addresses, or accounts, and sending CVC through such wallets, addresses, or accounts through a series of independent transactions; (5) exchanging between types of CVC or other digital assets; or (6) facilitating user-initiated delays in transactional activity. 

The definition of CVC mixing excludes “the use of internal protocols or processes to execute transactions by banks, broker-dealers, or money services businesses, including virtual asset service providers that would otherwise constitute CVC mixing, provided that these financial institutions preserve records of the source and destination of CVC transactions when using such internal protocols and processes; and provide such records to regulators and law enforcement, where required by law.”

The proposed rule would require financial institutions to report information regarding transactions involving CVC mixing in or involving a non-U.S. jurisdiction and the customer associated with any such transaction, including:

  • Amount of any CVC transferred, in both CVC and its U.S. dollar equivalent when the transaction was initiated;
  • CVC type;
  • CVC mixer used, if known;
  • CVC wallet address associated with the mixer;
  • CVC wallet address associated with the customer;
  • Transaction hash;
  • Date of transaction;
  • IP address and time stamps associated with the transaction;
  • Narrative description of the activity observed by the financial institution, including summary of investigative steps taken;
  • Customer’s full name;
  • Customer’s date of birth;
  • Customer’s address;
  • Email address associated with any and all accounts from which or to which the CVC was transferred; and
  • Unique identifying number for the customer (Taxpayer Identification Number, meaning an Employer Identification Number or Social Security Number, or the foreign equivalent).

The proposed rule would require the foregoing information to be reported to FinCEN within 30 days of initial detection of a reportable transaction.

Significantly, the NPRM indicates FinCEN’s expectation that both direct exposure and indirect exposure to CVC mixing involving a non-U.S. jurisdiction would trigger the reporting requirement under the proposed rule.  For example, if CVC were sent from a mixer to an intermediate wallet and then to a covered financial institution, the rule’s reporting obligation would be triggered; and the same would be true if CVC were sent from a covered financial institution to an intermediary wallet and then to a CVC mixer.  But transactions that are only indirectly related to CVC – such as a transfer of the fiat currency proceeds from an exchange of CVC that was previously processed through a CVC mixer – would fall outside the scope of the proposed rule.

Implications of the Proposed Rule

Should the rule be adopted as proposed, covered financial institutions will need to ensure that they collect the above-listed reportable information, or prevent transactions involving CVC mixers.  Many financial institutions may already collect some or all of the required information, but others would need to adjust their data collection and retention practices.  Some financial institutions may simply decline to engage in transactions involving CVC mixers.

Whether for the purpose of ensuring compliance with the rule’s reporting obligation or for the purpose of declining transactions involving CVC mixers, covered financial institutions may also need to enhance their transaction surveillance frameworks to identify direct and indirect exposure to non-U.S. CVC mixing, if the proposed rule is adopted.  According to the NPRM, “FinCEN would expect covered financial institutions to employ a risk-based approach” to compliance with the proposed rule, “including by using the variously available free and paid blockchain analytic tools commonly available.”

Another key issue is likely to be which platforms qualify as a CVC mixer.  The definition in the proposed rule is quite broad and could capture a wide range of platforms that are not typically considered mixers.  For example, exchanging between types of CVC or other digital assets would capture an array of decentralized protocols, many of which would not fall into the exemption for virtual asset service providers because they are not licensed or registered as such.  Additionally, if financial institutions (which include most digital asset custodial exchanges and platforms, among many other digital asset business models) decline to deal with CVC mixers to ease their compliance burden, that could have a significant impact on the liquidity and, potentially, viability of those CVC mixers.

The Treasury has shown an increased interest in addressing sanctions and money laundering-related concerns arising from CVC mixing over the past two years.  In 2022, the Treasury’s Office of Foreign Assets Control (OFAC) designated virtual currency mixers Blender.io and Tornado Cash as Specially Designated Nationals (SDNs) (see Steptoe’s blog post on the designation of Tornado Cash for more information).

Comment Period and Topics

In addition to inviting comments on all aspects of the proposed rule, the NPRM posits a number of specific matters for commenters to address, including, for example:

  1. What impact would this proposed rule have on legitimate activity conducted by persons in the course of conducting financial transactions?
  2. Does the proposed definition of CVC mixing adequately capture the activity of concern? If not, please provide suggested revisions to the proposed definition that would better capture such activity. Where possible, please provide information or examples to illustrate how the recommended revisions would improve upon the definition as proposed.
  3. Does the proposed exception to the definition of CVC mixing adequately account for legitimate activity conducted by VASPs and other financial institutions?

The comment period for the NPRM closes on January 21, 2024.

* * *

For additional information on this proposed rulemaking or assistance in preparing a comment, please contact a member of Steptoe’s AML and Sanctions Practice or Blockchain and Cryptocurrency Practice.

On September 1, 2023, the Financial Conduct Authority (“FCA”) set out its expectations for cryptoasset businesses in the UK’s compliance with the “Travel Rule”, introduced by The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 (the “Amended MLRs”).  The Travel Rule requires cryptoasset businesses to gather, authenticate, and share information concerning cryptoasset transfers.  Ultimately, the Travel Rule seeks to raise the level of transparency associated with cryptoasset transfers, bringing them into line with practices common in other areas of financial services, a feature that will have broader relevance to the future of the UK crypto industry.

The detailed guidance from the UK may also serve as an example for other jurisdictions that continue to struggle with implementation of the Travel Rule for cryptoassets.  For example, although US regulators have long asserted the Travel Rule applies to cryptoassets, there has been no specific guidance on how to apply the rule in that context.  A proposed rule from the US Department of the Treasury was published in October 2020 and would have provided some clarity on the topic, but was never finalized.

The Travel Rule Explained

The goal of the Travel Rule is to enhance transparency in cryptoasset transfers, thereby curbing the potential misuse of cryptoassets for illicit activities.  In particular, the Travel Rule is designed to advance anti-money laundering (“AML”) and counter-terrorist financing (“CTF”) efforts by equipping cryptoasset businesses to detect suspicious transactions and conduct effective sanctions screening.

The Travel Rule was introduced by the Amended MLRs as a new Part 7A of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLRs”) and, according to Regulation 1(3) of the Amended MLRs, comes into effect on September 1, 2023.

The FCA has stated that the introduction of the Travel Rule aligns with its dedication to consumer protection and market integrity, and epitomises its commitment to elevating standards within the cryptoasset sector.  Together with the FCA’s impending financial promotions regime for cryptoassets in October 2023, the Travel Rule is intended to contribute to safeguarding individuals, preserving market integrity, and nurturing the sustained competitiveness of the UK’s cryptoasset sector.

