On January 18, 2023, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an order identifying the virtual currency exchange Bitzlato Limited (Bitzlato) as a “primary money laundering concern” in connection with Russian illicit finance. The order, which is the first of its kind, was issued pursuant to Section 9714(a) of the Combating Russian Money Laundering Act.
Section 9714(a) is a relatively new provision that authorizes the Secretary of the Treasury to identify a financial institution operating outside the United States as a “primary money laundering concern” and to impose various restrictions on covered financial institutions from dealing with such entities. The restrictions can vary widely, from heightened recordkeeping and reporting requirements to a prohibition on transmittals of funds between covered financial institutions and the institution of primary money laundering concern. In this instance, FinCEN opted for the latter by prohibiting covered financial institutions from “engaging in a transmittal of funds from or to Bitzlato, or from or to any account or CVC address administered by or on behalf of Bitzlato.” (FinCEN refers to most digital assets as “convertible virtual currency” or “CVC”.)
In a related action, the Department of Justice (DOJ) arrested the co-founder and majority owner of Bitzlato in Miami based on a criminal complaint for his alleged operation of an unlicensed “money transmitting business that transported and transmitted illicit funds and that failed to meet U.S. regulatory safeguards, including anti-money laundering requirements.”
As described in FinCEN’s press release, Bitzlato is a “virtual currency exchange” that provides traditional exchange and “Peer-to-Peer (P2P services).” While Bitzlato is incorporated in Hong Kong it allegedly “maintains significant operations in Russia” where it appears to be headquartered. FinCEN asserts that based on its investigation, including information provided to FinCEN from a blockchain analytics company, Bitzlato was engaged in the “facilitation of deposits and funds transfers by Russia-affiliated ransomware groups or affiliates, and transactions with Russia-connected darknet markets.” It also allegedly engaged in a number of dealings with entities subject to US sanctions, including the darknet market Hydra.
FinCEN added that Bitzlato did not take “meaningful steps to identify and disrupt illicit use and abuse of its services” and “advertised a lack of such policies, procedures, or internal controls.” FinCEN further noted that even if Bitzlato did not knowingly engage in transactions with ransomware groups, “it provides an enabling environment for such ransomware criminals” due to its deficient anti-money laundering controls.
Conduct Prohibited Under the Order
Pursuant to FinCEN’s order, “A covered financial institution is prohibited from engaging in a transmittal of funds from or to Bitzlato, or from or to any account or CVC address administered by or on behalf of Bitzlato.” The order defines “covered financial institution” as coterminous with the definition of “financial institution” in FinCEN’s rules, enumerated at 31 CFR § 1010.100(t). Among other types of financial institutions, this includes banks, brokers or dealers in securities, and money services businesses (MSBs), a category that includes many digital asset platforms.
The order explains that a covered financial institution will not be deemed to have violated the order if, “upon determining that it received CVC that originated from Bitzlato or from an account or CVC address administered by or on behalf of Bitzlato, that covered financial institution rejects the transaction, preventing the intended recipient from accessing such CVC and returning the CVC to Bitzlato, or to the account or CVC address from which the CVC originated.”
The order is effective beginning February 1, 2023 and has no expiration date.
Comparison to Section 311
Section 9714(a) is similar to, and builds upon, Section 311 of the USA PATRIOT Act. Under Section 311, the Secretary of the Treasury can identify a foreign jurisdiction, institution, class of transaction, or type of account as being of primary money laundering concern and require domestic financial institutions and domestic financial agencies to comply with certain “special measures.” Such special measures may include one or more of the following:
- Recordkeeping and reporting for certain transactions;
- Collection of information relating to beneficial ownership;
- Collection of information relating to certain payable-through accounts;
- Collection of information relating to certain correspondent accounts; and
- Prohibition or conditions on the opening or maintaining of correspondent or payable-through accounts.
