Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 20, NYDFS Superintendent Adrienne A. Harris emphasized the role regulation plays in protecting consumers from cybercriminals in the virtual currency marketplace. According to Harris, NYDFS is committed to mitigating risks in this space by guarding against sanctions evasion and illicit activity and making sure corporate infrastructure and consumer data are well protected from bad actors. Harris stressed that NYDFS “will continue to improve upon [its] regulation and supervision; engage with key stakeholders on important trends and issues; collaborate with state, federal and international regulators; and strive to be a forward-looking, innovative regulator, including through [its] VOLT initiative,” which supports the department’s efforts to increase transparency and enhance supervision related to virtual currency.
On May 6, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13722 against a virtual currency mixer used by the Democratic People’s Republic of Korea (DPRK) to support its cyber activities and money-laundering. According to OFAC, in March, a DPRK state-sponsored cyber-hacking group carried out the largest virtual currency heist to date, worth almost $620 million, from a blockchain project linked to an online game. The virtual currency mixer was used to process over $20.5 million of the illicit proceeds. OFAC noted that the sanctions are the first-ever sanctions on a virtual currency mixer. As a result of the sanctions, all property and interests in property belonging to the sanctioned entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons.
On April 9, the New York governor signed S. 8008-C, which enacts the state’s 2023 fiscal year budget and requires, among other things, NYDFS to start charging a new assessment fee to all virtual currency businesses licensed in New York in order to cover the costs associated with their oversight and “defray operating expenses.” Specifically, Section 206 is amended to read: “The expenses of every examination of the affairs of any person regulated pursuant to this chapter that engages in virtual currency business activity shall be borne and paid by the regulated person so examined, but the superintendent, with the approval of the comptroller, may in the superintendent’s discretion for good cause shown remit such charges.” The amendments do not specify a specific assessment amount, however regulated companies engaged in virtual currency business activity “shall be assessed by the superintendent for the operating expenses of the department that are solely attributable to regulating such persons in such proportions as the superintendent shall deem just and reasonable.”
NYDFS Superintendent Adrienne A. Harris issued a press release the same day praising the budget adoption as it now allows the Department to collect supervisory costs from licensed virtual currency businesses as it does for banking and insurance companies. Noting that “New York was the first to start licensing and supervising virtual currency companies,” Harris said that the “new authority will empower the Department to build staff with the capacity and expertise to best regulate and support this rapidly growing industry.”
On April 11, the Virginia governor signed HB 263, which permits banks in the Commonwealth to provide customers with virtual currency custody services “so long as the bank has adequate protocols in place to effectively manage risks and comply with applicable laws.” Before offering virtual currency custody services, banks must conduct a self-assessment process to carefully examine the risks involved in offering such services, which includes: (i) “implement[ing] effective risk management systems and controls to measure, monitor, and control relevant risks associated with custody of digital assets such as virtual currency”; (ii) confirming adequate insurance coverage for such services; and (iii) maintaining a service provider oversight program to address risks to service provider relationships as a result of engaging in virtual currency custody services. Banks may provide virtual currency custody services in either a fiduciary or non-fiduciary capacity. If a bank provides such services in a nonfiduciary capacity, the bank will “act as a bailee, taking possession of the customer’s asset for safekeeping while legal title remains with the customer” (i.e. “the customer retains direct control over the keys associated with their virtual currency”). Should a bank provide services in a fiduciary capacity, it must “require customers to transfer their virtual currencies to the control of the bank by creating new private keys to be held by the bank.” The bank will have “authority to manage virtual currency assets as it would any other type of asset held in such capacity.” HB 263 takes effect July 1.
OFAC sanctions Russians, issues guidance on sanctions evasion through virtual currency, general licenses, and FAQs
On March 11, the U.S. Department of the Treasury’s Office of Foreign Assets Control issued guidance, in line with the G7 leaders' statement, to guard against possible attempts to use virtual currency to evade U.S. sanctions imposed on Russia. According to OFAC, the public guidance “further cut[s] off avenues for potential sanctions evasion by Russia” and “continues to make clear that Treasury’s expansive sanctions actions against Russia require all U.S. persons to comply with OFAC regulations, regardless of whether a transaction is denominated in traditional fiat currency or virtual currency.
