Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On September 16, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned two Russian nationals who were allegedly involved in phishing campaigns targeting virtual asset service providers in 2017 and 2018, resulting in losses of at least $16.8 million. Specifically, the Russian nationals spoofed web domains of legitimate virtual currency exchanges to steal customers’ login information and gain access to their real accounts. According to OFAC, they used a “variety of methods to exfiltrate their ill-gotten virtual currency” and subsequently laundered the money to a personal account, attempting to “conceal the nature and source of the funds by transferring them in a layered and sophisticated manner through multiple accounts and multiple virtual currency blockchains.” OFAC designated the individuals pursuant to Executive Order 13694, which targets “malicious cyber-enabled activities, including those related to the significant misappropriation of funds or personal identifiers for private financial gain.”
OFAC emphasized that anti-money laundering and countering the financing of terrorism regimes “pose a critical chokepoint in countering and deterring” this type of cybercriminal activity. As a result, all property and interests in property belonging to the designated individuals subject to U.S. jurisdiction are blocked, and “U.S. persons generally are prohibited from dealing with them.”
The California Department of Business Oversight (CDBO) released several opinion letters issued throughout the summer covering virtual currency and agent of payee rules under the California Money Transmission Act (MTA). Highlights from the redacted letters include:
- Cryptocurrency - Escrow Accounts and Exchanges. The redacted opinion letter states that the CDBO has not yet determined whether cryptocurrencies are a form of money that triggers the application of the MTA and therefore, a business model that operates brokerage accounts using cryptocurrency exchanges would not need to be licensed and supervised under the MTA. As for a business model that the letter describes as a third-party repurchase transaction related to borrowing and lending cryptocurrency, the CDBO reminds the company that the activity may still be subject to California Escrow Law.
- Agent of Payee Exemption - Payment Processing Service. The redacted opinion letter concludes that the company’s payment processing services—which use mobile applications or card readers to capture customer information through merchants, and the payment funds flow first from the customer to the company, and then from the company to the merchant—“fall within the definition of ‘money transmission’ but are exempt from the MTA to the extent [the company], acting as the [m]erchant’s agent, receives money from [c]ustomers, via the relevant card company, as payment for goods or services.”
- Online Foreign Currency Exchange Service. The redacted opinion letter concludes the company’s online foreign currency exchange service is not subject to licensure under the MTA, because the service does not “involve ‘payment instruments’ or ‘stored value’” and there is no indication that the company would “receive money for transmission,” as customers would use the service to purchase foreign currency “like other online retail purchases.”
- Exemption for Operator of Payment System. The redacted opinion letter notes that California governmental entities are exempt from the MTA, and a company that provides payment processing services to facilitate the transfer from a California Department of Correction detainee’s cash at a detention facility to that detention facility’s bank account, is exempt from the MTA because it is processing payments between or among persons exempt from the MTA.
- MTA - Agent of Payee. The redacted opinion letter states that the company’s transactions by an agent of a merchant to collect funds from the merchant’s customer for payment of goods and services are exempt from the requirements of the MTA. The company is acting as an agent of the payee when a company is receiving money as an agent of a merchant pursuant to a preexisting written contract, and delivery of the money to the company satisfies the customer’s obligation to the merchant for a good or service provided by the merchant.
- Sending Instructions Not Money Transmission. The redacted opinion letter states that the company’s actions do not constitute money transmission under the MTA because “[the company] never ‘receives money for transmission.’” The company only “receives instructions from consumers and merchants to transmit money to each other and forwards these instructions for processing by their respective banks on the ACH network.” Because the banks are “solely responsible for payment and settlement in accordance with these instructions” the company’s payment system does not require an MTA license.
On July 22, the OCC issued an interpretive letter concluding that national banks and federal savings associations (collectively, “banks”) may hold cryptocurrency on behalf of customers so long as they effectively manage the risks and comply with applicable law. Specifically, the letter responds to a bank’s proposal to offer cryptocurrency custody services to its customers as part of its standard custody business. The OCC notes that “there is a growing demand for safe places, such as banks, to hold unique cryptographic keys associated with cryptocurrencies.” The letter emphasizes that the OCC “generally has not prohibited banks from providing custody services for any particular type of asset,” and providing cryptocurrency custody services “falls within  longstanding authorities to engage in safekeeping and custody activities.”
The OCC notes that while the custody services will not “entail any physical possession of the cryptocurrency,” OCC regulations authorize banks to provide through electronic means any activities that they are otherwise authorized to perform. Thus, because banks may perform custody services for physical assets, they are “likewise permitted to provide those same services via electronic means (i.e., custody of cryptocurrency).” Additionally, a bank with trust powers has the authority to hold cryptocurrencies in a fiduciary capacity, in the same way they manage other assets they hold as fiduciaries.
