The U.S. Department of Justice ("DOJ") has focused on cryptocurrency in the last six months, while consumer interest hits all-time highs. The cryptocurrency market is not unlike the cannabis market from several years ago—drawing a wide range of participants with a variety of motives to a rapidly growing and novel space. In this environment, the crypto-curious should keep in mind that transacting with unscrupulous actors can place companies and individuals in the crosshairs of law enforcement. This alert summarizes the most significant developments and highlights from criminal cases by DOJ from the fall of 2020 through the first quarter of 2021.
DOJ'S CRYPTOCURRENCY ENFORCEMENT FRAMEWORK AND AMLA 2020
In October 2020, DOJ released its Cryptocurrency Enforcement Framework (the "Framework"),1 which it developed as part of the Attorney General's Cyber-Digital Task Force. The Framework contains three sections:2 (1) Threat Overview; (2) Law and Regulations; and (3) Ongoing Challenges and Future Strategies. The first section details the ways in which criminals have used cryptocurrency to fund and facilitate illegal activity, including drug and firearms trafficking, terrorist financing, and other online criminal activity.
The second section explains the existing statutory and regulatory tools that DOJ and others (such as U.S. Treasury Department's Financial Crimes Enforcement Network ("FinCEN"), Office of Foreign Assets Control ("OFAC"), the Securities & Exchange Commission ("SEC"), the Commodity Futures Trading Commission ("CFTC"), and the Internal Revenue Service ("IRS")) have available to regulate cryptocurrency.
Anti-Money Laundering ("AML") standards under the Bank Secrecy Act3 ("BSA") must be considered in assessing cryptocurrency risks, as all financial institutions and money services businesses ("MSBs")—including those that conduct business in virtual currency—are required establish an AML program. In short, a program must be reasonably designed to prevent money laundering and terrorist financing, including monitoring transactions for suspicious activity and reporting suspicious transactions to relevant regulators through Suspicious Activity Reports ("SARs"). The AML program obligations extend to all MSBs, which are defined as entities that do business "wholly or in substantial part" within the United States, irrespective of whether the entity is based in the United States.4
The third and final section of the Framework discusses challenges and strategies for law enforcement in prosecuting criminals. Although cryptocurrency presents challenges because it is decentralized and cross-border, DOJ emphasized that it will prosecute conduct that touches financial data or other computer systems within the United States, even if the actors reside outside the country. The DOJ outlined business models that have high risk profiles but aren't subject to sufficient controls. These business models include public cryptocurrency exchanges, private peer-to-peer exchanges, and cryptocurrency kiosk operators. All are subject to regulatory requirements and are priority enforcement targets given their past misuse.
Then, in December, Congress passed the Anti-Money Laundering Act of 20205 ("AMLA 2020"), the most significant anti-money laundering statute in nearly two decades, which took effect on January 1, 2021. AMLA 2020 made clear that the Bank Secrecy Act applies to cryptocurrency. Specifically, it expressly expanded the reach of the BSA to businesses engaged in the trade of "value that substitutes for currency," e.g., cryptocurrency. AMLA 2020's definition of financial institution also expressly includes virtual currency businesses that essentially serve as money transmitters.
Among other things, AMLA 2020 increases civil and criminal penalties for BSA violations and provides large rewards to an expanded category of whistleblowers who report violations, up to 30% of the amount recovered by the government. The new law also allows nearly anyone with relevant knowledge to become a whistleblower, including compliance personnel or in-house counsel, although this latter category must navigate issues of privilege and confidentiality.