The impetus behind this regulatory shift stems from the Financial Action Task Force (“FATF”), an international body focussed on AML and CTF.  The FATF has not only urged the UK to embrace the Travel Rule, but also has called upon other countries to promptly adopt this standard, with the aim of standardizing the procedures for cryptoasset businesses across jurisdictions and ensuring uniformity in sending and receiving transactions – a move particularly pertinent due to the interconnected nature of the financial industry.

FCA Expectations for Implementation of the Travel Rule

Recognizing the potential roadblocks posed by varying adoption timelines and enforcement delays across different jurisdictions, the FATF has emphasized the need for a unified approach.  Consequently, in collaboration with industry players, the FCA has laid out guidelines for compliance with the Travel Rule.  These guidelines detail the expectations the FCA has for cryptoasset firms moving forward, including:

  1. Exercising Due Diligence: Cryptoasset firms are expected to diligently adhere to the Travel Rule by taking all reasonable steps, including conducting due diligence to ensure compliance.
  2. Third-party Responsibility: Even when collaborating with third-party suppliers, cryptoasset firms remain accountable for achieving Travel Rule compliance.
  3. Comprehensive Compliance: Cryptoasset firms must fully comply with the Travel Rule when sending or receiving cryptoasset transfers from entities located within the UK or other jurisdictions that have implemented the Travel Rule.
  4. Adapting to International Changes: Cryptoasset firms must regularly assess the implementation status of the Travel Rule in other jurisdictions and adapt their business processes accordingly to ensure ongoing compliance.

When a cryptoasset transfer is destined for a jurisdiction without the Travel Rule, the FCA expects cryptoasset firms to adhere to the following protocols:

  1. Verification Efforts: A cryptoasset firm must take all reasonable steps to determine whether the receiving entity can obtain the requisite information.
  2. Absence of Information: In cases where the necessary information cannot be obtained, UK cryptoasset businesses are still obligated to collect and validate the data as mandated by the MLRs.  This information should be stored prior to executing the cryptoasset transfer.

Conversely, when a cryptoasset transfer is received from a jurisdiction without the Travel Rule, the FCA expects cryptoasset firms to consider the following:

  1. Incomplete Data Considerations: In instances where the received cryptoasset transfer lacks complete or accurate information, UK cryptoasset businesses should evaluate the countries in which it operates and the status of the Travel Rule in those countries.
  2. Risk-based Assessment: The factors in 1. above should be taken into account as part of a risk-based assessment of whether the cryptoassets should be made available to the beneficiary.

The FCA have stated that this framework will remain dynamic as global adoption of the Travel Rule progresses, with any alterations to its expectations being communicated to the industry. To support cryptoasset businesses in complying with the Travel Rule, the FCA has collaborated closely with industry stakeholders, the Joint Money Laundering Steering Group, and HM Treasury to develop guidance, on which cryptoasset businesses have had an opportunity to provide feedback.  For more information on these developments, contact the authors of this post, Alexandra Melia or Elliot Letts in London.

After months of anticipation, a federal judge has finally ruled in the closely watched case of Joseph Van Loon, et al. v. Department of Treasury, et al.  This important case addressed challenges to the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) decision to impose sanctions on Tornado Cash as a Specially Designated National and Blocked Person (SDN).  The judge granted summary judgement in favor of OFAC, finding it had sufficient legal authority to designate Tornado Cash, and denied summary judgement on the plaintiffs’ claims.  Shortly after that ruling, OFAC announced the SDN designation of Roman Semenov, one of three alleged co-founders of Tornado Cash, and the Department of Justice (DOJ) charged Semenov and Roman Storm, another Tornado Cash founder, with multiple alleged criminal violations related to anti-money laundering (AML) and economic sanctions laws. 

Continue Reading Critical Tornado Cash Developments Have Significant Implications for DeFi AML and Sanctions Compliance

Cash method taxpayers that stake cryptocurrency native to a proof-of-stake blockchain and receive additional units of cryptocurrency as rewards when validation occurs must include the fair market value of the rewards in income in the year in which the taxpayer gains dominion and control of the rewards, according to the IRS.  Revenue Ruling 2023-14 (the “Ruling”), issued on July 31, explains the IRS’s position that those cryptocurrency rewards over which the taxpayer has dominion and control are income for purposes of Section 61[1] and the regulations thereunder.  The fair market value is determined as of the date and time the taxpayer gains dominion and control over the rewards.  Taxpayers have dominion and control over the rewards when they have the ability to sell, exchange, or otherwise dispose of the cryptocurrency received as rewards.  The Ruling also clarified that the result is the same if the taxpayer receives cryptocurrency rewards by staking cryptocurrency native to a proof-of-stake blockchain through a cryptocurrency exchange. 

The guidance is narrowly tailored to advise only on whether staking rewards are gross income, and does not provide guidance on other important open questions regarding the tax treatment of staking, such as the treatment of delegated staking, whether operating a validation node is a trade or business, or how to source income from staking rewards.

In addition, the factual scenario that the Ruling addresses is silent as to whether the staking rewards at issue involve newly-created tokens or pre-existing tokens.  However, the background discussion acknowledges that “validation rewards typically consist of one or more newly created units of the cryptocurrency native to that blockchain.”  This context suggests that the IRS disagrees with the position that has been taken by certain industry participants that staking rewards consisting of newly-created tokens are taxable only on a subsequent sale or disposition.  Although not law, the amended Lummis-Gillibrand Responsible Financial Innovation bill also reflects this perspective and, if enacted, would provide that rewards produced or received from staking activities are only includable in gross income at the time of sale or disposition. 

The IRS issued the Ruling on the heels of oral arguments in Jarrett v. United States[2], which took place in the Sixth Circuit on July 26.  In Jarrett, the taxpayers petitioned a district court for a refund of federal income taxes, alleging that the Tezos tokens the taxpayers earned from staking activities were newly-created property, akin to a baker combining ingredients to bake a cake, and therefore, the tokens were only taxable at sale.[3]  The government ultimately issued a refund check to the Jarretts before a decision was rendered and, despite the Jarretts’ best efforts to continue to litigate the case to gain certainty on the treatment of staking rewards, the district court dismissed the case as moot. 

Some cryptocurrency stakeholders celebrated the result believing that the refund symbolized a concession by the government that staking rewards are taxable only at sale or disposition.  Tax professionals, on the other hand, were more hesitant to read the government’s response as any sort of indication of how the rewards will ultimately be treated.  It appears that by paying the Jarretts’ $4,000 refund, the IRS was able to ensure the district court did not issue a ruling against their position and buy itself more time to issue guidance in this area.

This Ruling is unlikely to be the final word on the taxation of staking rewards.  Some taxpayers can be expected to continue to challenge the ability of the IRS to subject staking rewards to immediate taxation.  A revenue ruling is an official interpretation by the IRS of the Internal Revenue Code, related statutes, tax treaties and regulations.  However, it only represents the IRS’s conclusion on how the law is applied to a specific set of facts, so the Ruling is effectively retroactive but is not binding on courts.  Ultimately, it will be up to Congress (or the courts) to decide this issue.

