Regulatory clarity, extreme edition — anti-money-laundering and crypto: FATF, OFAC, FinCEN

We live in capitalist countries. Our governments love it when people go out and make a great big pile of money! Regulators aren’t there to douse the party — the SEC and CFTC are there to help you go out and make a great big pile of money. Just do it properly, don’t be a slapdash crook and so on.

The anti-money-laundering (AML) authorities, on the other hand, are absolutely there to douse the party. They are the humorless cops, and they will shut you down in a second.

There’s a lot to dislike about the AML regime — even if you think it has a good purpose. It doesn’t work at all consistently at the big-money level it’s supposed to be for; compliance requires financial institutions to act as the cops against their own customers, and costs them a fortune; and it causes lots of problems for ordinary users at the consumer level that it absolutely shouldn’t.

But AML’s the business environment we have. So let’s see what they’ve made of crypto lately!

There’s slip-ups in compliance monitoring, and then there’s tweeting your visa for North Korea.

 

FATF guidance on virtual assets, 2021 edition

The Financial Action Task Force (FATF) has released the 2021 version of “Updated Guidance for a Risk-Based Approach for Virtual Assets and Virtual Asset Service Providers.” It’s a 111-page PDF. [FATF, PDF]

In AML, a “risk-based approach” means assessing the risk of a given customer and a given transaction. At the regulator level, it means assessing the risks in business actions, and how those can be mitigated.

This guidance is for national regulators, listing AML risk factors with crypto and how to deal with them. It’s advice on what countries had better put into law if they want the US and EU to do business with them.

This is a sub-document of the FATF Recommendations, a 140-page document on what rules regulators need to implement. [FATF, PDF]

In October 2018, FATF amended the Recommendations to explicitly note that they applied to cryptos, and adopted the terms “virtual asset” (VA) and “virtual asset service provider” (VASP) — “acting as a business for or on behalf of another person and providing or actively facilitating VA-related activities.”

The October 2021 revision of the Guidance is to clarify definitions, give guidance on stablecoins, note the issues of peer-to-peer transactions, and clarify the travel rule, which requires VASPs to collect and pass on information about their customers.

VASPs include crypto exchanges, crypto transfer services, crypto custody and financial services around crypto asset issuance (e.g., ICOs). VASPs must do full Know-Your-Customer (KYC), just like any other financial institution.

The rules apply to crypto just like they apply to any other way to transmit money — “there should not be a case where a relevant financial asset is not covered by the FATF Standards.” This guidance is the details of how to regulate fancy new financial products, especially when the products’ operators are full of excuses.

The FATF is concerned that “VAs are becoming increasingly mainstream for criminal activity more broadly.” Paragraph 21 notes a “large increase” in ransomware — “VAs are a vital tool for ransomware actors, without which their underlying crime would be much harder to monetize.”

Industry self-regulation is absolutely not enough — VASPs need proper supervision: “only competent authorities, and not self-regulatory bodies, can act as VASP supervisory or monitoring bodies.” Regulators will need to work with each other internationally as well.

Stablecoins are mentioned in terms of the hypothetical risks of a popular private currency.

The guidance does not treat central bank digital currencies (CBDCs) as Virtual Assets, but as fiat currency — though FATF rules will apply to CBDCs just as they do to bags full of cash.

NFTs and crypto-collectibles are not “virtual assets” under these rules. However, there is no financial asset that is not covered by some FATF rule — so it depends what the buyer and seller do with them. Money-laundering via art is money-laundering.

Peer-to-peer crypto transactions are not directly subject to the FATF Standards, which generally apply to financial intermediaries, and not individuals — except in the case of sanctions violations.

Jurisdictions should assess the local risks from peer-to-peer transactions, and possibly adopt optional provisions, such as restricting direct deposit of cryptos with VASPs (paragraphs 105 and 106) — Germany and Switzerland have already considered such rules.

The crypto press went into performative shrieking that the FATF was gunning for DeFi. The only bit that’s actually about DeFi is paragraphs 67 to 69.

The DeFi smart contract itself is not a VASP, any more than any piece of software is. Developing a piece of software doesn’t count as supplying virtual asset services. But using the software to supply virtual asset services counts as running a VASP.

The FATF notes that a lot of “decentralised” finance is run by very touchable centralised entities, who mistakenly think that waving around the word “decentralised” is a free “can’t sue me, bro” card. This turns out not to be the case: “For self-described P2P platforms, jurisdictions should focus on the underlying activity, not the label or business model.”

Individual users are generally not covered under FATF guidance — but they may be subject to other local regulation, such as sanctions or compliance.

