Crypto Compliance 2021: An Excellent Adventure

Crypto Compliance

When slacker high school failures Bill and Ted get their hands on a time machine, they go back in time to engage some of history's most critical influencers to save the future. While life is not exactly like cult comedy classic Bill and Ted's Excellent Adventure, imagine what economists of the future might think if they traveled back to 2021. It is possible that they could find the year that digital money began its inevitable move toward mainstream adoption. They may find that cryptocurrency—the internet of money—saw a Cambrian explosion of digital assets that moved the crypto-verse from the Bitcoin white paper to the next generation of alternative coins, stablecoins, central bank digital currencies (CBDCs), nonfungible tokens (NFTs), decentralized finance (DeFi) and mainstream adoption by financial institutions (FIs) across the globe. But what does this new world mean for cryptocurrency compliance?

FIs Get Into the Cryptocurrency Game

2021 was the year that major institutional players got into the digital assets game, testing the efficacy of cryptocurrencies to augment, and even replace, traditional banking and payment rails. In February 2021, BNY Mellon announced the formation of a new enterprise digital assets unit and a plan to offer crypto assets to customers.1 BNY Mellon was only one of a sea of traditional FIs that embraced cryptocurrency in 2021. Also in February, JPMorgan announced JPM Coin, a permissioned, shared ledger system that serves as a payment rail and deposit account ledger facilitating real-time value transfer.

Traditional FIs are building risk-based compliance programs for virtual assets. Also, what the Financial Crimes Enforcement Network (FinCEN) calls money services businesses (MSBs), and what the Financial Action Task Force (FATF) calls virtual asset service providers, are expected to build a cryptocurrency compliance program that includes policies and procedures, transaction monitoring solutions in the form of blockchain analytics tools, filing suspicious activity reports (SARs) and performing other risk-based compliance functions.

A New National Security Paradigm Emerged

On May 7, the world witnessed a ransomware attack on Colonial Pipeline, a watershed event. In that same month, President Joe Biden signed an executive order on improving the nation's cybersecurity as an attempt to remove barriers to information sharing between law enforcement and the private sector and to modernize and harden cyber defenses.2 Following the executive order, the White House issued an open letter to the industry outlining best practices for cyber hygiene and the attorney general ordered prosecutors across the country to coordinate cases involving cyberattacks, ransomware and cryptocurrency. Notably, on June 4, 2021, FBI Director Christopher Wray compared the Colonial Pipeline attack and other recent cyberattacks to 9/11, saying, "There are a lot of parallels, there's a lot of importance, and a lot of focus by us on disruption and prevention." In July, the White House announced the formation of an interagency task force3 on ransomware and the Senate Judiciary Committee held a hearing on ransomware.4

On September 21, 2021, the Office of Foreign Assets Control (OFAC) announced its first designation of a cryptocurrency business, designating noncompliant exchange SUEX for facilitating ransomware payments.5 The plan was to use every weapon—including economic sanctions—to target cryptocurrency exchanges with weak or nonexistent compliance controls in place to stop the facilitation of ransomware payments and other illicit activity. This was a message directed not just at bad actors, but also at larger compliant exchanges that need to build out robust risk-based compliance programs to mitigate the risk of nested entities taking advantage of their infrastructure. In October 2021, OFAC provided guidance to the cryptocurrency industry on how to build a compliance program that limits exposure from sanctioned entities and jurisdictions.6

This year there has also been terrorist financing in cryptocurrency, U.S. Justice Department and Treasury Department actions against darknet mixing services,7 as well as cyberattacks and programmatic money laundering by nation state actors like North Korea.8 2021 also brought the largest crypto hack—against DeFi platform Poly Network—and a series of scams, frauds and rug pulls. On the other hand, law enforcement and compliance professionals have been focused on the tools and training necessary to thwart these emerging threats.

The Infrastructure Bill Provided Opening Salvo in Coming Legislative Storm

In November 2021, the House of Representatives passed a massive $1 trillion bill aimed at increasing funding for infrastructure improvements over the next decade or so.9 To help pay the bill, the Senate included a provision imposing reporting requirements on cryptocurrency brokers, with estimates that such reporting would allow the IRS to collect an additional $28 billion in tax revenue over 10 years. But the broad definition of broker, “any person responsible for regularly providing any service effectuating transfers of digital assets on behalf of another person,” sparked significant backlash throughout the crypto-verse; the bill passed with the original definition still in place. However, the debate marked the first time that the Hill and the cryptocurrency industry were fully engaged on issues related to creating a legal framework for the emerging technology. One bill to watch is the Digital Asset Market Structure and Investor Protection Act, which seeks to provide a clear legislative framework for cryptocurrency.10

It is tough to know what will ultimately come of this bill, or others like it. But, as a clear regulatory framework for digital assets nears, there may be more of these types of efforts in 2022 and beyond.