[1] Unless otherwise specified, all “section” or “§” references are to sections of the Internal Revenue Code of 1986, as amended.

[2] Brief for Appellants, Joshua Jarrett v. United States, No. 22-6023 (6th Cir. Filed Feb. 7, 2023).

[3] Complaint, Joshua Jarrett v. United States, No. 3:21-CV-00419 (M.D. Tenn. May 26, 2021).

Earlier this year, the European Union (EU) voted in favour of the Markets in Crypto-Assets (“MiCA”) bill, which aims to regulate the crypto industry within the EU. The bill is seen as a major step towards establishing a comprehensive regulatory framework for cryptocurrencies and other digital assets in the EU that will undoubtedly make the EU an attractive destination for crypto firms. As the United Kingdom (UK) continues to navigate its post-Brexit regulatory landscape, the passing of the MiCA bill notably puts renewed and “significant jurisdictional pressure” on the UK to pass its own framework. The recent publication of the Law Commission of England & Wales’ (Law Commission) report, “Digital Assets: Final report”, has only exacerbated this pressure by highlighting how parts of the UK are already ripe for crypto regulation. Yet, before making any further moves, there are a number of lessons that can be learned first from the passing of the MiCA bill that can positively impact the UK’s crypto industry, which continues to lie in wait for some form of regulation to propel it into action.  However, as the UK looks to reaffirm its status as a key global financial hub, it also faces the challenge of implementing an appropriate level of crypto regulation without stifling innovation in the sector.     


The UK government has been actively considering the regulation of the UK crypto industry for several years. A timeline of significant events and legislation in relation to the UK government’s position on the industry can be summarized as follows:

These developments demonstrate the UK government’s increasing focus on the regulation of the crypto industry and the need for companies operating in the industry to comply with existing financial services regulation. However, as the UK government continues to develop its regulatory framework for the industry, there are several lessons that it can learn from the passing of the MiCA bill and its potential impact on the UK’s future regulation of the crypto industry.

Lesson 1: Embrace comprehensive regulation

The passing of the MiCA bill demonstrates that regulators in the EU are taking a proactive approach to regulating the crypto industry. The bill seeks to establish clear rules for the issuance and trading of digital assets, as well as address issues such as market abuse, cybersecurity, and investor protection. By establishing a comprehensive regulatory framework, the EU is sending a signal to the industry that it is serious about promoting innovation while also protecting consumers and maintaining financial stability.

The UK can learn from this approach and seek to establish its own comprehensive regulatory framework for the crypto industry. Currently, the FCA only requires certain crypto assets to be regulated under existing financial services legislation. However, with the growth of the crypto industry and many crypto businesses looking to the UK as a base for expanding operations, the need for a more comprehensive regulatory framework is becoming increasingly apparent. The MiCA bill provides a useful roadmap for the UK in this regard.

Lesson 2: Promote international co-operation

The MiCA bill also highlights the importance of international co-operation in regulating the crypto industry. The bill includes provisions for cross-border trading and co-operation between national regulators, reflecting the global nature of the crypto industry. By promoting international co-operation, the EU is seeking to establish a level playing field for all market participants and to avoid regulatory arbitrage.

The UK can learn from this approach by seeking to co-operate with other jurisdictions in regulating the crypto industry. The UK has already taken steps in this direction by joining the Global Financial Innovation Network (GFIN), a group of international regulators seeking to promote innovation in financial services while ensuring consumer protection. As the crypto industry continues to grow, it will become increasingly important for regulators to work together to establish a consistent regulatory framework.

Lesson 3: Strike a balance between innovation and regulation

Finally, the passing of the MiCA bill highlights the need to strike a balance between promoting innovation and maintaining regulatory oversight. The bill seeks to establish clear rules for the issuance and trading of digital assets while also providing a supportive environment for innovation. By striking this balance, the EU is seeking to ensure that the crypto industry can continue to grow and innovate while also minimizing risks to consumers and financial stability. The UK can learn from this approach by seeking to strike a similar balance in its own regulatory framework.

So far, in the absence of any clear regulatory framework, the US has opted for a more punitive approach to crypto regulation, which has caused many US-based crypto businesses to consider investing more overseas, or even relocating. Some of these crypto businesses have taken issue with the US’ seemingly haphazard approach when it comes to targeting large crypto businesses with enforcement actions, causing many innovators in this field to believe that the US does not have a clear rule book for the crypto industry. The UK will likely attempt to avoid similar action in order to prevent the stifling of innovation, as it aims to reaffirm its reputation as a global hub for fintech innovation. The growth of the crypto industry presents an opportunity for the UK to continue to lead in this area. However, embracing innovation must be balanced against the need for effective regulation to protect consumers and maintain financial stability.

Recent UK Developments

In March, 2020, the Ministry of Justice asked the Law Commission to review the law on crypto-tokens and other digital assets and to consider how the principles of private law, specifically personal property law, apply to digital assets and what regulatory changes may need to be made to accommodate such assets.

On June 28, 2023, the Law Commission published its final report, which found/recommended the following:

  1. There will likely be a tripartite approach to law reform in this area involving: (i) targeted legislative reform, (ii) continued development of the common law; and (iii) guidance from a panel of industry specific technical experts;
  2. Statutory reform will be necessary to confirm the existence of a third category of personal property rights of “things” to include digital objects, but without strict definitions or boundaries, which should instead be developed by common law;
  3. The concept of “control” in the case of digital assets can be highly complex and may differ between factual and legal control such that this is an area where non-binding guidance from a technical expert group would be of assistance;
  4. The introduction of a bespoke statutory legal framework that facilitates entering into, operating, and enforcing certain crypto-token and cryptoasset collateral arrangements will be necessary; and
  5. The Financial Collateral Arrangements (No 2) Regulations 2003 will need to be amended to clarify the treatment of collateral arrangements involving certain cryptoassets (including Central Bank Digital Currencies (CBDCs), stablecoins, equity and debt securities and credit claims).

While the recommendations within this report will serve only as a guideline for UK legislators, the report highlights that UK laws have already proven themselves to be sufficiently resilient and flexible in their recognition of digital assets as things to which personal property rights can relate. These findings should empower legislators to act more decisively in establishing a regulatory framework for the crypto industry sooner rather than later.


