On January 18, 2023, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an order identifying the virtual currency exchange Bitzlato Limited (Bitzlato) as a “primary money laundering concern” in connection with Russian illicit finance.  The order, which is the first of its kind, was issued pursuant to Section 9714(a) of the Combating Russian Money Laundering Act. 

Section 9714(a) is a relatively new provision that authorizes the Secretary of the Treasury to identify a financial institution operating outside the United States as a “primary money laundering concern” and to impose various restrictions on covered financial institutions from dealing with such entities.  The restrictions can vary widely, from heightened recordkeeping and reporting requirements to a prohibition on transmittals of funds between covered financial institutions and the institution of primary money laundering concern.  In this instance, FinCEN opted for the latter by prohibiting covered financial institutions from “engaging in a transmittal of funds from or to Bitzlato, or from or to any account or CVC address administered by or on behalf of Bitzlato.”  (FinCEN refers to most digital assets as “convertible virtual currency” or “CVC”.)

In a related action, the Department of Justice (DOJ) arrested the co-founder and majority owner of Bitzlato in Miami based on a criminal complaint for his alleged operation of an unlicensed “money transmitting business that transported and transmitted illicit funds and that failed to meet U.S. regulatory safeguards, including anti-money laundering requirements.”

About Bitzlato

As described in FinCEN’s press release, Bitzlato is a “virtual currency exchange” that provides traditional exchange and “Peer-to-Peer (P2P services).”  While Bitzlato is incorporated in Hong Kong it allegedly “maintains significant operations in Russia” where it appears to be headquartered.  FinCEN asserts that based on its investigation, including information provided to FinCEN from a blockchain analytics company, Bitzlato was engaged in the “facilitation of deposits and funds transfers by Russia-affiliated ransomware groups or affiliates, and transactions with Russia-connected darknet markets.”  It also allegedly engaged in a number of dealings with entities subject to US sanctions, including the darknet market Hydra. 

FinCEN added that Bitzlato did not take “meaningful steps to identify and disrupt illicit use and abuse of its services” and “advertised a lack of such policies, procedures, or internal controls.”  FinCEN further noted that even if Bitzlato did not knowingly engage in transactions with ransomware groups, “it provides an enabling environment for such ransomware criminals” due to its deficient anti-money laundering controls.

Conduct Prohibited Under the Order

Pursuant to FinCEN’s order, “A covered financial institution is prohibited from engaging in a transmittal of funds from or to Bitzlato, or from or to any account or CVC address administered by or on behalf of Bitzlato.”  The order defines “covered financial institution” as coterminous with the definition of “financial institution” in FinCEN’s rules, enumerated at 31 CFR § 1010.100(t).  Among other types of financial institutions, this includes banks, brokers or dealers in securities, and money services businesses (MSBs), a category that includes many digital asset platforms.

The order explains that a covered financial institution will not be deemed to have violated the order if, “upon determining that it received CVC that originated from Bitzlato or from an account or CVC address administered by or on behalf of Bitzlato, that covered financial institution rejects the transaction, preventing the intended recipient from accessing such CVC and returning the CVC to Bitzlato, or to the account or CVC address from which the CVC originated.” 

The order is effective beginning February 1, 2023 and has no expiration date. 

Comparison to Section 311

Section 9714(a) is similar to, and builds upon, Section 311 of the USA PATRIOT Act.  Under Section 311, the Secretary of the Treasury can identify a foreign jurisdiction, institution, class of transaction, or type of account as being of primary money laundering concern and require domestic financial institutions and domestic financial agencies to comply with certain “special measures.”  Such special measures may include one or more of the following:

  • Recordkeeping and reporting for certain transactions;
  • Collection of information relating to beneficial ownership;
  • Collection of information relating to certain payable-through accounts; 
  • Collection of information relating to certain correspondent accounts; and
  • Prohibition or conditions on the opening or maintaining of correspondent or payable-through accounts. 

Section 9714(a) authorizes the Secretary of the Treasury to impose one or more of the special measures listed above or to “prohibit, or impose conditions upon, certain transmittals of funds (to be defined by the Secretary) by any domestic financial institution or domestic financial agency, if such transmittal of funds involves any [identified] institution, class of transaction, or type of account.”  Therefore, Section 9714(a) is broader than Section 311 (although it is only available in the context of “Russian illicit finance”). 

Treasury has previously used Section 311 against virtual currency entities, including against Liberty Reserve in 2013.  However, it has not been a primary tool in Treasury’s arsenal when targeting virtual currency entities because the restrictions authorized under Section 311 are less effective in the virtual currency context.  As FinCEN’s Acting Director Himamauli Das recently told the House Committee on Financial Services, “Section 311 was enacted in a time when most financial relationships and transactions were done through the traditional banking system where there are traditional correspondent account relationships …. Currently, the Section 311 authority is not right-sized for the types of threats that we’re seeing through the use of cryptocurrency.” 

