On January 10, 2024, the Securities and Exchange Commission (“SEC” or the “Commission”) approved the listing and trading of eleven spot bitcoin exchange traded products (“ETPs”). [1]  The Commission declared effective the registration statements for ten of the ETPs on the same date.  This long-awaited approval stands in contrast to the SEC’s sixteen prior denials of similarly situated spot bitcoin ETP applications between 2018 and 2023.  In this post, we highlight five observations on the immediate, near term, and post-2024 impact this decision will have on the SEC’s regulatory approach to crypto.    

First, the approval of these ETP applications does not signal a shift in posture by the SEC towards the crypto industry.  Absent the D.C. Circuit’s Grayscale decision, the applications would not have been approved. 

The approval vote was comprised of an unusual, and undoubtedly short-lived, alliance among Chair Gensler and the two Republican SEC Commissioners: Hester Peirce and Mark Uyeda. Two Democratic Commissioners, Caroline Crenshaw and Jaimie Lizarraga, dissented in this decision.  The Commissioners’ public statements all make clear that the approval was the direct result of the August 2023 decision by the U.S. Court of Appeals for the District of Columbia Circuit (“D.C. Circuit”) in Grayscale v. SEC.[2]  In Grayscale, the D.C. Circuit vacated the Commission’s 2023 order denying an application for the listing and trading of the Grayscale Bitcoin Trust.  In a unanimous decision, the three judge D.C. Circuit panel determined that the SEC’s denial of the Grayscale application was arbitrary and capricious because the Commission failed to reasonably explain why it approved the listing and trading of two bitcoin futures ETPs but not Grayscale’s similar proposed bitcoin ETP.   

Chair Gensler’s statement suggests that he felt compelled to vote in favor of the now-approved applications due to the D.C. Circuit’s Grayscale decision.[3]   Commissioner Peirce, who has long argued that bitcoin ETP applications should have been approved, including those previously denied, explained the catalyst for the recent approval as “D.C. Circuit-ex-machina.”  Commissioner Crenshaw expressed disagreement with the D.C. Circuit’s reasoning, but acknowledged that the only factor that has changed since the Commission’s last denial of a spot bitcoin ETP is the Grayscale decision. 

While the Grayscale decision led Chair Gensler to determine that “the most sustainable path forward is to approve,”[4] he clearly remains wary of bitcoin and crypto more generally.  For example, Chair Gensler warned that “bitcoin is primarily a speculative, volatile asset that’s also used for illicit activity including ransomware, money laundering, sanction evasion, and terrorist financing.”  These concerns were echoed and amplified in Commissioner Crenshaw’s statement.  Chair Gensler’s fundamental concerns with crypto clearly remain front of mind and will continue to guide his decision-making when approaching the crypto industry.   

Second, the outcome will not affect the SEC’s enforcement strategy against crypto trading platforms. 

 Chair Gensler directly addressed this issue, stating the Approval Order “should in no way signal the Commission’s willingness to approve listing standards for crypto asset securities. Nor does the approval signal anything about the Commission’s views as to the status of other crypto assets under the federal securities laws or about the current state of non-compliance of certain crypto asset market participants with the federal securities laws.”[5]

Notably, the Commission avoids making findings in the Approval Order regarding the ability of spot crypto trading platforms to address market manipulation or fraud.  With respect to the applications that originally identified surveillance-sharing agreements with Coinbase, the Commission noted that the amended applications “no longer reference these agreements,” and that such agreements “are not a basis for approval.”[6]  It is unclear whether the SEC requested the applications to remove references to the surveillance-sharing agreements.  Regardless, there is nothing in the Approval Order that suggests a change in the SEC’s enforcement strategy against crypto trading platforms is forthcoming. 

Third, the Commission is unlikely to expand the analysis underlying the approval to other spot crypto ETPs during the rest of Chair Gensler’s tenure. 

 While the Commissioners disagreed on whether the applications should be approved, they shared bipartisan dissatisfaction with the SEC’s shifting standards used to evaluate spot bitcoin ETPs. 

For context, Section 6(b)(5) of the Securities Exchange Act of 1934 (“Exchange Act”) requires that a national securities exchange’s rules be designed to “prevent fraudulent and manipulative acts and practices.”[7]  In prior denials of spot bitcoin ETP applications, the Commission stated that this obligation could be met by demonstrating that the exchange has a comprehensive surveillance-sharing agreement with a regulated market of significant size related to the underlying bitcoin.  The Commission has determined that every application has failed this test, including the applications approved on January 10, 2024.  Only twice has the Commission determined the significant market test to be satisfied: in the context of bitcoin futures ETP applications.  As noted above, the different treatment by the Commission of these two similar products (the bitcoin futures ETPs and spot bitcoin ETPs) was the basis for the D.C. Circuit’s Grayscale decision. 

In the Approval Order, the Commission adopted an “other means” test for determining that a national securities exchange’s rules are designed to prevent fraudulent and manipulative acts and practices under Section 6(b)(5) of the Exchange Act.  Despite referencing “other means,” the Commission’s new test continues to focus on the adequacy of the surveillance-sharing agreement.  The Commission evaluated a correlation analysis in the record and conducted its own correlation analysis to conclude that “fraud or manipulation that impacts prices in spot bitcoin markets would likely similarly impact [Chicago Mercantile Exchange (“CME”)] bitcoin futures prices.  And because the CME’s surveillance can assist in detecting those impacts on the CME bitcoin futures prices, the Exchanges’ comprehensive surveillance-sharing agreement with the CME . . can be reasonably expected to assist in surveilling for fraudulent and manipulative acts and practices.”[8]

Commissioner Uyeda lamented that the Commission “decided to disregard the D.C. Circuit” by failing to address the shortcomings of the significant market test and invented a new, previously unarticulated standard.[9]  Commissioner Peirce commented that the SEC “offers a weak explanation” for the change in outcome and urges the Commission to simply use the same standard applied to all other commodity-based ETPs.[10]  Commissioner Crenshaw highlighted  that “we are creating a new standard—but it is not clear exactly what this standard is.”[11] 

The bottom line is that the Commission’s new standard is just as malleable and unpredictable as its initial “significant market” test.  Applicants for spot ethereum ETPs can expect to spend significant resources to re-create the Commission’s correlation analysis in the Approval Order.  Given the shifting standards applied since 2018 and the vociferous opposition to the current tests by three Commissioners, applicants for ethereum- and other crypto asset ETPs should not assume that the standards in the Approval Order will be the only applicable standard in the future. 

Fourth, the Commissioner statements reveal a deep divide over the Commission’s mission and previews the starkly different stances towards crypto that the SEC may adopt after the 2024 election. 