The passing of the MiCA bill represents a major milestone in the regulation of the crypto industry in the EU. As the UK government continues to develop its regulatory framework for the industry, there are several lessons that it can take from the passing of the MiCA bill, which could ultimately see the EU offering a trading environment that is more permissive and looks more attractive to institutions and to innovators when compared to the UK. By embracing comprehensive regulation, promoting international co-operation, and striking an appropriate balance between innovation and regulation, the UK can establish a regulatory framework that promotes innovation while also protecting consumers and maintaining financial stability. With the findings of recent research suggesting that the UK regulatory landscape is ripe and ready for the introduction of definitive crypto-related legislation, there has never been a better time for the UK government to capitalize on this momentum. However, as the UK crypto industry continues to evolve, it will still be important for regulators to remain proactive and adaptive to ensure that the benefits of this technology can be realised while minimizing the risks.

For more information on how these developments could impact your organization, contact the authors of this post, Alexandra Melia or Elliot Letts, in Steptoe’s Economic Sanctions team in London.

The Department of the Treasury’s recently issued Illicit Finance Risk Assessment of Decentralized Finance is principally intended to provide insight on how illicit actors are abusing decentralized finance (DeFi) services, as well as anti-money laundering (AML) and countering the financing of terrorism (CFT) vulnerabilities unique to DeFi.  However, the report also contains critical insight on how Treasury, and, presumably, the Financial Crimes Enforcement Network (FinCEN) within Treasury, view the applicability of existing US AML/CFT regulations, issued pursuant to the Bank Secrecy Act (BSA), to DeFi projects. 

FinCEN has previously issued two guidance documents regarding what it calls “convertible virtual currency” or “CVC,” as well as a number of administrative rulings.  The 2013 guidance did not specifically discuss DeFi.  The 2019 guidance briefly addresses decentralized applications (“DApps”) and decentralized exchanges, but dedicates only a couple of pages to the topic. 

The Risk Assessment dedicates significantly more text to the topic of when a DeFi project might be subject to FinCEN’s rules, particularly as a money transmitter, a type of money services business (MSB).  The Risk Assessment states that it “does not alter any existing legal obligations, issue any new regulatory interpretations, or establish any new supervisory expectations.”  However, it does make explicit a number of important points that are at best implied in FinCEN’s 2019 guidance and introduces critical new terminology that does not appear in the prior FinCEN guidance.  For example, the Risk Assessment draws a sharp distinction between the concept of “decentralization,” which it states is not relevant to assessing a DeFi project’s status under the BSA, and “disintermediation,” which it states is relevant (albeit as a gap in existing rules that should be filled).  Notably, “disintermediation” is a term that is never used in FinCEN’s prior guidance.

Therefore, while the Risk Assessment is purportedly not intended to provide “new regulatory interpretations” it is a key new document in understanding how the BSA applies to DeFi projects.

FinCEN’s 2019 Guidance on DeFi

To understand the intersection of the Risk Assessment and FinCEN’s prior guidance, it is worth briefly revisiting that guidance.  As noted above, FinCEN’s 2019 guidance addresses DApps and decentralized exchanges.  FinCEN’s 2019 guidance describes DApps as, “software programs that operate on a P2P network of computers running a blockchain platform (a type of distributed public ledger that allows the development of secondary blockchains), designed such that they are not controlled by a single person or group of persons (that is, they do not have an identifiable administrator).”

The guidance explains “when DApps perform money transmission, the definition of money transmitter will apply to the DApp, the owners/operators of the DApp, or both.”  However, it adds that “the developer of a DApp is not a money transmitter for the mere act of creating the application, even if the purpose of the DApp is to issue a CVC or otherwise facilitate financial activities denominated in CVC,” provided the developer does not use or deploy the DApp to engage in money transmission.  FinCEN rules may also apply to third parties that use the DApp to engage in money transmission.

With respect to decentralized exchanges, FinCEN explains:

[I] f a CVC trading platform only provides a forum where buyers and sellers of CVC post their bids and offers (with or without automatic matching of counterparties), and the parties themselves settle any matched transactions through an outside venue (either through individual wallets or other wallets not hosted by the trading platform), the trading platform does not qualify as a money transmitter under FinCEN regulations.

Conversely, FinCEN rules do apply if, “when transactions are matched, a trading platform purchases the CVC from the seller and sells it to the buyer.”

Risk Assessment

The Risk Assessment builds on the rather sparse discussion of DeFi in the 2019 guidance in a number of significant manners. 

First, the Risk Assessment states that the centralized or decentralized status of a given DeFi project is not relevant to its status under the BSA.  For example, it explains “a DeFi service that functions as a financial institution as defined by the BSA, regardless of whether the service is centralized or decentralized, will be required to comply with BSA obligations, including AML/CFT obligations.  A DeFi service’s claim that it is or plans to be ‘fully decentralized’ does not impact its status as a financial institution under the BSA.”  While such a view is arguably implied in the 2019 guidance’s discussion of DApps it is not explicitly stated.  Nor does either the 2019 guidance or the Risk Assessment explain who FinCEN would expect to carry out AML/CFT compliance obligations in a fully decentralized model.  The creators that coded the project?  Each individual participant in the project?  Governance token holders or a DAO (if such a thing exists for the given project)?  Each potential answer raises a host of additional questions and complications not addressed in the guidance or Risk Assessment.

Second, the Risk Assessment discusses the concept of “disintermediation,” a term that never appears in FinCEN’s prior guidance.  According to the Risk Assessment, disintermediation refers to “virtual assets [that] can be self-custodied and transferred without the involvement of an intermediary financial institution.”  For example, disintermediation includes “users of unhosted wallets [that] can retain custody of and transfer their virtual assets without the involvement of a regulated financial institution.”  The Risk Assessment notes, “Many DeFi services claim to be disintermediated by enabling automated P2P transactions without the need for an account or custodial relationship.”  The Risk Assessment acknowledges that such disintermediated projects currently fall outside FinCEN rules, but suggests the rules should be updated to address that gap.  Therefore, the Risk Assessment draws a sharp line between “decentralization,” which is not relevant to an entity’s BSA status, and “disintermediation,” which is a key consideration.  This distinction does not appear in FinCEN’s prior guidance, at least not in any explicit manner.  As noted above, the word “disintermediation” never even appears in the prior guidance.

Third, the Risk Assessment states that FinCEN takes a different approach than the Financial Action Task Force (FATF) with respect to DeFi.  FATF is an international AML/CFT standards-setting body that establishes a series of recommendations for AML/CFT compliance, which, while not strictly obligatory, most jurisdictions seek to follow.  As outlined in FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, software programs themselves are not subject to AML/CFT requirements under the FATF standards and, therefore, fully decentralized DeFi projects are not subject to those obligations.  With that said, FATF notes that in practice most DeFi projects do have some elements of centralization and, therefore, may not in fact be fully decentralized, despite representations to that effect. 

FATF’s updated guidance was published in October 2021 and the United States was widely understood to be involved in that update.  No US government agency or official had publicly stated that the US disagreed with FATF’s approach to DeFi until the Risk Assessment.  The Risk Assessment criticizes FATF’s approach noting it “could lead to potential gaps for DeFi services in other jurisdictions” and contrasts it against the US approach in which, according to the Risk Assessment, the decentralized status of a project is not relevant to the applicability of the BSA.