The FinCEN order also notes that Section 311 would have been inadequate to address the risks from Bitzlato because recordkeeping, information collection, and reporting requirements would be “insufficient” measures and because “[t]he types of CVC transactions that Bitzlato facilitates do not rely on correspondent or payable-through accounts between domestic financial institutions and foreign banks.”

Compliance Guidance

In addition to the press release and order, discussed above, FinCEN issued a Frequently Asked Questions (FAQ) document to provide additional guidance to industry. 

Prohibited Activities

The FAQs explain that covered financial institutions should “cease any and all transmittals of funds, including CVC, from or to Bitzlato, or from or to any account or CVC address administered by Bitzlato” and “incorporate the determination that Bitzlato is of primary money laundering concern into their Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) compliance programs.”  It adds that “FinCEN expects covered financial institutions, including, but not limited to, convertible virtual currency (CVC) exchangers, to implement procedures reasonably designed to ensure compliance with the terms of the Order and exercise reasonable due diligence to prevent it (or its subsidiaries) from engaging in transmittals of funds involving Bitzlato.”

Identifying Transactions Linked to Bitzlato

FinCEN does not provide a list of wallet addresses known to be associated with Bitzlato and instead recommends that covered financial institutions use “traditional compliance screening and blockchain tracing software, to identify their customers and determine whether they are involved in a transmittal of funds involving Bitzlato.”  This approach is notably different from that of the Department of the Treasury’s Office of Foreign Assets Controls (OFAC), which has begun routinely identifying certain wallet addresses associated with sanctioned persons (although dealings with a wallet address not specifically identified by OFAC can be still be prohibited or sanctionable, when the wallet address is associated with a sanctioned person).

Receipt of Unsolicited Funds from Bitzlato

The FAQs also address situations in which covered financial institutions receive unsolicited transfers from Bitzlato, including “dusting and/or spam attacks.”  Such attacks occurred after OFAC’s recent designation of Tornado Cash, and FinCEN “anticipates this will occur after the Bitzlato action” as certain persons may seek to “make a statement on the public blockchain.”  FinCEN acknowledges that given the nature of blockchain technology it may not be possible for covered financial institutions to decline or preemptively reject incoming CVC transfers.  Therefore, the FAQs explain that no violation will occur if a covered financial institution determines it has received CVC from Bitzlato and (1) prevents the intended recipient from accessing such CVC and (2) returns the CVC to Bitzlato or to the address from which the CVC originated. 

The return of the funds is only permitted when (1) doing so would not violate other laws, including OFAC rules, and (2) the funds are transferred in CVC (if the funds are transferred in fiat they must be preemptively rejected without accepting the funds). 

A covered financial institution returning funds may, upon establishing a process that can be referenced in an audit, elect to either pay any transaction fee itself or withhold a portion of the original CVC to “facilitate the rejection transaction in accordance with its accounting policies and procedures.”

This approach differs from OFAC rules which require the blocking of the property and interests in property of certain sanctioned persons when within the United States or the possession or control of a US person.  Returning previously received blocked funds to the sender would typically be considered a violation of OFAC’s rules and the obligations of the recipient to block (i.e., freeze) such funds.  The approach in FinCEN’s FAQs also differs from the OFAC rules regarding rejected transactions:  OFAC regulations require or authorize US persons to “reject” certain transactions by refusing to process the transaction, but such a rejection must occur before the rejecting party receives the funds.  To the extent that OFAC rules may require rejecting a transaction involving CVC, OFAC has not issued guidance indicating that covered financial institutions or other US persons are permitted to return the CVC to the sender after receiving it.

Timing for Rejection and Return

While there is no explicit time limit in which a covered financial institution must identify and reject and return a transaction associated with Bitzlato, FinCEN states that such institutions are “expected to take such steps that a reasonable and prudent financial institution would take in order to identify and reject transactions” and to “exercise reasonable diligence and discretion in rejecting transactions and develop an established process for rejections that can be referenced in an audit.”

Late Discovery of Bitzlato Funds

The FAQs address situations in which a covered financial institution identifies funds that originated from Bitzlato only after the funds have been provided to an end customer or withdrawn from the platform.  FinCEN notes that it “recognizes that screening software may not immediately identify some transactions as involving Bitzlato,” but nonetheless “expects that covered financial institutions will take such steps that a reasonable and prudent financial institution would take to identify any transactions that are prohibited by the Order.”

Historical Dealings with Bitzlato

The FAQs clarify that past dealings with Bitzlato do not violate FinCEN’s order and that absent additional facts, such a dealing is “not necessarily indicative of a connection to Russian illicit finance, money laundering, or other illicit activity.”  It adds that covered financial institutions should exercise “ordinary due diligence” to determine the significance of such transactions.

