Compliance considerations for the crypto industry – Thomson Reuters Institute

The federal government's high-profile crackdown on cryptocurrency companies requires all cryptocurrency market participants to redouble their compliance efforts, both to satisfy regulators and confirm the trust of customers and counterparties.

Cryptocurrency compliance right now requires sophistication. Despite the absence of industry-specific legal or regulatory regimes, several US regulatory and law enforcement agencies have aggressively asserted their jurisdiction over the digital asset universe. To date, the U.S. Department of Justice and regulators, including the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and others at the federal and state levels, have undertaken enforcement actions against cryptocurrency exchanges, cryptocurrency trading operations, initial coin offerings, non-fungible tokens, stablecoins and more, usually with conflicting and competing requests for information and direction. These efforts have often lacked coordination and have been driven by divergent points of view on applicable legal theories, even when faced with a common set of facts.

The absence of regulatory guidance, along with the hyperactivity of law enforcement efforts, creates treacherous waters for even the most diligent compliance officers. Recent comments by SEC Enforcement Division Director Gurbir Grewal on compliance expectations, particularly as they relate to the individual liability of compliance personnel, should raise concern among crypto market participants. Grewal emphasized that the SEC would take action against compliance personnel "when compliance personnel fail to meet their compliance responsibilities." This test depends fundamentally on agreement or consensus regarding compliance responsibilities. With no federal legislation or substantial regulatory framework in place, unlike in the traditional financial services industry, the possibility increases that even good faith efforts in crypto will be deemed insufficient by regulators and perhaps characterized as “widespread failures” warranting a penalty, according to public statements from Director Grewal.

Crypto Risk Areas

Cryptocurrency compliance officers cannot afford to wait for clearer regulations to be enacted. Instead, they must ensure, even amid this uncertainty, that their protocols satisfy a range of regulators who have murky and often different expectations. Certain primary areas of focus, outlined below, are essential to reducing risk and instilling confidence in a program's effectiveness.

Understanding blockchain technology

Companies involved in cryptocurrency and their executives must have people working on their compliance team who substantially understand blockchain technology, the basis of cryptocurrency-based activity. Compliance teams must be able to educate employees on compliance expectations and educate regulators about their crypto products and operations. Effective communication with both parties will ensure a highly functional and defensible compliance regime.

AML procedures

A core area that the compliance strategy should focus on is the implementation of a satisfactory and robust anti-money laundering (AML) program. Regulators often view the decentralized and pseudonymous nature of cryptocurrencies with suspicion as a conduit to conceal illicit activities. In fact, AML experts point out that failure to comply with AML requirements is often part of the charges filed by regulatory agencies against companies. Without adequate safeguards against money laundering and the potential for other financial crimes, cryptocurrency companies are vulnerable to regulatory scrutiny and exploitation by bad actors.

Cryptoasset trading firms should augment traditional anti-money laundering procedures to include tracking and analysis of specific cryptocurrencies in their compliance regimes, including the use of blockchain intelligence tools to identify crypto wallet addresses that are risky and/or associated with terrorists. Additionally, companies should be aware that they may be evaluated under the Bank Secrecy Act (BSA). For example, in October 2022, Bittrex was considered a money services company and was ultimately fined more than 24 million dollars by the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN), both agencies within the U.S. Department of the Treasury, for noncompliance with the BSA, AML laws, and other sanctions. Key to the sanctions was Bittrex's access to customer IP and physical address information collected when onboarding new customers. The company knew that numerous customers were located in sanctioned jurisdictions, but did not examine customer information for associations with those jurisdictions.

Violations of the BSA by crypto companies could also have criminal consequences. In May 2022, the former CEO of BitMEX, one of the largest and oldest convertible virtual currency derivatives exchanges, was sentenced in the Southern District of New York to six months of house arrest and a $10 million fine for violating the BSA by failing to establish, implement and maintain an anti-money laundering program, including a program to verify the identity of BitMEX customers through a properly managed know your customer (KYC) program. The company also settled charges with the CFTC and FinCEN in 2021, paying $100 million for BSA and AML violations.