Additionally, OFAC announced sanctions against Russian and Kremlin elites, and Russia’s political and national security leaders who have supported Russia’s invasion of Ukraine. As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities that are in the U.S. or in the possession or control of U.S. persons, and “any entities that are owned, directly or indirectly, 50 percent or more” by the targeted individuals and/or entities are blocked and must be reported to OFAC. The sanctions complement an Executive Order (E.O) issued by President Biden that imposes new import and export restrictions on Russia, including the export of U.S. banknotes to Russia. Among other things, this E.O. prohibits the importation into the U.S. of certain products of Russian Federation origin. Additionally, the E.O. bans the exportation, reexportation, sale, or supply, directly or indirectly, from the U.S., or by a U.S. person, wherever located, of U.S. dollar-denominated banknotes to the Russian government or to any person located in the Russian Federation.
OFAC also issued Russia-related General License 17 to authorize the import of existing purchases of prohibited products that are under pre-existing contract until March 25, 2022, and General License 18 and General License 19 to authorize certain activities regarding U.S. dollar-denominated banknotes as they pertain to personal remittances and U.S. persons, respectively. OFAC also issued Ukraine-related General License 23, “Blocking Property of Certain Persons and Prohibiting Certain Transactions With Respect to Continued Russian Efforts to Undermine the Sovereignty and Territorial Integrity of Ukraine,” “to authorize certain transactions that are ordinarily incident and necessary to nongovernmental organizations’ activities in the so-called Donetsk People’s Republic (DNR) or Luhansk People’s Republic (LNR) regions of Ukraine, including activities related to humanitarian projects to meet basic human needs, democracy building, education, non-commercial developments projects, and environmental and natural resource protection,” and published new Frequently Asked Questions and amended one Frequently Asked Question regarding Russia sanctions.
Find continuing InfoBytes coverage on the U.S. sanctions response to Russia’s invasion of Ukraine here.
On March 7, FinCEN issued an alert advising financial institutions to be vigilant against potential attempts to evade sanctions levied against Russian individuals, banks, and other entities in response to the situation in Ukraine. FinCEN provided several examples of red flag indicators that could help identify attempted sanctions evasions, including actions by state actors and oligarchs, and reminded financial institutions of their Bank Secrecy Act (BSA) reporting obligations.
The alert stressed that all financial institutions, including those with visibility into convertible virtual currency (CVC) flows identify and promptly report associated suspicious activity, and conduct appropriate, risk-based customer due diligence or enhanced due diligence as required. This includes CVC exchangers and administrators within or outside of Russia (which are generally considered to be money services businesses under the BSA) that retain at least some access to the international financial system. FinCEN noted that “[w]hile large scale sanctions evasion using [CVC] by a government such as the Russian Federation is not necessarily practicable, CVC exchangers and administrators and other financial institutions may observe attempted or completed transactions tied to CVC wallets or other CVC activity associated with sanctioned Russian, Belarusian, and other affiliated persons.”
Financial institutions are instructed to specifically watch for (i) transactions initiated from IP addresses located in Russia, Belarus, FATF-identified jurisdictions with anti-money laundering/countering the financing of terrorism/counter-proliferation deficiencies, or other sanctioned jurisdictions; (ii) transactions connected to CVC addresses listed on OFAC’s Specially Designated Nationals and Blocked Persons List; and (iii) customers’ use of a CVC exchanger or foreign-located money service businesses in high-risk jurisdictions, including those with inadequate “know-your-customer” or customer due diligence measures. FinCEN also warned financial institutions of the dangers posed by Russian-related ransomware campaigns and encouraged financial institutions to refer to FinCEN and OFAC resources to help detect, prevent, and report potential suspicious activity.