Commissioner Peirce summarized the last decade of denial orders as demonstrating the failure of the Commission to do its job.  Specifically, Commissioner Peirce asserted that the experience has resulted in “diminished trust from the public,” and that the SEC “alienated a generation of product innovators.”[12]  Declining to endorse bitcoin or bitcoin-related products, Commissioner Peirce celebrated “the right of American investors to express their thoughts on bitcoin by buying and selling spot bitcoin ETPs.”[13] 

In contrast, Commissioner Crenshaw voiced deep concern with the Approval Order, particularly “that these products will flood the markets and land squarely in the retirement accounts of U.S. households who can least afford to lose their savings to the fraud and manipulation that appears prevalent in the spot bitcoin markets and will impact the ETPs.”[14]  In addition to these investor protection concerns, Commissioner Crenshaw argued that the SEC did not adequately address whether the rules were designed to protect the public interest, noting the use of bitcoin by criminals to evade sanctions, to demand ransom payments, and to fund our geopolitical rivals or adversaries.[15] 

Regardless of the outcome of the upcoming Presidential election, it will likely result in a new SEC Chair being appointed in 2025.  Whomever the next Chair is, there will be tremendous pressure to adhere to one or the other end of the spectrum: either adopting a regulatory philosophy towards crypto rooted in investor choice, innovation, and liberty, or a regulatory philosophy towards crypto that is hyper focused on investor protection and the implementation of merits-based oversight.    

Fifth, the approval marks the formal arrival of traditional financial institutions to the crypto industry. 

Household names of asset managers, national securities exchanges, and broker-dealers appear throughout the spot bitcoin ETP filings.  To the extent these bitcoin ETPs prove to be popular products with investors over time, these financial institutions’ interest in the products and expanding to other crypto investment vehicles will only grow.  While it will take time, eventually these institutions will begin taking greater interest in policy debates surrounding crypto in Washington, D.C.  This will introduce a different dynamic and could have consequential effects on crypto regulatory policy in the years to come.    

[1] See Sec. & Exch. Comm’n, Order Granting Accelerated Approval of Proposed Rule Changes, as Modified by Amendments Thereto, to List and Trade Bitcoin-Based Commodity-Based Trust Shares and Trust Units, Release No. 34-00306 (Jan. 10, 2024), available athttps://www.sec.gov/files/rules/sro/nysearca/2024/34-99306.pdf (hereinafter the “Approval Order”)

[2] See Grayscale Invs., LLC v. Sec. & Exch. Comm’n, No. 22-1142 (D.C. Cir. Aug. 29, 2023), available at https://www.cadc.uscourts.gov/internet/opinions.nsf/32C91E3A96E9442285258A1A004FD576/$file/22-1142-2014527.pdf.

[3] See Statement, Sec. & Exch. Comm’n Chair Gary Gensler, Statement on the Approval of Spot Bitcoin Exchange-Traded Products (Jan. 10, 2024), available athttps://www.sec.gov/news/statement/gensler-statement-spot-bitcoin-011023. 

[4] Id.

[5] Id.

[6] Approval Order at 10–11, fn 41. 

[7] 15 U.S.C. 78f(b)(5).

[8] Approval Order at 10.

[9] See Statement, Sec. & Exch. Comm’n Commissioner Mark Uyeda, Statement Regarding the Commission’s Approval of Proposed Rule Changes to List and Trade Shares of Spot Bitcoin Exchange-Traded Products (Jan. 10, 2024), available at https://www.sec.gov/news/statement/uyeda-statement-spot-bitcoin-011023.

[10] See Statement, Sec. & Exch. Comm’n Commissioner Hester Peirce, Out, Damned Spot! Out, I Say!: Statement on Omnibus Approval Order for List and Trade Bitcoin-Based Commodity-Based Trust Shares and Trust Units (Jan. 10, 2024), available at https://www.sec.gov/news/statement/peirce-statement-spot-bitcoin-011023.

[11] See Statement, Sec. & Exch. Comm’n Commissioner Caroline Crenshaw, Statement Dissenting from Approval of Proposed Rule Changes to List and Trade Spot Bitcoin Exchange-Traded Products (Jan. 10, 2024), available at https://www.sec.gov/news/statement/crenshaw-statement-spot-bitcoin-011023.

[12] Commissioner Peirce Statement, supra note 10.

[13] Id.

[14] Commissioner Crenshaw Statement, supra note 11.

[15] Id.

On November 7, 2023, the Consumer Financial Protection Bureau (CFPB) announced a notice of proposed rulemaking (NPRM) that would establish CFPB supervisory authority over certain nonbank companies “participating in a market for ‘general-use digital consumer payment applications.'”


The CFPB seeks to subject nonbank companies that provide digital payment wallets and applications to the CFPB’s supervisory authority under the Consumer Financial Protection Act (CFPA), similar to the supervisory authority it currently exercises over banks, credit unions, and other traditional financial institutions. 

The CFPB’s press release on the NPRM notes the specific aims of ensuring that large nonbank companies adhere to applicable funds transfer, privacy, and other consumer protection laws, and fostering a level playing field among such companies and depository institutions when it comes to financial protection. The CFPB expresses particular concern over compliance with the CFPA’s prohibition on unfair, deceptive or abusive acts and practices (UDAAP), the privacy provisions of the Gramm-Leach-Bliley Act and its implementing Regulation P, and the Electronic Fund Transfer Act and its implementing Regulation E.

While covered entities were already required to comply with these and other applicable statutes and regulations, subjecting them to CFPB supervision would subject them to additional regulatory oversight. The supervisory authority would allow the CFPB to (1) assess compliance with consumer financial laws, (2) obtain information about such persons’ activities and compliance systems and procedures, and (3) detect and assess risks to consumer and consumer financial markets information. The CFPB would be permitted to conduct examinations of supervised entities, including on-site review of compliance policies, processes, and procedures; test transactions and accounts for compliance; and evaluate the company’s overall compliance management system. The NPRM warns that, “[e]xaminations may involve issuing confidential examination reports, supervisory letters, and compliance ratings.”

The NPRM would not impose new substantive restrictions on the entities subject to the CFPB’s expanded supervisory authority. However, the CFPB clarifies that its expanded supervisory jurisdiction would “enable [it] to monitor for new risks to both consumers and the market,” which is “critical as new product offerings blur the traditional lines of banking and commerce.” In other words, closer scrutiny of nonbank entities in the digital payments space could spur additional regulation, whether via UDAAP, revised or expanded implementing regulations, coercive non-binding guidance, or other means.

Accordingly, the NPRM will likely have significant implications for the digital payments industry. It will place an expanded burden on covered entities to maintain and provide compliance and related documentation to the CFPB, will subject them to the same supervisory authority as banks in this space, and may well provide the basis for expanded regulation over how applications function and over the various types of “funds” transferred among consumers, among other areas.

Key Definitions

Under the NPRM, a nonbank company would be subject to supervision by the CFPB as a “larger participant” if it:

  • has an annual volume of at least five million consumer payment transactions;
  • is not a small business, as defined by the Small Business Administration (SBA);
  • provides “a covered payment functionality” – i.e., a funds transfer functionality, a wallet functionality, or both – through a digital application; and
  • provides such payment functionality for consumers’ general use in making a “consumer payment transaction.”
  • it must result in a transfer of funds by or on behalf of the consumer. “Funds” include fiat currency, legal tender, and digital assets, including cryptocurrency (though, as noted below, the exchange of one type of funds for another, such as crypto for fiat, is not covered);
  • the consumer initiating the transaction must be physically located in the United States;
  • the funds transfer must be made to another person besides the consumer that initiated the transfer, which could be another consumer, a business, or some other type of entity. This would exclude, for example, ATM withdrawals; and
  • the funds transfer must be primarily for personal, family, or household purposes.
  • international money transfers (as defined in and regulated by the CFPB’s Remittances Rule);
  • a transfer of funds by a consumer that is linked to the consumer’s receipt of another form of funds, including the exchange of fiat currencies or digital assets or the purchase or sale of a digital asset with or for fiat currency, or that is not an “electronic funds transfer” as defined by Regulation E under 12 CFR § 1005.3(c)(4);
  • a transaction conducted by a person from their own online or physical store or marketplace for the sale or lease of goods or services; and
  • an extension of consumer credit made using a digital application provided by the person who is extending the credit or its affiliate.

