In 2008, the pseudonymous Satoshi Nakamoto published the bitcoin white paper describing a cryptocurrency free from the control of governments or banks.¹ Twelve years later, there are over 2,000 cryptocurrencies, but Nakamoto’s libertarian vision has collided with the realities of regulation. According to Chainalysis, a New York-based blockchain-tracing company, over 90% of cryptocurrency transactions by volume pass through centralised intermediaries such as exchanges.² Those intermediaries are increasingly facing the same anti-money laundering/counter-terrorist financing (AML/CTF) rules as banks—a far cry from Nakamoto’s brand of financial anarchism.

Over 90% of cryptocurrency transactions by volume pass through centralised intermediaries such as exchanges. Those intermediaries are increasingly facing the same anti-money laundering/counter-terrorist financing (AML/CTF) rules as banks.

Governments worldwide believe the financial crime risks posed by cryptocurrencies (aka crypto assets, virtual assets or virtual currencies) must be addressed. However, as one country after another amends its laws, a fundamental dilemma has become apparent—customers are not limited to using domestic virtual asset service providers (VASPs) for their cryptocurrency needs. With VASPs operating across borders from anywhere in the world, how can any government hope to regulate all businesses that might be used for money laundering?

The Two Extremes

The Financial Action Task Force (FATF) suggests that VASPs should be, at a minimum, registered in the country of their incorporation (for legal entities) or place of business (for natural persons).³ In an ideal world, all states would act responsibly and each would take charge of policing their own jurisdiction with vigour. As this does not always happen in practice, it is not surprising that some governments prefer to cast their regulatory net far beyond their own borders.

The most extreme approach is to extend AML/CTF regulation to all relevant VASPs that have any number of customers in a given country. For example, Great Britain’s⁴ gambling regulation imposes licencing requirements on all online gambling operators with gambling services used in Great Britain.⁵ As a result, the Gambling Commission has regulated 495 businesses since January 2018, and it occasionally takes enforcement action against overseas operators.⁶

Alternatively, governments could restrict the reach of their rules to businesses that are incorporated and individuals that are residents in their country. This is FATF’s minimum requirement insofar as the regulation of VASPs is concerned: ‘[j]urisdictions may also require VASPs that offer products and/or services to customers in, or conduct operations from, their jurisdiction to be licensed or registered in this jurisdiction.’⁷ In this case, the challenges of extraterritorial enforcement do not arise, but as one can provide services far beyond the country of incorporation or residence, this approach leaves the door open to unscrupulous businesses that might not be subject to meaningful AML/CTF oversight anywhere in the world.

Between these two extremes, there is a middle course that involves regulating businesses with some sort of a substantial connection to the country in question. For instance, a money services business (MSB) has to carry out activity ‘wholly or in substantial part’ in the US for it to come within the scope of American AML/CTF rules.⁸ In the UK, the test is whether a person is ‘carrying on business in the United Kingdom’—a rather amorphous criterion—and it is only online gambling operators that face AML/CTF obligations solely on account of providing services to UK customers.⁹

Nevertheless, even a moderate stance like this raises complex questions. For example, how can a state enforce its laws against a business with all of its assets or employees located overseas? Limiting AML/CTF regulation to businesses with significant presence in a given country is not merely a policy choice, but also a reflection of law enforcement realities. Without assets to seize and people to detain, a government’s power to enforce compliance relies on arcane and time-consuming mutual legal assistance processes, which makes it hostage to another state’s willingness to cooperate. In some instances, even simple investigatory actions, such as obtaining corporate ownership records, may become an impossible task.¹⁰

Splendid Isolation

There is no obvious way to square this circle. However, one possible solution is insulating a given country’s market from noncompliant overseas VASPs. There are two major components to this. The first one is limiting internet access to offending websites by working with internet service providers, similar to how law enforcement agencies and governments around the world deal with businesses selling counterfeits. However, such restrictions are easy to evade and would hardly pose a barrier to even a moderately tech-savvy money launderer. The second solution—a more promising solution—is engaging with financial institutions (FIs).

Almost invariably, an individual using cryptocurrency for illicit purposes will need to exchange it for fiat currency, such as pounds or dollars. For instance, an organised crime group wishing to transfer drug proceeds to a foreign jurisdiction through cryptocurrency would need to purchase that cryptocurrency first.¹¹ Then, since few goods or services can be bought with cryptocurrency, it would most likely have to be converted back into fiat currency. The same applies to cases of cryptocurrency being accumulated through theft or hacking—it would eventually need to be exchanged.