Section 9714(a) authorizes the Secretary of the Treasury to impose one or more of the special measures listed above or to “prohibit, or impose conditions upon, certain transmittals of funds (to be defined by the Secretary) by any domestic financial institution or domestic financial agency, if such transmittal of funds involves any [identified] institution, class of transaction, or type of account.” Therefore, Section 9714(a) is broader than Section 311 (although it is only available in the context of “Russian illicit finance”).
Treasury has previously used Section 311 against virtual currency entities, including against Liberty Reserve in 2013. However, it has not been a primary tool in Treasury’s arsenal when targeting virtual currency entities because the restrictions authorized under Section 311 are less effective in the virtual currency context. As FinCEN’s Acting Director Himamauli Das recently told the House Committee on Financial Services, “Section 311 was enacted in a time when most financial relationships and transactions were done through the traditional banking system where there are traditional correspondent account relationships …. Currently, the Section 311 authority is not right-sized for the types of threats that we’re seeing through the use of cryptocurrency.”
The FinCEN order also notes that Section 311 would have been inadequate to address the risks from Bitzlato because recordkeeping, information collection, and reporting requirements would be “insufficient” measures and because “[t]he types of CVC transactions that Bitzlato facilitates do not rely on correspondent or payable-through accounts between domestic financial institutions and foreign banks.”
In addition to the press release and order, discussed above, FinCEN issued a Frequently Asked Questions (FAQ) document to provide additional guidance to industry.
The FAQs explain that covered financial institutions should “cease any and all transmittals of funds, including CVC, from or to Bitzlato, or from or to any account or CVC address administered by Bitzlato” and “incorporate the determination that Bitzlato is of primary money laundering concern into their Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) compliance programs.” It adds that “FinCEN expects covered financial institutions, including, but not limited to, convertible virtual currency (CVC) exchangers, to implement procedures reasonably designed to ensure compliance with the terms of the Order and exercise reasonable due diligence to prevent it (or its subsidiaries) from engaging in transmittals of funds involving Bitzlato.”
Identifying Transactions Linked to Bitzlato
FinCEN does not provide a list of wallet addresses known to be associated with Bitzlato and instead recommends that covered financial institutions use “traditional compliance screening and blockchain tracing software, to identify their customers and determine whether they are involved in a transmittal of funds involving Bitzlato.” This approach is notably different from that of the Department of the Treasury’s Office of Foreign Assets Controls (OFAC), which has begun routinely identifying certain wallet addresses associated with sanctioned persons (although dealings with a wallet address not specifically identified by OFAC can be still be prohibited or sanctionable, when the wallet address is associated with a sanctioned person).
Receipt of Unsolicited Funds from Bitzlato
The FAQs also address situations in which covered financial institutions receive unsolicited transfers from Bitzlato, including “dusting and/or spam attacks.” Such attacks occurred after OFAC’s recent designation of Tornado Cash, and FinCEN “anticipates this will occur after the Bitzlato action” as certain persons may seek to “make a statement on the public blockchain.” FinCEN acknowledges that given the nature of blockchain technology it may not be possible for covered financial institutions to decline or preemptively reject incoming CVC transfers. Therefore, the FAQs explain that no violation will occur if a covered financial institution determines it has received CVC from Bitzlato and (1) prevents the intended recipient from accessing such CVC and (2) returns the CVC to Bitzlato or to the address from which the CVC originated.
The return of the funds is only permitted when (1) doing so would not violate other laws, including OFAC rules, and (2) the funds are transferred in CVC (if the funds are transferred in fiat they must be preemptively rejected without accepting the funds).
A covered financial institution returning funds may, upon establishing a process that can be referenced in an audit, elect to either pay any transaction fee itself or withhold a portion of the original CVC to “facilitate the rejection transaction in accordance with its accounting policies and procedures.”
This approach differs from OFAC rules which require the blocking of the property and interests in property of certain sanctioned persons when within the United States or the possession or control of a US person. Returning previously received blocked funds to the sender would typically be considered a violation of OFAC’s rules and the obligations of the recipient to block (i.e., freeze) such funds. The approach in FinCEN’s FAQs also differs from the OFAC rules regarding rejected transactions: OFAC regulations require or authorize US persons to “reject” certain transactions by refusing to process the transaction, but such a rejection must occur before the rejecting party receives the funds. To the extent that OFAC rules may require rejecting a transaction involving CVC, OFAC has not issued guidance indicating that covered financial institutions or other US persons are permitted to return the CVC to the sender after receiving it.