Note on Digital Assets

The NPRM states that crypto-assets, including virtual currency, constitute “funds” under the CFPA, and therefore, the transfer of funds in the form of crypto-assets “by or on behalf of a consumer physically located in a State to another person primarily for personal, family, or household purposes” would qualify as a “consumer payment transaction,” unless one of the exclusions to that term applies.

Notably, the NPRM proposes to exclude from the definition of “consumer payment transaction” a transaction “for the purpose of exchanging one type of funds for another, such as exchanges of fiat currencies … a purchase of a crypto-asset using fiat currency, a sale of a crypto-asset in which the seller receives fiat currency in return, or the exchange of one type of crypto-asset for another type of crypto-asset.”

Therefore, in its current form, it is reasonable to assume that the NPRM applies to transactions involving digital assets as follows:

  • fiat-to-crypto and crypto-to-crypto trading activity on digital asset exchanges would not be covered;
  • payment applications enabling consumers to purchase goods and services using cryptocurrency, including stablecoins, would be covered; and
  • other activities, such as the transfer of digital assets between consumers, unrelated to exchange activity, would be covered.

CFPB jurisdiction is not exclusive, so entities that become subject to CFPB supervision by virtue of engaging in the above activities would remain subject to existing federal and state regulatory requirements, as appropriate.

Comment Period

The CFPB invites comments on all aspects of the NPRM. It also requests comments on each of the specific definitions, proposals, and criteria proposed by the NPRM.

The comment period for this NPRM closes on January 21, 2024.

* * *

For additional information on this proposed rulemaking or assistance in preparing a comment, please contact a member of Steptoe’s Financial Regulatory Compliance and Policy Practice or Blockchain and Cryptocurrency Practice.

On October 30, 2023, HM Treasury released a policy update announcing its intention to bring forward secondary legislation to introduce regulatory measures for specific cryptoassets known as stablecoins by early 2024.  The policy update outlines the proposed framework for regulating the issuance, custody, and utilization of fiat-backed stablecoins by amending existing financial services legislation.  In order to assess the UK’s regulatory roadmap for stablecoins, it is imperative to understand the key aspects of this regulatory proposal and explore its implications and the potential impact it could have on the crypto industry in the United Kingdom.

Understanding Stablecoins

Stablecoins are a type of cryptoasset that are designed to maintain a stable value by anchoring their worth to fiat currencies such as the British Pound or the US Dollar.  Their stability makes them an attractive choice for various financial transactions, from investments to everyday purchases.

Proposed Regulatory Framework

The core of HM Treasury’s regulatory proposal concerns regulation of the issuance and custody of stablecoins conducted within or from the United Kingdom.  The key elements of this framework are as follows:

  1. Regulation under the Financial Services and Markets Act

Firstly, the proposed legislation would classify the issuance and custody of UK issued fiat-backed stablecoins as regulated activities through their inclusion in the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (“RAO”).  This legal categorization would empower the Financial Conduct Authority (“FCA”) to authorize firms engaging in these activities and to set forth rules governing the sector.  This change will allow the FCA to take steps to establish a secure and compliant environment for the issuance and management of stablecoins.

  • Inclusion in Payment Services Regulations

Secondly, the use of stablecoins in payments chains would also be brought under regulatory oversight by means of amendments to the Payment Services Regulations 2017.  This adjustment would encompass payments made by both consumers and businesses using stablecoins, whether they are issued within the United Kingdom or overseas.  This move is intended to ensure that all transactions involving stablecoins are subject to regulatory scrutiny, promoting transparency and security.

  • Oversight by the Bank of England

Thirdly, to safeguard financial stability the Bank of England will be granted the authority to monitor systemic stablecoin systems and service providers, including those using stablecoins issued both in, or from, the United Kingdom or issued overseas) that pose potential threats to the integrity of the financial system.  This proactive approach is aimed at preventing any adverse impact on the broader financial landscape that could result from the unchecked growth of these cryptoassets.

  • Regulation of Systemic Stablecoin Payment Systems

Lastly, the Payment Systems Regulator would also be responsible for overseeing systemic stablecoin payment systems.  This regulatory oversight ensures that the payment infrastructure underpinning stablecoins operates efficiently and securely, minimizing the potential for systemic risks.

Balancing Risks and Rewards

The UK’s approach to stablecoin regulation is part of a broader strategy to position the United Kingdom as a global hub for cryptoassets.  The regulatory framework seeks to strike a balance between mitigating risks associated with the rapidly evolving crypto industry while harnessing its potential benefits.  This equilibrium is crucial to encourage innovation and investment in the crypto sector while protecting the interests of consumers and the stability of the financial system.

Next Steps

The proposed regulatory measures will now undergo the standard parliamentary procedures before being enacted into law.  The UK government anticipates that the regulatory framework for stablecoins will be fully operational by 2024.


The impending regulation of stablecoins in the United Kingdom is a significant development that underscores the UK government’s commitment to fostering a secure and dynamic environment for cryptoassets.  By bringing these cryptoassets within the regulatory fold, the United Kingdom aims to balance innovation and stability, ultimately positioning itself as a leading player in the global crypto industry.  As these proposals move closer to becoming law, stakeholders in the crypto sector should remain vigilant and prepare to adapt to the evolving regulatory landscape.  For more information on these developments, contact the authors of this post, Alexandra Melia or Elliot Letts, in Steptoe’s Anti-Money Laundering team in London.

On October 8, 2023, highly anticipated regulatory changes came into effect bringing qualifying cryptoassets within the scope of the UK’s existing financial promotions regime and the remit of the Financial Conduct Authority (“FCA”).  The regulatory changes effectively ban unauthorized firms globally from marketing qualifying cryptoassets to UK consumers, which are now deemed as “controlled investments.”  A final warning letter to firms marketing cryptoassets to UK consumers on the new regime issued by the FCA on September 21, 2023 indicated the FCA’s expectation of full compliance from the outset of the new regime, a stance underscored by the FCA’s issuance of 146 alerts about cryptoasset promotions on the first day of the new regime.  With the arrival of these regulatory changes and the FCA’s focus on enforcement in cases of non-compliance, it is of paramount importance that authorized and unauthorized firms understand the implications of the regime for their business, and take appropriate steps to ensure compliance.

