Blockchain technology offers a wide array of solutions that challenge traditional business models but this innovation needs updated governance policies to balance efficiency and public safety. Blockchain technology can allow for autonomous users to transfer wealth quickly, worldwide, at any time and without any middlemen using its heretofore most successful use case—virtual currencies. This technology increases transparency and traceability because typically all blockchain transactions are recorded in a distributed ledger; however, this technology is not immune to risks associated with market abuse, money laundering and terrorist financing.
Regulators worldwide have recognised the emerging risks related to virtual currencies and have taken different approaches to mitigate and manage these risks. The method of some regulators has been to define virtual currencies and virtual currency service providers under existing regulatory frameworks like traditional financial service providers, thereby subjecting them to similar anti-money laundering/counter-terrorist financing (AML/CTF) requirements. Other regulators have acknowledged the importance of providing regulatory frameworks specific to virtual currencies and have created safe spaces to grow this burgeoning industry.
Today, the industry remains largely unregulated in many jurisdictions and guidelines for those jurisdictions that are regulated lack uniformity. In fact, according to a report published by CipherTrace in October 2018, “97% of criminal Bitcoin directly received by exchanges flowed into those located in countries with weak AML laws” and “4.7% of Bitcoin received by exchanges in countries with weak regulation is criminal.”1 These statistics are based on confirmed cases of bitcoin transfers from criminals, and it demonstrates criminals’ propensity to exploit countries with weak antimoney laundering (AML) laws. For this reason, it is imperative to set a global standard for a regulatory framework that addresses the emerging opportunities and risks presented by virtual currencies and virtual currency service providers. This article will provide a brief introduction to the regulatory framework proposed by the United States (U.S.), European Union (EU), Switzerland, United Kingdom (U.K.), Japan, Malta and the Financial Action Task Force (FATF). In addition, the risks associated with unregulated markets and the international nature of these risks will be examined through the alleged money laundering case of Alexander Vinnik.
The United States (U.S.) can be considered the first country to have implemented regulations on virtual currencies. In March 2013, the Financial Crimes Enforcement Network (FinCEN) issued guidance that defined exchangers and administrators of virtual currencies as money transmitters, a type of money services business (MSB) under the Bank Secrecy Act of 1970 (BSA).2 Any entity the BSA defines as an MSB must establish and maintain an effective AML program. Effectively, this definition puts major U.S. nexuses for virtual currencies in a position to combat money laundering and terrorist financing. This decision was an important change in the history of virtual currencies because it provided the world with a clear sign that innovative instruments used to transfer wealth, such as virtual currencies, must be regulated to control the risks of nefarious actors using them. It also showed that the instrument itself did not have to be defined as a currency, commodity or security; in order to be regulated. Instead of focusing on definitions, these regulations highlighted the importance of the risks posed by entities that use these instruments, and the controls that could be affected using existing laws.
Among other requirements, operating under the BSA and within the supervision of FinCEN requires exchangers and administrators to develop AML policies and procedures, file suspicious activity reports (SARs), respond to law enforcement requests and develop customer identification programs (CIPs). The information that regulated virtual currency MSBs gather through their CIP and SAR filings is invaluable to law enforcement and regulators. This is because transactions and deposit addresses on blockchains are displayed only as alphanumeric codes, which gives this activity perceived anonymity. In compliance with CIP requirements, MSBs verify a customer’s identity and bank accounts, which can be linked to the customers’ virtual currency deposit address(es), thereby bridging the gap in data between the traditional banking system and the virtual currency system.
In November 2018, the importance of matching identifiable information to virtual currency data (i.e., deposit addresses) was demonstrated by the Office of Foreign Assets Control (OFAC) when they provided the public with the identities and associated deposit addresses of two Iranian nationals that helped convert bitcoins received from a ransomware scheme into fiat.3 Since these deposit addresses are traceable on the blockchain, virtual currency service providers can leverage this information to identify direct connections between their users and the individuals identified by OFAC.
