alerts & publications
FinCEN SPEAKS CRYPTO: Extensive New Guidance for ICOs, Digital Wallets, DApps, Trading Platforms, Decentralized Exchanges, and others in the Blockchain and Crypto SpaceMay 16, 2019
Any question of FinCEN’s intention to broadly apply traditional rules applicable to money transmitters to the blockchain/cryptocurrency industry, regardless of the complexity or suitability of applying them to a new paradigm, are put to rest by two new guidance documents issued last week. New and emerging businesses utilizing blockchain technology and cryptocurrency transactions have struggled for years with how to apply the regulatory requirements of the Bank Secrecy Act (BSA) and related regulations to their business models. The question of what activity does, or does not, constitute “money transmission” has dominated the debate. FinCEN, an agency of the US Treasury Department charged with administering the BSA, along with other federal and state regulators, has faced questions, complaints, and calls for clarity from the industry.
With the issuance last week of 30 pages of interpretative guidance entitled “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies” (the “Guidance”), FinCEN attempts to provide that clarity and leave no doubt of its intention to strictly apply the rules and principles applicable to “traditional” money services businesses to blockchain and cryptocurrency (which FinCEN refers to as convertible virtual currency (CVC)). FinCEN concurrently released its “Advisory on Illicit Activity Involving Convertible Virtual Currency” (the “Advisory”), highlighting specific red flags indicating potential illicit activity involving cryptocurrency and emphasizing the role of “financial institutions” (both cryptocurrency and fiat-based institutions) in reporting suspicious activity.
Because this is not an easy fit, FinCEN’s new guidance includes discussion of an extensive number of illustrative scenarios and use cases. At the same time, the Advisory signals that FinCEN views cryptocurrency-based money services businesses as being prone to high-risk transactions and expects those businesses to be active participants in the fight against money laundering and other illicit activity endangering national security. Below, we address a number of the most significant aspects of the Guidance and briefly note key aspects of the Advisory.
What’s New in the Guidance
Although not intended to “establish any new regulatory expectations or requirements,” the Guidance provides new insight into FinCEN’s view of how and when the existing regulatory requirements apply to certain blockchain business models. FinCEN’s views are not beyond judicial challenge, but do carry significant weight. Noteworthy aspects of the Guidance include:
- Initial Coin Offerings (ICOs). FinCEN believes that most ICOs that are not otherwise separately regulated by the Securities and Exchange Commission (SEC), US Commodity Futures Trading Commission (CFTC), or an equivalent foreign agency (each of which also require compliance with the BSA/Anti-Money Laundering (AML) requirements established by FinCEN) will constitute money transmitting:
- Token Pre-sale. Developers that issue their own tokens, regardless of the state of operations and whether the platform is designed to operate in a decentralized fashion in the future, are money transmitters, regardless of whether the tokens are exchanged for other funds at the time of the pre-sale or at a later date.
- Fundraising or Hedging Activity. FinCEN generally views the selling of an equity stake or debt instrument to early backers (or the hedging of a previous investment related to an ICO) to be money transmitting activity unless this activity is already regulated by another regulator (such as a banking authority, the SEC, CFTC, or subject to foreign regulation by agencies equivalent to the SEC or CFTC. However, the exemption for transmissions “integral” to the provision of non-money transmission goods or services may still be available.1 The Guidance provides an example stating that money transmission related to “fundraising activity” may meet the integral exemption, unless “the asset is issued to serve as a value that substitutes for currency.” [Although not addressed in the Guidance, one could imagine escrow or custody services that would meet this exemption under the right circumstances.]
- Re-sale of Tokens Obtained During Fundraising. Investors who acquire tokens can re-sell those tokens for their own personal purposes without becoming a money transmitter (although they remain subject to any applicable securities or commodities regulatory requirements and the BSA/AML obligations that would come with them).
- Digital Wallets. The Guidance provides the first clear statements by FinCEN regarding how it approaches various digital wallet scenarios, including hosted and unhosted wallets and multiple-signature wallet services. It also highlights the application of correspondent banking principles to certain types of hosted wallets, an area that brings particular attention from regulators. And, where wallet activity amounts to money transmission, the Funds Travel Rule discussed above applies to wallet providers.