The OCC reminds banks that they should develop and implement sound risk management practices, and specifically notes that “custody activities should include dual controls, segregation of duties and accounting controls.” Moreover, banks should “conduct a legal analysis to ensure the activities are conducted consistent with all applicable law,” noting that “[d]ifferent cryptocurrencies may also be subject to different OCC regulations and guidance outside of the custody context, as well as non-OCC regulations.”
On July 16, the Financial Crimes Enforcement Network (FinCEN) issued an alert warning financial institutions about a scam using social media accounts to solicit fraudulent payments denominated in convertible virtual currency (CVC). According to FinCEN, high-profile social media accounts were compromised and used to solicit payments to CVC accounts, with claims that any CVC sent would be “doubled and returned to the sender.” The alert reminds financial institutions to report suspicious transactions involving this type of activity as soon as possible, and that “[a]ny data or information that helps identify the activity as suspicious can be included as an indicator” on their Suspicious Activity Report (SAR) form. The alert notes several indicators to assist financial institutions in identifying activity related to the scam, including (i) communications soliciting payments with misspellings; (ii) social media posts soliciting donations from unverified accounts; and (iii) multiple accounts communicating the same message soliciting funds for an unknown purpose.
On June 13, the Louisiana governor signed HB 701, which provides for the licensing and regulation of virtual currency businesses in the state. Subject to certain exceptions, the bill establishes licensing and registration requirements, and, among other things, (i) authorizes reciprocity of licensure with other states; (ii) specifies that licensee applications must be submitted through the Nationwide Multi-State Licensing System; (iii) adds provisions related to licensee examinations; (iv) outlines licensee surety bond requirements “based on the nature and extent of risks in the applicant’s virtual currency business model”; (v) provides the state’s office of financial institutions with enforcement authority; and (vi) prohibits licensees from engaging in unfair, deceptive, or fraudulent practices. The act is effective August 1.
On June 26, the SEC announced a settlement with two offshore entities, resolving allegations that the entities violated federal securities laws by raising more than $1.7 billion in unregistered digital token offerings. As previously covered by InfoBytes, in October 2019, the SEC obtained a temporary restraining order, halting the offerings. According to the SEC, the entities violated Sections 5(a) and 5(c) of the Securities Act by failing to register its offers and sales of securities with the SEC. Prior to the restraining order, the entities had sold approximately 2.9 million digital tokens worldwide, including more than 1 billion tokens to 39 U.S. purchasers. The settlement requires the entities to return more than $1.2 billion to investors in “ill-gotten gains” from the token offerings. Additionally, the parent company is required to pay an $18.5 million civil penalty and give proactive notice to the SEC before participating in any digital asset issuances for the next three years. The entities entered into the settlement without admitting or denying the allegations in the SEC’s complaint.
On June 24, NYDFS launched several virtual currency initiatives, including a Memorandum of Understanding with the State University of New York to launch a virtual currency program, a proposed conditional licensing framework, final guidance concerning a licensee’s ability to self-certify the use of new coins, and additional resources intended to help virtual currency market participants. Among other things, NYDFS requested comments on the proposed framework, which will allow an entity to apply for a conditional license when partnering with an existing NYDFS-authorized entity to engage in virtual currency business activity during the term of the conditional license. NYDFS seeks comments on, among other things, the types of operational, staffing, and other support the existing licensed entity should provide to the conditional licensee until it is able to obtain a full NYDFS virtual currency license of its own. Comments on the proposed framework are due August 10.
NYDFS also announced final guidance regarding licensees’ ability to self-certify the use of new coins. As previously covered by InfoBytes, last December NYDFS issued proposed guidance regarding coin adoption or listing options for virtual currency licensees. The final guidance provides a framework for entities to create firm-specific policies for the adoption or listing of new coins through self-certification, without NYDFS’s prior approval, and establishes that NYDFS will maintain a list of coins approved for use, and their permitted uses, available for adoption and use by licensees more generally.
Finally, NYDFS released additional resources, including a notice of NYDFS practices designed to create “a more transparent and timely process” for evaluating virtual currency license applications, as well as new virtual currency-related Frequently Asked Questions that will be updated on an ongoing basis.
On March 24, the CFTC approved final interpretive guidance concerning the term “actual delivery” in the context of retail virtual currency transactions. As previously covered by InfoBytes, the CFTC reaffirmed its belief that virtual currencies are commodities, and thus certain transactions involving these types of currencies are subject to CFTC oversight. In order to demonstrate the “actual delivery” of virtual currency in connection with retail commodity transactions, the final interpretive guidance sets forth two primary factors that market participants must demonstrate:
- A customer has (i) the ability to secure “possession and control of the entire quantity of the commodity, whether it was purchased on margin, by using leverage, or any other financing arrangement”; and (ii) “the ability to use the entire quantity of the commodity freely in commerce (away from any particular execution venue) no later than 28 days from the date of the transaction and at all times thereafter”; and
- “The offeror and counterparty seller (including any of their respective affiliates or other persons acting in concert with the offeror or counterparty seller on a similar basis) do not retain any interest in, legal right, or control over any of the commodity purchased on margin, leverage, or other financing arrangement at the expiration of 28 days from the date of the transaction.”