Finally, the Risk Assessment highlights a number of ways in which projects claiming to be decentralized may in fact be largely or partially centralized.  Among other examples, the Risk Assessment cites:  a concentration of governance tokens or voting power, a concentration of nodes or validators, retention of an administrative key or similar back door to amend a protocol, and a centralized front-end that is necessary to access the protocol (or without which protocol access is very difficult).  However, as noted above, because the Risk Assessment states that the level of decentralization of a project is not relevant under the BSA, these factors should not impact the overall analysis of whether a project falls within the BSA. 

The Path Ahead

While the Risk Assessment is not intended to change regulatory interpretations, it contains the US government’s most extensive comments to date on the applicability of the BSA to DeFi and, as such, will undoubtedly shape how industry understands FinCEN’s rules and guidance.  The Risk Assessment’s introduction of new terminology and concepts that are, at best, only implied in FinCEN’s prior guidance will further heighten the importance of the document. 

The Risk Assessment indicates Treasury is open to receiving industry comments, including on the following questions:

  • What factors should be considered to determine whether DeFi services are a financial institution under the BSA? 
  • How can the U.S. government encourage the adoption of measures to mitigate illicit finance risks … including by DeFi services that fall outside of the BSA definition of financial institution?
  • The assessment finds that non-compliance by covered DeFi services with AML/CFT obligations may be partially attributable to a lack of understanding of how AML/CFT regulations apply to DeFi services.  Are there additional recommendations for ways to clarify and remind DeFi services that fall under the BSA definition of a financial institution of their existing AML/CFT regulatory obligations?
  • How can the U.S. AML/CFT regulatory framework effectively mitigate the risks of DeFi services that currently fall outside of the BSA definition of a financial institution?
  • How should AML/CFT obligations vary based on the different types of services offered by DeFi services?

Entities involved in the DeFi space may wish to carefully review the Risk Assessment and to provide comments to Treasury.  Steptoe is available to assist companies in preparing and submitting comments.  For assistance regarding this topic please contact a member of our Anti-Money Laundering Practice or Blockchain and Cryptocurrency Practice

On January 18, 2023, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an order identifying the virtual currency exchange Bitzlato Limited (Bitzlato) as a “primary money laundering concern” in connection with Russian illicit finance.  The order, which is the first of its kind, was issued pursuant to Section 9714(a) of the Combating Russian Money Laundering Act. 

Section 9714(a) is a relatively new provision that authorizes the Secretary of the Treasury to identify a financial institution operating outside the United States as a “primary money laundering concern” and to impose various restrictions on covered financial institutions from dealing with such entities.  The restrictions can vary widely, from heightened recordkeeping and reporting requirements to a prohibition on transmittals of funds between covered financial institutions and the institution of primary money laundering concern.  In this instance, FinCEN opted for the latter by prohibiting covered financial institutions from “engaging in a transmittal of funds from or to Bitzlato, or from or to any account or CVC address administered by or on behalf of Bitzlato.”  (FinCEN refers to most digital assets as “convertible virtual currency” or “CVC”.)

In a related action, the Department of Justice (DOJ) arrested the co-founder and majority owner of Bitzlato in Miami based on a criminal complaint for his alleged operation of an unlicensed “money transmitting business that transported and transmitted illicit funds and that failed to meet U.S. regulatory safeguards, including anti-money laundering requirements.”

About Bitzlato

As described in FinCEN’s press release, Bitzlato is a “virtual currency exchange” that provides traditional exchange and “Peer-to-Peer (P2P services).”  While Bitzlato is incorporated in Hong Kong it allegedly “maintains significant operations in Russia” where it appears to be headquartered.  FinCEN asserts that based on its investigation, including information provided to FinCEN from a blockchain analytics company, Bitzlato was engaged in the “facilitation of deposits and funds transfers by Russia-affiliated ransomware groups or affiliates, and transactions with Russia-connected darknet markets.”  It also allegedly engaged in a number of dealings with entities subject to US sanctions, including the darknet market Hydra. 

FinCEN added that Bitzlato did not take “meaningful steps to identify and disrupt illicit use and abuse of its services” and “advertised a lack of such policies, procedures, or internal controls.”  FinCEN further noted that even if Bitzlato did not knowingly engage in transactions with ransomware groups, “it provides an enabling environment for such ransomware criminals” due to its deficient anti-money laundering controls.

Conduct Prohibited Under the Order

Pursuant to FinCEN’s order, “A covered financial institution is prohibited from engaging in a transmittal of funds from or to Bitzlato, or from or to any account or CVC address administered by or on behalf of Bitzlato.”  The order defines “covered financial institution” as coterminous with the definition of “financial institution” in FinCEN’s rules, enumerated at 31 CFR § 1010.100(t).  Among other types of financial institutions, this includes banks, brokers or dealers in securities, and money services businesses (MSBs), a category that includes many digital asset platforms.

The order explains that a covered financial institution will not be deemed to have violated the order if, “upon determining that it received CVC that originated from Bitzlato or from an account or CVC address administered by or on behalf of Bitzlato, that covered financial institution rejects the transaction, preventing the intended recipient from accessing such CVC and returning the CVC to Bitzlato, or to the account or CVC address from which the CVC originated.” 

The order is effective beginning February 1, 2023 and has no expiration date. 

Comparison to Section 311

Section 9714(a) is similar to, and builds upon, Section 311 of the USA PATRIOT Act.  Under Section 311, the Secretary of the Treasury can identify a foreign jurisdiction, institution, class of transaction, or type of account as being of primary money laundering concern and require domestic financial institutions and domestic financial agencies to comply with certain “special measures.”  Such special measures may include one or more of the following:

  • Recordkeeping and reporting for certain transactions;
  • Collection of information relating to beneficial ownership;
  • Collection of information relating to certain payable-through accounts; 
  • Collection of information relating to certain correspondent accounts; and
  • Prohibition or conditions on the opening or maintaining of correspondent or payable-through accounts. 

Section 9714(a) authorizes the Secretary of the Treasury to impose one or more of the special measures listed above or to “prohibit, or impose conditions upon, certain transmittals of funds (to be defined by the Secretary) by any domestic financial institution or domestic financial agency, if such transmittal of funds involves any [identified] institution, class of transaction, or type of account.”  Therefore, Section 9714(a) is broader than Section 311 (although it is only available in the context of “Russian illicit finance”). 

Treasury has previously used Section 311 against virtual currency entities, including against Liberty Reserve in 2013.  However, it has not been a primary tool in Treasury’s arsenal when targeting virtual currency entities because the restrictions authorized under Section 311 are less effective in the virtual currency context.  As FinCEN’s Acting Director Himamauli Das recently told the House Committee on Financial Services, “Section 311 was enacted in a time when most financial relationships and transactions were done through the traditional banking system where there are traditional correspondent account relationships …. Currently, the Section 311 authority is not right-sized for the types of threats that we’re seeing through the use of cryptocurrency.” 