SAR Filing Obligations

The FAQs explain that the order does not impose a SAR filing obligation, but that consistent with a financial institution’s existing SAR reporting requirements, such institutions “may consider, as warranted and appropriate, Bitzlato’s identification as a primary money laundering concern related to Russian illicit finance” when making SAR filing decisions.  SARs filed in relation to Bitzlato should contain the phrase “FIN-9714 Bitzlato” in Field 2 (Filing Institution Note to FinCEN).

Implications for Foreign-Located MSBs and Their Executives

The criminal complaint against Bitzlato’s co-founder charges him with operating an “unlicensed money services business” in violation of 18 USC § 1960.  Charges against an individual defendant are illustrative of DOJ’s general policy of pursuing individual accountability in connection with corporate criminal conduct.  While evidence of criminal intent is often challenging for DOJ to muster in such cases, the complaint alleges that the defendant and others at the company viewed the unlicensed nature of the company’s activities and absence of any meaningful AML compliance program as essential features of Bitzlato’s offering and marketed it as such to platforms and users that were well understood to be engaging in criminal activities ranging from drug trafficking to laundering proceeds of ransomware attacks.  As asserted in DOJ’s press release, “Bitzlato sold itself to criminals as a no-questions-asked cryptocurrency exchange.”    

The apparent basis for US jurisdiction over the conduct of an executive at a non-US cryptocurrency exchange is also notable.  Although Bitzlato is organized in Hong Kong and purportedly operated from Russia and China, foreign-located MSBs are required to register with FinCEN and comply with FinCEN rules if they operate in “substantial part” within the United States.  There is relatively limited guidance as to what constitutes “substantial part” and only a handful of past enforcement actions dig into this issue. 

The complaint contains a fairly lengthy discussion of how Bitzlato satisfied the “substantial part” requirement and points to (1) knowingly servicing US customers, (2) conducting transactions with US-based exchanges, (3) using US “online infrastructure,” and (4) being managed by the defendant while he was in the United States.  The complaint does not state whether, in the view of DOJ, any of these factors alone would be sufficient to establish the required nexus or whether it is only in combination that the “substantial part” threshold is reached.  Past enforcement actions, including FinCEN and DOJ actions against BTC-E and BitMEX, have focused on servicing US customers, having US offices, and using US-based servers.  But those actions have not specifically focused on the location of individuals in management or on transactions between those platforms and US-based exchanges.  Therefore, while the complaint provides additional data points for companies seeking to understand the “substantial part” test, it may raise additional questions for some entities as well.

If you have questions regarding these actions please contact a member of Steptoe’s Anti-Money Laundering Practice or Blockchain and Cryptocurrency Practice.

On December 16, FinCEN issued a notice of proposed rulemaking (NPRM) entitled “Beneficial Ownership Information Access and Safeguards, and Use of FinCEN Identifiers for Entities.” The NPRM is intended to implement the Corporate Transparency Act (CTA) and, in particular, to govern which entities may access corporate beneficial ownership information (BOI) that certain entities will soon be required to report to FinCEN under the CTA. Steptoe previously summarized FinCEN’s final rule on BOI reporting here. The NPRM has important implications for regulated financial institutions in the blockchain industry and would exclude many blockchain companies from accessing BOI.

What Happened

The new NPRM outlines the specific situations in which FinCEN will share BOI with third parties. The majority of these situations relate to requests by other governmental entities, including: (1) US federal, state, local, and tribal government agencies requesting BOI in furtherance of national security, intelligence, or law enforcement activity; (2) certain foreign governmental entities, including law enforcement agencies, judges, and prosecutors, among others; (3) federal functional regulators and other appropriate regulatory agencies acting in a supervisory capacity assessing financial institutions for compliance with customer due diligence (CDD) requirements; and (4) the Department of the Treasury itself.

Certain private entities will also be able to access BOI in specific circumstances. More specifically, under proposed Section 1010.955(b)(4), “financial institution[s] subject to customer due diligence requirements under applicable law” may request BOI information to be used in facilitating compliance with FinCEN’s CDD rule. The CDD rule requires certain financial institutions to collect and retain information regarding the ownership and control of legal entity customers.

Under the CTA, FinCEN may disclose BOI to a financial institution only if “each reporting company that reported such information consents to such disclosure.”  Under the proposed rule, the relevant financial institution is responsible for obtaining and documenting the consent of the reporting company and must certify to FinCEN that it is a financial institution seeking to comply with the CDD rule and has obtained the required consent.

Finally, the NPRM requires financial institutions receiving BOI to take a number of measures to ensure the provided information is maintained in a secure manner, only used for authorized purposes, and only disclosed to authorized persons. Individuals working at financial institutions that receive BOI are permitted to share BOI with other individuals in the same financial institution so long as such persons are “within the United States.”  The inability of financial institutions to share BOI with non-US affiliates, or with other non-US persons who support customer due diligence functions, has potentially significant operational ramifications for international financial institutions.  