Find continuing InfoBytes coverage on the U.S. sanctions response to Russia’s invasion of Ukraine here.
On October 28, the Financial Action Task Force (FATF) updated pre-existing guidance on its risk-based approach to virtual assets (VAs) and virtual asset service providers (VASPs). The updated guidance revises guidance originally released in 2019. According to FATF standards, countries are required to “assess and mitigate their risks associated with virtual asset financial activities and providers; license or register providers and subject them to supervision or monitoring by competent national authorities.” The guidance includes updates on certain key areas, such as: (i) expanding the definitions of VAs and VASPs; (ii) applying FAFT standards to stablecoins; (iii) adding guidance regarding the risks and the tools available to countries for the purpose of addressing money laundering and terrorist financing risks for peer-to-peer transactions; (iv) revising VASP licensing and registration guidance; (v) adding guidance for the public and private sectors on the implementation of the “travel rule”; and (vi) adding a section for principles of information-sharing and co-operation amongst VASP Supervisors. FATF also noted that the “guidance addresses the areas identified in the FATF’s 12-Month Review of the Revised FATF Standards on virtual assets and VASPs requiring further clarification and also reflects input from a public consultation in March - April 2021.”
Recently, the California Department of Financial Protection and Innovation (DFPI) released two new opinion letters covering aspects of the California Money Transmission Act (MTA) related to bitcoin automated teller machines (ATMs) and kiosks and the Agent of Payee exemption.
- Bitcoin ATM Kiosk. The redacted opinion letter explains that the sale and purchase of bitcoin through ATMs/kiosks described by the inquiring company is not activity that is subject to licensure under the MTA. DFPI states that the customer’s purchase of bitcoin directly from the company “does not involve the sale or issuance of a payment instrument, the sale or issuance of stored value, or receiving money for transmission.” In each instance, the transaction would only be between the customer using the ATM/kiosk and the company, the bitcoin would be sent directly to the customer’s virtual currency wallet, no third parties are involved in the transmission, and the company does not hold digital wallets on behalf of customers. DFPI reminds the company that its determination is limited to the presented facts and circumstances and that any change could lead to a different conclusion. Moreover, the letter does not relieve the company from any FinCEN or federal regulatory obligations.
- Agent of Payee Exemption. The redacted opinion letter analyzes a proposed future service to be provided by the inquiring company and determines whether the service meets the agent of payee exemption from the MTA. The company and its global affiliates “provide a global, fully integrated suite of back-end service, including sales compliance management, fraud prevention, risk management, tax and regulatory fee calculation, billing optimization, and remittance services to manufacturers, merchants, and retailers” (collectively, “brands”) that want to sell or license products and services to shoppers. The company proposes a future service, which will allow brands to sell products directly to shoppers and transfer the products to the shoppers. The company will not take title to or purchase the products and will continue to provide its suite of back-end services including payment processing, tax and regulatory fees calculations, and refund processing. The company’s contracts with the brands appoint the company as the agent of the brands for facilitating product sales and receiving payments and funds from shoppers. Agreements will also be entered between the company and the shoppers with terms that state a shopper’s payment to the company is considered payment to the brand, which extinguishes the shopper’s payment liability. The company will accept funds for the sale of products on behalf of the brands, and at the conclusion of the sale, will settle the funds paid by the shoppers and remit sales taxes to the appropriate authorities. The company will be the entity responsible for paying and reporting taxes accrued by the sales to shoppers.
DFPI states that the company will “receive money for transmission,” thus triggering the license requirement in the MTA, by receiving funds from the shoppers in the sales transactions. However, the company qualifies for the Agent of Payee exemption because the company will be the recipient of money from the shoppers as an agent of the brands pursuant to a written contract, and payments from the shoppers to the company as the agent will satisfy the shoppers’ payment obligation to the brands. DFPI further notes that refunds facilitated by the company on behalf of the brands will be a reversal of the original transactions with the shoppers, and therefore will not require licensure. Finally, DFPI notes that by contract, the company will be legally responsible for paying local sales taxes on transactions. According to the agreement, because the company will pay taxes on its own behalf, and will not be paying taxes owed by the shoppers, its tax payments will not constitute money transmission. DFPI reminds the company that its determination is limited to the presented facts and circumstances and that any change could lead to a different conclusion.
