Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 24, acting Comptroller of the Currency Michael J. Hsu delivered remarks before the 2022 DC Blockchain Summit focusing on the vulnerabilities in the cryptocurrency framework and recent volatility with stablecoins. In his remarks, Hsu described that he has “been a crypto skeptic,” and that it has become clear to him that the crypto economy depends on “hype” to “generate the interest and investment that are key to creating the ‘flywheel’ of growth that crypto projects seem to need to get off the ground.” In his speech, he discussed his three high level observations surrounding recent events from the perspective of a bank regulator. First, Hsu described “deep vulnerabilities in the crypto system,” noting that “[c]rypto is highly fragmented and prone to hacks,” and that “[c]ontagion risks are real.” He also argued that ownership rights are underdeveloped for the size, scope, and ambitions of the industry, explaining that “[f]or a technology and industry so focused on promoting an ‘ownership society,’ the lack of clarity on ownership rights, modes of ownership, and custody of digital assets seems like a fundamental problem that needs to be solved.” Second, Hsu observed that “recent events have shown the value of the OCC’s ‘careful and cautious’ approach to banks seeking to engage in crypto activities.” Hsu explained that there has been no contagion from cryptocurrencies to traditional banking and finance, stating that “[n]o banks are under stress or even rumored to be under stress due to crypto exposure.” Lastly, he warned “that hype is not harmless.” Hsu noted that a hype-driven economy has challenges for individuals interested in truly productive innovation and in protecting consumers. He recognized the possibility “for positive and transformative change with digital assets,” but warned that “the hype and the associated vulnerabilities noted above make the crypto space very dangerous for investors of modest means.” Hsu stated that while he remains a “a crypto skeptic,” he sees “its potential and understand[s] why there is excitement around it.” He also stated that the agency “will continue to take a careful and cautious approach to crypto in order to ensure that the national banking system is safe, sound, and fair.”
On May 20, NYDFS Superintendent Adrienne A. Harris emphasized the role regulation plays in protecting consumers from cybercriminals in the virtual currency marketplace. According to Harris, NYDFS is committed to mitigating risks in this space by guarding against sanctions evasion and illicit activity and making sure corporate infrastructure and consumer data are well protected from bad actors. Harris stressed that NYDFS “will continue to improve upon [its] regulation and supervision; engage with key stakeholders on important trends and issues; collaborate with state, federal and international regulators; and strive to be a forward-looking, innovative regulator, including through [its] VOLT initiative,” which supports the department’s efforts to increase transparency and enhance supervision related to virtual currency.
On May 6, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13722 against a virtual currency mixer used by the Democratic People’s Republic of Korea (DPRK) to support its cyber activities and money-laundering. According to OFAC, in March, a DPRK state-sponsored cyber-hacking group carried out the largest virtual currency heist to date, worth almost $620 million, from a blockchain project linked to an online game. The virtual currency mixer was used to process over $20.5 million of the illicit proceeds. OFAC noted that the sanctions are the first-ever sanctions on a virtual currency mixer. As a result of the sanctions, all property and interests in property belonging to the sanctioned entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons.
On May 4, the California governor issued an executive order calling on the state to create a transparent and consistent framework for companies operating in blockchain, cryptocurrency, and related financial technologies. This framework, the governor stated, should harmonize federal and California laws and balance innovation with consumer protection. The executive order outlined several priorities, including:
- The framework should include input from a range of stakeholders for potential blockchain applications and ventures;
- The Department of Financial Protection and Innovation (DFPI) should engage in a public process, including with federal agencies, to “develop a comprehensive regulatory approach to crypto assets harmonized with the direction of federal regulations and guidance” and should “exercise its authority under the California Consumer Financial Protection Law (CCFPL) to develop guidance and, as appropriate, regulatory clarity and supervision of private entities offering crypto asset-related financial products and services” in the state;
- DFPI should publish consumer protection principles that include model disclosures, error resolution, and other criteria, and “seek input from stakeholders and licensees in order to publish guidance for California state-chartered banks and credit unions”;
- DFPI should engage in actions to protect consumers, including initiating enforcement actions to enforce the CCFPL, enhancing its review of consumer complaints related to crypto asset-related financial products and services and working with companies to remedy such complaints, and publishing consumer education materials;
- GovOps should issue a request for innovative ideas to explore opportunities for deploying blockchain technologies that address public-serving and emerging needs; and
- Members of the Governor's Council for Postsecondary Education should “identify opportunities to create a research and workforce environment to power innovation in blockchain technology, including crypto assets” to “expose students to emerging opportunities.”