Existing Regime

In the UK, any communication of a financial promotion in the course of business is subject to strict regulations.  A financial promotion is any invitation or inducement to engage in an investment activity.  An investment activity is defined as a controlled activity that is performed in respect of a “controlled investment”.  Controlled activities include accepting deposits, dealing as principal or agent, arranging deals in investments, providing portfolio management, or providing investment advice.

Financial promotions must either be made, or approved, by a firm authorized under the Financial Services and Markets Act 2000 (“FSMA”) or qualify for an exemption.  This framework encompasses a wide range of activities related to “controlled investments,” which extend beyond the mere sale of assets to include various investment-related services.

Controlled investments, as defined by the regime, include deposits, shares, bonds, derivatives, and other financial instruments.  The regime also extends to promotions that have the potential to influence UK investors, even if they originate from outside of the UK.

Exemptions under the existing regime include the:

  1. investment professionals’ exemption, which allows communications to entities reasonably believed to be investment professionals (e.g., banks and investment firms);
  2. high-net-worth individuals’ exemption, which permits non-real time or solicited communications to individuals meeting specific high-net-worth criteria; and
  3. self-certified sophisticated investors’ exemption, which allows communications to individuals who self-certify their adherence to certain investment experience criteria.

New Regime for Qualifying Cryptoassets

As of October 8, 2023, qualifying cryptoassets are now considered controlled investments that fall under the purview of the FCA.  A cryptoasset is a cryptographically secured digital representation of value or contractual rights, which can be electronically transferred, stored, or traded and uses technology supporting the recording or storage of data (e.g., distributed ledger technology).  It is deemed “qualifying” if it is fungible and transferable.  This definition covers many widely traded cryptocurrencies like Bitcoin and Ether.  However, it excludes digitally issued fiat currencies, central bank digital currencies (“CBDCs”), and cryptoassets that meet the criteria for electronic money or other controlled investments.

According to the FCA, it is likely that many online advertisements will be caught.  For example, in the case of apps, websites, or online advertisements that include buttons that lead to other websites (e.g., “buy now” or similar buttons), both the relevant advertisement and the website to which the advertisement leads will need to be assessed as a whole.

Authorized Firms

Firms authorized under FSMA, such as banks and investment firms, can continue to communicate financial promotions under the new regime.  However, they must adhere to the FCA conduct rules, which require financial promotions to be clear, fair, and not misleading.  Additionally, specific requirements apply to cryptoasset promotions, such as the inclusion of a prescribed-form risk warning and a prohibition on inducements to invest such as a refer-a-friend bonus.

One notable feature of the new regime is the regulatory gateway, which permits only authorized firms deemed suitable and with sufficient expertise by the FCA to approve promotions by unauthorized firms.  This gateway grants the FCA enhanced oversight over cryptoasset promotions, with the aim of improving their quality.

FCA Review Process

When authorized firms are unable to benefit from the existing exemptions, they must apply to the FCA in order to approve third-party promotions.  A transition period is granted to these firms, allowing them to continue approving promotions while the FCA assesses their application (subject to complying with the rules contained in the FCA’s Conduct of Business Sourcebook 4).  After reviewing an application, the FCA may grant permission as requested, impose additional terms, or restrict the authorized firm’s promotion approvals to their field of expertise only.  Critically, the FCA can vary or cancel any granted permission upon request or initiative.

Early Struggles with the New Regulations

Since the introduction of the new regulations in October 2023, the FCA has already issued over 200 alerts against firms for potentially illegal cryptoasset promotions and recommends that consumers check its warning list before making any investments in crypto.  One authorized firm, rebuildingsociety,com Ltd, that approved promotions that did not meet the required standards also faced restrictions on its ability to approve cryptoasset financial promotions.

The FCA has identified several recurring problems with the way cryptoassets are continuing to be marketed.  On October 25, 2023, the FCA published a statement outlining three pertinent areas of concern: (i) misleading claims about safety and security, (ii) inadequate risk warnings; and (iii) failure to highlight product-specific risks.

To combat illegal promotions and safeguard consumers, the FCA is collaborating with various third parties, including search engines, social media platforms, app stores, and payment providers.  These entities are urged to consider the alerts published by the FCA and “play their part in protecting UK consumers.”


The regulatory changes in the UK have ushered in a new era for the crypto industry.  Firms involved in promoting cryptoassets should carefully evaluate their status and consider whether they need to apply for inclusion in the regulatory gateway or whether they can rely on existing exemptions.  To ensure compliance, firms must prepare updated policies and procedures to meet the FCA’s enhanced expectations.  With the regulatory landscape continually evolving, staying informed and proactive is essential for all stakeholders in the crypto space.  For more information on these developments, contact the authors of this post, Alexandra Melia or Elliot Letts, in Steptoe’s Anti-Money Laundering team in London.

On October 19, 2023, the U.S. Department of the Treasury’s (“Treasury”) Financial Crimes Enforcement Network (FinCEN) announced a Notice of Proposed Rulemaking (NPRM) that would implement new recordkeeping and reporting requirements on domestic financial institutions and domestic financial agencies, related to transactions that they know, suspect, or have reason to suspect involve convertible virtual currency (CVC) mixing within or involving a non-U.S. jurisdiction. 

FinCEN issued the NPRM pursuant to Section 311 of the USA PATRIOT Act, which provides the Secretary of the Treasury (the “Secretary”) the authority to require domestic financial institutions and domestic financial agencies to take “special measures” where the Secretary finds reasonable grounds to conclude that a class of transactions, institution, account, or foreign jurisdiction is of “primary money laundering concern.”  The NPRM identifies international CVC mixing as a class of transactions of primary money laundering concern, highlighting the use of CVC mixing services by illicit actors including cyber criminals and terrorist groups.  According to FinCEN’s press release, the NPRM represents FinCEN’s first use of Section 311 to target a class of transactions.

Requirements Contained in the Proposed Rule

The proposed rule defines “CVC mixer” as any person, group, service, code, tool, or function that facilitates CVC mixing.  “CVC mixing” is defined as the facilitation of CVC transactions in a manner that obfuscates the source, destination, or amount involved in one or more transactions, regardless of the type of protocol or service used, such as: (1) pooling or aggregating CVC from multiple persons, wallets, addresses, or accounts; (2) using programmatic or algorithmic code to coordinate, manage, or manipulate the structure of a transaction; (3) splitting CVC for transmittal and transmitting the CVC through a series of independent transactions; (4) creating and using single-use wallets, addresses, or accounts, and sending CVC through such wallets, addresses, or accounts through a series of independent transactions; (5) exchanging between types of CVC or other digital assets; or (6) facilitating user-initiated delays in transactional activity. 

The definition of CVC mixing excludes “the use of internal protocols or processes to execute transactions by banks, broker-dealers, or money services businesses, including virtual asset service providers that would otherwise constitute CVC mixing, provided that these financial institutions preserve records of the source and destination of CVC transactions when using such internal protocols and processes; and provide such records to regulators and law enforcement, where required by law.”