What it Means

Unlike some other jurisdictions, which make some BOI public (e.g., Companies House in the UK), the FinCEN BOI database will be confidential and accessible only by the above categories of actors. This means it will not be available to some financial institutions or to non-financial institutions seeking to conduct due diligence on their customers or suppliers. Nor will it be available to due diligence firms or software providers offering commercial screening tools.

It is notable that the NPRM treats financial institutions with CDD rule compliance requirements differently from those without, by only allowing financial institutions covered by the CDD rule to have access to the BOI in FinCEN’s database. Financial institutions subject to the CDD rule include banks, trust companies, credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities. (Historically certain state-chartered trust companies were not subject to the CDD rule, but this changed in September 2020.)  However, a number of other types of financial institutions, including money services businesses (MSBs) and dealers in precious metals, precious stones, and jewels, are not subject to the CDD rule. This means that, under the proposed rule, these types of financial institutions would not be able to access the FinCEN-reported BOI information for compliance purposes.

Many blockchain platforms, such as exchanges, hosted wallet providers, and dealers, are regulated as MSBs, meaning they would be excluded from BOI access. However, a small number of blockchain entities are regulated as trust companies or other entities covered by the CDD rule.

The CTA authorizes FinCEN to disclose BOI to financial institutions seeking to comply with “customer due diligence requirements under applicable law.”  The NPRM acknowledges that the CTA leaves the phrase “customer due diligence requirements” undefined and, as such, FinCEN chose to define that term narrowly to mean FinCEN’s CDD rule contained at 31 CFR § 1010.230. It explains that FinCEN considered taking a broader approach, but ultimately determined “a more tailored approach will be easier to administer, reduce uncertainty about what FIs may access BOI under this provision, and better protect the security and confidentiality of sensitive BOI by limiting the circumstances under which FIs may access BOI.”  Nonetheless, the NPRM specifically solicits comments on “whether a broader reading of the phrase ‘customer due diligence requirements’ is warranted under the framework of the CTA, and, if so, how customer due diligence requirements should be defined in order to provide regulatory clarity, protect the security and confidentiality of BOI, and minimize the risk of abuse.”

Exclusion from access to BOI for financial institutions not subject to the CDD rule has a number of implications. On one hand, such institutions will not be able to access a potentially useful and important tool in conducting know your customer (KYC) reviews and related compliance measures, potentially placing them at a disadvantage as compared to other financial institutions. On the other hand, not having access to BOI will eliminate any extra compliance burdens that may be generated by obtaining customer consent and submitting requests for BOI to FinCEN. It will also prevent scenarios in which a financial institution’s decision not to seek BOI is later questioned by a regulator.

The Path Ahead

FinCEN welcomes comments on the NPRM through February 14, 2023. The NPRM lists a number of specific questions on topics including the clarity of the rule, the disclosure limitations, limitations on the use of BOI by recipients, and the security and confidentiality requirements, among other topics. Steptoe’s Anti-Money Laundering Practice is available to assist entities in preparing comments on the NPRM.

Reports of FTX Group’s demise has been inescapable since news first broke of potential insolvency and misuse of customer funds. This blog post provides some background on the situation as well as some thoughts on what is likely to come next. Please see our blog post here on the enforcement storm that is about to hit the cryptocurrency industry—we will be posting additional blog posts on related topics here as well.

The Background

In late 2017, Sam Bankman-Fried founded Alameda Research (Alameda), a quantitative cryptocurrency trading firm headquartered in Hong Kong. Alameda provided a platform for trading in every cryptocurrency market, and was known for pursuing aggressive trading strategies. In 2019, Bankman-Fried founded FTX, a cryptocurrency exchange currently headquartered in the Bahamas, out of Alameda. Bankman-Fried built significant wealth through Alameda and FTX—in early 2022, FTX was reportedly worth $32 billion. While it was known early on that Alameda traded on FTX, industry understanding was that the two entities were distinct aside from common ownership. Shortly after Bankman-Fried founded FTX, the CEO of Binance, Changpeng Zhao (CZ), purchased a controlling stake in the company. FTX bought out Binance’s stake in 2021, for which Binance received over $2 billion, much of which was in FTT, the native token of FTX.

On November 2, 2022, Coindesk published an article discussing a report that revealed that a significant portion of Alameda’s assets were held in FTT. The article observed that “Alameda rests on a foundation largely made up of a coin that a sister company invented, not an independent asset like a fiat currency or another crypto.” Specifically, of the $14.6 billion in assets indicated on the Alameda balance sheet, $3.66 billion was in unlocked FTT and $2.16 billion was in FTT collateral.