CFTC Chairman Heath P. Tarbert stated that he anticipates a 90-day period before the CFTC begins initiating enforcement actions related to the final interpretive guidance that may not have been plainly evident in prior guidance, enforcement actions, and case law.
Chinese nationals sanctioned and charged with laundering over $100 million in cryptocurrency from hacked exchange
On March 2, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Orders 13694, 13757, and 13722 against two Chinese nationals for allegedly laundering over $100 million in stolen cryptocurrency connected to a North Korean state-sponsored cyber group that hacked cryptocurrency exchanges in 2018. According to OFAC, the two individuals “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, a malicious cyber-enabled activity” or in support of the North Korean cyber group, which was designated by OFAC last September (covered by InfoBytes here). OFAC stated that it closely coordinated its action with the U.S. Attorney’s Office for the District of Columbia and the Internal Revenue Service’s Criminal Investigation Division. As a result of the sanctions, “all property and interests in property of these individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC.” OFAC further noted that its regulations “generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of blocked or designated persons,” and warned foreign financial institutions that knowingly facilitating significant transactions or providing significant financial services to the designated individuals may subject them to U.S. correspondent account or payable-through sanctions.
On the same day, the DOJ unsealed a two-count indictment against the two individuals, charging them with money laundering conspiracy and operating an unlicensed money transmitting business. The indictment claims that the individuals converted virtual currency traceable to the hack of a cryptocurrency exchange into fiat currency or prepaid Apple iTunes gift cards through accounts in various exchanges linked to Chinese banks and then transferred the currency or gift cards to customers for a fee. According to the indictment, neither individual was registered as a money transmitting business with the Financial Crimes Enforcement Network, which is a federal felony offense. The complaint seeks forfeiture of 113 virtual currency accounts belonging to the individuals.
On February 6, SEC Commissioner Hester M. Pierce announced her proposal for a three-year safe harbor rule applicable to companies developing digital assets and networks. Pierce suggested that not only would the rule provide regulatory flexibility “that allows innovation to flourish,” but it would also protect investors by “requiring disclosures tailored to their needs” while still maintaining anti-fraud safeguards, allowing investors to participate in token networks of their choice. Proposed Securities Act Rule 195 would allow companies to sell or offer tokens without being subject to the Securities Act of 1933, and without the tokens being subject to the registration requirements of the Securities Act of 1934. In order to qualify for these exemptions, the proposed rule requires that a company developing a network must, among other things, (i) “intend for the network on which the token functions to reach network maturity…within three years of the date of the first token sale”; (ii) disclose key information on a freely accessible public website,” including applicable source code and descriptions of how to search and verify transactions on the network; (iii) offer and sell its tokens in order to allow access to or development of its network; (iv) make “good faith and reasonable efforts to create liquidity for users”; and (v) “file a notice of reliance” with the SEC’s EDGAR system within 15 days of the company’s first token sale made in reliance on the safe harbor. Pierce suggested that the three-year grace period for qualifying companies would allow time for the development of decentralized or functional networks, and, at the end of the three years, a successful network’s tokens would not be regulated as securities.
- H Joshua Kotin to discuss "Being fair, responsible, & profitable" at the QuestSoft Lending Compliance & Risk Management Virtual Conference
- Kathryn L. Ryan to discuss "NMLS mortgage call report – Where’s NMLS 2.0?" at the QuestSoft Lending Compliance & Risk Management Virtual Conference
- Thomas A. Sporkin to discuss "Managing internal investigations and advanced government defense" at the Securities Enforcement Forum
- Jeffrey P. Naimon to discuss "2021 - A new beginning/what's to come" at the QuestSoft Lending Compliance & Risk Management Virtual Conference
- H Joshua Kotin to discuss "Mortgage servicing in a recession: Early intervention, loss mitigation and more" at the NAFCU Virtual Regulatory Compliance Seminar
- Daniel R. Alonso to discuss "Independent monitoring in the United States" at the World Compliance Association Peru Chapter IV International Conference on Compliance and the Fight Against Corruption
- Jonice Gray Tucker to discuss "Cyber security, incident response, crisis management" at the Legal & Diversity Summit
- Jonice Gray Tucker to discuss "The future of fair lending" at the Mortgage Bankers Association Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "Pandemic fallout – Navigating practical operational challenges" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "Consumer financial services" at the Practising Law Institute Banking Law Institute
- Daniel P. Stipano to discuss "BSA/AML - Covid impact and regulatory/guidance roundup" at an NAFCU webinar