The proposed rule would require financial institutions to report information regarding transactions involving CVC mixing in or involving a non-U.S. jurisdiction and the customer associated with any such transaction, including:

  • Amount of any CVC transferred, in both CVC and its U.S. dollar equivalent when the transaction was initiated;
  • CVC type;
  • CVC mixer used, if known;
  • CVC wallet address associated with the mixer;
  • CVC wallet address associated with the customer;
  • Transaction hash;
  • Date of transaction;
  • IP address and time stamps associated with the transaction;
  • Narrative description of the activity observed by the financial institution, including summary of investigative steps taken;
  • Customer’s full name;
  • Customer’s date of birth;
  • Customer’s address;
  • Email address associated with any and all accounts from which or to which the CVC was transferred; and
  • Unique identifying number for the customer (Taxpayer Identification Number, meaning an Employer Identification Number or Social Security Number, or the foreign equivalent).

The proposed rule would require the foregoing information to be reported to FinCEN within 30 days of initial detection of a reportable transaction.

Significantly, the NPRM indicates FinCEN’s expectation that both direct exposure and indirect exposure to CVC mixing involving a non-U.S. jurisdiction would trigger the reporting requirement under the proposed rule.  For example, if CVC were sent from a mixer to an intermediate wallet and then to a covered financial institution, the rule’s reporting obligation would be triggered; and the same would be true if CVC were sent from a covered financial institution to an intermediary wallet and then to a CVC mixer.  But transactions that are only indirectly related to CVC – such as a transfer of the fiat currency proceeds from an exchange of CVC that was previously processed through a CVC mixer – would fall outside the scope of the proposed rule.

Implications of the Proposed Rule

Should the rule be adopted as proposed, covered financial institutions will need to ensure that they collect the above-listed reportable information, or prevent transactions involving CVC mixers.  Many financial institutions may already collect some or all of the required information, but others would need to adjust their data collection and retention practices.  Some financial institutions may simply decline to engage in transactions involving CVC mixers.

Whether for the purpose of ensuring compliance with the rule’s reporting obligation or for the purpose of declining transactions involving CVC mixers, covered financial institutions may also need to enhance their transaction surveillance frameworks to identify direct and indirect exposure to non-U.S. CVC mixing, if the proposed rule is adopted.  According to the NPRM, “FinCEN would expect covered financial institutions to employ a risk-based approach” to compliance with the proposed rule, “including by using the variously available free and paid blockchain analytic tools commonly available.”

Another key issue is likely to be which platforms qualify as a CVC mixer.  The definition in the proposed rule is quite broad and could capture a wide range of platforms that are not typically considered mixers.  For example, exchanging between types of CVC or other digital assets would capture an array of decentralized protocols, many of which would not fall into the exemption for virtual asset service providers because they are not licensed or registered as such.  Additionally, if financial institutions (which include most digital asset custodial exchanges and platforms, among many other digital asset business models) decline to deal with CVC mixers to ease their compliance burden, that could have a significant impact on the liquidity and, potentially, viability of those CVC mixers.

The Treasury has shown an increased interest in addressing sanctions and money laundering-related concerns arising from CVC mixing over the past two years.  In 2022, the Treasury’s Office of Foreign Assets Control (OFAC) designated virtual currency mixers Blender.io and Tornado Cash as Specially Designated Nationals (SDNs) (see Steptoe’s blog post on the designation of Tornado Cash for more information).

Comment Period and Topics

In addition to inviting comments on all aspects of the proposed rule, the NPRM posits a number of specific matters for commenters to address, including, for example:

  1. What impact would this proposed rule have on legitimate activity conducted by persons in the course of conducting financial transactions?
  2. Does the proposed definition of CVC mixing adequately capture the activity of concern? If not, please provide suggested revisions to the proposed definition that would better capture such activity. Where possible, please provide information or examples to illustrate how the recommended revisions would improve upon the definition as proposed.
  3. Does the proposed exception to the definition of CVC mixing adequately account for legitimate activity conducted by VASPs and other financial institutions?

The comment period for the NPRM closes on January 21, 2024.

* * *

For additional information on this proposed rulemaking or assistance in preparing a comment, please contact a member of Steptoe’s AML and Sanctions Practice or Blockchain and Cryptocurrency Practice.

On September 1, 2023, the Financial Conduct Authority (“FCA”) set out its expectations for cryptoasset businesses in the UK’s compliance with the “Travel Rule”, introduced by The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 (the “Amended MLRs”).  The Travel Rule requires cryptoasset businesses to gather, authenticate, and share information concerning cryptoasset transfers.  Ultimately, the Travel Rule seeks to raise the level of transparency associated with cryptoasset transfers, bringing them into line with practices common in other areas of financial services, a feature that will have broader relevance to the future of the UK crypto industry.

The detailed guidance from the UK may also serve as an example for other jurisdictions that continue to struggle with implementation of the Travel Rule for cryptoassets.  For example, although US regulators have long asserted the Travel Rule applies to cryptoassets, there has been no specific guidance on how to apply the rule in that context.  A proposed rule from the US Department of the Treasury was published in October 2020 and would have provided some clarity on the topic, but was never finalized.

The Travel Rule Explained

The goal of the Travel Rule is to enhance transparency in cryptoasset transfers, thereby curbing the potential misuse of cryptoassets for illicit activities.  In particular, the Travel Rule is designed to advance anti-money laundering (“AML”) and counter-terrorist financing (“CTF”) efforts by equipping cryptoasset businesses to detect suspicious transactions and conduct effective sanctions screening.

The Travel Rule was introduced by the Amended MLRs as a new Part 7A of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLRs”) and, according to Regulation 1(3) of the Amended MLRs, comes into effect on September 1, 2023.

The FCA has stated that the introduction of the Travel Rule aligns with its dedication to consumer protection and market integrity, and epitomises its commitment to elevating standards within the cryptoasset sector.  Together with the FCA’s impending financial promotions regime for cryptoassets in October 2023, the Travel Rule is intended to contribute to safeguarding individuals, preserving market integrity, and nurturing the sustained competitiveness of the UK’s cryptoasset sector.

The impetus behind this regulatory shift stems from the Financial Action Task Force (“FATF”), an international body focussed on AML and CTF.  The FATF has not only urged the UK to embrace the Travel Rule, but also has called upon other countries to promptly adopt this standard, with the aim of standardizing the procedures for cryptoasset businesses across jurisdictions and ensuring uniformity in sending and receiving transactions – a move particularly pertinent due to the interconnected nature of the financial industry.

FCA Expectations for Implementation of the Travel Rule

Recognizing the potential roadblocks posed by varying adoption timelines and enforcement delays across different jurisdictions, the FATF has emphasized the need for a unified approach.  Consequently, in collaboration with industry players, the FCA has laid out guidelines for compliance with the Travel Rule.  These guidelines detail the expectations the FCA has for cryptoasset firms moving forward, including:

  1. Exercising Due Diligence: Cryptoasset firms are expected to diligently adhere to the Travel Rule by taking all reasonable steps, including conducting due diligence to ensure compliance.
  2. Third-party Responsibility: Even when collaborating with third-party suppliers, cryptoasset firms remain accountable for achieving Travel Rule compliance.
  3. Comprehensive Compliance: Cryptoasset firms must fully comply with the Travel Rule when sending or receiving cryptoasset transfers from entities located within the UK or other jurisdictions that have implemented the Travel Rule.
  4. Adapting to International Changes: Cryptoasset firms must regularly assess the implementation status of the Travel Rule in other jurisdictions and adapt their business processes accordingly to ensure ongoing compliance.