The Collapse

On November 6, 2022, CZ announced on Twitter that Binance planned to liquidate its remaining FTT, citing “post-exit risk management.” In response, Alameda offered to purchase all of Binance’s FTT at $22 per coin, which Binance refused. Instead, Binance began to sell its FTT on the open market, resulting in a significant price drop for FTT. While FTX had already seen an increase in withdrawals since the Coindesk article was published, withdrawals rose dramatically following CZ’s announcement and the subsequent rejection of the Alameda offer—that evening, Bankman-Fried posted on Twitter that FTX “had already processed billions of dollars of deposits/withdrawals” that day. By the evening of November 6, fears arose among FTX customers about the solvency of FTX and Alameda.

On November 7, 2022, Bankman-Fried once again took to Twitter, this time stating (in now-deleted tweets) that FTX and customer assets were fine, that FTX had “enough to cover all client holdings,” and that FTX did not invest client assets. However, by the morning of November 8, 2022, customer withdrawals were taking longer to complete, and soon FTX stopped processing them. Reuters reported that FTX had seen $6 billion in withdrawals in the 72 hours prior, which appeared to cause a liquidity crisis for FTX. Later that morning, Bankman-Fried announced an agreement to sell FTX to Binance, pending due diligence, which was non-binding on Binance. In the same thread of tweets, Bankman-Fried highlighted that “the important thing is that customers are protected.” Much of the industry was, however, skeptical of the FTX-Binance deal.

On November 9, 2022, Binance backed away from the agreement to acquire FTX after reviewing FTX’s financial records. That day, Bankman-Fried sought help from Wall Street investors, stating during a call that FTX needed $8 billion in emergency funding to meet demand for client withdrawals. It was soon revealed that Bankman-Fried allegedly transferred at least $4 billion from FTX to Alameda when the trading firm suffered losses during the industry downturn of summer 2022, some of which was customer funds. Some reports indicated that Alameda owed FTX upwards of $10 billion—FTX had $16 billion in customer funds, and reportedly loaned half of those funds to Alameda. Notably, loaning customer funds was explicitly forbidden in the FTX terms of service, which stated that title to assets remained with the customer. Apparently, Bankman-Fried moved the funds through a “back door” built into FTX’s bookkeeping system that allowed him to alter the company’s financial records without alerting internal compliance.

On November 11, 2022, FTX filed for Chapter 11 bankruptcy protection, along with Alameda and over 130 other FTX-affiliated entities. Bankman-Fried also resigned as CEO of FTX. FTX could owe money to over 1 million customers.

What’s Next?

The collapse of FTX has shaken the crypto industry, particularly because FTX was viewed as one of the most trusted exchanges in the sector. FTX customers are most directly affected by the situation. The only potential reprieve for FTX customers is through bankruptcy proceedings. After filing for Chapter 11 bankruptcy, a business must submit a reorganization plan to the bankruptcy court, agreed upon by the debtor and its major creditors, and the court must confirm the plan. Typically, the goal should be to maximize recovery for creditors. This will not be a typical bankruptcy proceeding, however. Looming jurisdictional disputes between the Bahamas and the United States are likely to add to the complications. 

Following the bankruptcy proceedings, FTX customers should, in theory, receive some portion of the company’s remaining assets. However, it remains unclear what assets, if any, will remain to be disbursed given the recordkeeping discrepancies reported in the press. Another issue arises with respect to who owns the customer deposits. If deemed to be owned by FTX, the deposits would be pooled with the total remaining assets to be divided to pay all creditors, resulting in much lower payments for customers.             

Policymakers in Washington, D.C. are shocked by the apparent deception displayed by one of the most vocal advocates for a new crypto regulatory regime. Hearings are beginning to be scheduled to learn the details of what exactly happened and why in the FTX collapse, and it can be assured that more hearings and potential legislation will be discussed in the new Congress. Finally, federal prosecutors in New York are reportedly investigating the FTX collapse, and specifically the company’s handling of customer funds. This probe joins investigations by the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and law enforcement in the Bahamas.

With the collapse of FTX and Alameda so close on the heels of Celsius, one thing is clear – the regulatory and enforcement storm so many anticipated coming to crypto is now here.  Unfortunately, regardless of what the facts surrounding FTX and Alameda ultimately turn out to be, incidents like this serve to reinforce the biases of enforcement agencies against all crypto companies, regardless of their construction, design, operation, or leadership. For some prosecutors and investigators, this incident will be seen as validation of the view that everything and everyone in the crypto space is dirty, or a scam (or both).

That’s not true, and it’s not fair, but it’s the reality crypto companies are facing.  And these effects will linger long after the fall of FTX is a memory. 

Even in the best of times, it’s hard to get enforcement agencies not to paint all crypto companies with the same brush. These are not the best of times – and all it takes is one or two high-profile incidents to undo years of progress, and we’ve now had more than that just in the past few months.