Switzerland went a step further than the U.S. and introduced virtual currency companies to formal licensing structures and requirements, beyond those of an MSB. In October 2018, Switzerland’s Financial Market Supervisory Authority (FINMA) awarded the world’s first asset management licence to a virtual currency platform,4 essentially giving this company the ability to operate like traditional asset managers in Switzerland. Virtual currency exchanges in Switzerland may seek asset management licences through FINMA. The Swiss Bankers Association (SBA) also issued guidelines that can help banks assess the risk of virtual currency service providers, including specific know your customer (KYC) and AML checks banks can conduct for Initial Coin Offerings (ICO)—business processes that involve funding and launching new tokens, similar to initial public offerings. The SBA’s guidelines can help virtual currency providers gain access to traditional banking services.
FINMA also adopted a fintech licensing program effective January 1, 2019, which will allow non-bank institutions to accept public deposits up to 100 million Swiss francs and hold security tokens without obtaining additional securities dealer licensing. This licensing program is another way Swiss regulators have removed barriers to entry for virtual-currency-based businesses while taking measures to regulate the industry.
FINMA appears to take on a more conservative approach when considering liquidity, credit and market risk of virtual currencies from institutional investors’ trading activities in virtual currencies. For example, it cites a trading cap for virtual currencies of 4 percent of total capital for institutional investors and suggests a risk weighting of 800 percent for virtual currencies at the high end due to credit risk, liquidity risk and the volatility of the market. There are currently no regulations specific to virtual currencies in Switzerland; however, virtual currency businesses are subject to current AML and securities regulations.
In June 2018, the Fifth AML Directive (5AMLD) included virtual currency exchange platforms and custodian wallet providers as obliged entities. This means that by January 2020, EU member states will require virtual-currency-centric obliged entities to implement AML/CTF controls. This also means that member states must have established laws, regulations and administrative provisions to accommodate the virtual currency industry.
The European Securities and Markets Authority (ESMA) along with the European Banking Authority (EBA) have also published reports on ICOs and virtual currencies. Both authorities have raised concerns over the applicability of current EU laws to virtual currencies. One conclusion both publications note is that current EU regulations do not govern most of the virtual currency activity. Therefore, regulatory responses at the national level are uncoordinated and seem to diverge.
Current EU regulations do not govern most of the virtual currency activity
Virtual currencies that qualify as financial instruments will be governed by the Markets in Financial Instruments Directive II (MiFID II). Interpretations of the MiFID II differ at the national level, and EU member nations have different interpretations of this directive. For example, there are different interpretations of whether MiFID II obligations apply at the fund level or fall to the management company. The MiFID II typically governs investment firms providing portfolio management services. However, in some EU countries, investment firms that provide collective portfolio management services and are governed by securities regulations are allowed to provide portfolio management services without being registered as an investment firm. The result is, again, misalignment among European states when it comes to regulating virtual currencies.
For this reason, the ESMA and EBA reports advise that the European Commission set regulatory standards to create consistency in risk mitigation efforts.
ICOs, security tokens and utility tokens can provide opportunities for innovation and efficiencies in the financial sector
According to a study conducted by Statis Group, 11 percent of ICO funding, or $1.34 billion (US dollars) out of $11.9 billion (US dollars), in various tokens went to scams in 2018.5 Pincoin was a significant contributor, having been responsible for a $660 million (US dollars) ICO exit scam that victimised 32,000 investors. Issuing warnings to consumers regarding the risks associated with ICO investments does not appear to provide sufficient investor protection. ESMA Chairman Steven Maijoor acknowledged that the current lack of regulation of virtual currencies is leaving consumers exposed to substantial fraud risk through ICOs. On January 9, 2019, ESMA issued a report on ICOs and virtual currencies advising that specific virtual currencies that do not qualify as financial instruments or electronic money should be regulated by a set of rules tailored specifically to address their unique risks.
The United Kingdom (U.K.) published the Sanctions and Anti-Money Laundering Act 2018, allowing the U.K. to establish its own AML/CTF regulations when it exits the EU. The U.K. is likely to adopt the 5AMLD as a minimum standard because the deadline set in the directive falls within the U.K.’s exit from the EU.
The Cryptoassets Taskforce launched in March 2018, consisting of the HM Treasury. The Financial Conduct Authority and the Bank of England recently published its final report, where it defines three different types of virtual currencies: exchange tokens, security tokens and utility tokens.