Throughout the fall DOJ and its partner agencies brought significant cryptocurrency actions as well, including a large parallel civil-criminal proceeding by the U.S. Attorney's Office for the Southern District of New York ("SDNY") and the CFTC against BitMEX, a cryptocurrency exchange and derivative trading platform. Also charged were BitMEX's CEO and various entities and individuals associated with founding, owning, or operating the platform. SDNY indicted the CEO and three other individuals for willful violations of BSA by failing to establish and maintain an adequate AML program.6 In parallel, the CFTC filed a civil action against five entities and three individuals that own and operate BitMEX for running an unregistered trading platform and for violating a litany of CFTC regulations, including failing to implement an AML policy.7 Although incorporated in the Seychelles, the exchange platform serves U.S.-based customers. BixMex continues to operate, and in February 2021, BitMEX reported that a total of $1 trillion had been traded on its platform in the past year.8
The SDNY indictment alleges that BitMEX failed to implement any AML policy after it was on notice that it was being used to launder the proceeds of a cryptocurrency hack, and was made aware of Iranian customer activity. The indictment also alleges that BitMEX did not file any Suspicious Activity Reports ("SARs"). The CEO of BitMEX is expected to surrender to authorities on April 6, 2021.9
In November 2020, DOJ seized the largest cache of cryptocurrency to date: thousands of bitcoins valued at approximately one billion dollars.10 The seizure is connected to DOJ's filing of a civil forfeiture action against the alleged criminal proceeds of the Silk Road website, the notorious online marketplace whose founder, the "Dread Pirate Roberts" is serving a life sentence.11
Although the BitMEX actions and the Silk Road bitcoin seizure drew headlines for their size, cryptocurrency enforcement in recent months has not been limited to high-dollar cases. Last month, Treasury's Office of Foreign Assets Control ("OFAC") announced a settlement with BitPay, Inc., a payment processing company for merchants to accept digital currency as payment for goods and services.12 BitPay agreed to pay a civil penalty of over $500,000 to settle allegations that it violated multiple sanctions programs by allowing persons presumably located in North Korea, Iran, and other sanctioned countries to transact through BitPay's platform with merchants in the United States and elsewhere using digital currency. The government cited BitPay's possession of location information—including Internet Protocol (IP) addresses and other data—about those persons prior to their engaging in the transactions. However, BitPay failed to screen the locations of its buyers, instead only screening the merchant customer. The fix was apparently easy for BitPay; the company reported that it now blocks IP addresses from sanctioned areas from using its platform to process payments and has added a customer identification tool.13
Familiar securities fraud schemes are also charged in the cryptocurrency space, as demonstrated by the prosecution of John McAfee, the founder of the McAfee antivirus software. The SDNY charged Mr. McAfee and the executive adviser of his cryptocurrency team with various fraud and money laundering conspiracies arising out of the promotion of a cryptocurrency.14 According to the indictment, one of the schemes involved defendants' purchase of cryptocurrency altcoins and then use of McAfee's Twitter account to tout these altcoins to investors, without disclosing their own investments, in a "pump and dump" scheme. This conduct allegedly made defendants millions of dollars after they sold their investments following their Twitter hype.
The second alleged scheme also used McAfee's Twitter account to promote alleged fraud. Specifically, the defendants allegedly promoted the sale of digital tokens to investors on behalf of initial coin offering ("ICO") issuers, without disclosing that the ICO issuers were compensating them out of the funds raised by their promotional activities. According to the indictment, McAfee and others received more than $11 million in undisclosed compensation.
The DOJ and partner agencies are providing new incentives for whistleblowers, and increased penalties for BSA violations creates a number of risks—including legal trouble and reputational damage—for operators of cryptocurrency exchanges and others. Keeping pace with AML controls that reflect the risk encountered in their businesses is necessary. First, cryptocurrency-related businesses should include whistleblower policies and reporting systems as essential components of their compliance programs. Second, businesses should hire advisors and compliance officers who understand this emerging industry and the risks presented by the company's specific geographic location, customers, and products and services.
Although this alert addresses only the enforcement by DOJ and partner agencies, other countries have made cryptocurrency an enforcement priority as well. Most recently, India's government proposed a law banning cryptocurrencies and making it illegal to own, issue, mine, trade, or transfer crypto-assets.15 Current owners would reportedly have six months to liquidate their holdings.
3 35 U.S.C. § 5311 et seq.
4 See 31 CFR § 1010.100(ff).
5 Pub. L. No. 116-283, §§ 6001-6511.
13See id. at 2-3.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.