FinCEN Crypto & Ransomware Guidance: Will 2022 Bring More Changes? – Finance and Banking

The Financial Crimes Enforcement Network (“FinCEN”) of
the U.S. Department of the Treasury (“Treasury”) has made
clear that businesses engaging in certain activities involving
virtual currencies are subject to registration, reporting,
recordkeeping, and other anti-money laundering (“AML”)
requirements under the Bank Secrecy Act and its implementing
regulations (collectively, “BSA”). In response to recent
developments in the field of financial technology
(“fintech”), FinCEN has issued new guidance and
advisories related specifically to activities involving virtual
currencies and ransomware payments.

This article introduces FinCEN and the BSA, identifies AML risks
associated with virtual currencies and ransomware that businesses
may encounter in 2022 and beyond, and discusses best practices for
navigating the complex and rapidly evolving BSA landscape.

What is FinCEN and what is the BSA?

In the United States, FinCEN is a bureau within Treasury tasked
with safeguarding the U.S. financial system from illicit use and
promoting U.S. national security through the strategic use of
financial authorities and the collection, analysis, and
dissemination of financial intelligence. As administrator of the
BSA, FinCEN regulates virtual currencies and other digital assets
for AML purposes.

The BSA aims to prevent criminals from using financial
institutions to facilitate money laundering, terrorist financing,
and other financial crimes.
Under the BSA, certain financial institutions called “money
services businesses” (“MSBs”) are subject to
mandatory registration, program, recordkeeping, and reporting
requirements.

Virtual currency.

FinCEN defines the term “virtual currency” as “a
medium of exchange that can operate like currency but does not have
all the attributes of ‘real’ currency. including legal
tender status.” FinCEN uses the term “convertible virtual
currency”
(“CVC”) to refer to a type of
virtual currency that either (i) has an equivalent value as
‘real’ currency or (ii) acts as a substitute for
‘real’ currency. Essentially, CVCs are virtual currencies
that can be exchanged for ‘real’ currencies. Examples of
CVCs include most cryptocurrencies (digital assets maintained by
a

I would like to thank our Law Clerk, Alexander Dieter, for his
contributions to this article.

The Bank Secrecy Act statute is codified at 12 U.S.C.
§§ 1829b, 1951-1959, and 31 U.S.C. §§
5311-5314, 5316-5332. Regulations implementing the BSA statute
appear at 31 C.F.R. Chapter X (formerly 31 C.F.R. Part 103).

decentralized system and secured by cryptography), such as
Bitcoin, Ether, and Monero, as well as most stablecoins (digital
assets designed to maintain a stable market price by pegging their
value to an external reference like fiat currency), such as Tether
and Dai. Note, however, that digital assets with legal tender
status (“LTDAs”), such as China’s digital yuan, are
not virtual currencies.

As bad actors seek to exploit the latest fintech innovations for
illicit purposes, FinCEN has responded by issuing guidance,
advisories, and other publications clarifying the BSA’s
application to emerging business models and novel factual
circumstances. On March 18, 2013, FinCEN became the first U.S.
regulatory agency to issue interpretive guidance on virtual
currencies
by clarifying the BSA’s applicability
to “users,”https://www.mondaq.com/”administrators,” and
“exchangers” of virtual currency. On May 9, 2019, FinCEN
issued comprehensive guidance on
CVCs
, which consolidated related guidance and
administrative rulings from 2011 to 2019 and applied its
interpretation of the BSA to various activities involving CVCs.

Ransomware.

On October 15, 2021, FinCEN published a report analyzing trends
in BSA data collected in the first six months of 2021 concerning
ransomware cyber-attacks and related payments. According to the
report, the severity and sophistication of ransomware attacks are
increasing rapidly, and perpetrators of ransomware are taking new
measures to obfuscate their financial trails and enhance their
anonymity. On November 8, 2021, FinCEN published an updated Ransomware
Advisory
providing specific instructions for
detecting, preventing, and reporting suspicious transactions
associated with ransomware attacks. In 2022, companies should be
well aware of the risks posed by ransomware and the regulatory
obligations that may be triggered by a cyber-attack or related
transaction (for more information, see our previous article,
Ransomware Attacks Are on the Rise; Are You
Ready?
).