So what should crypto companies be doing now, with these storm clouds clearly on the horizon?

First, line up counsel now, so you are prepared for the day when subpoenas arrive and agents start knocking on doors to interview your people. Decisions made in the initial moments of an investigation can have far-reaching consequences, so it’s important to think through those scenarios and issues in advance.  

Second, this is the time for a “wellness check” of sorts – a review of the areas of your business that are most likely to draw interest from DOJ and other agencies. AML/KYC.  Sanctions. Disclosures to customers or counterparties. Lending arrangements.  Arrangements among companies with shared or overlapping ownership. All of these should be scrutinized by your company now, because agencies will scrutinize them later.  And to be most useful, this type of review should be done by a different firm than the one that helped design your systems or drafted your policies. In these circumstances, a fresh set of eyes is better, and more credible with the government, than having a firm check its own work. This doesn’t mean displacing that firm – it means making sure you have covered all of your bases. Doing this type of review won’t prevent a company from being targeted, just as storm shutters can’t prevent a hurricane. But it will increase the chances that the company can mitigate the pain associated with any such investigation and put the company in a stronger position to get through it successfully.

Exchanges and other VASPs, decentralized exchanges and decentralized finance platforms, and others in the digital asset space would be wise to prepare now – the calm before the storm is over, and the storm will be with us for quite some time. 

On October 11, 2022, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) announced enforcement actions against Bittrex, Inc. (Bittrex), a privately-owned digital asset trading platform based in Bellevue, Washington, for apparent violations of anti-money laundering (AML) laws and of multiple sanctions programs. A settlement of over $24 million was announced by OFAC and a $29 million fine was announced by FinCEN. FinCEN will credit payment of the OFAC settlement amount toward Bittrex’s potential liability with FinCEN, meaning Bittrex will pay just over $29 million in total. Joint enforcement action between OFAC and FinCEN is uncommon—the settlements mark the first instance of parallel enforcement actions by OFAC and FinCEN in the digital asset sector.

The parallel settlements provide insight into certain sanctions and AML risks in the digital asset sector and illustrate how OFAC and FinCEN rules intersect and overlap in part: for example, that OFAC violations can trigger suspicious activity report filing obligations.

Continue Reading OFAC and FinCEN Announce Enforcement Actions Against Bittrex

On October 10, 2022, the Organisation for Economic Co-Operation and Development (OECD) released its new global tax reporting standards for cryptocurrency and other digital assets, the Crypto-Asset Reporting Framework (CARF) and Amendments to the Common Reporting Standard.[1] The CARF provides standards that, if adopted by jurisdictions, would require cryptocurrency exchanges, intermediaries, and other service providers to report to tax authorities required tax information related to certain crypto-asset transactions.

In response to the rapid use and adoption of cryptocurrency, the G-20 mandated the OECD develop a framework for the exchange of tax information for crypto-assets. According to the OECD, crypto-assets are often transferred without the use of traditional financial intermediaries and the CARF addresses coverage gaps in the Common Reporting Standard (CRS) to develop an international reporting framework to ensure standardized tax reporting for crypto-asset transactions.

The CARF includes model rules and commentary for countries to implement domestic laws to collect information related to crypto-asset transactions and is focused on four key areas: (1) the scope of crypto-assets to be covered, (2) the entities and individuals subject to reporting, (3) the transactions subject to reporting, and (4) due diligence procedures.

Continue Reading OECD Releases New Global Tax Reporting Framework for Cryptocurrency

On August 30, 2022, further amendments to the UK’s nine thematic and 29 geographic sanctions regulations came into effect, which expand financial sanctions reporting obligations to cryptoasset exchanges and custodian wallet providers.  The amendments, which were introduced under the Sanctions (EU Exit) (Miscellaneous Amendments) Regulations 2022 and the Sanctions (EU Exit) (Miscellaneous Amendments) (No.2) Regulations 2022 (Amending Regulations), revise the definition of a “relevant firm” to which mandatory financial sanctions reporting obligations apply.

For more information on how these developments could impact your organization, contact Alexandra Melia, in Steptoe’s Economic Sanctions team in London.

Continue Reading New UK Sanctions Legislation Expands Mandatory Financial Sanctions Reporting Obligations to Include Crypto Providers

On August 1, Robinhood Crypto, LLC (RHC) entered a consent order with the New York State Department of Financial Services (DFS) requiring RHC to pay a $30 million fine for violating (1) New York’s virtual currency regulatory regime known as the BitLicense, (2) a Supervisory Agreement entered with DFS as a condition of its BitLicense, (3) anti-money laundering (AML) requirements applicable to money transmitters, and (4) other requirements related to transaction monitoring, filtering, and cybersecurity. The consent order, which is DFS’s first enforcement action under the BitLicense regime or against a digital currency business, offers several important takeaways for blockchain companies operating or seeking to operate in the state, including (1) the importance of scaling up compliance processes commensurate with business growth, (2) the risks of relying on compliance programs of affiliated entities, (3) the importance of well-developed reporting lines in compliance programs, and (4) the consequences of filing “improper” certifications under DFS’s transaction monitoring and cybersecurity rules.