Exchange tokens that utilise blockchain are not issued or backed by a central body and are used as a means of exchange (e.g., bitcoin). Security tokens are specified investments, transferable securities or financial instruments that provide rights such as ownership, repayment or entitlement to a share in future profits. Finally, utility tokens can be redeemed for access to a specific product or service and typically utilise a blockchain platform.
The report makes it clear that virtual currencies did not fit the criteria of traditional currency. Therefore, ICOs, security tokens and utility tokens can provide opportunities for innovation and efficiencies in the financial sector. Finally, the report proposes prohibitions on the sale of all exchange token derivatives to retail consumers. Excluded from this proposal are derivatives on virtual currencies that qualify as securities, although they could be subject to restrictions from other security authorities such as ESMA.
Financial Action Task Force
In June 2015, FATF released guidance on applying a risk-based approach when mitigating money laundering/terrorist financing risks related to virtual currencies. The purpose of FATF’s guidance was to instruct centralised and decentralised providers of virtual currency payment products and services (VCPPS) on how to apply a riskbased approach to AML/CTF processes, and how to implement applicable FATF Recommendations.6
In October 2018, FATF made an official amendment to Recommendation 15—New Technologies. Initially, Recommendation 15 focused on mitigating the risk that could arise from the development and application of new technologies. The October 2018 amendment was specific to virtual currencies and focused on requiring countries to establish AML/CTF regulations for virtual asset service providers (VASP), which includes exchanges, certain types of wallet service providers and providers of financial services for ICOs.7 In addition, VASPs would need to be licenced and registered with the appropriate regulatory body to operate. Important implications for a jurisdiction’s regulator include, but are not limited to, controlling the existence of VASPs (e.g., revoking licences, rejecting licence applications, preventing criminals from becoming beneficial owners of VASPs), monitoring VASPs’ AML/CTF compliance and taking punitive measures for non-compliance.
FATF set June 2019 as the final adoption date for the prescribed regulatory requirements concerning virtual currencies. The FATF’s 40 Recommendations to combatting money laundering and terrorist financing are considered the global standard. This amendment is essential in creating a consistent approach toward AML/ CTF internationally for virtual currencies. Furthermore, countries that are not compliant with the amended Recommendation 15 or deficient in its implementation may become designated as high-risk and therefore subject to increased diligence requirements by FATF-compliant countries and barriers to obtaining vostro accounts with large international banks. Gaining guidance on the responsibilities of VASPs may help for setting standardised AML/ CTF practices worldwide, but it is equally important that indicators of suspicion be communicated so that VASPs can consistently provide law enforcement with useful SARs. Given the importance of FATF standards in shaping jurisdictional regulations, consultation from the virtual currency industry, law enforcement, traditional banking and national regulators is indispensable for the creation of effective FATF Recommendations.
Japan has one of the largest virtual currency markets in the world and has been proactive in accepting and regulating virtual currency exchanges. It has also been home to some of the biggest virtual currency thefts. Japan accounted for a significant portion of the $950 million (US dollars) worth of virtual currency that was stolen from exchanges in 2018.8 Japan-based exchanges Coincheck and Zaif9 saw losses of $530 million (US dollars) and $60 million (US dollars), respectively, in various tokens due to theft. In response to these attacks, the Financial Services Agency gave the virtual currency industry self-regulating status by establishing the Japanese Virtual Currency Exchange Association (JVCEA) as the self-regulatory body. The group is considering placing a cap on customer deposits that can be managed online on hot wallets (wallets where keys are held online) of 10-20 percent,10 as funds placed in hot wallets can be a target for hackers. Security standards around custodial services such as these can go a long way toward protecting virtual currency consumers and improving the reputation of the virtual currency sector.
The JVCEA also issues business improvement orders that may involve financial penalties. Zaif has two improvement orders so far: one for the “[e]stablishment of an effective risk management system” and a second for the “[e]stablishment of a system to respond appropriately to customers.” Another virtual currency exchange, Quoine, indicated that the order they received pertains to compliance, KYC and AML. The introduction of a watchdog that can monitor the level of security and AML controls of Japanese virtual currency exchanges as well as enforce the regulations acts as a preventative measure to mega-heists like the ones Japan saw in 2018.