***

As virtual currencies become more popular and widespread in
society, companies will need to carefully consider the regulatory
implications of engaging in activities involving virtual
currencies. Some important considerations include:

  1. Determining whether your company is a Money Services
    Business under the BSA.

The BSA defines a “money services business”
(“MSB”) as “a person wherever located doing
business, whether or not on a regular basis or as an organized or
licensed business concern, wholly or in substantial part within the
United States,” operating in one or more enumerated
capacities, including as a “money transmitter.” Generally, a
“money transmitter” is a “person that provides money
transmission services,” including “the acceptance of
currency, funds, or other value that substitutes for
currency
from one person and the transmission of currency,
funds, or other value that substitutes for currency to
another location or person by any means.” The BSA also provides
that certain persons, such as natural persons acting as money
transmitters on an infrequent basis and not for profit,
are exempt from MSB status.

According to FinCEN’s 2013 VC Guidance, users of virtual
currency that obtain CVCs to purchase goods or services are not
MSBs, whereas administrators or exchangers of virtual currency that
(i) accept and transmit CVCs or (ii) buy or sell CVCs are
determined to be money transmitters subject to the BSA requirements
for MSBs. Moreover, FinCEN’s 2019 CVC Guidance provides that
whether a person qualifies as an MSB generally depends on the
person’s activities and not its formal business
status. Although the 2019 CVC Guidance describes the BSA’s
applicability to several common business models, such as
peer-to-peer (“P2P”) exchangers, CVC kiosks, and certain
decentralized applications (“DApps”), it does not resolve
all ambiguities. Answering the threshold question of whether a
company qualifies as an MSB is crucial, yet seldom
straightforward.

  1. Ensuring that your MSB has properly and timely
    registered with FinCEN.

The first step for an MSB operating in the United States in
establishing its BSA compliance framework is registering as an MSB
with FinCEN using FinCEN’s BSA E-Filing system by submitting
FinCEN Form 107. An MSB’s
registration with FinCEN must be renewed every two years.

An entity acting as an MSB that fails to register as required by
the BSA is subject to civil money penalties and possible criminal
prosecution. In fact, FinCEN’s first enforcement action against
a virtual currency exchanger – the 2015 Ripple Labs case – involved
a determination by FinCEN that the respondents willfully violated
the mandatory registration requirement for MSBs, among other
violations. On May 5, 2015, FinCEN
assessed a $700,000 civil money penalty against

31 C.F.R. § 1010.100(ff).

31 C.F.R. § 1010.100(ff)(5)(i)(A)
(emphasis added).

31 C.F.R. § 1022.380; 31 U.S.C.
§ 5330.

See In the Matter of Ripple
Labs Inc., Assessment of Civil Money Penalty, Number 2015-05 (May
5, 2015), available at https://www.fincen.gov/sites/default/files/shared/Ripple_Assessment.pdf.
See also In the Matter of Ripple Labs Inc., Statement of
Facts and Violations, Attachment A (May 5, 2015), available
at
https://www.fincen.gov/sites/default/files/shared/Ripple_Facts.pdf;
In the Matter of Ripple Labs, Remedial Framework, Attachment B (May
5, 2015), available at

Ripple Labs Inc. and its wholly owned subsidiary, XRP II LLC,
for multiple violations of the BSA relating to operating as an
unregistered virtual currency exchanger and selling its virtual
currency known as XRP. FinCEN also referred the matter to the U.S.
Attorney’s Office for the Northern District of California,
which eventually resolved possible criminal charges for related
conduct.

  1. Ensuring that your MSB has an effective, written AML
    program.

MSBs must implement an effective, written, risk-based AML
program that meets certain minimum requirements. MSBs are required
to develop, implement, and maintain an AML program that is
reasonably designed to prevent the MSB from being used to
facilitate money laundering and to finance terrorist
activities. AML programs for MSBs
must be commensurate with the unique money-laundering risks
associated with the specific factual circumstances of the MSB, such
as the composition of its customer base, geographies served, and
financial products or services offered. In the context of reviewing
risk-based policies, procedures, and practices, MSBs should consult
the most recent list of jurisdictions with strategic deficiencies
in their AML regimes published by the Financial Action Task Force
(“FATF”), an intergovernmental standard-setting body in
which the U.S. government, through the Treasury, actively
participates. AML programs for MSBs
must also meet other “minimum” requirements, such as
providing training on AML responsibilities for appropriate
personnel, designating an AML compliance officer, and establishing
an independent audit function to review the adequacy of the AML
program.

