The federal government’s massive crackdown on cryptocurrency companies requires all crypto market participants to redouble their compliance efforts to satisfy regulators and ensure the trust of their customers and counterparties.
At present, cryptocurrency compliance is highly technical. Despite the absence of an industry-specific statutory or regulatory regime, U.S. regulators and law enforcement agencies have aggressively asserted jurisdiction over the world of digital assets. To date, the U.S. Department of Justice, the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and other federal and state-level regulators have pursued enforcement actions against cryptocurrency exchanges, cryptocurrency transactions, initial coin offerings, non-fungible tokens, stablecoins, and others, typically involving contradictory and competing requests for information and instructions. These efforts have often lacked coordination and, even in the face of common facts, been driven by conflicting views regarding applicable legal theories.
The lack of regulatory guidance combined with an excess of enforcement activity creates a dangerous situation for even the most diligent compliance officer. Recent comments by SEC Enforcement Division Director Gurbir Grewal about compliance expectations, particularly the personal liability of compliance officers, should raise concerns among cryptocurrency market participants. Grewal emphasized that the SEC will bring action against compliance officers if they “completely fail to discharge their compliance responsibilities.” This test relies heavily on an agreement or consensus on what those compliance responsibilities are. Unlike the traditional financial services industry, the absence of federal laws or a substantive regulatory framework increases the likelihood that even good faith efforts on cryptocurrencies will be deemed insufficient by regulators and treated as a “total failure” worthy of sanctions, according to Director Grewal’s public statements.
Cryptocurrency risk areas
Cryptocurrency compliance officers cannot afford to wait for clearer regulations to be promulgated. Rather, they must navigate this uncertainty to ensure their protocols can meet the demands of a multitude of regulators with vague and often differing expectations. The specific key focus areas described below are essential to mitigate risk and increase confidence in the effectiveness of their programs.
Understanding Blockchain Technology
Companies involved in cryptocurrency and their executives should staff their compliance teams with individuals who have a substantial understanding of blockchain technology, the foundation of cryptocurrency-based activities. Compliance teams must be able to educate employees on compliance expectations and educate regulators about cryptocurrency products and operations. Effective communication with both parties will ensure a highly functioning and defensible compliance regime.
AML Procedures
A core area that any compliance strategy must focus on is the implementation of a satisfactory and robust anti-money laundering (AML) program. Cryptocurrency's decentralization and anonymity often make it suspected by regulators as a means to hide illegal activity. In fact, AML experts note that non-compliance with AML requirements is often part of the charges regulators levy against companies. Without adequate safeguards against money laundering and other potential financial crimes, cryptocurrency companies are vulnerable to regulatory scrutiny and exploitation by bad actors.
Cryptocurrency trading companies must strengthen traditional AML procedures and include cryptocurrency-specific tracking and analysis in their compliance regimes, such as using blockchain intelligence tools to identify high-risk or terrorist-related crypto wallet addresses. Additionally, companies must remain aware that they will be assessed under the Bank Secrecy Act (BSA). For example, in October 2022, Bittrex was deemed to be a money services business. Ultimately, Bittrex was fined more than $24 million by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) for violating the BSA, AML laws, and other sanctions. Key to the fine was Bittrex's access to customer IP and address information collected when onboarding new customers. The company knew that many of its customers were located in sanctioned jurisdictions, but did not vet customer information for ties to those jurisdictions.
Violations of the BSA by cryptocurrency companies may also result in criminal penalties. In May 2022, the former CEO of BitMEX, one of the oldest and largest cryptocurrency derivatives exchanges, was sentenced to six months' home detention and a $10 million fine in the Southern District of New York for violating the BSA by failing to establish, implement, and maintain an anti-money laundering program, including a know-your-customer program to verify the identities of BitMEX's customers through a properly managed authentication system. The company also settled lawsuits with the CFTC and FinCEN in 2021, paying $100 million for BSA and AML violations.
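The Bittrex and BitMEX matters above turn on data the company already held at onboarding (IP, stated address, wallet addresses) not being screened. The following is an added illustration, not code from the article or from either company, of what such a screening step looks like: the sanctioned-jurisdiction codes, the IP geolocation table, the flagged-wallet list and the applicant records are all constructed sample data.

```python
"""Onboarding screening check (added example; all lists and records are constructed)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed jurisdiction codes; a real program sources these from OFAC's
# current sanctions programs rather than hard-coding them.
SANCTIONED_JURISDICTIONS = {"XA", "XB"}

# Constructed IP-to-country table standing in for a commercial geolocation feed.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "XA",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}

# Constructed denylist standing in for output of a blockchain intelligence tool.
FLAGGED_WALLETS = {"bc1qflagged000000000000000000000000000000000"}


@dataclass
class Applicant:
    customer_id: str
    stated_country: str                 # from the address given at onboarding
    ip: str                             # IP observed during onboarding
    wallets: List[str] = field(default_factory=list)


def geolocate(ip: str) -> Optional[str]:
    """Map an IP to a country code, or None if the feed has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


def screen(applicant: Applicant) -> Dict[str, object]:
    """Return a decision plus every triggered reason, so the audit record is complete."""
    hard, soft = [], []          # hard hits block; soft hits go to manual review
    if applicant.stated_country in SANCTIONED_JURISDICTIONS:
        hard.append(f"stated address in sanctioned jurisdiction {applicant.stated_country}")
    geo = geolocate(applicant.ip)
    if geo in SANCTIONED_JURISDICTIONS:
        hard.append(f"onboarding IP geolocates to sanctioned jurisdiction {geo}")
    elif geo is None:
        soft.append("onboarding IP could not be geolocated")
    for w in applicant.wallets:
        if w in FLAGGED_WALLETS:
            hard.append(f"wallet {w} is on the flagged-address list")
    decision = "block" if hard else ("review" if soft else "approve")
    return {"customer_id": applicant.customer_id, "decision": decision, "reasons": hard + soft}
```

Every reason, including the soft ones, is returned with the decision so that the screening outcome can be retained alongside the onboarding record.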
Retention policy
A retention policy is a relatively simple proactive step that compliance officers can take to build trust with regulators. In contrast to the clear mandates that govern the traditional finance sector, cryptocurrency companies have no clear regulatory retention requirements. Nevertheless, regulators view retention policies as an indicator of a company's compliance culture. As an example, in the recent indictment and conviction of FTX founder Sam Bankman-Fried, prosecutors pointed to FTX's lack of a retention policy as a sign of wrongdoing. Such negative impressions can be avoided. Cryptocurrency trading companies should consider creating a system that can record the following information, if applicable:
- Transaction data, including profit and loss figures.
- Employees who trade assets and manage automated trading strategies.
- The amount and type of assets traded.
Additionally, businesses involved with cryptocurrency should consider retaining all corporate account communications for several years, covering standard channels such as email and instant messaging systems as well as the less common modes of communication prevalent in the cryptocurrency industry.
Third Party Due Diligence
Firms involved in cryptocurrencies should implement a rigorous risk-based approach when engaging with third-party providers. Regulators have made it clear that in the traditional financial industry, firms are responsible not only for their own compliance obligations, but also for those of the third-party vendors they rely on. In the Interagency Guidance on Third-Party Relationships: Risk Management, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency stated that “[t]he scope and extent of due diligence must be commensurate with the level of risk and complexity in the third-party relationship. More comprehensive due diligence is especially important when the third party supports higher-risk activities, including critical activities.”
This regulatory focus will be even more pronounced in the cryptocurrency space. Governments view the cryptocurrency industry as fundamentally risky, in part due to a lack of understanding of the cryptocurrency ecosystem and its novelty. This means that due diligence requirements for third parties will likely be subject to regulatory scrutiny. Marketing and development efforts involving third parties often utilize less disciplined mediums such as social media, podcasts and collaborative workshops, leaving room for misunderstandings and potential issues. Therefore, as part of their third-party risk assessment programs, cryptocurrency companies will need to conduct due diligence before engaging with third parties.
Audit
A successful, sustainable compliance program can leverage internal and external audits to proactively avoid any issues and demonstrate the effectiveness of the program. When conducted regularly, audits act as a pressure test of the compliance program and reassure regulators about the company's compliance culture. Given the challenges many regulators face in understanding the technology being used and identifying legal theories of liability, some regulators have pointed to a weak compliance culture at a cryptocurrency company as a means to further their investigations.
Privacy and data security concerns
Operating in a digital environment always comes with risks such as data breaches, cyber hacks, phishing scams and bad actors, and as cryptocurrency is a new and fast-growing industry, it is a prime target for fraudsters.
Because cryptocurrencies rely on blockchain technology for validation and do not pass through financial institutions, it is also difficult to recover stolen funds or reverse the effects of a theft. Compliance officers must create customized provisions to protect internal data, partner and consumer data, and company and customer assets.
Conclusion
The cryptocurrency enforcement landscape continues to evolve rapidly, with no signs of increased statutory or regulatory guidance in the near future. In December, the SEC denied Coinbase's petition for new rules specifically targeting the digital asset sector. The SEC said it would not propose any new rules or long-sought clarification of expectations, essentially arguing that current securities regulations provide cryptocurrency companies with sufficient notice of their obligations. This is a premise with which few sophisticated crypto professionals agree.
There are no signs of enforcement efforts slowing. In fact, it is likely or certain that enforcement will expand in scope. Therefore, compliance departments and their personnel must be proactive in building best-in-class compliance programs to not only continue to protect their companies and their customers, but also to protect themselves against enforcement investigations and potential liability.
Raja Chatterjee contributed to this article. He is a former prosecutor and in-house counsel responsible for legal, risk and compliance functions.