Timing for Rejection and Return
While there is no explicit time limit in which a covered financial institution must identify and reject and return a transaction associated with Bitzlato, FinCEN states that such institutions are “expected to take such steps that a reasonable and prudent financial institution would take in order to identify and reject transactions” and to “exercise reasonable diligence and discretion in rejecting transactions and develop an established process for rejections that can be referenced in an audit.”
Late Discovery of Bitzlato Funds
The FAQs address situations in which a covered financial institution identifies funds that originated from Bitzlato only after the funds have been provided to an end customer or withdrawn from the platform. FinCEN notes that it “recognizes that screening software may not immediately identify some transactions as involving Bitzlato,” but nonetheless “expects that covered financial institutions will take such steps that a reasonable and prudent financial institution would take to identify any transactions that are prohibited by the Order.”
Historical Dealings with Bitzlato
The FAQs clarify that past dealings with Bitzlato do not violate FinCEN’s order and that absent additional facts, such a dealing is “not necessarily indicative of a connection to Russian illicit finance, money laundering, or other illicit activity.” It adds that covered financial institutions should exercise “ordinary due diligence” to determine the significance of such transactions.
SAR Filing Obligations
The FAQs explain that the order does not impose a SAR filing obligation, but that consistent with a financial institution’s existing SAR reporting requirements, such institutions “may consider, as warranted and appropriate, Bitzlato’s identification as a primary money laundering concern related to Russian illicit finance” when making SAR filing decisions. SARs filed in relation to Bitzlato should contain the phrase “FIN-9714 Bitzlato” in Field 2 (Filing Institution Note to FinCEN).
Implications for Foreign-Located MSBs and Their Executives
The criminal complaint against Bitzlato’s co-founder charges him with operating an “unlicensed money services business” in violation of 18 USC § 1960. Charges against an individual defendant are illustrative of DOJ’s general policy of pursuing individual accountability in connection with corporate criminal conduct. While evidence of criminal intent is often challenging for DOJ to muster in such cases, the complaint alleges that the defendant and others at the company viewed the unlicensed nature of the company’s activities and absence of any meaningful AML compliance program as essential features of Bitzlato’s offering and marketed it as such to platforms and users that were well understood to be engaging in criminal activities ranging from drug trafficking to laundering proceeds of ransomware attacks. As asserted in DOJ’s press release, “Bitzlato sold itself to criminals as a no-questions-asked cryptocurrency exchange.”
The apparent basis for US jurisdiction over the conduct of an executive at a non-US cryptocurrency exchange is also notable. Although Bitzlato is organized in Hong Kong and purportedly operated from Russia and China, foreign-located MSBs are required to register with FinCEN and comply with FinCEN rules if they operate in “substantial part” within the United States. There is relatively limited guidance as to what constitutes “substantial part” and only a handful of past enforcement actions dig into this issue.
The complaint contains a fairly lengthy discussion of how Bitzlato satisfied the “substantial part” requirement and points to (1) knowingly servicing US customers, (2) conducting transactions with US-based exchanges, (3) using US “online infrastructure,” and (4) being managed by the defendant while he was in the United States. The complaint does not state whether, in the view of DOJ, any of these factors alone would be sufficient to establish the required nexus or whether it is only in combination that the “substantial part” threshold is reached. Past enforcement actions, including FinCEN and DOJ actions against BTC-E and BitMEX, have focused on servicing US customers, having US offices, and using US-based servers. But those actions have not specifically focused on the location of individuals in management or on transactions between those platforms and US-based exchanges. Therefore, while the complaint provides additional data points for companies seeking to understand the “substantial part” test, it may raise additional questions for some entities as well.