The governor emphasized that while blockchain technology over the past decade “has laid the foundation for a new generation of innovation, spurring a rise in entrepreneurialism in sectors including financial technology,” among others, its impact “is both uncertain and profound” and carries risks and legal implications.
On May 3, the SEC announced it will nearly double the size of its Crypto Assets and Cyber Unit within the Division of Enforcement. “By nearly doubling the size of this key unit, the SEC will be better equipped to police wrongdoing in the crypto markets while continuing to identify disclosure and controls issues with respect to cybersecurity,” SEC Chair Gary Gensler stated. Since the unit’s inception, more than 80 enforcement actions have been brought against actors related to fraudulent and unregistered crypto asset offerings and platforms, resulting in monetary relief totaling more than $2 billion. The unit has also “brought numerous actions against SEC registrants and public companies for failing to maintain adequate cybersecurity controls and for failing to appropriately disclose cyber-related risks and incidents.” The expanded unit will focus on investigations related to: crypto asset offerings, crypto asset exchanges, crypto asset lending and staking products, decentralized finance platforms, non-fungible tokens, and stablecoins.
On April 28, the DOJ issued a fact sheet outlining legislative proposals to strengthen kleptocracy asset recovery as part of the Biden administration’s efforts “to isolate and target the crimes of Russian officials, government-aligned elites, and those who aid or conceal their unlawful conduct.” The proposed measures would “streamline asset forfeiture proceedings in certain circumstances” and also:
- Enable the DOJ and Treasury and State Departments to work together to return forfeited kleptocrat funds to remediate harms caused to Ukraine;
- Expand forfeiture authorities under the International Emergency Economic Powers Act (IEEPA) to include property used to facilitate the violations of sanctions and “amend IEEPA’s penalty provision to extend the existing forfeiture authorities to facilitating property, not just to proceeds of the offenses”;
- Expand the definition of “racketeering activity” in the Racketeer Influenced and Corrupt Organizations Act to include criminal violations of IEEP and the Export Control Reform Act to improve the U.S.’s ability to investigate and prosecute sanctions evasion and export control violations;
- Extend the statute of limitations for prosecuting sanctions violations and the statute of limitations for seeking forfeitures based on foreign offenses from five years to 10 years; and
- Improve the U.S.’s ability to work with international partners to facilitate enforcement of foreign restraint and forfeiture orders for criminal property and improve the ability to take these actions in the U.S.
As previously covered by InfoBytes, the DOJ launched “Task Force KleptoCapture,” an “interagency law enforcement task force dedicated to enforcing the sweeping sanctions, export restrictions, and economic countermeasures that the United States has imposed, along with allies and partners,” in order to “isolate Russia from global markets” in March. The task force has since engaged in numerous transatlantic efforts to sanction numerous Russian elites, Russia’s largest privately-owned aircraft, and one of the world’s largest superyachts (covered by InfoBytes here), and has “seized approximately $625,000 associated with sanctioned parties held at nine U.S. financial institutions.”
Find continuing InfoBytes coverage on the U.S. sanctions response to Russia’s invasion of Ukraine here.