Criminals’ ability to use rogue VASPs can be constrained if FIs refuse to process incoming or outgoing payments involving these VASPs. To some extent, FIs’ existing AML/CTF controls may already lead to this if they are reluctant to process high-risk transactions. However, FIs need to be able to identify cryptocurrency transactions for this to happen. That ability would be bolstered if regulators could share intelligence on noncompliant foreign VASPs. As information sharing is already occurring between the regulator and FIs in at least some countries to tackle rogue online gambling operators, information could also be exchanged to tackle rogue VASPs.¹²

The Devil Is in the Details

Preventing criminal abuse of VASPs with this strategy has its difficulties; essentially, regulators would be advising against interacting with certain VASPs, a step that could have disastrous effects on a VASP that finds itself on the regulator’s ‘naughty list.’ This gives rise to fairness and due process concerns, as it would be wrong for governments to deny foreign VASPs access to their markets for arbitrary reasons.

Therefore, measures taken to exclude a VASP from a country’s market should only apply to VASPs that are demonstrably in breach of their regulatory obligations, for instance by failing to comply with licencing or registration requirements or ignoring other AML/CTF rules. These measures should not be wielded as a pre-emptive risk management tool to eliminate potentially high-risk VASPs. It goes without saying that affected VASPs should have adequate notice of the regulators’ action and the ability to contest the action in court.

Another issue to consider is what form such regulatory action should take. The closest analogy is Section 311 of the USA PATRIOT Act, which authorises the secretary of the treasury to prohibit FIs in the US from maintaining accounts ‘for or on behalf of’ foreign institutions identified by the secretary as being ‘of primary money laundering concern.’¹³ In the US, VASPs are considered MSBs. Therefore, Section 311 action could be taken against a foreign VASP.

States that do not have comparable legal provisions could consider introducing them. Given American financial supremacy, no other country’s designations would produce as devastating an effect on a target as a Section 311 notice would, but that is not the point. As long as a noncompliant VASP is shut out of the financial system of the sanctioning country, the regulator’s job would be complete and a degree of punishment would be inflicted on the offending business.

Furthermore, countries such as Australia, Singapore and the UK operate public-private information-sharing partnerships, which could conceivably be used for communicating intelligence on noncompliant VASPs.¹⁴ However, participation tends to be limited to a segment of the financial sector. Therefore, in order for all FIs and compliant VASPs to receive the message, a framework for public designations similar to Section 311 of the USA PATRIOT Act would be preferable.

A Muscular Response

Finally, in the most egregious cases, law enforcement action against businesses that actively facilitate money laundering should be an option. While cross-border investigations and prosecutions face various challenges, they too are feasible when the stakes are high and resources are dedicated accordingly.

A case in point is the takedown of BTC-e by US law enforcement agencies. BTC-e was a cryptocurrency exchange based in Seychelles and Cyprus. According to the US Department of Justice, BTC-e was ‘designed to help criminals launder their proceeds.’¹⁵ The alleged operator of BTC-e is currently held in pre-trial detention in France following his arrest in Greece three years ago and protracted disputes over whether he should be extradited to France, Russia or the US.¹⁶ On the one hand, the BTC-e saga is yet another study in the length and complexity of multijurisdictional legal proceedings. However, from the standpoint of preventing money laundering, the shutdown of the illicit exchange was a resounding success, regardless of whether anyone ultimately faces individual criminal liability for BTC-e’s activities.

To date, the US strike against BTC-e remains an exception rather than a rule. Unlike illicit dark web marketplaces, which are put out of business by police agencies with heartening regularity,¹⁷ noncompliant exchanges have largely been spared from law enforcement’s scrutiny. As countries around the world implement FATF’s standards on virtual assets, this will have to change for a new regulation to be credible.

Conclusion

The emergence of cryptocurrency throws into stark relief a familiar dilemma. States are increasingly affected by the activities of businesses that they cannot regulate easily. Therefore, governments are forced to reconsider their approach to regulation. The most intuitive way to address this issue is for regulators to identify noncompliant foreign VASPs and share this information with FIs and compliant VASPs to exclude rogue actors from a country’s market. If a state chooses to pursue this option, the legal framework and the process to disseminate the information shared should be carefully designed to ensure that the affected VASP’s due process rights are respected.