The FinCEN order also notes that Section 311 would have been inadequate to address the risks from Bitzlato because recordkeeping, information collection, and reporting requirements would be “insufficient” measures and because “[t]he types of CVC transactions that Bitzlato facilitates do not rely on correspondent or payable-through accounts between domestic financial institutions and foreign banks.”

Compliance Guidance

In addition to the press release and order, discussed above, FinCEN issued a Frequently Asked Questions (FAQ) document to provide additional guidance to industry. 

Prohibited Activities

The FAQs explain that covered financial institutions should “cease any and all transmittals of funds, including CVC, from or to Bitzlato, or from or to any account or CVC address administered by Bitzlato” and “incorporate the determination that Bitzlato is of primary money laundering concern into their Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) compliance programs.”  It adds that “FinCEN expects covered financial institutions, including, but not limited to, convertible virtual currency (CVC) exchangers, to implement procedures reasonably designed to ensure compliance with the terms of the Order and exercise reasonable due diligence to prevent it (or its subsidiaries) from engaging in transmittals of funds involving Bitzlato.”

Identifying Transactions Linked to Bitzlato

FinCEN does not provide a list of wallet addresses known to be associated with Bitzlato and instead recommends that covered financial institutions use “traditional compliance screening and blockchain tracing software, to identify their customers and determine whether they are involved in a transmittal of funds involving Bitzlato.”  This approach is notably different from that of the Department of the Treasury’s Office of Foreign Assets Controls (OFAC), which has begun routinely identifying certain wallet addresses associated with sanctioned persons (although dealings with a wallet address not specifically identified by OFAC can be still be prohibited or sanctionable, when the wallet address is associated with a sanctioned person).

Receipt of Unsolicited Funds from Bitzlato

The FAQs also address situations in which covered financial institutions receive unsolicited transfers from Bitzlato, including “dusting and/or spam attacks.”  Such attacks occurred after OFAC’s recent designation of Tornado Cash, and FinCEN “anticipates this will occur after the Bitzlato action” as certain persons may seek to “make a statement on the public blockchain.”  FinCEN acknowledges that given the nature of blockchain technology it may not be possible for covered financial institutions to decline or preemptively reject incoming CVC transfers.  Therefore, the FAQs explain that no violation will occur if a covered financial institution determines it has received CVC from Bitzlato and (1) prevents the intended recipient from accessing such CVC and (2) returns the CVC to Bitzlato or to the address from which the CVC originated. 

The return of the funds is only permitted when (1) doing so would not violate other laws, including OFAC rules, and (2) the funds are transferred in CVC (if the funds are transferred in fiat they must be preemptively rejected without accepting the funds). 

A covered financial institution returning funds may, upon establishing a process that can be referenced in an audit, elect to either pay any transaction fee itself or withhold a portion of the original CVC to “facilitate the rejection transaction in accordance with its accounting policies and procedures.”

This approach differs from OFAC rules which require the blocking of the property and interests in property of certain sanctioned persons when within the United States or the possession or control of a US person.  Returning previously received blocked funds to the sender would typically be considered a violation of OFAC’s rules and the obligations of the recipient to block (i.e., freeze) such funds.  The approach in FinCEN’s FAQs also differs from the OFAC rules regarding rejected transactions:  OFAC regulations require or authorize US persons to “reject” certain transactions by refusing to process the transaction, but such a rejection must occur before the rejecting party receives the funds.  To the extent that OFAC rules may require rejecting a transaction involving CVC, OFAC has not issued guidance indicating that covered financial institutions or other US persons are permitted to return the CVC to the sender after receiving it.

Timing for Rejection and Return

While there is no explicit time limit in which a covered financial institution must identify and reject and return a transaction associated with Bitzlato, FinCEN states that such institutions are “expected to take such steps that a reasonable and prudent financial institution would take in order to identify and reject transactions” and to “exercise reasonable diligence and discretion in rejecting transactions and develop an established process for rejections that can be referenced in an audit.”

Late Discovery of Bitzlato Funds

The FAQs address situations in which a covered financial institution identifies funds that originated from Bitzlato only after the funds have been provided to an end customer or withdrawn from the platform.  FinCEN notes that it “recognizes that screening software may not immediately identify some transactions as involving Bitzlato,” but nonetheless “expects that covered financial institutions will take such steps that a reasonable and prudent financial institution would take to identify any transactions that are prohibited by the Order.”

Historical Dealings with Bitzlato

The FAQs clarify that past dealings with Bitzlato do not violate FinCEN’s order and that absent additional facts, such a dealing is “not necessarily indicative of a connection to Russian illicit finance, money laundering, or other illicit activity.”  It adds that covered financial institutions should exercise “ordinary due diligence” to determine the significance of such transactions.

SAR Filing Obligations

The FAQs explain that the order does not impose a SAR filing obligation, but that consistent with a financial institution’s existing SAR reporting requirements, such institutions “may consider, as warranted and appropriate, Bitzlato’s identification as a primary money laundering concern related to Russian illicit finance” when making SAR filing decisions.  SARs filed in relation to Bitzlato should contain the phrase “FIN-9714 Bitzlato” in Field 2 (Filing Institution Note to FinCEN).

Implications for Foreign-Located MSBs and Their Executives

The criminal complaint against Bitzlato’s co-founder charges him with operating an “unlicensed money services business” in violation of 18 USC § 1960.  Charges against an individual defendant are illustrative of DOJ’s general policy of pursuing individual accountability in connection with corporate criminal conduct.  While evidence of criminal intent is often challenging for DOJ to muster in such cases, the complaint alleges that the defendant and others at the company viewed the unlicensed nature of the company’s activities and absence of any meaningful AML compliance program as essential features of Bitzlato’s offering and marketed it as such to platforms and users that were well understood to be engaging in criminal activities ranging from drug trafficking to laundering proceeds of ransomware attacks.  As asserted in DOJ’s press release, “Bitzlato sold itself to criminals as a no-questions-asked cryptocurrency exchange.”    

The apparent basis for US jurisdiction over the conduct of an executive at a non-US cryptocurrency exchange is also notable.  Although Bitzlato is organized in Hong Kong and purportedly operated from Russia and China, foreign-located MSBs are required to register with FinCEN and comply with FinCEN rules if they operate in “substantial part” within the United States.  There is relatively limited guidance as to what constitutes “substantial part” and only a handful of past enforcement actions dig into this issue. 