On October 22, the Financial Action Task Force (FATF) announced that it concluded its October plenary, which is the sixth session since the beginning of the Covid-19 pandemic. According to the announcement, utilizing a hybrid approach of both virtually and in-person participation, FATF “advanced its core work on virtual assets, beneficial ownership transparency, and illicit finance risks.” Among other things, the FATF: (i) approved an updated version of its Guidance on a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers for publication; (ii) proposed changes to beneficial ownership standards; (iii) approved the commencement of a study on Illicit Proceeds Generated from the Fentanyl and Related Synthetic Opioids Supply Chain; (iv) adopted an update to its 2016 confidential report on terrorist financing risk indicators; and (v) issued a statement regarding Afghanistan that reaffirmed the “United Nations Security Council Resolutions that Afghanistan should not be used to plan or finance terrorist acts, emphasiz[ing] the importance of supporting the work of non-governmental organizations in the country and maintaining the flow of humanitarian assistance to the Afghan people, and for governments to facilitate information sharing with their financial institutions on any emerging illicit finance risks related to Afghanistan.”
On October 15, the U.S. Treasury Department announced additional steps to help the virtual currency industry combat ransomware and prevent exploitation by illicit actors. The guidance builds upon recent “whole-of-government” actions focused on confronting “criminal networks and virtual currency exchanges responsible for laundering ransoms, encouraging improved cyber security across the private sector, and increasing incident and ransomware payment reporting to U.S. government agencies, including both Treasury and law enforcement.” (Covered by InfoBytes here.) The newest industry-specific guidance—part of the Biden administration’s efforts to counter ransomware threats—outlines sanctions compliance best practices tailored to the unique risks associated with this space. According to Treasury, there is a “need for a collaborative approach to counter ransomware attacks, including public-private partnerships and close relationships with international partners.”
The same day, the Financial Crimes Enforcement Network (FinCEN) released new data analyzing ransomware trends in Bank Secrecy Act reporting filed between January 2021 and June 2021. The report follows FinCEN’s government-wide priorities for anti-money laundering and countering the financing of terrorism priorities released in July (covered by InfoBytes here). Issued pursuant to the Anti-Money Laundering Act of 2020, the report flags “ransomware as a particularly acute cybercrime concern,” and states that in the first half of 2021, FinCEN identified $590 million in ransomware-related suspicious activity reports (SARs)—an amount exceeding the entirety of the value report in 2020 ($416 million). If this trends continues, FinCEN warns that ransomware-related SARs submitted in 2021 will have a higher transaction value than similar SARs filed in the previous 10 years combined. FinCEN attributes this uptick in activity to several factors, including an increasing overall prevalence of ransomware-related incidents, improved detection and incident reporting, and an increased awareness of reporting obligations and willingness to report by financial institutions.
In conjunction with the “growing prevalence of virtual currency as a payment method,” Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions compliance guidance for companies in the virtual currency industry, including technology companies, exchangers, administrators, miners, wallet providers, and financial institutions. OFAC warned that “sanctions compliance obligations apply equally to transactions involving virtual currencies and those involving traditional fiat currencies,” and that participants “are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade- or investment-related transactions.” Among other things, the guidance will assist participants on ways to evaluate risks and build a risk-based sanctions compliance program. OFAC also updated related FAQs 559 and 646.
- Buckley Webcast: Fifth Circuit muddles CFPB’s plans to use in-house judges in enforcement proceedings
- Steven vonBerg to discuss “Regulatory plenary” at the Information Management Network’s Non-QM Forum
- Jeffrey P. Naimon to discuss “Understanding the ESG impact on compliance” at the ABA’s Regulatory Compliance Conference