- The Guidance states that the use of unhosted wallets—software a user has on their own computer or device that allows them to interact directly with the payment system they are using—does not make a person a money transmitter if a third party is not necessary for the transactions to occur and that the person is using the unhosted wallet for their own purchases of goods or services.
- The use of multiple-signature features, requiring the key of not just the user, but also of the original provider of the wallet or another third-party validation service, does not in itself convert an unhosted wallet into a money transmitter, but would where the wallet has the characteristics of hosted wallets discussed below.
- Hosted wallets are money transmitters because they are account-based, the host has technical control over the value contained in the wallet, and the host interacts with the payment process on behalf of the account owner. Further, the regulatory obligations of the wallet host will vary depending on the nature of their customers. Where a wallet service is providing an account to an individual user,2 the wallet provider must apply the regular customer identification and diligence procedures contained in its anti-money laundering program. On the other hand, if a wallet provider utilizes another business as an agent, and provides that agent an account, the wallet provider has additional requirements in monitoring the activities of its agent. Finally, where a wallet provider maintains an account for another business that is not its agent, this will be considered a “correspondent account,” which brings its own unique enhanced requirements and expectations under BSA rules and regulations.
- Anonymizing Services and Privacy Coins. The Guidance addresses both privacy coins and various anonymizing services and tools. However, FinCEN does not recognize any difference in the customer identification requirements for money transmitters engaged in anonymized transactions as for any other money transmitter. The creation of software that anonymizes transactions is not in and of itself money transmission because it is covered by the exemption under FinCEN regulations applicable to “the delivery, communication, or network access services used by a money transmitter to support money transmitting services,” but the following are considered to be money transmitters:
- An individual who uses anonymizing software for their own personal transactions.
- Businesses who act as “mixers” or “tumblers,” receiving cryptocurrency for the purpose of obscuring or masking the transaction or identity of the user and then transmitting it back or to a third party.
- A business that utilizes anonymizing services as part of its own business model transmitting or exchanging funds on behalf of others.
- An issuer of privacy coins that exchanges those coins for another type of value or that transfers privacy coins on behalf of another is still a money transmitter.3
- Internet Gaming and Predictive Markets. The Guidance notes that the $1 million gross annual gaming threshold applicable to internet-based gaming and predictive markets includes cryptocurrency, and that even where an internet platform may not meet the definition of casino, it still may be considered a money transmitter if it accepts or transmits funds upon conclusion of a bet.
- Transaction Messaging. The Funds Travel Rule requires money transmitters involved in transactions of $3,000 or more to have collected, forwarded, or received certain identifying information of the individuals involved. While this rule works easily with fiat wire transactions utilizing SWIFT messaging, there is no similar existing mechanism for sending transaction information among participants in blockchain transactions. The Guidance makes clear, however, that FinCEN expects businesses such as exchangers and wallet hosts to meet the requirements of this rule, regardless of whether doing so will require a separate and additional step for each transaction in order to be able to send the required transaction information. This is potentially a significant new burden to business models falling into the money transmitter category and to the entire industry that does not yet have a unified messaging system.
What’s Not New in the Guidance
The following aspects are noteworthy because FinCEN either relies on them as a theme throughout the Guidance or they confirm interpretations that generally seemed to be understood by the cryptocurrency industry.
- Facts and circumstances. Although FinCEN goes farther in the Guidance than it has previously in addressing real-world scenarios applicable to the cryptocurrency industry, it continues to emphasize that whether a person is a money transmitter under the BSA is a matter of the specific “facts and circumstances” involved, leaving the agency plenty of room for future interpretations.
- Activity-Specific. Throughout the Guidance, FinCEN reiterates that the determination of whether a person is a money transmitter must be done on an activity-specific basis rather than as a single question for the business. Businesses may have one part of their activities that is unregulated and another that is money transmitting, and each needs to be evaluated independently.
- Crypto Payment Processing. While fiat payment processors are generally exempt from regulation as a money transmitter, cryptocurrency payment processors are not. This is not a surprise, as a requirement for the exemption to apply is that the processor “operate through clearance and settlement systems that admit only BSA-regulated financial institutions,” and the industry is not yet there as a whole.
- Communication and Access Services. Various forms of delivering information, communication, and network access through trading platforms and decentralized exchanges where the parties themselves accomplish and settle transactions are exempt from money transmitter status.