The complaint contains a fairly lengthy discussion of how Bitzlato satisfied the “substantial part” requirement and points to (1) knowingly servicing US customers, (2) conducting transactions with US-based exchanges, (3) using US “online infrastructure,” and (4) being managed by the defendant while he was in the United States.  The complaint does not state whether, in the view of DOJ, any of these factors alone would be sufficient to establish the required nexus or whether it is only in combination that the “substantial part” threshold is reached.  Past enforcement actions, including FinCEN and DOJ actions against BTC-E and BitMEX, have focused on servicing US customers, having US offices, and using US-based servers.  But those actions have not specifically focused on the location of individuals in management or on transactions between those platforms and US-based exchanges.  Therefore, while the complaint provides additional data points for companies seeking to understand the “substantial part” test, it may raise additional questions for some entities as well.

If you have questions regarding these actions please contact a member of Steptoe’s Anti-Money Laundering Practice or Blockchain and Cryptocurrency Practice.

On December 16, FinCEN issued a notice of proposed rulemaking (NPRM) entitled “Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities.” The NPRM is intended to implement the Corporate Transparency Act (CTA) and, in particular, to govern which entities may access corporate beneficial ownership information (BOI) that certain entities will soon be required to report to FinCEN under the CTA. Steptoe previously summarized FinCEN’s final rule on BOI reporting here. The NPRM has important implications for regulated financial institutions in the blockchain industry and would exclude many blockchain companies from accessing BOI.

What Happened

The new NPRM outlines the specific situations in which FinCEN will share BOI with third parties. The majority of these situations relate to requests by other governmental entities, including: (1) US federal, state, local, and tribal government agencies requesting BOI in furtherance of national security, intelligence, or law enforcement activity; (2) certain foreign governmental entities, including law enforcement agencies, judges, and prosecutors, among others; (3) federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence (CDD) requirements; and (4) the Department of the Treasury itself.

Certain private entities will also be able to access BOI in specific circumstances. More specifically, under proposed Section 1010.955(b)(4), “financial institution[s] subject to customer due diligence requirements under applicable law” may request BOI information to be used in facilitating compliance with FinCEN’s CDD rule. The CDD rule requires certain financial institutions to collect and retain information regarding the ownership and control of legal entity customers.

Under the CTA, FinCEN may disclose BOI to a financial institution only if “each reporting company that reported such information consents to such disclosure.”  Under the proposed rule, the relevant financial institution is responsible for obtaining and documenting the consent of the reporting company and must certify to FinCEN that it is a financial institution seeking to comply with the CDD rule and has obtained the required consent.

Finally, the NPRM requires financial institutions receiving BOI to take a number of measures to ensure the provided information is maintained in a secure manner, only used for authorized purposes, and only disclosed to authorized persons. Individuals working at financial institutions that receive BOI are permitted to share BOI with other individuals in the same financial institution so long as such persons are “within the United States.”  The inability of financial institutions to share BOI with non-US affiliates, or with other non-US persons who support customer due diligence functions, has potentially significant operational ramifications for international financial institutions.  

What it Means

Unlike some other jurisdictions, which make some BOI public (e.g., Companies House in the UK), the FinCEN BOI database will be confidential and accessible only by the above categories of actors. This means it will not be available to some financial institutions or to non-financial institutions seeking to conduct due diligence on their customers or suppliers. Nor will it be available to due diligence firms or software providers offering commercial screening tools.

It is notable that the NPRM treats financial institutions with CDD rule compliance requirements differently from those without, by only allowing financial institutions covered by the CDD rule to have access to the BOI in FinCEN’s database. Financial institutions subject to the CDD rule include banks, trust companies, credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities. (Historically certain state-chartered trust companies were not subject to the CDD rule, but this changed in September 2020.)  However, a number of other types of financial institutions, including money services businesses (MSBs) and dealers in precious metals, precious stones, and jewels, are not subject to the CDD rule. This means that, under the proposed rule, these types of financial institutions would not be able to access the FinCEN-reported BOI information for compliance purposes.

Many blockchain platforms, such as exchanges, hosted wallet providers, and dealers, are regulated as MSBs, meaning they would be excluded from BOI access. However, a small number of blockchain entities are regulated as trust companies or other entities covered by the CDD rule.

The CTA authorizes FinCEN to disclose BOI to financial institutions seeking to comply with “customer due diligence requirements under applicable law.”  The NPRM acknowledges that the CTA leaves the phrase “customer due diligence requirements” undefined and, as such, FinCEN chose to define that term narrowly to mean FinCEN’s CDD rule contained at 31 CFR § 1010.230. It explains that FinCEN considered taking a broader approach, but ultimately determined “a more tailored approach will be easier to administer, reduce uncertainty about what FIs may access BOI under this provision, and better protect the security and confidentiality of sensitive BOI by limiting the circumstances under which FIs may access BOI.”  Nonetheless, the NPRM specifically solicits comments on “whether a broader reading of the phrase ‘customer due diligence requirements’ is warranted under the framework of the CTA, and, if so, how customer due diligence requirements should be defined in order to provide regulatory clarity, protect the security and confidentiality of BOI, and minimize the risk of abuse.”

Exclusion from access to BOI for financial institutions not subject to the CDD rule has a number of implications. On one hand, such institutions will not be able to access a potentially useful and important tool in conducting know your customer (KYC) reviews and related compliance measures, potentially placing them at a disadvantage as compared to other financial institutions. On the other hand, not having access to BOI will eliminate any extra compliance burdens that may be generated by obtaining customer consent and submitting requests for BOI to FinCEN. It will also prevent scenarios in which a financial institution’s decision not to seek BOI is later questioned by a regulator.

The Path Ahead

FinCEN welcomes comments on the NPRM through February 14, 2023. The NPRM lists a number of specific questions on topics including the clarity of the rule, the disclosure limitations, limitations on the use of BOI by recipients, and the security and confidentiality requirements, among other topics. Steptoe’s Anti-Money Laundering Practice is available to assist entities in preparing comments on the NPRM.

Reports of FTX Group’s demise has been inescapable since news first broke of potential insolvency and misuse of customer funds. This blog post provides some background on the situation as well as some thoughts on what is likely to come next. Please see our blog post here on the enforcement storm that is about to hit the cryptocurrency industry—we will be posting additional blog posts on related topics here as well.

The Background

In late 2017, Sam Bankman-Fried founded Alameda Research (Alameda), a quantitative cryptocurrency trading firm headquartered in Hong Kong. Alameda provided a platform for trading in every cryptocurrency market, and was known for pursuing aggressive trading strategies. In 2019, Bankman-Fried founded FTX, a cryptocurrency exchange currently headquartered in the Bahamas, out of Alameda. Bankman-Fried built significant wealth through Alameda and FTX—in early 2022, FTX was reportedly worth $32 billion. While it was known early on that Alameda traded on FTX, industry understanding was that the two entities were distinct aside from common ownership. Shortly after Bankman-Fried founded FTX, the CEO of Binance, Changpeng Zhao (CZ), purchased a controlling stake in the company. FTX bought out Binance’s stake in 2021, for which Binance received over $2 billion, much of which was in FTT, the native token of FTX.