When a cryptoasset transfer is destined for a jurisdiction without the Travel Rule, the FCA expects cryptoasset firms to adhere to the following protocols:

  1. Verification Efforts: A cryptoasset firm must take all reasonable steps to determine whether the receiving entity can obtain the requisite information.
  2. Absence of Information: In cases where the necessary information cannot be obtained, UK cryptoasset businesses are still obligated to collect and validate the data as mandated by the MLRs.  This information should be stored prior to executing the cryptoasset transfer.

Conversely, when a cryptoasset transfer is received from a jurisdiction without the Travel Rule, the FCA expects cryptoasset firms to consider the following:

  1. Incomplete Data Considerations: In instances where the received cryptoasset transfer lacks complete or accurate information, UK cryptoasset businesses should evaluate the countries in which it operates and the status of the Travel Rule in those countries.
  2. Risk-based Assessment: The factors in 1. above should be taken into account as part of a risk-based assessment of whether the cryptoassets should be made available to the beneficiary.

The FCA have stated that this framework will remain dynamic as global adoption of the Travel Rule progresses, with any alterations to its expectations being communicated to the industry. To support cryptoasset businesses in complying with the Travel Rule, the FCA has collaborated closely with industry stakeholders, the Joint Money Laundering Steering Group, and HM Treasury to develop guidance, on which cryptoasset businesses have had an opportunity to provide feedback.  For more information on these developments, contact the authors of this post, Alexandra Melia or Elliot Letts in London.

After months of anticipation, a federal judge has finally ruled in the closely watched case of Joseph Van Loon, et al. v. Department of Treasury, et al.  This important case addressed challenges to the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) decision to impose sanctions on Tornado Cash as a Specially Designated National and Blocked Person (SDN).  The judge granted summary judgement in favor of OFAC, finding it had sufficient legal authority to designate Tornado Cash, and denied summary judgement on the plaintiffs’ claims.  Shortly after that ruling, OFAC announced the SDN designation of Roman Semenov, one of three alleged co-founders of Tornado Cash, and the Department of Justice (DOJ) charged Semenov and Roman Storm, another Tornado Cash founder, with multiple alleged criminal violations related to anti-money laundering (AML) and economic sanctions laws. 

Continue Reading Critical Tornado Cash Developments Have Significant Implications for DeFi AML and Sanctions Compliance

Cash method taxpayers that stake cryptocurrency native to a proof-of-stake blockchain and receive additional units of cryptocurrency as rewards when validation occurs must include the fair market value of the rewards in income in the year in which the taxpayer gains dominion and control of the rewards, according to the IRS.  Revenue Ruling 2023-14 (the “Ruling”), issued on July 31, explains the IRS’s position that those cryptocurrency rewards over which the taxpayer has dominion and control are income for purposes of Section 61[1] and the regulations thereunder.  The fair market value is determined as of the date and time the taxpayer gains dominion and control over the rewards.  Taxpayers have dominion and control over the rewards when they have the ability to sell, exchange, or otherwise dispose of the cryptocurrency received as rewards.  The Ruling also clarified that the result is the same if the taxpayer receives cryptocurrency rewards by staking cryptocurrency native to a proof-of-stake blockchain through a cryptocurrency exchange. 

The guidance is narrowly tailored to advise only on whether staking rewards are gross income, and does not provide guidance on other important open questions regarding the tax treatment of staking, such as the treatment of delegated staking, whether operating a validation node is a trade or business, or how to source income from staking rewards.

In addition, the factual scenario that the Ruling addresses is silent as to whether the staking rewards at issue involve newly-created tokens or pre-existing tokens.  However, the background discussion acknowledges that “validation rewards typically consist of one or more newly created units of the cryptocurrency native to that blockchain.”  This context suggests that the IRS disagrees with the position that has been taken by certain industry participants that staking rewards consisting of newly-created tokens are taxable only on a subsequent sale or disposition.  Although not law, the amended Lummis-Gillibrand Responsible Financial Innovation bill also reflects this perspective and, if enacted, would provide that rewards produced or received from staking activities are only includable in gross income at the time of sale or disposition. 

The IRS issued the Ruling on the heels of oral arguments in Jarrett v. United States[2], which took place in the Sixth Circuit on July 26.  In Jarrett, the taxpayers petitioned a district court for a refund of federal income taxes, alleging that the Tezos tokens the taxpayers earned from staking activities were newly-created property, akin to a baker combining ingredients to bake a cake, and therefore, the tokens were only taxable at sale.[3]  The government ultimately issued a refund check to the Jarretts before a decision was rendered and, despite the Jarretts’ best efforts to continue to litigate the case to gain certainty on the treatment of staking rewards, the district court dismissed the case as moot. 

Some cryptocurrency stakeholders celebrated the result believing that the refund symbolized a concession by the government that staking rewards are taxable only at sale or disposition.  Tax professionals, on the other hand, were more hesitant to read the government’s response as any sort of indication of how the rewards will ultimately be treated.  It appears that by paying the Jarretts’ $4,000 refund, the IRS was able to ensure the district court did not issue a ruling against their position and buy itself more time to issue guidance in this area.

This Ruling is unlikely to be the final word on the taxation of staking rewards.  Some taxpayers can be expected to continue to challenge the ability of the IRS to subject staking rewards to immediate taxation.  A revenue ruling is an official interpretation by the IRS of the Internal Revenue Code, related statutes, tax treaties and regulations.  However, it only represents the IRS’s conclusion on how the law is applied to a specific set of facts, so the Ruling is effectively retroactive but is not binding on courts.  Ultimately, it will be up to Congress (or the courts) to decide this issue.

[1] Unless otherwise specified, all “section” or “§” references are to sections of the Internal Revenue Code of 1986, as amended.

[2] Brief for Appellants, Joshua Jarrett v. United States, No. 22-6023 (6th Cir. Filed Feb. 7, 2023).

[3] Complaint, Joshua Jarrett v. United States, No. 3:21-CV-00419 (M.D. Tenn. May 26, 2021).

Earlier this year, the European Union (EU) voted in favour of the Markets in Crypto-Assets (“MiCA”) bill, which aims to regulate the crypto industry within the EU. The bill is seen as a major step towards establishing a comprehensive regulatory framework for cryptocurrencies and other digital assets in the EU that will undoubtedly make the EU an attractive destination for crypto firms. As the United Kingdom (UK) continues to navigate its post-Brexit regulatory landscape, the passing of the MiCA bill notably puts renewed and “significant jurisdictional pressure” on the UK to pass its own framework. The recent publication of the Law Commission of England & Wales’ (Law Commission) report, “Digital Assets: Final report”, has only exacerbated this pressure by highlighting how parts of the UK are already ripe for crypto regulation. Yet, before making any further moves, there are a number of lessons that can be learned first from the passing of the MiCA bill that can positively impact the UK’s crypto industry, which continues to lie in wait for some form of regulation to propel it into action.  However, as the UK looks to reaffirm its status as a key global financial hub, it also faces the challenge of implementing an appropriate level of crypto regulation without stifling innovation in the sector.     