On April 27, acting Comptroller of the Currency Michael J. Hsu issued a statement regarding stablecoin standards after appearing before the Artificial Intelligence and the Economy: Charting a Path for Responsible and Inclusive AI symposium hosted by the U.S. Department of Commerce, National Institute of Standards and Technology, FinRegLab, and the Stanford Institute for Human-Centered Artificial Intelligence. According to Hsu, the internet has “technical foundations” that “provide for an open, royalty-free network.” He further noted that “[t]hose foundations did not emerge on their own. They were developed by standard setting bodies like IETF (Internet Engineering Task Force) and W3C (World Wide Web Consortium), which had representatives with differing perspectives, a shared public interest ethos, and a strong leader committed to the vision of an open and inclusive internet.” Hsu further stated that stablecoins do not have “shared standards and are not interoperable.” However, to make stablecoins “open and inclusive,” Hsu said that he believed that “a standard setting initiative similar to that undertaken by IETF and W3C needs to be established, with representatives not just from crypto/Web3 firms, but also from academia and government.” As previously covered by InfoBytes, Hsu discussed stablecoin policy considerations earlier this month in remarks before the Institute of International Economic Law at Georgetown University Law Center, calling for the establishment of an “intentional architecture” for stablecoins developed through principles of “[s]tability, interoperability and separability,” as well as “core values” of “privacy, security, and preventing illicit finance.”
NYDFS encourages virtual currency licensees to use blockchain analytics tools for sanctions and AML compliance
On April 28, NYDFS announced new guidance on virtual currency entities that are establishing the use of blockchain analytics tools. NYDFS explained that virtual currency activities can involve, among other things, different sources, destinations, and types of funds flows than are found in more traditional, fiat-currency contexts. Such characteristics of virtual currencies can create compliance challenges, but also can present new possibilities for new technology-driven control measures. In the guidance, NYDFS outlined expectations for New York State-regulated virtual currency companies, including: (i) establishing control measures that may leverage blockchain analytics; (ii) augmenting due diligence controls; (iii) conducting transaction monitoring of on-chain activity; and (iv) conducting sanctions screening of on-chain activity. NYDFS also emphasized "the importance of risk-based policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions."
As previously covered by InfoBytes, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance, which provided guidance for effectively managing cyber insurance risk. The framework is the first guidance released by a U.S. regulator on cyberinsurance. NYDFS noted it has “engaged with external stakeholders to inform this new guidance and continues to conduct significant outreach to state, federal and international regulators; industry; and other experts in the field to ensure New York maintains a robust regulatory regime and remains a destination for virtual currency companies to operate.”
Recently, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to the purchase and sale of virtual currency. The redacted opinion letter examines whether a Company that offers customers the opportunities to deposit fiat currency to a Company account and then draw down that balance to purchase virtual currency from the company requires MTA licensure. The Company explained that virtual currency is purchased from a third party and is transferred to the customer’s Company-issued virtual currency wallet where it can then be stored, transferred to an external wallet, or sold for fiat currency. When a customer later wants to sell the purchased virtual currency for fiat currency, the transaction occurs in a similar fashion. The Company stated that “virtual currency sales to customers are from the Company’s own inventory,” and that for purposes of the opinion, DFPI “assumes these sales occur independently of the Company’s own transactions with third parties.”
DFPI concluded that because the Company’s activities are limited to directly purchasing and selling cryptocurrency to customers, it does not require an MTA license because it does “not involve the sale or issuance of stored value or receiving money for transmission.” Specifically, DFPI stated that because the “customer’s fiat currency balance in the Company account does not meet the definition of stored value” and because “funds in that account can only be used for virtual currency purchases from the Company or transferred out to the customer’s external bank account,” the closed loop stored value “does not constitute issuance of stored value that is regulated under the MTA.” DFPI reminded the Company that its determination is limited to the presented facts and that any change could lead to different conclusions.
On April 22, the OCC announced an upcoming quarterly discussion series focusing on consumer financial wellbeing. The first event in the Financial Health: Vital Signs series will occur on April 28 and focus on minority ownership of cryptocurrency. Future events will feature discussions with acting OCC Comptroller Michael J. Hsu and other academic, community, and industry leaders. The discussion series will be livestreamed and open to the public.
- Buckley Webcast: Fifth Circuit muddles CFPB’s plans to use in-house judges in enforcement proceedings
- Steven vonBerg to discuss “Regulatory plenary” at the Information Management Network’s Non-QM Forum
- Jeffrey P. Naimon to discuss “Understanding the ESG impact on compliance” at the ABA’s Regulatory Compliance Conference