FinCEN issues CMP linked to cryptocurrency: What you need to know

While cryptocurrency is often used for legitimate purchases, the increase in use for unsavory products and services has caused regulators to pick up their game. Part of the appeal of cryptocurrency is the anonymity. Due to the trend of illicit characters continuing and increasing use of cryptocurrencies, and the responsibility of financial institutions to monitor and report suspicious activity under the Bank Secrecy Act (BSA), all sectors of the financial industry need to understand cryptocurrencies. Since cryptocurrency operates independently of a central bank, regulation of the transactions, specifically BSA, becomes much more difficult.

Regulatory agencies are proving they have taken notice of the use of cryptocurrencies; as in the spring of 2019, the Financial Crimes Enforcement Network (FinCEN) assessed a civil money penalty (CMP) to an individual for violating the BSA, which was the first CMP issued for matters dealing with cryptocurrency. The individual was aware of the requirements, but chose not to comply with the BSA in a variety of ways, such as:

• Not registering as a money service business (MSB). The individual sold and purchased cryptocurrency, specifically bitcoin, to and from others, including for and on behalf of others. The funds were transferred via physical delivery of currency in person, sending or receiving of currency through the mail, and/or coordinating transactions by wire through a depository institution. In addition, the individual discussed anti-money laundering (AML) regulations and how to circumvent those requirements, including registering as an MSB.
• Not having established a written AML program.
• Not filing suspicious activity reports (SARs). The individual failed to file SARs. Examples of the suspicious activity conducted include:

The facilitation of transactions with customers doing business on the darknet, specifically on a website that was shut down by federal law enforcement following highly publicized reports of illegal activity, including the promotion of money laundering by concealing the source of funds.

The individual engaged with a customer who used email addresses with The Onion Router (TOR) that makes is it difficult to determine the location and identity of the darknet user. The torrent service is not in and of itself suspicious, customers making transactions using these services however require additional due diligence for the customer identification, which was not conducted.

• Not filing currency transaction reports (CTRs). According to the BSA requirements, the individual should have filed over 200 CTRs. 

As the use of cryptocurrencies continues to increase, financial institutions should consider the following:

• Review and understand cryptocurrency guidance issued by regulatory agencies, such as FinCEN’s March 2013 guidance on the roles of those involved in the passing of virtual currencies along with the regulatory requirements
• Assess the degree of risk relating to banking customers involved in cryptocurrency and incorporate it in the bank’s BSA risk assessment. Items to consider in the risk assessment, include:
  
  • Customer(s) involved in cryptocurrencies, including their role and overall risk 
  • Methods used by the financial institution to identify and detect new and existing customers involved in cryptocurrencies
• Review policies and procedures to determine if controls are appropriate for the risk associated with customers involved in cryptocurrency. Policies and procedures should address:
  
  • Onboarding new customers involved in cryptocurrency
  • Monitoring new and existing customers for involvement with cryptocurrency
  • Ongoing due diligence that will be performed on customers involved in cryptocurrency  
• Assess the systems (i.e., automated anti-money laundering (AML) system) used to monitor customers’ activities to determine if system parameters should be enhanced to appropriately identify cryptocurrency transactions

Cryptocurrency is a complex virtual currency that is hard to detect and due to the use of this type of currency by illicit characters, expect continued focus by the regulators, especially as it relates to the BSA. If your financial institution has not identified any cryptocurrency transactions, then you should step back and determine how these transactions would be identified to ensure they would be identified. Whether your institution has or has not identified cryptocurrency transactions, you should assess the risk at least annually and ensure that policies and procedures are commensurate with your institution’s risk.