  1. Ensuring that your MSB is complying with its reporting
    and recordkeeping requirements.

MSBs are subject to many reporting and recordkeeping
requirements under the BSA. One example is the requirement that
most MSBs must file a suspicious activity report (“SAR”)
using FinCEN Form 111 for certain activities or transactions
relevant to a possible violation of law or regulation. Transactions that are
conducted or attempted by, at, or through an MSB that involve or
aggregate funds or other assets of $2,000 or more (or, in certain
circumstances, $5,000 or

https://www.fincen.gov/sites/default/files/shared/Ripple_Remedial_Measures.pdf;
FinCEN Fines Ripple Labs Inc. in First Civil Enforcement Action
Against a Virtual Currency Exchanger, News Release (May 5, 2015),
available at https://www.fincen.gov/sites/default/files/2016-08/20150505.pdf.

31 C.F.R. § 1022.210.

See FATF, “Jurisdictions under Increased Monitoring -
October 2021” (Oct. 21, 2021), available at
http://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/increased-monitoring-october-2021.html.

31 C.F.R. § 1022.320.

more), and that the MSB knows, suspects, or has reason to
suspect are suspicious must be reported by filing a SAR. Per
FinCEN’s 2021 Ransomware Advisory, when a SAR filing is
required for a suspicious transaction involving ransomware, all
relevant information available, including cyber-related information
and technical indicators, must be included in both the SAR form and
narrative.

***

One final consideration for companies engaged in activities
involving virtual currencies: the BSA/AML regulatory landscape is
characterized by uncertainty. FinCEN’s efforts to refine the
existing BSA regime to address modern challenges are ongoing, as
evidenced by FinCEN’s Request for Information
(“RFI”), published on December 15, 2021, seeking
“ways to streamline, modernize, and update the anti-money
laundering and countering the financing of terrorism (AML/CFT)
regime of the United States” to protect U.S. national security
“in a cost-effective and efficient manner” on a
continuing basis.

This RFI comes approximately one year after several of
FinCEN’s proposed amendments to the BSA concerning virtual
currencies were met with significant backlash from industry
leaders, underscoring the uncertain future of FinCEN’s
forthcoming reforms.
Moreover, with Treasury expected to address issues like stablecoins
and LTDAs in its report to Congress due sometime in January 2022,
the regulatory landscape surrounding virtual currencies and other
digital assets remains under active construction.

If you have questions concerning FinCEN’s regulation of
virtual currencies or ransomware or need assistance with
determining your company’s BSA obligations, assessing your
AML/CFT risks, or coordinating with FinCEN or other government
agencies, feel free to contact the attorneys at Torres Law,
PLLC.

See Review of Bank Secrecy Act Regulations and
Guidance, 86 Fed. Reg. 71,201 (Dec. 15, 2021), available
at
https://www.federalregister.gov/documents/2021/12/15/2021-27081/review-of-bank-secrecy-act-regulations-and-guidance
(announcing the deadline for submitting comments on this RFI is
February 14, 2022).

See Threshold for the Requirement To Collect, Retain,
and Transmit Information on Funds Transfers and Transmittals of
Funds That Begin or End Outside the United States, and
Clarification of the Requirement To Collect, Retain, and Transmit
Information on Transactions Involving Convertible Virtual
Currencies and Digital Assets With Legal Tender Status, 85 Fed.
Reg. 68,005 (Oct. 27, 2020), available at https://www.federalregister.gov/documents/2020/10/27/2020-23756/threshold-for-the-requirement-to-collect-retain-and-transmit-information-on-funds-transfers-and;
Requirements for Certain Transactions Involving Convertible Virtual
Currency or Digital Assets, 85 Fed. Reg. 83,840 (Dec. 23, 2020),
available at https://www.federalregister.gov/documents/2020/12/23/2020-28437/requirements-for-certain-transactions-involving-convertible-virtual-currency-or-digital-assets.

See Interagency Report on Stablecoins (Nov. 1, 2021),
at 21, available at https://home.treasury.gov/system/files/136/StableCoinReport_Nov1_508.pdf.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.