Japan also requires that virtual currency exchanges report suspicious activities. Japanese law enforcement reported that the number of suspicious transaction reports from virtual currency exchanges increased tenfold after a bill came into effect in April 2017, which obliges virtual currency exchanges to report suspicious activity. Such regulations pave the way for virtual-currency-based businesses and law enforcement to work together to combat money laundering and terrorist financing. In 2018, virtual currency exchange ShapeShift reported that they assisted with 60 law enforcement inquiries from around the world, 43 of which came from countries with strong AML regulations such as Germany, the U.K., France, the U.S., Canada, Switzerland, Australia and the Netherlands.
Virtual currencies and blockchain technology offer great potential growth for the financial sector and beyond. Therefore, it is not surprising that countries worldwide are competing to attract players in this burgeoning sector to their doors. From amongst the virtual-currency-friendly nations, Malta has made an effort to stand out. Malta is recognised as the first country to create a regulatory framework dedicated to virtual currencies and blockchain technology. Typically, the focus of regulators has been to mitigate emerging risks associated with virtual currencies by including them in existing compliance frameworks for AML/CTF and financial securities. Malta’s regulatory framework is unique from other regulatory frameworks because it includes policies that promote the development of blockchain technology. Three acts will govern the regulatory framework: The Virtual Financial Assets Act (VFAA), Malta Digital Innovation Authority Act (MDIA) and the Innovative Technology Arrangements and Services Act.11
Virtual currencies and blockchain technology offer great potential growth for the financial sector and beyond
The VFAA establishes compliance and licensing requirements for virtual currency financial service providers and regulates different aspects of ICOs, such as procedures on issuances and white paper registration. In addition, the VFAA prohibits market abuse on exchanges and establishes regulatory and investigative powers. The MDIA grants authority to the Malta Digital Innovation Authority to develop and enforce policies that promote the development and use of blockchain in a manner that is ethical and in line with regulatory requirements. The Innovative Technology Arrangements and Services Act provides the framework for the voluntary certification of innovative technology arrangements (e.g., software for distributed ledger technology, smart contracts, etc.).
The International Money Laundering Risks of Insufficient Regulations
In July 2017, the U.S. Department of Justice (DOJ) indicted Alexander Vinnik for allegedly using the exchange BTC-e to launder proceeds of crimes, including bitcoin from the infamous Mt. Gox hack where 850,000 bitcoins were stolen from the exchange’s users. In its address to the public, the DOJ stated, “[a]ccording to the indictment, since its inception, Vinnik and others developed a customer base for BTC-e that was heavily reliant on criminals, including by not requiring users to validate their identity, obscuring and anonymising transactions and source of funds, and by lacking any anti-money laundering processes.”12 Criminals allegedly used this infrastructure to operate and receive funds from cybercrimes such as virtual currency hacking (theft), ransomware schemes, identity theft and various fraud scams. Vinnik allegedly managed multiple BTC-e accounts as well as accounts at other exchanges to obscure the path of hacked bitcoin, such as the Mt. Gox hack, and it is possible that these other exchanges had weak AML controls, if any. It was reported that BTC-e received $4 billion (US dollars) worth of bitcoin, which demonstrates the scale and reach of this scheme.
Appropriately, a collaborative approach between nations was used to investigate and arrest Vinnik. According to FBI special agent Amy Hess, “the arrest of Alexander Vinnik is the result of a multi-national effort and displays the benefits of global cooperation among U.S. and international law enforcement.”13 The ease in transferring ill-gotten wealth using virtual currencies is a global issue. Therefore, nations need to collaborate in their effort to combat money laundering. This effort will require a consistent approach to AML; otherwise, nations’ efforts will remain siloed, and criminals will remain mobile.
