5AMLD: Everything You Need About EU's Crypto Regulations
In recent years, cryptocurrencies1 have emerged as a prominent feature of the global financial system. Since the first decentralised cryptocurrency, Bitcoin, was unveiled by the mysterious figure known only as “Satoshi Nakamoto” in 2009,2 both the overall value of cryptocurrency in circulation and the variety of different types of cryptocurrency have expanded dramatically. According to one estimate, the global market capitalisation of cryptocurrencies exceeded USD602 billion in the fourth quarter of 2017, before falling below USD300 billion in 2018.3
Due to this growth, cryptocurrencies and initial coin offerings (“ICOs”) have become an important form of personal wealth and a broad range of cryptocurrency-related businesses have emerged to serve the cryptocurrency sector. These include businesses that are directly involved in cryptocurrency trading and development, such as cryptocurrency exchanges and cryptocurrency “mining” operations,4 as well as those that provide ancillary services to or are otherwise indirectly involved with the cryptocurrency markets and participants, including, but not limited to, firms in the retail, banking, gaming, and computing sectors. The growth of such markets has been fuelled by substantial investor interest, such that many now include cryptocurrencies within their investment portfolios.
For regulated financial institutions (“FIs”),5 the opportunities presented by cryptocurrencies and distributed ledger technology (“DLT”)6 are tied to significant operational and regulatory challenges, not least to the implementation of anti-money laundering and counter-terrorist financing (together, “AML”) regimes. From the regulatory standpoint, many of the risks associated with cryptocurrencies echo those presented by new financial products and technologies of the past: the risk of untested business models; the potential for abuse and fraud; the lack of a clear and shared understanding of DLT and how cryptocurrencies are sold and traded over it; and the related uncertainty of a still unshaped regulatory environment.
At the same time, key aspects of the cryptocurrency ecosystem are, by design, different from past internet-based systems and platforms. Peer-to-peer transaction authentication was created to permit coin holders to bypass institutional intermediaries, who are required to serve as essential gatekeepers in the global AML regime and in the broader financial markets. The potential for mutual anonymity among counterparties can frustrate the Know-Your-Customer (“KYC”) and customer identification procedures (“CIP”) on which existing AML regimes depend. The online ecosystem surrounding cryptocurrency opens new cyber and insider threat vulnerabilities, while the iterative nature of the DLT underlying cryptocurrencies prevents reversibility when a fraudulent or unlawful transaction has occurred. Finally, the absence of in-built geographic limitations makes it difficult to resolve which jurisdiction, or jurisdictions, may potentially regulate each underlying activity.
In this environment, both FIs and regulators must confront technically complex problems in a compressed time-span and in the face of what often appear to be unquantifiable risks. After an initial period of relative forbearance, financial regulators are now responding more aggressively to emerging risks and potential benefits associated with cryptocurrency, ICOs, and DLT. Recent moves by regulators in the United States and other jurisdictions to assert authority over cryptocurrency markets underscore this backdrop of legal and regulatory uncertainty. The ambiguous legal status of many cryptocurrency businesses further raises the stakes for FIs doing business with cryptocurrency entrepreneurs, whose regulatory risk tolerance may be more likely to reflect the ‘wild west’ culture of technology startups than that of traditional financial services providers.
Acknowledging the dynamism of the present moment, this chapter seeks to provide a high-level view of how the emerging cryptocurrency sector intersects with AML regulations and the risk-based AML diligence systems maintained by FIs. To begin, section 2 provides a brief description of how cryptocurrencies function, including the underlying technology and associated cryptocurrency businesses. Section 3 presents a non-exhaustive survey of the evolving regulation of cryptocurrency in key jurisdictions, with an emphasis on major financial centres and contrasting approaches to cryptocurrency AML regulation. Finally, section 4 identifies cryptocurrency risk considerations for FIs, focusing on risks posed by customers who hold, produce, or otherwise interact with cryptocurrencies to a significant degree and by services provided to cryptocurrency markets.
Before outlining how governments have applied AML rules to cryptocurrencies, it is helpful to establish both a basic technical understanding of how cryptocurrencies work and a common vocabulary for the types of products, services, and actors that play a role in the cryptocurrency markets.
Cryptocurrency is a form of virtual currency. FATF has defined “virtual currency” as “a digital representation of value” that “does not have legal tender status ... in any jurisdiction”, and serves one or more of three functions: (1) “a medium of exchange”; (2) a “unit of account”; or (3) “a store of value”.7 Lack of legal national tender status is what, under the FATF definition, distinguishes virtual currency from “fiat currency”, which is traditional national currency, and “e-money”, which is a digital representation of fiat currency. Virtual currencies may be either convertible8 (having a fixed or floating equivalent value in fiat currency) or non-convertible9 (having use only within a particular domain, such as a game or a customer reward programme), and the administration of a virtual currency may be centralised10 (controlled by a single administrator) or decentralised (governed by software using DLT principles).11
Under this taxonomy, a paradigmatic cryptocurrency such as Bitcoin is a convertible, decentralised virtual currency that “utilizes cryptographic principles” to ensure transactional integrity, despite the absence of trusted intermediaries such as banks. While Bitcoin, which launched in early 2009, is the oldest and most well-known cryptocurrency, many variations have since been created with various features. LiteCoin, the second-longest running cryptocurrency after Bitcoin, used the same source code but permits more efficient decryption (also known as “hashing” or “mining,” as discussed below). Ether, which as of this writing has the second largest market cap after Bitcoin, debuted in 2015 and is built on a flexible “smart contract” protocol called Ethereum, which can in turn be used to encode rights in a variety of asset types into a DLT-tradable form.12 More recent variants, such as Ripple, provide for issuance and redemption through a centralised administration controlled by a consortium of banks, while retaining decentralised exchange based on an encrypted ledger for transactions. The most recent boom has seen cryptocurrency increasingly adopted as a means of raising capital, often portrayed as a variant of “crowdsourcing” startup costs. As noted below, however, the use of cryptocurrencies to raise capital for investment purposes can raise issues under applicable securities laws and other financial regulatory regimes. Depending on the technical structure of the cryptocurrency issued, some issuers and related persons point to “utility characteristics” of the cryptocurrency (sometimes called a “coin” or “token”) to argue that it is not a security under relevant case law discussed below. However, SEC Chairman Jay Clayton has cautioned that many such assertions “elevate form over substance” and that structuring a coin or token to provide some utility does not preclude it from being a security. 
Indeed, Chairman Clayton emphasises that a token or coin offering has the hallmarks of a security under U.S. law if it relies on marketing efforts that highlight the possibility of profits based on the entrepreneurial or managerial efforts of others, regardless of structure.13
Technologically speaking, cryptocurrencies such as Bitcoin operate on the basis of a global transaction record known as a “blockchain”. A variety of resources are available to help explain blockchain technology more thoroughly than can be done here.14 However, at a high level, a blockchain is a particular form of DLT that requires the resolution of a new, randomised cryptographic key in order to be updated with more recent transfers. Each successive key is resolved through a process known as “hashing”, which in practice is achieved through the ongoing computational guesswork of all computers in the network until one of the computers identifies the correct key, thus decrypting the latest iteration of the ledger (and, in the case of Bitcoin and cryptocurrencies that follow a similar model, releasing a small amount of new cryptocurrency into the world by means of a payment to the “miner” with the correct hash). Each time this occurs, the validated block of new transactions is timestamped and added to the existing chain in a chronological order, resulting in a linear succession that documents every transaction made in the history of that blockchain. Rather than residing in a centralised authoritative system, the blockchain is stored jointly by every computer node in the network. This distributed, encrypted record is what provides assurance to mutually anonymous, peer-to-peer transferees that there can be no double-spending, despite the absence of a trusted intermediary or guarantor.15
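The chaining and "hashing" described above can be made concrete with a toy ledger. The following Python example is added here for illustration and is not code from this chapter or from any cryptocurrency; the 12-bit difficulty, field names, timestamps and transactions are constructed. It shows that a block is accepted when a nonce makes its SHA-256 digest fall below a target, and that editing an earlier transaction is detected even if the edited block is re-mined, because the next block still commits to the old hash.

```python
import copy
import hashlib
import json

DIFFICULTY_BITS = 12      # constructed toy target: digest must start with 12 zero bits
GENESIS_PREV = "0" * 64   # placeholder "previous hash" for the first block

# Constructed sample transfers, one batch per block.
SAMPLE_BATCHES = [
    [{"from": "addr-alice", "to": "addr-bob", "amount": 5}],
    [{"from": "addr-bob", "to": "addr-carol", "amount": 2}],
    [{"from": "addr-carol", "to": "addr-dave", "amount": 1}],
]

def block_hash(block):
    """SHA-256 over every field except the stored hash, as canonical JSON."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def meets_target(hex_digest, bits=DIFFICULTY_BITS):
    """True when the top `bits` bits of the 256-bit digest are all zero."""
    return int(hex_digest, 16) >> (256 - bits) == 0

def mine_block(index, timestamp, prev_hash, transactions, bits=DIFFICULTY_BITS):
    """Try nonces until the block's digest meets the target (the 'guesswork')."""
    block = {"index": index, "timestamp": timestamp, "prev_hash": prev_hash,
             "transactions": transactions, "nonce": 0}
    while not meets_target(block_hash(block), bits):
        block["nonce"] += 1
    block["hash"] = block_hash(block)
    return block

def build_chain(batches):
    """Mine one block per batch, each committing to its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = mine_block(i, 1_700_000_000 + 600 * i, prev, txs)
        chain.append(block)
        prev = block["hash"]
    return chain

def first_invalid_block(chain, bits=DIFFICULTY_BITS):
    """Return the index of the first block a verifying node would reject, or None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if block["prev_hash"] != prev:          # link to predecessor is broken
            return i
        if digest != block["hash"] or not meets_target(digest, bits):
            return i                            # contents changed or work missing
        prev = block["hash"]
    return None

def tamper_demo():
    """Edit a past transaction, with and without redoing that block's work."""
    chain = build_chain(SAMPLE_BATCHES)
    intact = first_invalid_block(chain)

    edited = copy.deepcopy(chain)
    edited[1]["transactions"][0]["to"] = "addr-mallory"   # rewrite history
    edited_only = first_invalid_block(edited)

    b = edited[1]
    edited[1] = mine_block(b["index"], b["timestamp"], b["prev_hash"], b["transactions"])
    edited_and_remined = first_invalid_block(edited)      # block 2 still points at old hash
    return intact, edited_only, edited_and_remined

if __name__ == "__main__":
    print(tamper_demo())
```

To make the altered history verify, every later block would also have to be re-mined, which is what makes a confirmed transfer impractical to reverse on a large network.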
Blockchain has been described as “anonymous, but not private”.16 The anonymity (or “pseudo-anonymity”)17 of blockchain derives from the fact that a party transacting on the ledger is identified only by a blockchain address, which acts as an account from which value can be sent and received and can in principle be created without providing personal identifiable information. On the other hand, blockchain is not “private”, since all transactions on the ledger are a matter of public record and every coin is associated with a unique transaction history. Complicating this picture, users with an interest in secrecy can employ a variety of technical tools to obscure the relationship between different blockchain addresses and actual transacting parties – while, as a countermeasure, increasingly complex data analytics methods are being developed that can identify related blockchain transactions and attribute addresses to particular users under certain circumstances.18 The fact that even well-resourced and technically sophisticated actors face limits on their ability to decipher blockchain transactional activity, however, makes cryptocurrency attractive for money launderers and other parties seeking to exchange value away from the formal financial sector.
Creation of a new cryptocurrency requires the development and release of the software that establishes the rules for its use, maintains the ledger, and governs the issuance and redemption of the cryptocurrency.
FATF defines a person or entity engaged as a business in putting a virtual currency into circulation and who “has the authority to redeem…the virtual currency” as the “administrator” of the virtual currency.19 Many cryptocurrencies – including some of the most significant examples, such as Bitcoin, Litecoin, and Ether – have no administrator. Such cryptocurrencies are run on open-source software that governs issuance and redemption, and no central party has authority to modify the software or the rules of exchange. Other DLT applications have been developed that use the distributed ledger for validating transfers while retaining central control over issuance and redemption. The result is that the universe of “cryptocurrencies” encompasses a diverse range of virtual currencies, “coins”, and “tokens” that have varying uses and characteristics and that are subject to very different degrees of control by their operators.
In addition to the creators and administrators of cryptocurrency, supporting applications have been developed to ease access and use of the underlying peer-to-peer system. In particular:
A Virtual Wallet (“wallet”) is a software application or other mechanism for holding, storing and transferring virtual currency.
Custodial versus Non-Custodial: A custodial wallet is one in which the virtual currency is held by a third party on the owner’s behalf, whereas a non-custodial wallet is one in which the virtual currency owner holds his own private keys and takes responsibility for the virtual currency funds himself.
Hot versus Cold: Wallet storage may be “cold”, meaning held offline (usually on a USB drive) and plugged in only when needed, or “hot”, meaning held online (e.g., in one of many crypto wallet applications).
A Virtual Currency Exchange (“VCE”) is a trading platform that, for a fee, supports the exchange of virtual currency for fiat currency, other forms of virtual currency or other stores of value (for example, precious metals). Individuals may use exchangers to deposit and withdraw money from trading accounts held by the VCE or to facilitate crypto-to-crypto and crypto-to-fiat exchange with the VCE or third parties through the VCE.
Whereas individual blockchain account holders may not need to involve a bank in order to obtain and transfer cryptocurrency value, the operators of these platforms frequently require traditional financial services to facilitate exchange, banking, financing, and investment with the non-crypto economy. And because the operators of these platforms typically seek to serve a large community of cryptocurrency holders for profit, they confront many of the same money laundering, fraud, cyber, and sanctions vulnerabilities as traditional financial institutions. And while the leading wallet and VCE providers use centralised data and processing models,20 new efforts to decentralise cryptocurrency storage and exchange services create further complexity.21 Adding to the risks, many wallet and VCE providers may, correctly or incorrectly, consider their businesses to fall outside the scope of existing AML regulations. Going forward, how to apply existing AML regimes to this complex and rapidly changing ecosystem will be a critical question for financial crime regulators.
In recognition of the calls for the adoption of global AML standards for cryptocurrency trading,22 FATF announced that it has finalised and will formally adopt as part of the FATF standards in June 2019 an Interpretive Note to Recommendation 15 to clarify how the FATF standards apply to activities or operations involving virtual assets. This should serve to reinforce what is emerging as the leading view that cryptocurrency payment service providers should be subject to the same obligations as their non-crypto counterparts,23 and the majority of jurisdictions that have issued rules or guidance on the matter have concluded that the commercial exchange of cryptocurrency for fiat currency (including through VCEs) should be subject to AML obligations (or, in the case of China, prohibited). Salient differences in national regulations include: (i) the existence of special licensing requirements for VCEs; (ii) the extent to which AML rules also cover administrators and wallet services; (iii) the extent to which ICOs are covered by securities laws or equivalent regulations with AML regulatory implications; and (iv) the extent to which crypto-to-crypto exchange is treated differently from crypto-to-fiat exchange. As discussed below, in many cases the regulatory status of these activities is either ambiguous or case-specific, or is otherwise subject to pending changes in law and regulation. Note that while national security sanctions laws are outside of the scope of this article, the breadth of sanctions screening requirements will generally equal and, more often, exceed that of AML compliance obligations.
For purposes of U.S. federal law, a given cryptocurrency may variously be considered a currency, a security, or a commodity (and potentially more than one of these at once) under overlapping U.S. regulatory regimes. Whether particular activities involving that cryptocurrency are subject to AML regulatory obligations depends on whether the person engaging in these activities, by virtue of doing so, falls within one of the categories of “financial institutions” designated pursuant to the U.S. Bank Secrecy Act (“BSA”).24 The definition of “financial institution”25 depends, inter alia, on registration requirements imposed by the Financial Crimes Enforcement Network (“FinCEN”) (with respect to “money services businesses”),26 the Securities and Exchange Commission (“SEC”) (with respect to issuers, brokers, and dealers of securities),27 and the Commodity Futures Trading Commission (“CFTC”) (with respect to brokers and dealers of commodities and related financial derivatives).28 While the regulatory framework is still emerging, these classifications potentially extend AML rules to most or all VCEs and to many cryptocurrency issuers and wallet providers. Moreover, while beyond the scope of this chapter, states can and increasingly do apply their own licensing and regulatory requirements, such as the New York State Department of Financial Services “Bitlicense” regulation.29
(a) Cryptocurrency Activities Triggering “Financial Institution” Status
The framework for cryptocurrency AML regulation in the U.S. is most developed for centralised VCEs. In 2013, FinCEN issued guidance concluding that “virtual currency” is a form of “value that substitutes for currency”,30 and that certain persons administering, exchanging, or using virtual currencies therefore qualify as money services businesses (“MSB”)31 regulated under the Bank Secrecy Act.32 In doing so, FinCEN distinguished those who merely use “virtual currency to purchase goods or services”33 (a “user”) from exchangers and administrators of virtual currency,34 concluding that the latter two qualify as MSBs unless an exemption applies.35 In both cases, such a business qualifies as a covered MSB if it “(1) accepts and transmits a convertible virtual currency or (2) buys or sells convertible virtual currency for any reason”.36 FinCEN has clarified in subsequent administrative rulings that this definition was not intended to cover companies’ buying and selling cryptocurrencies for their own use or software developers that do not also operate exchanges.37 The extent to which a software developer that creates the cryptocurrency that it then sells directly to users (for example, as an ICO) falls within the MSB definitions remains uncertain.38
Separately from FinCEN’s MSB regulations, the SEC regulates transactions in securities, including by requiring issuers to register offerings of securities or to rely on an available exemption from registration.
The definition of “security” under the Securities Act is extremely broad.39 Certain tokens, including those that are effectively digital representations of traditional equity interests or debt (such as partnership interests, limited liability company interests or bonds), are plainly securities under the Securities Act. The characterisation of other tokens as securities or non-securities may be less obvious. Whether a particular instrument may be characterised as an “investment contract”, and therefore a “security”, is the subject of decades of SEC and SEC staff guidance, enforcement matters, and case law. In the ICO context, recent SEC speeches40 and guidance41 have underscored that the SEC continues to apply the analysis laid out in SEC v. W.J. Howey Co.42 and the cases that followed it, specifically, whether participants in the offering make an “investment of money” in a “common enterprise” with a “reasonable expectation of profits” to be “derived from the entrepreneurial and managerial efforts of others”.43 Since first invoking this view in its investigation of the DAO ICO,44 the SEC has taken the view that several ICOs constituted offerings of securities that failed to comply with the registration requirements of Section 5 of the Securities Act of 1933 (“Securities Act”).45
While acting as a securities issuer does not make the issuer a “financial institution” under the BSA, the obligation to register a cryptocurrency as a security entails a number of Securities Act obligations,46 and the default anonymity of cryptocurrency holders may preclude ICOs from relying on common exemptions from securities registration.47 Furthermore, if the token offered in an ICO is deemed a security, a party that transmits tokens to purchasers on behalf of issuers or other sellers could become a securities broker-dealer for purposes of the Securities Exchange Act of 1934 (the “Exchange Act”)48 and accordingly be required to register as a broker-dealer subject to BSA FI obligations.49 Similarly, when the cryptocurrencies traded are, or should be, registered as securities, a VCE may be acting as a dealer (if it acts as a market-maker for trading parties) or as a broker (a person that is in the business of effecting transactions in a cryptocurrency on behalf of others),50 and would thus be acting as a covered FI for purposes of the BSA, absent an applicable exemption.51
In 2014, the CFTC observed that cryptocurrencies may constitute “commodities” under the Commodity Exchange Act (“CEA”), such that the CFTC has broad jurisdiction over derivatives that reference cryptocurrencies (e.g., futures, options, and swaps) and market participants that transact in such contracts. In addition, under its enforcement authority, the CFTC has asserted authority to pursue suspected fraud or manipulation with respect to the cryptocurrency itself,52 an authority recently affirmed in federal court.53 Persons that act as futures commission merchants (“FCM”)54 or introducing brokers55 (“IBs”) for cryptocurrency derivatives under the CEA are also covered by BSA AML requirements.56
(b) Consequences of Coverage
Slightly different AML programme and reporting requirements, among other things, may apply under the BSA, depending on the particular class of FI involved. However, whether qualifying as an MSB or a broker or dealer in securities or commodities, the BSA requires an FI to maintain a risk-based AML compliance programme, apply CIP, report suspicious activity and certain other transactions, and maintain certain records.57 MSBs are further required to register with FinCEN58 (in contrast to brokers and dealers in securities or commodities, who register with their respective regulators) and in the states where they operate, as applicable, and are subject to lower SAR filing thresholds.59 Though the transmission of funds by MSBs does not necessarily result in the creation of a customer relationship for purposes of AML regulation, MSBs are nonetheless required to obtain identification and retain records when handling transfers of USD3,000 or more.60 Similarly, while Currency Transaction Reporting (“CTR”) requirements do not apply to cryptocurrency-to-cryptocurrency exchange, transactions that involve cash or equivalents for cryptocurrency would be required to be reported under these rules, including obtaining identification of the individual presenting the transaction and any person on whose behalf the transaction is made.61
Because FinCEN’s definition of MSBs excludes registered securities and commodities brokers and dealers, the requirements specific to registered brokers and dealers prevail where cryptocurrency activities would support coverage under either prong.62 In addition to the programmatic, reporting, and record-keeping requirements referenced above, the technical characteristics of virtual currencies could also complicate U.S. broker-dealers’ efforts to fulfil their non-AML regulatory obligations in a number of ways that dovetail with challenges faced in implementing compliant AML programmes.63
In sum, the potential application of multiple regulatory schemes and the absence of bright line tests make ascertaining the regulatory status of particular customer types and activities labour-intensive. Many FIs are accordingly taking a conservative approach and not opening such accounts, while others have proceeded on a case-by-case basis. As the following sections illustrate, the potential for different standards and consequences to attach to cryptocurrency services that cross borders further complicates these assessments.
(c) Enforcement Trends
While many of the early enforcement actions in the United States targeting cryptocurrency businesses have involved claims of fraud64 or failure to register with appropriate regulators,65 there have been a few examples of enforcement actions targeting VCEs for AML programme failures and there appears to be a growing focus on AML enforcement across regulators that will inevitably extend to cryptocurrency businesses.
In May 2015, FinCEN brought its first ever action against a VCE for AML programme failures when it assessed a civil money penalty against Ripple Labs Inc. and its subsidiary XRP II LLC (Ripple) for wilful violations of the BSA’s registration, programme and reporting requirements.66 Specifically, FinCEN determined that Ripple was acting as an MSB and selling its virtual currency without registering as an MSB with FinCEN, and that it had failed to implement and maintain an adequate AML programme designed to protect its products from use by money launderers or terrorist financiers.67 Further, Ripple failed to report suspicious activity related to several suspect financial transactions in violation of its BSA SAR-filing requirements.68 FinCEN’s press release announcing the penalty cited its 2013 guidance as having clarified the applicability of regulations implementing the BSA and the requirement to register as MSBs under federal law to virtual currency exchangers and administrators.69 Ripple ultimately agreed to pay a USD700,000 penalty in addition to forfeiting USD450,000 to settle potential federal criminal liability,70 and agreeing to a number of remedial actions including to only engage in its virtual currency activity through a registered MSB, to conduct a three-year look-back to identify suspicious transactions, to implement and maintain an effective AML programme, and a requirement to retain external independent auditors to review their compliance with the BSA every two years.71
In its second supervisory enforcement action against a virtual currency exchange, FinCEN assessed a USD110,003,314 civil money penalty against Canton Business Corporation (BTC-e), then one of the world’s largest virtual currency exchanges by volume, and a USD12 million civil money penalty against one of BTC-e’s Russian operators for wilful violations of the BSA and its implementing regulations in July 2017.72 BTC-e and its operator were also indicted in federal court for violations of federal criminal AML laws.73 FinCEN determined that BTC-e lacked basic controls to prevent the use of its platform for illicit purposes, and that the virtual currency exchange actually attracted a customer base that consisted largely of criminals seeking to launder the proceeds of their crimes.74 In its press release announcing the penalty against the foreign-located exchange, FinCEN stated that “[r]egardless of its ownership or location, the company was required to comply with U.S. AML laws and regulations as a foreign-located MSB including AML programme, MSB registration, suspicious activity reporting, and recordkeeping requirements”.75
Since 2017, several individuals have faced criminal charges resulting in prison sentences for illegally exchanging and/or transferring virtual currency without registering with FinCEN as an MSB. A July 2018 example involved a California woman who was sentenced to a year in prison by the District Court for the Central District of California for operating a digital currency exchange without registering with FinCEN as an MSB, and for violations of the federal criminal AML laws.76
Beyond FinCEN and the Department of Justice, the CFTC77 and the SEC78 have both taken recent actions indicating that they intend to continue to focus their enforcement authority on ensuring BSA compliance at all types of covered financial institutions subject to their supervision. In September 2018, the CFTC announced the formation of a new Bank Secrecy Act Task Force within the CFTC’s Division of Enforcement, to ensure that FCMs and IBs comply with their AML obligations under the BSA.79 While BSA requirements have applied to FCMs and IBs since 2003,80 the CFTC has traditionally only performed the role of examiner in relation to FCM and IB compliance with the BSA, with FinCEN taking the lead in enforcement.81 However, it appears that the CFTC now views its role in relation to BSA compliance as much broader. This new focus on enforcement could be due in part to the increasing focus on cryptocurrency regulation and the particular AML risks presented by cryptocurrency businesses, combined with the fact that the CFTC has successfully argued that cryptocurrencies are commodities subject to CFTC regulation under the CEA. Increasingly, US financial services industry regulators appear to be eager to use their enforcement mechanisms to regulate domestic and foreign cryptocurrency businesses.
European Union Regulatory Approach
The final text of the most recent European-level AML directive, the Fifth Money Laundering Directive (“MLD5”),82 was published in the Official Journal of the European Union on June 19, 2018 and must be implemented by EU Member States by January 10, 2020. This is the first European Union-level money laundering directive to explicitly address the regulation of cryptocurrency.83
MLD5 extends the definition of “obliged entities” to include virtual currency exchanges84 and custodial wallet providers, thereby requiring such entities to comply with the same AML requirements applied to traditional financial institutions under the EU’s Fourth Money Laundering Directive (“MLD4”)85 – including CIP and beneficial ownership identification, KYC, transaction monitoring, and suspicious activity reporting – and subjects those entities to supervision by the competent national authorities for these areas.
While MLD5 was pending, some EU jurisdictions acted to extend AML obligations to certain cryptocurrency services on their own. As shown by the following examples, there is currently significant variation, with some Member States (such as Germany and Italy) having substantially implemented an MLD5-type regime through national law or regulatory actions, and other Member States (such as the UK and the Netherlands) having thus far left cryptocurrency trading largely outside the AML regulatory regime.
When Italy amended its AML Decree86 in compliance with MLD4 in 2017 (which was done via a legislative decree, “AML4 Decree”),87 it simultaneously incorporated definitions for cryptocurrency consistent with the FATF-definition88 and classified cryptocurrency service providers89 that provide cryptocurrency-to-fiat conversion services as “non-financial intermediaries” regulated under the AML Decree.90 Such service providers are consequently subject to Italian AML obligations,91 including KYC,92 recordkeeping and communications to the authorities,93 suspicious transaction reporting,94 and, as a consequence of the pseudo-anonymity of blockchain users, enhanced due diligence (“EDD”).95 Article 8 of the AML4 Decree further requires cryptocurrency service providers to register in a special section of the Italian Registry of currency exchange professionals96 and to communicate to the Ministry of Economy and Finance about exchange activities carried out within the Italian territory (an issue that can be particularly complex given the decentralised, global nature of cryptocurrency transactions).97 The Ministry of Economy and Finance published a draft decree outlining these communication requirements in February 2018, but as of this writing, the decree is still under consultation.98
Although Italy’s investment services authority, CONSOB,99 has not yet taken a clear position in relation to transactions in cryptocurrencies, at least one Italian court has found that the sale and conversion of cryptocurrencies to legal tender could in theory constitute a form of investment services in the context of proprietary trading.100 A 2015 Bank of Italy communication101 on the prudential risks of cryptocurrency further suggested that some cryptocurrency functions could violate criminal provisions of Italian banking law, which reserve certain banking, payment, and investment services exclusively to authorised entities.102 These precedents suggest the potential for collateral risk from serving unlicensed entities or, in the extreme case, handling illicit proceeds as a consequence of serving non-compliant cryptocurrency businesses in Italy. In addition, it is worth noting that recently (19 March 2019) CONSOB launched a public consultation to determine the legal nature of, and the regime applicable to, the issuance or exchange of cryptoassets. The public consultation is addressed to all entities and individuals potentially interested in cryptoassets (e.g., investors, consumers, issuers of cryptoassets, and financial intermediaries), and the deadline for submitting opinions and comments is 19 May 2019.
The German Federal Financial Supervisory Authority (“BaFin”) considers cryptocurrencies that have the character of a cash instrument to be “financial instruments” under the German Banking Act (“KWG”).103 However, in September 2018, this administrative practice was challenged by the Berlin Court of Appeal. The court held that Bitcoin was not a “financial instrument” and would therefore not fall under the KWG. Since BaFin is not obliged to change its administrative practice after a decision reached in an individual criminal proceeding, the future application of the KWG to cryptocurrency exchanges remains uncertain. In February 2019, BaFin noted that it maintains its former view.
As in the U.S., use of cryptocurrency as payment for goods and services and the sale or exchange of self-procured cryptocurrency would not trigger AML regulation, and such users need not seek authorisation under applicable German banking laws.104 However, commercial dealings with cryptocurrencies can trigger an authorisation requirement where the platform involves (i) buying and selling cryptocurrency in order to carry out principal broking services, or (ii) operating as a multilateral trading facility. Providers that act as “currency exchanges” offering to exchange legal tender for the purposes of proprietary trading, contract broking, or investment broking, are also generally subject to authorisation. Finally, underwriting an ICO may be regulated underwriting or placement business within the ambit of applicable German banking laws.
When such commercial dealings with cryptocurrencies trigger an authorisation requirement, the business must obtain a licence as a credit institution or financial services institution under applicable German banking laws, and is treated as an “obliged entity”105 under the German Money Laundering Act (“GWG”),106 transposing the MLD4 AML requirements.107 Under the still-to-be-transposed MLD5, it is envisaged that firms operating centralised cryptocurrency exchanges or custodial wallet providers for cryptocurrencies shall also fall under the GWG. However, the legislator’s planned approach to implementing MLD5 in Germany and the timing for this are still unclear. It is also noteworthy that BaFin has suggested that whether a cryptocurrency is also a security must be assessed on a case-by-case basis, with the rights associated with the respective token as the decisive factor.108 If a token is also classified as a security (beyond the classification of a mere unit of account (Rechnungseinheit)), this may in particular trigger conduct and prospectus requirements that go beyond licensing requirements and the resulting AML regulation.
(c) The Netherlands
In contrast to Germany and Italy, the Netherlands has not yet formally extended its AML regulations to cover cryptocurrency-related services.
The 2013 conclusion of the Dutch Ministry of Finance that cryptocurrencies are neither “electronic money” nor “financial products” within the meaning of the Dutch Financial Supervision Act (“DFSA”)109 has provided assurance that virtual currencies and wallet services for currency-like cryptocurrencies fall outside the scope of the DFSA.110 Cryptocurrencies also do not (yet) qualify as “common money”.111 Consequently, issuers of cryptocurrencies, exchange platforms and undertakings offering wallet services are in general not covered institutions for purposes of the Dutch Act for the Prevention of Money Laundering and Financing of Terrorism (“Wwft”).112
However, the Dutch Central Bank (De Nederlandsche Bank, “DNB”) and the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, “AFM”) have provided guidance regarding the qualification of cryptocurrencies as “financial instruments” as mentioned in the DFSA. In their joint advice, the DNB and the AFM concluded that currently, under Dutch law, most cryptocurrencies do not qualify as a financial instrument under the DFSA but qualify as a prepaid right to access or use a provider’s future services.113 According to the AFM, cryptocurrencies qualify as a “security”, and hence as a “financial instrument” under the DFSA, only in certain cases, for example, when the holder of the cryptocurrency has a right to receive dividends from the issuer of the cryptocurrency or when the cryptocurrency resembles “traditional” securities such as bonds.114 Investment firms facilitating the trade in or providing advice regarding such cryptocurrencies qualify as “institutions” as mentioned in the Wwft. Such investment firms must meet certain obligations under the Wwft, such as conducting client due diligence and monitoring transactions performed by clients. Due to the broad definition of “client” in the Wwft and the high risks associated with cryptocurrencies, the AFM concluded that investment firms must conduct enhanced due diligence investigations regarding not only client-investors, but also professional counterparties selling cryptocurrencies, the issuer of the cryptocurrencies and intermediaries and platforms facilitating the trade in the cryptocurrencies.115
When MLD5 is implemented in Dutch law, all undertakings providing exchange services between cryptocurrencies and fiat currencies which are seated in the Netherlands or offering their services to Dutch residents will fall within the scope of the Wwft. The same applies to undertakings providing custodian wallets for cryptocurrencies. The Dutch Ministry of Finance, however, does not only wish to register such undertakings as proposed in MLD5, but has proposed that such undertakings require prior authorisation from DNB before offering their services.116 The Dutch Ministry of Finance has proposed that these undertakings should function as gatekeepers of the (Dutch) financial system. Prior to their authorisation, DNB will assess whether these undertakings are able to fulfil their role as gatekeepers by assessing whether the undertakings are able to comply with their obligations under the Wwft and by assessing the integrity and fitness of their ultimate beneficiaries and management.117 DNB and the AFM are supporters of this licensing regime, but the Dutch Parliament has yet to vote on this proposal.
(d) The UK
In the UK, regulators have recognised that cryptoassets vary significantly both in terms of the rights they confer on their owners, as well as their designed use. Accordingly, the UK Cryptoassets Taskforce (“the Taskforce”), which was established in March 2018 and comprises HM Treasury, the Bank of England and the UK Financial Conduct Authority (“FCA”), developed a framework118 that categorises cryptoassets into three categories:
i. Exchange tokens – these are not issued or backed by any central authority and are intended and designed to be used as a means of exchange. Examples include Bitcoin and Litecoin.
ii. Security tokens – these have specific characteristics that mean they meet the definition of a “specified investment” for the purposes of the Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (“RAO”) similar to, for example, a share or debt instrument.
iii. Utility tokens – these grant holders access to a current or prospective product or service but do not typically have the characteristics of “specified investments”.
The FCA confirmed in its recent consultation paper entitled “Guidance on Cryptoassets” that its prevailing view is to treat exchange tokens as falling outside the regulatory perimeter119 and that they are not expected to be “specified investments” for the purposes of the RAO. This echoes statements made by the FCA’s chief executive Andrew Bailey in 2017, that virtual “commodities” like Bitcoin are not currently regulated by UK financial regulatory authorities and that it is up to Parliament to decide on any changes to those rules.120 Conversely, the FCA confirmed that certain tokens such as security tokens (including those issued as part of an ICO) may well constitute transferable securities and fall within the prospectus regime under the Financial Services and Markets Act 2000 (“FSMA”), or alternatively, depending upon how they are structured, some tokens may instead amount to a collective investment scheme under section 235 of the FSMA. Derivatives that reference a cryptoasset are also capable of being regulated investments.121
Unless one of the regulated financial services regimes above is triggered, cryptoasset activities are unlikely to currently fall within the scope of the UK Money Laundering Regulations 2017.122 Changes under 5MLD (supported by the UK Treasury) would result in fiat-to-crypto exchanges and custodian wallet providers’ activities being brought within the scope of AML laws. Following the work of the Taskforce, the UK government also intends to consult on broadening the UK’s approach to go beyond the requirements of 5MLD to include:
exchange services between different cryptoassets, to prevent anonymous ‘layering’ of funds to mask their origin;
platforms that facilitate peer-to-peer exchange of cryptoassets, which could enable anonymous transfers of funds between individuals;
cryptoasset ATMs, which could be used anonymously to purchase cryptoassets; and
non-custodian wallet providers that function similarly to custodian wallet providers, which may otherwise facilitate the anonymous storage and transfer of cryptoassets.
Additionally, the UK government proposes to consult on whether to require firms based outside the UK to comply with these regulations when targeting and providing services to UK consumers. The rationale is to prevent illicit actors in the UK from dealing with firms based abroad and thereby bypassing UK regulation.
As part of developing a robust AML/CTF framework for cryptoassets, the UK government has asked the FCA to consider taking on the role of supervising and overseeing firms’ fulfilment of their AML/CTF obligations in relation to crypto activities. The Taskforce’s Report notes that the UK government will consult on this before confirming the identity of the supervisor. The FCA has also taken action in relation to regulated firms who, as part of their business activities, interact with cryptoassets. In June 2018, the FCA issued a letter to CEOs of all banks, setting out appropriate practice for the handling of the financial crime risks associated with cryptoassets.123
On an international stage, the UK has been actively engaging in discussions to ensure a coordinated global response to the financial crime risks posed by cryptoassets. The UK continues to be a leading voice in the discussions of FATF, which continues to issue and update guidance on the AML/CTF standards that apply to cryptoassets.
Separately, where firms operate within the regulatory perimeter without correct FCA authorisation (e.g., by issuing security tokens without FCA authorisation), such breaches would be a criminal offence, and thereby may give rise to a predicate crime for certain money laundering offences under the Proceeds of Crime Act 2002 (“POCA”). Moreover, cryptoassets or the proceeds of their sale could also be the subject of a restraint order or confiscation order to the extent that they constitute criminal property under POCA, and concealing or handling such criminal property could trigger the money laundering offences under POCA.124 Indeed, the recent case of R v Teresko (Sergejs)125 demonstrates that the UK courts had little difficulty in concluding that Bitcoin could be the subject of a seizure order pursuant to section 47A-S of POCA.
Regulatory practices in Asia diverge even more than in Europe. At the extreme end, China currently prohibits commercial cryptocurrency issuance and exchange services. In contrast, Japan and Australia both now have regimes for licensing and supervising VCEs and other cryptocurrency businesses.
China has taken perhaps the strictest approach to cryptocurrency of the world’s major economies, effectively prohibiting all issuance and exchange services for cryptocurrency in the country.
Chinese regulators took a wary view beginning in December 2013, when the People’s Bank of China (the “PBOC”), the central regulatory authority for monetary policy and financial industry regulation, issued a joint circular with other Chinese regulators emphasising the AML risk of Bitcoin and other cryptocurrencies, and requesting that all bank branches extend their money laundering supervision to institutions that provide cryptocurrency registration, trading, and other services, and urge these institutions to strengthen their monitoring of money laundering. In 2016, a PRC-incorporated VCE platform was found partially liable for AML violations due to its failure to perform KYC while offering cryptocurrency registration and trading services.126
Subsequently, in September 2017, the PBOC issued a joint announcement (the “Announcement”), affirming that cryptocurrencies do not have legal status or characteristics that make them equivalent to money, and should not be circulated and used as currencies.127
On the issuance side, the Announcement banned “coin offering fundraising”, defined as a process where fundraisers distribute so-called “cryptocurrencies” to investors in return for financial contributions, and classified illegal distribution of financial tokens, illegal fundraising or issuance of securities, and fraud or pyramid schemes as financial crimes in this context. Organisations and individuals that raised money through ICOs prior to the date of the Announcement were commanded to provide refunds or make other arrangements to reasonably protect the rights and interests of investors and properly handle risks.
On the exchange side, the Announcement required cryptocurrency trading platforms to cease offering exchange of cryptocurrency for statutory (fiat) currency, acting as central counterparties for cryptocurrencies transactions, or providing pricing, information, agency or other services for cryptocurrencies.
In a press conference in March 2018, the former president of the PBOC Zhou Xiaochuan said that the future regulation on cryptocurrency would be very dynamic depending on the development of technology and relevant tests or evaluations.128 However, at the current stage China is still tightening its policy in order to further eliminate illegal token fundraising, taking measures to block overseas trading platforms offering cryptocurrency exchange services to PRC residents.129
Because of the criminalisation of unlicensed cryptocurrency issuances, capital or fees that have been acquired through a coin release in China are likely to be viewed as illicit proceeds for purposes of both Chinese and other countries’ AML laws. That said, although discouraged by the PRC authorities, individual purchase or peer-to-peer trading of crypto is not banned from a PRC law perspective.
In May 2016, Japan amended its Payment Services Act to provide for a definition of cryptocurrency130 and to create a registration requirement for “Virtual Currency Exchange Operators” (“VCEOs”).131 VCEO licences permit holders to engage in the exchange, purchase, sale, and safekeeping of cryptocurrencies on behalf of third parties. VCEOs are designated as “Specified Business Operators” subject to national AML rules contained in the Act on the Prevention of Transfer of Criminal Proceeds, including CIP and suspicious transaction reporting.132 Since licences were first issued to VCEOs on September 29, 2017, the FSA, which exercises regulatory authority over banks and other financial institutions via delegated authority from the Prime Minister, has begun conducting on-site inspections of VCEOs and has forced at least one exchange to cease operations until it remedies compliance deficiencies, including its AML compliance. The prospect of enforcement of AML regulations appears to have caused some companies to withdraw their applications to become VCEOs in recent months.133
In Australia, cryptocurrency is regulated both as a currency and as a financial instrument, such as a share in a company or a derivative, depending on the features of the coin.134 Businesses that support cryptocurrency-to-fiat exchange are classified as “digital currency exchanges” and are required to comply with the AML laws and regulations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006; however, the law was changed in 2017 to exclude most ICOs from such requirements.135 For entities that are subject to the law, the Australian Transaction Reports and Analysis Centre (“AUSTRAC”) has published a compliance guide on how to implement an AML-CTF compliance programme.136
Cryptocurrency markets are potentially vulnerable to a wide range of criminal activity and financial crimes. Many of these risks materialise not on the blockchain itself, but in the surrounding ecosystem of issuers, VCEs, and wallets that support consumer access to DLT. Rapidly evolving technology and the ease of new cryptocurrency creation are likely to continue to make it difficult for law enforcement and FIs subject to AML requirements to stay abreast of new criminal uses.
1. Trafficking in Illicit Goods: Cryptocurrencies provide an ideal means of payment for illegal goods and services, including narcotics, human trafficking, organs, child pornography, and other offerings of the “dark web”. The most notable of these was the online contraband market Silk Road, in which all transactions between the buyers and sellers were conducted via Bitcoin. The site was eventually shut down by the U.S. Federal Bureau of Investigation and the founder was convicted of seven counts of money laundering, drug distribution, conspiracy, and running a continuing criminal enterprise.137
2. Hacking and Identity Theft: Crypto wallets and VCEs provide hackers with attractive targets for financial fraud and identity theft. If an account is hacked via one of these services, crypto holdings can be easily exfiltrated to anonymous accounts and liquidated for fiat or other assets, with little or no possibility of reversing or cancelling the transactions after detection.
3. Market Manipulation and Fraud: While the blockchain in principle allows all actors to view and monitor exchange transactions, the ability to detect and deter insider trading, front-running, pump-and-dump schemes, and other forms of market abuse involving unregistered ICOs and unlicensed VCEs is severely limited. The absence of regulatory oversight with respect to unregistered offerings and the ease with which criminal actors can create new accounts to execute manipulative schemes make these markets vulnerable.
4. Facilitating Unlicensed Businesses: Variations in the legal and regulatory requirements surrounding cryptocurrency services in different jurisdictions create added challenges in determining whether cryptocurrency businesses are in compliance with local rules. Providing financial services to non-compliant entities could, in some circumstances, implicate illicit proceeds provisions.
In addition, the anonymity, liquidity, and borderless nature of cryptocurrencies make them highly attractive to potential money launderers.
5. Placement: The ability to rapidly open anonymous accounts provides a low-risk means for criminal groups to convert and consolidate illicit cash.
6. Layering: Cryptocurrency provides an ideal means to transit illicit proceeds across borders. For example, the U.S. Drug Enforcement Administration’s 2017 National Drug Threat Assessment identified cryptocurrency payment as an “[e]merging ... vulnerability” in trade-based money laundering, in which cryptocurrency is used to transfer funds across borders in “repayment” for an actual or fictitious sale of goods. The DEA particularly identified Chinese demand for Bitcoin, helpful to avoid Chinese capital controls, as creating a market for bulk fiat cash from the U.S., Europe, and Australia, with a mix of licensed and unlicensed over-the-counter Bitcoin exchanges serving as the go-between.138 Similarly, in April 2018, European authorities busted a money laundering operation that used Bitcoin purchased from a Finnish exchange to transfer cash proceeds of drug trafficking from Spain to Colombia and Panama.139 Unregistered ICOs also provide opportunities for large-scale layering. If the money launderers also control the ICO, then they can use a fraudulent “capital raising” to convert their crypto-denominated illicit proceeds back into fiat currency.
7. Integration: The growing list of goods accepted for purchase with cryptocurrencies expands integration opportunities. For example, the Italian National Council of Notaries recently advised notaries to make a suspicious transaction report every time they have to assist parties in the purchase of real estate by means of cryptocurrencies, since the anonymity of the crypto-payment’s source would prevent the identification of the parties to the transaction.140 The willingness of ICOs to trade crypto-for-crypto could also lead to criminal enterprises taking large stakes in crypto businesses, with or without the awareness of those businesses.
8. Terrorism Financing and Sanctions Evasion: The same anonymity and ease of creation make crypto-accounts ideal for persons to receive payments that might otherwise trigger terrorism financing or sanctions red flags. Although the use of cryptocurrencies is not yet widespread in terrorism financing, terrorist groups have been experimenting with cryptocurrencies since 2014 and Bitcoin has been raised for such groups through social media fundraising campaigns.141 States targeted by sanctions have also taken an interest in creating their own state-sponsored cryptocurrency, with Venezuela debuting such a coin in February 2018.142
All of these risks are heightened among the unregulated sectors of the cryptocurrency markets. Given regulatory pressure to reject anonymity and introduce AML controls wherever cryptocurrency markets interface with the traditional financial services sector, there are signs that the cryptocurrency market is diverging, with some new coins being created to be more compatible with existing regulations while “privacy coins” prioritise secrecy of transactions and identities in order to facilitate off-market transactions.143
Managing Risk of Cryptocurrency Users and Counterparties
In view of the issues discussed above, financial institutions should approach services and customers connected to cryptocurrency with a full understanding of their respective roles with cryptocurrencies and any potential elevated risks. As with any new line of business, then, the central AML compliance question for financial institutions will be whether they can reasonably manage that risk. FIs that choose to serve new lines of business or customer types should perform a risk assessment so that they can tailor policies and procedures to ensure that AML obligations can still be fulfilled in the cryptocurrency context.
(a) Fulfilling Identification and Monitoring Requirements in the Cryptocurrency Context
The ability to confirm the identity, jurisdiction, and purpose of each customer is essential to the fulfilment of AML programmes. In spite of the inherent challenges that cryptocurrencies pose in all these dimensions, an FI must ensure that its policies and procedures allow it to perform these core functions with the same degree of confidence in the cryptocurrency context as it does for traditional services.
While the precise measures necessary will inevitably depend on the particular customer and service, some broad points can be made.
Customer and Counterparty Identification: Although the pseudo-anonymity of holders is central to many cryptocurrencies, an FI cannot enter into a customer relationship unless it has confirmed the true identity of the customer. Assuming that CIP has been performed on the customer with respect to other financial services, this is most likely to arise in the context of establishing proof of ownership over crypto-assets held by the customer outside of the FI. Similarly, although U.S. AML rules do not require FIs to perform CIP on transaction counterparties, acquisition of baseline counterparty information will typically be necessary in order to provide a reasonable assurance of sanctions compliance, as well as supporting anti-fraud and transaction monitoring efforts. In the cryptocurrency context, appropriate procedures might resemble those used to confirm ownership of non-deposit assets, such as chattel property or, even better, digital assets such as internet domains. At a minimum, the information obtained about the parties to cryptocurrency-related transactions would likely need to be sufficient to allow the FI to apply the sanctions list screening procedures it applies to other transactions of comparable risk. Since procedures should be risk-based, FIs may find it appropriate to apply more enhanced measures to the verification of crypto-holder assets in view of the underlying risks posed by such assets.
Diligence/KYC, Account Monitoring, and Suspicious Activity: The obligation to develop a reasonable understanding of “the purpose and intended nature of the business relationship”144 generally would apply equally when that relationship involves dealings in cryptocurrency. Again, given the special concerns surrounding cryptocurrency markets, FIs may determine that heightened due diligence is appropriate in this context. Similarly, FIs may find it appropriate to develop special red flags that apply to dealings in cryptocurrency markets, and to train responsible employees accordingly.
Transaction Reporting and Recordkeeping: Where covered transactions involving cryptocurrency surpass specified thresholds, FIs will need to record or report the same information as would apply for a non-cryptocurrency transaction. As with updates to CIP, the policies and procedures in place should give the FI assurance that the information that it obtains for this purpose is accurate and is sufficient for auditing review.
Importantly, true identification of the holders of cryptocurrency accounts from which funds are sent and received will enable the FI to appropriately apply transaction monitoring controls, including aggregation requirements145 and detection of structuring payments.146 To the extent that the FI intends to rely on data analytics for these functions, such systems should be in place and tested before the FI begins processing such transactions.
(b) Assessing and Managing Risks of Customers Dealing in Cryptocurrency
Special AML considerations arise when the customer of an FI is itself a cryptocurrency business. VCE or wallet services will typically themselves be classified as AML-obligated entities, depending on the jurisdiction(s) in which they offer services. A currency administrator, such as the issuer of an ICO, may also be subject to AML obligations, and all three business types may be subject to other financial services licensing or registration regimes. We outline some of these issues below.
(i) Crypto-Business Customers that Are Financial Institutions