On November 2, 2022, Coindesk published an article discussing a report that revealed that a significant portion of Alameda’s assets were held in FTT. The article observed that “Alameda rests on a foundation largely made up of a coin that a sister company invented, not an independent asset like a fiat currency or another crypto.” Specifically, of the $14.6 billion in assets indicated on the Alameda balance sheet, $3.66 billion was in unlocked FTT and $2.16 billion was in FTT collateral.

The Collapse

On November 6, 2022, CZ announced on Twitter that Binance planned to liquidate its remaining FTT, citing “post-exit risk management.” In response, Alameda offered to purchase all of Binance’s FTT at $22 per coin, which Binance refused. Instead, Binance began to sell its FTT on the open market, resulting in a significant price drop for FTT. While FTX had already seen an increase in withdrawals since the Coindesk article was published, withdrawals rose dramatically following CZ’s announcement and the subsequent rejection of the Alameda offer—that evening, Bankman-Fried posted on Twitter that FTX “had already processed billions of dollars of deposits/withdrawals” that day. By the evening of November 6, fears arose among FTX customers about the solvency of FTX and Alameda.

On November 7, 2022, Bankman-Fried once again took to Twitter, this time stating (in now-deleted tweets) that FTX and customer assets were fine, that FTX had “enough to cover all client holdings,” and that FTX did not invest client assets. However, by the morning of November 8, 2022, customer withdrawals were taking longer to complete, and soon FTX stopped processing them. Reuters reported that FTX had seen $6 billion in withdrawals in the 72 hours prior, which appeared to cause a liquidity crisis for FTX. Later that morning, Bankman-Fried announced an agreement to sell FTX to Binance, pending due diligence, which was non-binding on Binance. In the same thread of tweets, Bankman-Fried highlighted that “the important thing is that customers are protected.” Much of the industry was, however, skeptical of the FTX-Binance deal.

On November 9, 2022, Binance backed away from the agreement to acquire FTX after reviewing FTX’s financial records. That day, Bankman-Fried sought help from Wall Street investors, stating during a call that FTX needed $8 billion in emergency funding to meet demand for client withdrawals. It was soon revealed that Bankman-Fried allegedly transferred at least $4 billion from FTX to Alameda when the trading firm suffered losses during the industry downturn of summer 2022, some of which was customer funds. Some reports indicated that Alameda owed FTX upwards of $10 billion—FTX had $16 billion in customer funds, and reportedly loaned half of those funds to Alameda. Notably, loaning customer funds was explicitly forbidden in the FTX terms of service, which stated that title to assets remained with the customer. Apparently, Bankman-Fried moved the funds through a “back door” built into FTX’s bookkeeping system that allowed him to alter the company’s financial records without alerting internal compliance.

On November 11, 2022, FTX filed for Chapter 11 bankruptcy protection, along with Alameda and over 130 other FTX-affiliated entities. Bankman-Fried also resigned as CEO of FTX. FTX could owe money to over 1 million customers.

What’s Next?

The collapse of FTX has shaken the crypto industry, particularly because FTX was viewed as one of the most trusted exchanges in the sector. FTX customers are most directly affected by the situation. The only potential reprieve for FTX customers is through bankruptcy proceedings. After filing for Chapter 11 bankruptcy, a business must submit a reorganization plan to the bankruptcy court, agreed upon by the debtor and its major creditors, and the court must confirm the plan. Typically, the goal should be to maximize recovery for creditors. This will not be a typical bankruptcy proceeding, however. Looming jurisdictional disputes between the Bahamas and the United States are likely to add to the complications. 

Following the bankruptcy proceedings, FTX customers should, in theory, receive some portion of the company’s remaining assets. However, it remains unclear what assets, if any, will remain to be disbursed given the recordkeeping discrepancies reported in the press. Another issue arises with respect to who owns the customer deposits. If deemed to be owned by FTX, the deposits would be pooled with the total remaining assets to be divided to pay all creditors, resulting in much lower payments for customers.             

Policymakers in Washington, D.C. are shocked by the apparent deception displayed by one of the most vocal advocates for a new crypto regulatory regime. Hearings are beginning to be scheduled to learn the details of what exactly happened and why in the FTX collapse, and it can be assured that more hearings and potential legislation will be discussed in the new Congress. Finally, federal prosecutors in New York are reportedly investigating the FTX collapse, and specifically the company’s handling of customer funds. This probe joins investigations by the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and law enforcement in the Bahamas.

With the collapse of FTX and Alameda so close on the heels of Celsius, one thing is clear – the regulatory and enforcement storm so many anticipated coming to crypto is now here.  Unfortunately, regardless of what the facts surrounding FTX and Alameda ultimately turn out to be, incidents like this serve to reinforce the biases of enforcement agencies against all crypto companies, regardless of their construction, design, operation, or leadership. For some prosecutors and investigators, this incident will be seen as validation of the view that everything and everyone in the crypto space is dirty, or a scam (or both).

That’s not true, and it’s not fair, but it’s the reality crypto companies are facing.  And these effects will linger long after the fall of FTX is a memory. 

Even in the best of times, it’s hard to get enforcement agencies not to paint all crypto companies with the same brush. These are not the best of times – and all it takes is one or two high-profile incidents to undo years of progress, and we’ve now had more than that just in the past few months.

So what should crypto companies be doing now, with these storm clouds clearly on the horizon?

First, line up counsel now, so you are prepared for the day when subpoenas arrive and agents start knocking on doors to interview your people. Decisions made in the initial moments of an investigation can have far-reaching consequences, so it’s important to think through those scenarios and issues in advance.  

Second, this is the time for a “wellness check” of sorts – a review of the areas of your business that are most likely to draw interest from DOJ and other agencies. AML/KYC.  Sanctions. Disclosures to customers or counterparties. Lending arrangements.  Arrangements among companies with shared or overlapping ownership. All of these should be scrutinized by your company now, because agencies will scrutinize them later.  And to be most useful, this type of review should be done by a different firm than the one that helped design your systems or drafted your policies. In these circumstances, a fresh set of eyes is better, and more credible with the government, than having a firm check its own work. This doesn’t mean displacing that firm – it means making sure you have covered all of your bases. Doing this type of review won’t prevent a company from being targeted, just as storm shutters can’t prevent a hurricane. But it will increase the chances that the company can mitigate the pain associated with any such investigation and put the company in a stronger position to get through it successfully.

Exchanges and other VASPs, decentralized exchanges and decentralized finance platforms, and others in the digital asset space would be wise to prepare now – the calm before the storm is over, and the storm will be with us for quite some time.