Continue Reading DFS’s First Enforcement Action Against a Blockchain Company: Lessons Learned

On August 8, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced the imposition of sanctions on the decentralized digital asset mixer Tornado Cash. The action marks the first time OFAC has targeted an on-chain decentralized protocol. To date, OFAC has not issued any guidance specific to decentralized finance (DeFi) as part of its broader sanctions guidance for the “virtual currency” industry, but the Tornado Cash action lays down an important marker and makes clear that OFAC will target projects or protocols engaged in illicit activity regardless of their centralized or decentralized status. (Our prior blog post on OFAC’s general virtual currency guidance is available here).

According to OFAC, Tornado Cash was “used to launder more than $7 billion worth of virtual currency since its creation in 2019,” including over $455 million stolen by the Lazarus Group, a North Korean-backed hacking group that was previously targeted by OFAC sanctions. In announcing the action, Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian Nelson explained, “Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”

Continue Reading OFAC Designates Tornado Cash in First Action Against a Decentralized Platform

On July 21, 2022, the SEC filed insider trading charges in federal court against a former Coinbase product manager and two others for trading ahead of multiple announcements that certain crypto assets would be made available for trading on the platform.[1] The SEC alleged that the defendants traded ahead of listing announcements for at least 25 crypto assets, “at least nine” of which the Commission asserted are investment contracts under the federal securities laws. The complaint includes a Howey[2] analysis for the nine crypto assets that serve as the basis for the SEC’s jurisdiction in this matter. In a parallel action, the Department of Justice charged the same individuals for wire fraud, notably not pursuant to a securities fraud theory.[3]

The charges against the individuals, should the alleged activity prove to be true, are deserved, and evidently resulted from internal efforts by Coinbase to detect frontrunning of listings. The DOJ’s wire fraud case therefore has a high likelihood of success, again should the allegations prove to be true, because wire fraud can occur regardless of whether the assets at issue are securities. The trouble for the industry comes from the fact that the SEC has made allegations in its civil complaint against nine token projects that are not parties to the action, and in at least some cases, had not previously been subject to a direct investigation by the SEC. Moreover, the SEC’s investment contract allegations are jurisdictional; that is, the SEC must obtain a holding that at least one of the tokens is in fact a security for its insider trading case, based on frontrunning securities listings under US securities laws, to succeed. This creates strong incentives for the SEC to drive the case towards such a finding, and gives little opportunity for the projects at issue—or the industry at large—to effectively refute the SEC’s claims or to contest the SEC’s methods.

Industry problem number one, therefore, is a seeming casting aside of due process considerations with respect to SEC determinations concerning specific tokens or projects. Unarguably, the parties in the best position to defend against the charge that the crypto assets are securities are the projects that launched the crypto assets and the platforms that list them. These entities are not parties to the lawsuit, and at least some were never aware of any investigation by the SEC nor were they solicited for information or legal positions. Moreover, five of the nine projects do not appear to be based in the U.S. and therefore may have little incentive to attempt to intervene or engage with U.S. courts on the matter, since the SEC may not even have jurisdiction over them as entities. Accordingly, the action has placed one platform and nine entities—and by extension, the industry—in a corner, subject to a potentially adverse legal decision without the ability to mount a defense.

The fact that this is an industry problem is illustrated by industry problem number two: the relatively generic nature of the crypto assets that the SEC chose to name in the complaint. Strike out the names of the tokens and their issuers and read only the descriptions of the projects, and the nine tokens sound a lot like representatives of classes or categories of sub-assets within the digital asset ecosystem: payment tokens; native platform tokens; governance tokens, etc. The projects also seemingly represent various sectors of the digital asset industry: payment platforms; decentralized liquidity pools and automated market makers; and projects governed via decentralized autonomous organizations (DAOs). As a result, the complaint portends trouble for the entire digital asset industry, as the SEC uses various factors—some listed in its 2019 FinHub guidance,[4] some not—to support elements of its Howey analysis that are common to many projects across the industry.

As specific examples, the SEC’s Howey analysis for the nine projects reveals the SEC’s views on several common features in DeFi:

Governance TokensThree of the crypto assets identified by the Commission may be characterized as governance tokens. While governance tokens are intended to be a vehicle through which projects can achieve true decentralization, the SEC’s complaint suggests that it will not be persuaded by such efforts, regardless of the level of decentralization via the governance token, when a core development team holds governance tokens and can therefore both vote and derive economic benefit from those tokens. As a result, should the SEC prevail, any governance token could be characterized by the SEC as a security where a core development team (either as individuals or as members of unrelated development companies or labs) holds more than a de minimis number of the tokens.