- DApps. The creation of a DApp itself, even one that is intended to facilitate transactions in cryptocurrency, is not money transmission unless “used” or “deployed” by the developer to engage in money transmission.
The Guidance is the first comprehensive guidance document applicable to the cryptocurrency industry FinCEN has issued since it declared in 2013 that Bank Secrecy Act regulations apply equally to money transmitting activity conducted in virtual currency as they do to “real,” or fiat, currency. It compiles the body of prior FinCEN guidance issued over the last fifteen years—including guidance both directly related to cryptocurrency and some involving fiat and more traditional financial services—which the agency considers relevant to the cryptocurrency space.
Key Aspects of the Advisory
Much of the Advisory reiterates established FinCEN requirements as they apply to cryptocurrency businesses. But it is notable in signaling that FinCEN is focused on ensuring that cryptocurrency money services businesses, including those that are small and/or may be currently unregistered, direct the necessary resources to complying with existing FinCEN requirements as they apply to this high-risk transactional environment.
- High-Risk Entities. The Advisory specifically calls out four classes of cryptocurrency activities that FinCEN views as serial-processors of unlawful transactions: darknet marketplaces, peer-to-peer (P2P) exchangers who exchange cryptocurrency for fiat or other virtual currencies, foreign-located money services businesses, cryptocurrency kiosks (or bitcoin ATMs) that function as or facilitate interactions with cryptocurrency exchanges.
- Red Flags of Suspicious Activity. The Advisory reiterates that cryptocurrency related money services businesses—and others who service or transact with them—are required to evaluate transactions for “red flags” and report suspicious transactions to FinCEN. FinCEN provides an extensive list of examples of red flags that apply it believes companies should be watching for in the cryptocurrency context, including: use of VPN to access Tor or cryptocurrency accounts, evidence that a customer knows little about cryptocurrency or has insubstantial wealth to justify large cryptocurrency acquisitions, and repeated transactions with offshore cryptocurrency exchanges.
- Suspicious Activity Reporting. The Advisory asks cryptocurrency businesses to collect and retain specific categories of information that extend beyond the strict regulatory requirements for the information that must be included in a suspicious activity report (SAR), such as virtual currency wallet addresses, account information, available login information (including IP addresses), and mobile device information (such as device IMEI). FinCEN also asks companies to clearly indicate in the text of a SAR that it pertains to cryptocurrency by including the Advisory number (CVC FIN-2019-A003) in the text of the SAR.
The Guidance and Advisory signal FinCEN’s intent to remain vigilant in its oversight of the financial services industry, and blockchain industry participants should consider the impact on current and proposed business models and best practices in light of the new guidance.
1 See FinCEN, Request for Administrative Ruling on the Application of FinCEN’s Regulations to a Virtual Currency Payment System, FIN-2014-R012 (Oct. 27, 2014).
2 FinCEN, Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies, FIN-2013-G001 (Mar. 18, 2013), (“A user is a person that obtains virtual currency to purchase goods or services” on their own behalf.”).
3 Moreover, the use of privacy coins does not change the obligations of a money transmitter to meet all BSA rules and regulations, including the Funds Travel Rule. A business that sends, receives, or participates in the transmission of anonymized cryptocurrency is required to determine the true identity of the sender or recipient and share that information as required under the Travel Rule.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. David Kirman, an O’Melveny partner licensed to practice law in California, Eric Sibbitt, an O’Melveny partner licensed to practice law in California and New York, Laurel Loomis Rimon, an O’Melveny senior counsel licensed to practice law in California and the District of Columbia, Mary Pat Dwyer, an O’Melveny associate licensed to practice law in the District of Columbia, and Sydney Ryan, an O’Melveny associate licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2019 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.
Thank you for your interest. Before you communicate with one of our attorneys, please note: Any comments our attorneys share with you are general information and not legal advice. No attorney-client relationship will exist between you or your business and O’Melveny or any of its attorneys unless conflicts have been cleared, our management has given its approval, and an engagement letter has been signed. Meanwhile, you agree: we have no duty to advise you or provide you with legal assistance; you will not divulge any confidences or send any confidential or sensitive information to our attorneys (we are not in a position to keep it confidential and might be required to convey it to our clients); and, you may not use this contact to attempt to disqualify O’Melveny from representing other clients adverse to you or your business. By clicking "accept" you acknowledge receipt and agree to all of the terms of this paragraph and our Disclaimer.