Treasury Focuses on Cryptocurrency

2021 also saw a surge of interest from regulators as mainstream adoption and illicit finance risks combined to cause a perfect storm of regulatory scrutiny. In August 2021, FinCEN announced an enforcement action and civil monetary penalty of $100 million against cryptocurrency derivatives exchange BitMEX for operating as an unregistered futures commission merchant and providing money transmission services without implementing and maintaining "a compliant anti-money laundering program and a customer identification program, and it failed to report certain suspicious activity."11 According to FinCEN, "These willful failures expose [FIs] to an increased risk of conducting transactions with money launderers and terrorist financiers, including noncompliant exchanges in high-risk jurisdictions, ransomware attackers, and darknet marketplaces."12

In addition to designating noncompliant cryptocurrency exchange SUEX for facilitating ransomware payments, OFAC continued to add cryptocurrency addresses to its Specially Designated Nationals (SDN) list and used its enforcement power to go after crypto-related businesses that were facilitating sanctions evasion. One example is the OFAC enforcement action against payment processor BitPay, which agreed to pay over $500,000 for violations of multiple sanctions programs.13 Treasury explained that BitPay allowed persons who appear to have been located in the Crimea region of Ukraine, Cuba, North Korea, Iran, Sudan and Syria to transact with merchants in the U.S. and elsewhere using digital currency on BitPay's platform, even though BitPay had location information, including IP addresses and other location data, about those persons prior to effecting the transactions. Compliance takeaways abound in the BitPay action and it is an example of why enforcement actions can be so valuable to compliance teams. Cryptocurrency businesses are expected to have the tools necessary to mitigate sanctions and other illicit finance risks and use those tools to bolster a risk-based compliance program.

The SEC Seeks to Tame the “Wild West”

The SEC was laser-focused on cryptocurrency in 2021, with Chair Gary Gensler frequently commenting on what he views as the challenge of regulating in the space without a clear legal framework from Congress. In August 2021, Gensler said, “I believe we have a crypto market now where many tokens may be unregistered securities, without required disclosures or market oversight.”14 He continued, “Right now, we just don’t have enough investor protection in cryptocurrency. Frankly, at this time, it’s more like the Wild West.”15 Gensler also noted that the SEC will use the full extent of its powers and will pursue more authority from Congress to “prevent transactions, products and platforms from falling between regulatory cracks.”

In August 2021, the SEC announced that web-based trading platform Poloniex agreed “to pay more than $10 million to settle charges for operating an unregistered online digital asset exchange in connection with its operation of a trading platform that facilitated buying and selling of digital asset securities.”16 Specifically, the SEC’s order found “that from July 2017 through November 2019, when Poloniex sold its platform, Poloniex operated a web-based trading platform that facilitated buying and selling digital assets, including digital assets that were investment contracts and therefore securities,” but failed to register as a “national securities exchange,” under applicable securities laws.17

On the question of whether or not a cryptocurrency is a security, there will surely be a lot more action in 2022. The case of SEC v. Ripple,18 filed in December 2020, may ultimately determine whether or not certain cryptocurrencies are securities for purposes of SEC regulation. While the case remained pending throughout 2021, there were a number of developments. SEC Commissioners Hester Peirce and Elad Roisman issued a public statement19 calling out the lack of clarity surrounding the digital asset space. While this statement is not dispositive of any issue and should not be considered by the court, it is consistent with Ripple’s argument that it should have had, at a minimum, notice of the SEC’s intent to categorize XRP as a security under due process principles.

What Does the NFT Boom Mean for Compliance?

In 2021, nonfungible tokens (NFTs) exploded into almost every aspect of our society—from art to pop culture, sports to finance, NFTs were everywhere and they are not slowing down. Trading volume surged in the third quarter of 2021 to $10.67 billion, a report20 by analytics platform DappRadar found. That is a 704% increase from the previous quarter. NBA Top Shot did over $700 million21 in volume, a work of art by the digital artist known as Beeple sold at Christies for $69 million,22 and weirdly wonderful Cryptopunks consistently sold for six figures. Even Visa purchased one,23 explaining, “To help our clients and partners participate, we need a firsthand understanding of the infrastructure requirements for a global brand to purchase, store, and leverage an NFT.”