Paragraphs 181 to 192 detail precisely what information must be collected under the Travel Rule, and the data requirements for the sending and receiving VASPs. Providers of virtual asset transfers must “transmit the required originator and beneficiary information immediately and securely.”

There should be sufficient information supplied under the Travel Rule to ascertain whether this transfer violates sanctions.

Section 5 of the guidance includes examples of how some jurisdictions have implemented these rules.

OFAC: Sanctions Compliance Guidance for the Virtual Currency Industry

Back in the US, the Office of Foreign Asset Control (OFAC), which regulates sanctions, will be expecting all US crypto companies — including miners — to do sanctions compliance: [Press release; guidance, PDF]

All companies in the virtual currency industry, including technology companies, exchangers, administrators, miners, and wallet providers, as well as more traditional financial institutions that may have exposure to virtual currencies or their service providers, are encouraged to develop, implement, and routinely update, a tailored, risk-based sanctions compliance program. Delaying development and implementation of a sanctions compliance program can expose virtual currency companies to a wide variety of potential sanctions risks.

The main list is the Specially Designated Nationals and Blocked Persons List — the “SDN List.” OFAC supplies the SDN List and the Consolidated Sanctions List in multiple data formats, and they provide a search engine.

OFAC recommends a risk-based approach — you need a compliance department to assess the risks of your customers and their individual transactions. You can’t not have this. OFAC has a pile of further guidance on how to implement compliance monitoring.

OFAC strongly recommends that senior management get on the case — “members of the virtual currency industry implement OFAC sanctions policies and procedures months, or even years, after commencing operations.”

One example OFAC gives is their February 2021 penalty against BitPay. BitPay screened its direct merchant customers in the US, but not the merchants’ customers who paid via BitPay — despite BitPay having that information. In another example, BitGo failed to block customers in sanctioned jurisdictions, such as Crimea, when they could have done so by IP address. [Treasury, PDF; Treasury, PDF]

Sanctions are strict liability — you can be held liable even if you didn’t know you were dealing with a sanctioned entity. Penalties can be severe, but OFAC recommends voluntary self-disclosure in case of errors, and this can mitigate penalties. You will be expected to correct the root cause of the violations.

In a more recent example, OFAC sanctioned Russian crypto exchange Suex in September for facilitating ransomware payments. Now the Treasury has sanctioned Latvian exchange Chatex for similar involvement with ransomware. Chatex is linked to Suex. [press release]

OFAC has also sanctioned Ukrainian national Yaroslav Vasinskyi and Russian national Yevgeniy Polyanin as part of the Sodinokibi/REvil ransomware attacks on the US. Polyanin stored his holdings at the FTX crypto exchange — who are not US-based, but are smarter than to mess with OFAC, and handed back $6 million of ransom. The FBI would like a word with Polyanin too. [Department of Justice, PDF; FBI, PDF]

FinCEN: Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments

FinCEN has issued an updated advisory to US companies on how not to pass ransomware payments. [FinCEN, PDF]

Ransomware existed for decades before crypto (see Attack of the 50 Foot Blockchain, chapter 7) — but it’s only become a large-scale risk in the era of crypto. Ever since the Colonial Pipeline attack, the US Government is deadly serious about ransomware.

Insurers and “digital forensic and incident response” companies have been getting more directly involved in ransomware payments — even paying out the ransoms. FinCEN expects such companies to: (a) register as money transmitters; (b) stop doing this.

A lot of ransomware gangs are sanctioned groups or individuals. Payments to them are sanctions violations.

Red flags include (in a long list) customers even trying to pay a ransom:

• “When opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident.” Yes, I suppose directly saying so would be a clear sign;
• a customer “inquires about or purchases CVC (particularly if in a large amount or rush requests), which may indicate the customer is a victim of ransomware.”

Financial institutions — FinCEN means crypto exchanges — may be required to file a Suspicious Activity Report if they think a transaction may be related to extortion, such as ransomware.

Sanctions violation as extreme sport

I didn’t note it at the time, but Virgil Griffith, who attended the Pyongyang Blockchain and Cryptocurrency Conference in North Korea in 2019, pleaded guilty in September 2021 to the charge of conspiring to assist North Korea in evading sanctions.

The most compelling evidence for this was all the times he said in his own words — when talking to the FBI, for instance — that he was attempting to assist North Korea in evading sanctions.

Griffith will be sentenced in January; his plea deal recommends up to six and a half years’ imprisonment. [Department of Justice; CoinDesk]

The Walrus has a long read on the 2019 crypto conference in North Korea that Griffith attended. [The Walrus]