The UK government has been actively considering the regulation of the UK crypto industry for several years. A timeline of significant events and legislation in relation to the UK government’s position on the industry can be summarized as follows:

These developments demonstrate the UK government’s increasing focus on the regulation of the crypto industry and the need for companies operating in the industry to comply with existing financial services regulation. However, as the UK government continues to develop its regulatory framework for the industry, there are several lessons that it can learn from the passing of the MiCA bill and its potential impact on the UK’s future regulation of the crypto industry.

Lesson 1: Embrace comprehensive regulation

The passing of the MiCA bill demonstrates that regulators in the EU are taking a proactive approach to regulating the crypto industry. The bill seeks to establish clear rules for the issuance and trading of digital assets, as well as address issues such as market abuse, cybersecurity, and investor protection. By establishing a comprehensive regulatory framework, the EU is sending a signal to the industry that it is serious about promoting innovation while also protecting consumers and maintaining financial stability.

The UK can learn from this approach and seek to establish its own comprehensive regulatory framework for the crypto industry. Currently, the FCA only requires certain crypto assets to be regulated under existing financial services legislation. However, with the growth of the crypto industry and many crypto businesses looking to the UK as a base for expanding operations, the need for a more comprehensive regulatory framework is becoming increasingly apparent. The MiCA bill provides a useful roadmap for the UK in this regard.

Lesson 2: Promote international co-operation

The MiCA bill also highlights the importance of international co-operation in regulating the crypto industry. The bill includes provisions for cross-border trading and co-operation between national regulators, reflecting the global nature of the crypto industry. By promoting international co-operation, the EU is seeking to establish a level playing field for all market participants and to avoid regulatory arbitrage.

The UK can learn from this approach by seeking to co-operate with other jurisdictions in regulating the crypto industry. The UK has already taken steps in this direction by joining the Global Financial Innovation Network (GFIN), a group of international regulators seeking to promote innovation in financial services while ensuring consumer protection. As the crypto industry continues to grow, it will become increasingly important for regulators to work together to establish a consistent regulatory framework.

Lesson 3: Strike a balance between innovation and regulation

Finally, the passing of the MiCA bill highlights the need to strike a balance between promoting innovation and maintaining regulatory oversight. The bill seeks to establish clear rules for the issuance and trading of digital assets while also providing a supportive environment for innovation. By striking this balance, the EU is seeking to ensure that the crypto industry can continue to grow and innovate while also minimizing risks to consumers and financial stability. The UK can learn from this approach by seeking to strike a similar balance in its own regulatory framework.

So far, in the absence of any clear regulatory framework, the US has opted for a more punitive approach to crypto regulation, which has caused many US-based crypto businesses to consider investing more overseas, or even relocating. Some of these crypto businesses have taken issue with the US’ seemingly haphazard approach when it comes to targeting large crypto businesses with enforcement actions, causing many innovators in this field to believe that the US does not have a clear rule book for the crypto industry. The UK will likely attempt to avoid similar action in order to prevent the stifling of innovation, as it aims to reaffirm its reputation as a global hub for fintech innovation. The growth of the crypto industry presents an opportunity for the UK to continue to lead in this area. However, embracing innovation must be balanced against the need for effective regulation to protect consumers and maintain financial stability.

Recent UK Developments

In March, 2020, the Ministry of Justice asked the Law Commission to review the law on crypto-tokens and other digital assets and to consider how the principles of private law, specifically personal property law, apply to digital assets and what regulatory changes may need to be made to accommodate such assets.

On June 28, 2023, the Law Commission published its final report, which found/recommended the following:

  1. There will likely be a tripartite approach to law reform in this area involving: (i) targeted legislative reform, (ii) continued development of the common law; and (iii) guidance from a panel of industry specific technical experts;
  2. Statutory reform will be necessary to confirm the existence of a third category of personal property rights of “things” to include digital objects, but without strict definitions or boundaries, which should instead be developed by common law;
  3. The concept of “control” in the case of digital assets can be highly complex and may differ between factual and legal control such that this is an area where non-binding guidance from a technical expert group would be of assistance;
  4. The introduction of a bespoke statutory legal framework that facilitates entering into, operating, and enforcing certain crypto-token and cryptoasset collateral arrangements will be necessary; and
  5. The Financial Collateral Arrangements (No 2) Regulations 2003 will need to be amended to clarify the treatment of collateral arrangements involving certain cryptoassets (including Central Bank Digital Currencies (CBDCs), stablecoins, equity and debt securities and credit claims).

While the recommendations within this report will serve only as a guideline for UK legislators, the report highlights that UK laws have already proven themselves to be sufficiently resilient and flexible in their recognition of digital assets as things to which personal property rights can relate. These findings should empower legislators to act more decisively in establishing a regulatory framework for the crypto industry sooner rather than later.


The passing of the MiCA bill represents a major milestone in the regulation of the crypto industry in the EU. As the UK government continues to develop its regulatory framework for the industry, there are several lessons that it can take from the passing of the MiCA bill, which could ultimately see the EU offering a trading environment that is more permissive and looks more attractive to institutions and to innovators when compared to the UK. By embracing comprehensive regulation, promoting international co-operation, and striking an appropriate balance between innovation and regulation, the UK can establish a regulatory framework that promotes innovation while also protecting consumers and maintaining financial stability. With the findings of recent research suggesting that the UK regulatory landscape is ripe and ready for the introduction of definitive crypto-related legislation, there has never been a better time for the UK government to capitalize on this momentum. However, as the UK crypto industry continues to evolve, it will still be important for regulators to remain proactive and adaptive to ensure that the benefits of this technology can be realised while minimizing the risks.

For more information on how these developments could impact your organization, contact the authors of this post, Alexandra Melia or Elliot Letts, in Steptoe’s Economic Sanctions team in London.

The Department of the Treasury’s recently issued Illicit Finance Risk Assessment of Decentralized Finance is principally intended to provide insight on how illicit actors are abusing decentralized finance (DeFi) services, as well as anti-money laundering (AML) and countering the financing of terrorism (CFT) vulnerabilities unique to DeFi.  However, the report also contains critical insight on how Treasury, and, presumably, the Financial Crimes Enforcement Network (FinCEN) within Treasury, view the applicability of existing US AML/CFT regulations, issued pursuant to the Bank Secrecy Act (BSA), to DeFi projects. 

FinCEN has previously issued two guidance documents regarding what it calls “convertible virtual currency” or “CVC,” as well as a number of administrative rulings.  The 2013 guidance did not specifically discuss DeFi.  The 2019 guidance briefly addresses decentralized applications (“DApps”) and decentralized exchanges, but dedicates only a couple of pages to the topic. 