Staking, Liquidity Pool Tokens, Yield Farming – Decentralized platforms often feature native tokens that enable decentralized liquidity pool trading and automated market making, and often permit (or even require) the staking of a certain number of those tokens in order to access the features of the platform. These functions of the native tokens are commonly considered to represent their utility, and they enable decentralization. However, the SEC relies on these activities and features across a number of the identified crypto assets in order to establish the existence of a common enterprise and a reasonable expectation of profits (two elements of the Howey test). As a result, the complaint is tantamount to an SEC assertion that these common features of DeFi protocols irrevocably taint these tokens as securities.

Offshore DAO StructuresThe SEC’s complaint summarily and repeatedly describes organizational structures consisting of some combination of a U.S.-based company providing software development services, an offshore foundation company, and an offshore unincorporated DAO, as a single entity. The SEC paints with a broad brush, collapsing corporate structures without consideration of applicable provisions of corporate law, ignoring jurisdictional considerations, and conflating platforms and protocols with for-profit corporations and LLCs, foundation and other non-stock entities, and unincorporated entities. While there are no details about the arrangements between these entities, the complaint signals that the SEC may be skeptical of the separation of offshore structures from a U.S. development team, and will not hesitate to make assumptions and allegations concerning the relationship of corporate entities without examination of underlying corporate structures and relationships.

Secondary Market Trading – While the SEC has long represented that the presence of a secondary market for tokens is a factor to consider in determining whether a reasonable expectation of profits exists, the SEC’s complaint focuses on this factor to an unusual degree. The complaint declares that statements emphasizing the ability of purchasers to resell tokens in secondary markets is “a crucial inducement to investors and essential to the market”[5] for crypto assets, and focuses much of its arguments for the nine crypto assets on this factor. As a result, the SEC announces almost a de facto finding of an investment contract if there is secondary market trading of the asset.

It is also worth noting that the Commission’s Howey analysis in this complaint marks an important shift from prior actions. In prior cases like those involving Kik, Telegram, and Ripple, the entities were the subjects of SEC investigations, had the opportunity to provide evidence in their own defense, and had the ability to submit a written legal justification prior to any action being filed (called a Wells submission) presenting its arguments against the security status of the asset. Here, the nine analyses are formulaic: the Commission identifies statements intended to establish that the token issuers promoted (1) the value of the token, (2) the ability for purchasers to engage in secondary trading of the token, and (3) the expertise of the token issuers, at both the time of the sale of tokens to the public and on an ongoing basis. No evidence from the company is included, and in at least some cases, none was ever solicited, nor were the companies provided the ability to advocate their own positions.

In sum, the outcome of the SEC’s complaint is likely to reverberate beyond not only the defendants in the case, the nine crypto asset issuers identified in the complaint, and the platforms that list the nine tokens. Many other DeFi protocols and participants in the larger crypto ecosystem engage in similar activities to the projects identified in the complaint. Many have not had engagement with the SEC, or to the extent that they have, they may believe these interactions to not have reached a point where the SEC would make an allegation concerning their asset in court. To the extent the SEC is successful in obtaining a favorable judgment finding these nine crypto assets to be securities, such a finding will likely be used to underpin additional enforcement actions against larger and more established players in the industry.

Civil insider trading cases are often stayed pending the outcome of the criminal proceeding, so there is time for the industry to react. However, criminal wire fraud cases tend to have the effect of focusing individual defendants’ attention, and there is a real risk that the SEC will attempt to leverage that criminal case to secure the defendants’ agreement to the language of a settlement of the SEC’s civil claims that could be ratified by the court and used as a cudgel against the industry.

For more information on how to assess the potential impact of the SEC’s complaint to your entity, platform, asset, or fund, please contact a member of Steptoe’s Blockchain & Cryptocurrency practice.



[1] Complaint, SEC v. Wahi, et al., 2:22-cv-01009 (W.D. Wash. Jul. 21, 2022), available at https://www.sec.gov/litigation/complaints/2022/comp-pr2022-127.pdf (hereinafter “SEC Complaint”).

[2] SEC v. W.J. Howey Co., 328 U.S. 293 (1946).

[3] Indictment, U.S. v. Wahi, et al., (S.D.N.Y. Jul, 21, 2022), available at https://www.justice.gov/usao-sdny/press-release/file/1521186/download.

[4] SEC FinHub Staff, Framework for “Investment Contract” Analysis of Digital Assets (Apr. 3, 2019), https://www.sec.gov/corpfin/framework-investment-contract-analysis-digital-assets.

[5] SEC Complaint at 22.