There are currently about 20 bills—from issues involving stablecoins and CBDCs, to anti-money laundering (AML) and securities regulations, to tax and national security—that touch on digital assets.

The October 2021 FATF guidance explains that while NFT collectibles are not generally considered to be virtual assets for purposes of regulation, some NFTs may be virtual assets “if they are to be used for payment or investment purposes in practice.” While the guidance does provide some clarity, questions remain, as most NFTs are tradable and have a secondary market and are likened to baseball cards or physical works of art. When collectors invest in NFTs, in many cases they are doing so with the hope that they appreciate in value and can be traded or sold.


If economists were to time travel Bill and Ted-style to 2021, they would experience an extraordinary moment in financial, regulatory and compliance history. The year was bookended by regulatory stories—beginning with FinCEN’s notice of proposed rulemaking24 on unhosted wallets and ending with FATF’s updated guidance,25 which addressed the hottest issues in the crypto-verse. It has been a year in which compliance professionals have had to react to emerging technologies and evolving threats at the speed of the internet and regulators attempted to regulate in real time. While challenges abound, it was a year in which there was mainstream adoption and a focus on bringing legal clarity to this new internet of money. “Now that is excellent, dude.”

Ari Redbord, head of legal and government affairs, TRM Labs, Washington, D.C., ari@trmlabs.com, Twitter: @ARedbord

  1. “BNY Mellon Forms New Digital Assets Unit to Build Industry’s First Multi-Asset Digital Platform,” BNY Mellon, February 11, 2021.
  2. “Executive Order on Improving the Nation’s Cybersecurity,” The White House, May 12, 2021.
  3. Eric Geller, “White House announces ransomware task force and hacking back is one option,” Politico, July 15, 2021.
  4. “America Under Cyber Siege: Preventing and Responding to Ransomware Attacks,” July 27, 2021.
  5. “OFAC takes first action against cryptocurrency exchange and issues updated ransomware advisory,” TRM, September 21, 2021.
  6. “Sanctions Compliance Guidance for the Virtual Currency industry,” Office of Foreign Assets Control, October 2021.
  7. Mengqi Sun, “Operator of Helix Bitcoin ‘Mixer’ Pleads Guilty,” The Wall Street Journal, August 18, 2017.
  8. “Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe,” U.S. Department of Justice, February 17, 2021.
  9. “H.R.3684 – Infrastructure Investment and Jobs Act,” U.S. Congress, June 4, 2021.
  10. “Digital Asset Market Structure and Investor Protection Act,” U.S. Congress, June 17, 2021.
  11. “FinCEN Announces $100 Million Enforcement Action Against Unregistered Futures Commission Merchant BitMEX for Willful Violations of the Bank Secrecy Act,” Financial Crimes Enforcement Network, August 10,
  12. Ibid.
  13. “OFAC Enters Into $507,375 Settlement with BitPay, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions,” U.S. Department of the Treasury, February 18, 2021.
  14. Gary Gensler, “Remarks Before the Aspen Security Forum,” U.S. Securities and Exchange Commission, August 3, 2021.
  15. Ibid.
  16. “SEC Charges Poloniex for Operating Unregistered Digital Asset Exchange,” U.S. Securities and Exchange Commission, August 9, 2021.
  17. Ibid.
  18. “Securities and Exchange Commission vs. Ripple Labs, Inc., Bradley Garlinghouse, and Christian A. Larsen,” U.S. Securities and Exchange Commission, December 22, 2020.
  19. “RE: SEC v. Ripple Labs Inc. et al., No. 20-cv10832 (AT) (SN) (S.D.N.Y.),” Cleary Gottlieb Steen & Hamilton LLP, July 19, 2021.
  20. Pedro Herrera, “Dapp Industry Report: Q3 2021 Overview,” DappRadar, October 1, 2021.
  21. Ingram Yuzek Gainen Carroll & Bertolotti, “Understanding NFTs,” JD Supra, October 29, 2021.
  22. Scott Reyburn, “JPG File Sells for $69 Million, as ‘NFT Mania’ Gathers Pace,” The New York, March 11, 2021.
  23. Ryan Browne, “Visa jumps into the NFT craze, buying a ‘CryptoPunk’ for $150,000,” CNBC, August 21, 2021.
  24. “Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets,” Financial Crimes Enforcement Network, December 23, 2020.
  25. “Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers,” Financial Action Task Force, 2021.