Even with those measures in place, law enforcement action will remain necessary to tackle the challenge posed by VASPs like BTC-e that purposely facilitate crime. Thus, better international cooperation and swifter mutual legal assistance are indispensable—objectives no less important for domestic authorities than diligently copying FATF’s standards into their statute books.

Anton Moiseienko, research fellow, Centre for Financial Crime and Security Studies, Royal United Services Institute, antonm@rusi.org

1. Satoshi Nakamoto, “Bitcoin: A Peer-to-Peer Electronic Cash System,” Bitcoin,
   https://bitcoin.org/bitcoin.pdf
2. “The 5 Key Types of Cryptocurrency Exchanges,” Chainalysis, 28 October 2019, https://blog.chainalysis.com/reports/cryptocurrency-exchange-types
3. “International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation: The FATF Recommendations,” Financial Action Task Force, June 2019, https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF%20Recommendations%202012.pdf, 55.
4. Northern Ireland has a separate gambling regime.
5. “Gambling Act 2005,” legislation.gov.uk, 2005, http://www.legislation.gov.uk/ukpga/2005/19/contents, Sections 33 and 36; “The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017,” legislation.gov.uk, 2017, http://www.legislation.gov.uk/uksi/2017/692/made, Regulation 9(4).
6. “Review of online gambling,” Gambling Commission, March 2018, http://www.gamblingcommission.gov.uk/PDF/Online-review-March-2018.pdf, 9. For an example of an enforcement action against overseas gambling operators, see the Gambling Commission’s action against Casumo Services Limited, a Malta-registered company: https://www.gamblingcommission.gov.uk/news-action-and-statistics/news/2018/Gambling-Commission-takes-widespread-regulatory-action-against-online-casinos.aspx#ReviewofCasumo.
7. “International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation,” Financial Action Task Force, June 2019, https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF%20Recommendations%202012.pdf, 55.
8. “31 CFR § 1010.100—General Definitions,” Legal Information Institute, https://www.law.cornell.edu/cfr/text/31/1010.100
9. “The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017,” legislation.gov.uk, 2017, http://www.legislation.gov.uk/uksi/2017/692/made, Regulation 8(1).
10. “Statement of Steven M. D’Antuono Acting Deputy Assistant Director Criminal Investigation Division Federal Bureau of Investigation Department of Justice Before the Committee on Banking, Housing, and Urban Affairs United States Senate for Hearing Entitled ‘Combatting Illicit Financing by Anonymous Shell Companies,’” US Department of Justice, 21 May 2019, https://www.banking.senate.gov/imo/media/doc/D’Antuono%20Testimony%205-21-19.pdf
11. For an example, see “Cryptocurrency Laundering as a Service: Members of a Criminal Organisation Arrested in Spain,” Europol, 8 May 2019, https://www.europol.europa.eu/newsroom/news/cryptocurrency-laundering-service-members-of-criminal-organisation-arrested-in-spain
12. Anton Moiseienko, “Play Your Cards Right: Preventing Criminal Abuse of Online Gambling,” Royal United Services Institute, November 2019, https://www.rusi.org/sites/default/files/201911_op_rusi_playyourcardsright_moiseienko_web.pdf, 24.
13. 31 U.S. Code § 5318A.
14. Nick J. Maxwell, “Expanding the Capability of Financial Information-Sharing Partnerships,” Royal United Services Institute, March 2019, https://rusi.org/sites/default/files/20190320_expanding_the_capability_of_financial_information-sharing_partnerships_web.pdf
15. “Russian National And Bitcoin Exchange Charged In 21-Count Indictment For Operating Alleged International Money Laundering Scheme And Allegedly Laundering Funds From Hack Of Mt. Gox,” United States Department of Justice, 26 July 2017, https://www.justice.gov/usao-ndca/pr/russian-national-and-bitcoin-exchange-charged-21-count-indictment-operating-alleged
16. Gaspard Sebag, “Russian Bitcoin Suspect Charged in France After Greek Extradition,” Bloomberg, 28 January 2020, https://www.bloomberg.com/news/articles/2020-01-28/russian-cyber-suspect-charged-in-france-after-greek-extradition
17. “EU Drug Markets Report 2019,” European Monitoring Centre for Drugs and Drug Addiction and Europol, http://www.emcdda.europa.eu/system/files/publications/12078/20192630_TD0319332ENN_PDF.pdf. For an informative graph illustrating the lifespan of major illicit dark web marketplaces, see 68-69.