The Way Forward
The ease in transferring ill-gotten wealth using virtual currencies is a global issue
In the next two years, the regulatory landscape is expected to change significantly with the final adoption and enforcement of regulations guided by FATF’s amendment in June of 2019 and the EU’s 5AMLD directive in January 2020. To some, these regulations may seem like an impediment to the virtual currency industry’s growth, but virtual currencies and the underlying blockchain technology that supports it will be poised to expand further if the industry and its participants can establish trust with governments, regulators, financial institutions and the general public. Trust can occur when global minimum standards combined with local laws, regulations and enforcement provisions, can create a system of accountability. Companies in the virtual currency space often have difficulties in acquiring and keeping banking relationships necessary for sustainable business growth and instances of operators with weak AML/CTF controls worsen this problem for companies with appropriate compliance programs. Consistent regulations that emphasise public safety without stifling the growth of business and technology can be beneficial for the virtual currency sector and the public at large. For this reason, efficient and pragmatic regulations that draw from the knowledge of responsible virtual currency operators and law enforcement can best handle the related money laundering/terrorist financing risks.
Regulators have taken measures to mitigate risks associated with virtual currencies by placing controls on the industry and its participants. While a consistent approach to global minimum standards is critical, it is also important that regulators tailor their framework to mitigate risks that are unique to virtual currencies. Forcing legacy standards from the traditional financial industry unto virtual currencies is not always warranted and doing so can stifle growth and may even lead to unnecessary reporting and the related privacy issues. In the case of virtual currency regulations, a cohesive starting point is necessary, but in the long run, a flexible and far-sighted approach that can change with technological innovations will likely work more efficiently than a one-size-fits-all approach.
- “Cryptocurrency Anti-Money Laundering Report 2018 Q3,” CipherTrace, 2018, https://ciphertrace.com/crypto-aml-report-2018q3.pdf
- “Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies,” Financial Crimes Enforcement Network, 18 March 2013, https://www.fincen.gov/sites/default/files/shared/FIN-2013-G001.pdf
- “Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses,” U.S. Department of the Treasury, 28 November 2018, https://home.treasury.gov/news/press-releases/sm556
- Matthew Allen, “Crypto Fund wins first Swiss crypto asset management licence,” Swissinfo, 9 October 2018, https://www.swissinfo.ch/eng/finma-breakthrough_crypto-fund-wins-first-swiss-crypto-asset-management-license/44461088
- Ana Alexandre, “New Study Says 80 Percent of ICOs Conducted in 2017 Were Scams,” Cointelegraph, 13 July 2018, https://cointelegraph.com/news/new-study-says-80-percent-of-icos-conducted-in-2017-were-scams
- “Guidance for a Risk-Based Approach to Virtual Currencies,” Financial Action Task Force, June 2015, http://www.fatf-gafi.org/publications/fatfgeneral/documents/guidance-rba-virtual-currencies.html
- “Outcomes FATF Plenary, 17-19 October 2018,” Financial Action Task Force, 19 October 2018, http://www.fatf-gafi.org/publications/fatfgeneral/documents/outcomes-plenary-october-2018.html
- “Cryptocurrency Anti-Money Laundering Report 2018 Q4,” CipherTrace, 2018, https://ciphertrace.com/wp-content/uploads/2019/01/crypto_aml_report_2018q4.pdf
- “Cryptocurrency Anti-Money Laundering Report 2018 Q3,” CipherTrace, 2018, https://ciphertrace.com/crypto-aml-report-2018q3.pdf
- Erik Gibbs, “JVCEA to tighten crypto storage regulations,” Squire Mining, https://squiremining.com/category/japan-virtual-currency-exchange-association/
- FinTech,” Malta Financial Services Authority, https://www.mfsa.com.mt/fintech/
- “Russian National and Bitcoin Exchange Charged In 21-Count Indictment For Operating Alleged International Money Laundering Scheme and Allegedly Laundering Funds From Hack Of Mt. Gox,” The United States Attorney’s Office Norther District of California, 26 July 2017, https://www.justice.gov/usao-ndca/pr/russian-national-and-bitcoin-exchange-charged-21-count-indictment-operating-alleged
- “Russian national and bitcoin exchange indicted in multi-billion dollar money laundering scheme,” U.S. Immigration and Customs Enforcement, 26 July 2017, https://www.ice.gov/news/releases/russian-national-and-bitcoin-exchange-indicted-multi-billion-dollar-money-laundering