Retention policies

Retention policies are a relatively simple proactive step that compliance officers can take to build goodwill with regulators. There are no express regulatory retention requirements for cryptocurrency companies, in stark contrast to the express obligations governing the traditional financial space. However, regulators consider retention policies an indicator of a company's compliance culture. As an example, in the recent prosecution and conviction of Sam Bankman-Fried, founder of FTX, prosecutors pointed to the absence of a retention policy at FTX as an indication of irregularity. These negative impressions are avoidable. Cryptocurrency trading companies should consider creating systems that, where appropriate, can record:

        • business data, including profit and loss figures;
        • employees who trade assets or manage automated trading strategies; and
        • the amount and types of assets traded.

Additionally, companies involved in cryptocurrency should consider retaining for a few years all communications from company accounts, including not only standard communication methods such as email and instant messaging systems, but also less traditional modes of communication common in the crypto space.

Third Party Due Diligence

Companies involved in cryptocurrencies must be rigorous in implementing risk-based approaches when interacting with third-party providers. Regulators have been clear in the traditional financial world that companies are responsible not only for their own compliance obligations, but also for those of third-party providers on which they depend. In fact, the interagency guidance on relationships with third parties: risk management, issued by the United States Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency, stated that “[t]he scope and degree of due diligence must be proportional to the level of risk and complexity of the relationship with third parties. More comprehensive due diligence is particularly important when a third party supports higher risk activities, including critical activities.”

This regulatory approach will be magnified in the crypto space. The government views the crypto industry as fundamentally high risk, often based in part on a poor understanding of the crypto ecosystem and its novelty. This means that third-party diligence requirements are very likely to be an expected area of regulatory scrutiny. Marketing and development efforts that involve third parties (often leveraging less disciplined mediums such as social media, podcasts, and collaborative workshops) create room for misunderstandings and potential problems. Accordingly, as part of a third-party risk assessment program, crypto companies must conduct due diligence on third parties before engaging them.

Audits

Successful and sustainable compliance programs can use internal and external audits to get ahead of any issues and demonstrate the effectiveness of the program. When performed on a regular cadence, audits pressure-test compliance programs and provide regulators with peace of mind regarding a company's compliance culture. Given the challenges many regulators face in understanding the technologies at work and identifying a legal theory of culpability, certain regulators have pointed to weak compliance cultures at crypto companies as a means to bolster investigations.

Data Privacy and Security Concerns

When operating in a digital environment, the risk of data leaks, cyberattacks, phishing schemes, and bad actors remains ever-present; and because cryptocurrencies are a booming new industry, scammers have targeted them.

Since cryptocurrencies use blockchain technology for verification and do not go through financial institutions, it is also more difficult to recover the proceeds of theft and its impact. Compliance officers must create customized provisions that safeguard internal company data, partner and consumer data, and company and customer assets.

Conclusion

The cryptocurrency enforcement landscape continues to evolve rapidly, but without any sign of further legal or regulatory guidance in the immediate future. In December, the SEC rejected a petition from Coinbase seeking new rules aimed specifically at the digital asset sector. The SEC said it would not propose new rules or a long-requested clarification of its expectations, because the SEC fundamentally maintains that current securities regulations provide crypto companies with sufficient notice of their obligations. This is a premise that few, if any, sophisticated crypto professionals agree with.

There is no indication that law enforcement efforts will slow down; if anything, greater scope for enforcement is likely, if not certain. Therefore, it is incumbent on compliance departments and their officers to be proactive in developing the best compliance programs, to continue to protect not only the company and its customers but also themselves from compliance inquiries and potential liabilities.


Raja Chatterjee contributed to this article. He is a former prosecutor and served as in-house counsel with responsibility for legal, risk and compliance functions.