The Risk Assessment dedicates significantly more text to the topic of when a DeFi project might be subject to FinCEN’s rules, particularly as a money transmitter, a type of money services business (MSB).  The Risk Assessment states that it “does not alter any existing legal obligations, issue any new regulatory interpretations, or establish any new supervisory expectations.”  However, it does make explicit a number of important points that are at best implied in FinCEN’s 2019 guidance and introduces critical new terminology that does not appear in the prior FinCEN guidance.  For example, the Risk Assessment draws a sharp distinction between the concept of “decentralization,” which it states is not relevant to assessing a DeFi project’s status under the BSA, and “disintermediation,” which it states is relevant (albeit as a gap in existing rules that should be filled).  Notably, “disintermediation” is a term that is never used in FinCEN’s prior guidance.

Therefore, while the Risk Assessment is purportedly not intended to provide “new regulatory interpretations” it is a key new document in understanding how the BSA applies to DeFi projects.

FinCEN’s 2019 Guidance on DeFi

To understand the intersection of the Risk Assessment and FinCEN’s prior guidance, it is worth briefly revisiting that guidance.  As noted above, FinCEN’s 2019 guidance addresses DApps and decentralized exchanges.  FinCEN’s 2019 guidance describes DApps as, “software programs that operate on a P2P network of computers running a blockchain platform (a type of distributed public ledger that allows the development of secondary blockchains), designed such that they are not controlled by a single person or group of persons (that is, they do not have an identifiable administrator).”

The guidance explains “when DApps perform money transmission, the definition of money transmitter will apply to the DApp, the owners/operators of the DApp, or both.”  However, it adds that “the developer of a DApp is not a money transmitter for the mere act of creating the application, even if the purpose of the DApp is to issue a CVC or otherwise facilitate financial activities denominated in CVC,” provided the developer does not use or deploy the DApp to engage in money transmission.  FinCEN rules may also apply to third parties that use the DApp to engage in money transmission.

With respect to decentralized exchanges, FinCEN explains:

[I] f a CVC trading platform only provides a forum where buyers and sellers of CVC post their bids and offers (with or without automatic matching of counterparties), and the parties themselves settle any matched transactions through an outside venue (either through individual wallets or other wallets not hosted by the trading platform), the trading platform does not qualify as a money transmitter under FinCEN regulations.

Conversely, FinCEN rules do apply if, “when transactions are matched, a trading platform purchases the CVC from the seller and sells it to the buyer.”

Risk Assessment

The Risk Assessment builds on the rather sparse discussion of DeFi in the 2019 guidance in a number of significant manners. 

First, the Risk Assessment states that the centralized or decentralized status of a given DeFi project is not relevant to its status under the BSA.  For example, it explains “a DeFi service that functions as a financial institution as defined by the BSA, regardless of whether the service is centralized or decentralized, will be required to comply with BSA obligations, including AML/CFT obligations.  A DeFi service’s claim that it is or plans to be ‘fully decentralized’ does not impact its status as a financial institution under the BSA.”  While such a view is arguably implied in the 2019 guidance’s discussion of DApps it is not explicitly stated.  Nor does either the 2019 guidance or the Risk Assessment explain who FinCEN would expect to carry out AML/CFT compliance obligations in a fully decentralized model.  The creators that coded the project?  Each individual participant in the project?  Governance token holders or a DAO (if such a thing exists for the given project)?  Each potential answer raises a host of additional questions and complications not addressed in the guidance or Risk Assessment.

Second, the Risk Assessment discusses the concept of “disintermediation,” a term that never appears in FinCEN’s prior guidance.  According to the Risk Assessment, disintermediation refers to “virtual assets [that] can be self-custodied and transferred without the involvement of an intermediary financial institution.”  For example, disintermediation includes “users of unhosted wallets [that] can retain custody of and transfer their virtual assets without the involvement of a regulated financial institution.”  The Risk Assessment notes, “Many DeFi services claim to be disintermediated by enabling automated P2P transactions without the need for an account or custodial relationship.”  The Risk Assessment acknowledges that such disintermediated projects currently fall outside FinCEN rules, but suggests the rules should be updated to address that gap.  Therefore, the Risk Assessment draws a sharp line between “decentralization,” which is not relevant to an entity’s BSA status, and “disintermediation,” which is a key consideration.  This distinction does not appear in FinCEN’s prior guidance, at least not in any explicit manner.  As noted above, the word “disintermediation” never even appears in the prior guidance.

Third, the Risk Assessment states that FinCEN takes a different approach than the Financial Action Task Force (FATF) with respect to DeFi.  FATF is an international AML/CFT standards-setting body that establishes a series of recommendations for AML/CFT compliance, which, while not strictly obligatory, most jurisdictions seek to follow.  As outlined in FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, software programs themselves are not subject to AML/CFT requirements under the FATF standards and, therefore, fully decentralized DeFi projects are not subject to those obligations.  With that said, FATF notes that in practice most DeFi projects do have some elements of centralization and, therefore, may not in fact be fully decentralized, despite representations to that effect. 

FATF’s updated guidance was published in October 2021 and the United States was widely understood to be involved in that update.  No US government agency or official had publicly stated that the US disagreed with FATF’s approach to DeFi until the Risk Assessment.  The Risk Assessment criticizes FATF’s approach noting it “could lead to potential gaps for DeFi services in other jurisdictions” and contrasts it against the US approach in which, according to the Risk Assessment, the decentralized status of a project is not relevant to the applicability of the BSA.

Finally, the Risk Assessment highlights a number of ways in which projects claiming to be decentralized may in fact be largely or partially centralized.  Among other examples, the Risk Assessment cites:  a concentration of governance tokens or voting power, a concentration of nodes or validators, retention of an administrative key or similar back door to amend a protocol, and a centralized front-end that is necessary to access the protocol (or without which protocol access is very difficult).  However, as noted above, because the Risk Assessment states that the level of decentralization of a project is not relevant under the BSA, these factors should not impact the overall analysis of whether a project falls within the BSA. 

The Path Ahead

While the Risk Assessment is not intended to change regulatory interpretations, it contains the US government’s most extensive comments to date on the applicability of the BSA to DeFi and, as such, will undoubtedly shape how industry understands FinCEN’s rules and guidance.  The Risk Assessment’s introduction of new terminology and concepts that are, at best, only implied in FinCEN’s prior guidance will further heighten the importance of the document. 

The Risk Assessment indicates Treasury is open to receiving industry comments, including on the following questions:

  • What factors should be considered to determine whether DeFi services are a financial institution under the BSA? 
  • How can the U.S. government encourage the adoption of measures to mitigate illicit finance risks … including by DeFi services that fall outside of the BSA definition of financial institution?
  • The assessment finds that non-compliance by covered DeFi services with AML/CFT obligations may be partially attributable to a lack of understanding of how AML/CFT regulations apply to DeFi services.  Are there additional recommendations for ways to clarify and remind DeFi services that fall under the BSA definition of a financial institution of their existing AML/CFT regulatory obligations?
  • How can the U.S. AML/CFT regulatory framework effectively mitigate the risks of DeFi services that currently fall outside of the BSA definition of a financial institution?
  • How should AML/CFT obligations vary based on the different types of services offered by DeFi services?

Entities involved in the DeFi space may wish to carefully review the Risk Assessment and to provide comments to Treasury.  Steptoe is available to assist companies in preparing and submitting comments.  For assistance regarding this topic please contact a member of our Anti-Money Laundering Practice or Blockchain and Cryptocurrency Practice