Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 6, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13722 against a virtual currency mixer used by the Democratic People’s Republic of Korea (DPRK) to support its cyber activities and money-laundering. According to OFAC, in March, a DPRK state-sponsored cyber-hacking group carried out the largest virtual currency heist to date, worth almost $620 million, from a blockchain project linked to an online game. The virtual currency mixer was used to process over $20.5 million of the illicit proceeds. OFAC noted that the sanctions are the first-ever sanctions on a virtual currency mixer. As a result of the sanctions, all property and interests in property belonging to the sanctioned entities subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons.
On May 4, the California governor issued an executive order calling on the state to create a transparent and consistent framework for companies operating in blockchain, cryptocurrency, and related financial technologies. This framework, the governor stated, should harmonize federal and California laws and balance innovation with consumer protection. The executive order outlined several priorities, including:
- The framework should include input from a range of stakeholders for potential blockchain applications and ventures;
- The Department of Financial Protection and Innovation (DFPI) should engage in a public process, including with federal agencies, to “develop a comprehensive regulatory approach to crypto assets harmonized with the direction of federal regulations and guidance” and should “exercise its authority under the California Consumer Financial Protection Law (CCFPL) to develop guidance and, as appropriate, regulatory clarity and supervision of private entities offering crypto asset-related financial products and services” in the state;
- DFPI should publish consumer protection principles that include model disclosures, error resolution, and other criteria, and “seek input from stakeholders and licensees in order to publish guidance for California state-chartered banks and credit unions”;
- DFPI should engage in actions to protect consumers, including initiating enforcement actions to enforce the CCFPL, enhancing its review of consumer complaints related to crypto asset-related financial products and services and working with companies to remedy such complaints, and publishing consumer education materials;
- GovOps should issue a request for innovative ideas to explore opportunities for deploying blockchain technologies that address public-serving and emerging needs; and
- Members of the Governor's Council for Postsecondary Education should “identify opportunities to create a research and workforce environment to power innovation in blockchain technology, including crypto assets” to “expose students to emerging opportunities.”
The governor emphasized that while blockchain technology over the past decade “has laid the foundation for a new generation of innovation, spurring a rise in entrepreneurialism in sectors including financial technology,” among others, its impact “is both uncertain and profound” and carries risks and legal implications.
On May 3, the SEC announced it will nearly double the size of its Crypto Assets and Cyber Unit within the Division of Enforcement. “By nearly doubling the size of this key unit, the SEC will be better equipped to police wrongdoing in the crypto markets while continuing to identify disclosure and controls issues with respect to cybersecurity,” SEC Chair Gary Gensler stated. Since the unit’s inception, more than 80 enforcement actions have been brought against actors related to fraudulent and unregistered crypto asset offerings and platforms, resulting in monetary relief totaling more than $2 billion. The unit has also “brought numerous actions against SEC registrants and public companies for failing to maintain adequate cybersecurity controls and for failing to appropriately disclose cyber-related risks and incidents.” The expanded unit will focus on investigations related to: crypto asset offerings, crypto asset exchanges, crypto asset lending and staking products, decentralized finance platforms, non-fungible tokens, and stablecoins.
On April 28, the DOJ issued a fact sheet outlining legislative proposals to strengthen kleptocracy asset recovery as part of the Biden administration’s efforts “to isolate and target the crimes of Russian officials, government-aligned elites, and those who aid or conceal their unlawful conduct.” The proposed measures would “streamline asset forfeiture proceedings in certain circumstances” and also:
- Enable the DOJ and Treasury and State Departments to work together to return forfeited kleptocrat funds to remediate harms caused to Ukraine;
- Expand forfeiture authorities under the International Emergency Economic Powers Act (IEEPA) to include property used to facilitate the violations of sanctions and “amend IEEPA’s penalty provision to extend the existing forfeiture authorities to facilitating property, not just to proceeds of the offenses”;
- Expand the definition of “racketeering activity” in the Racketeer Influenced and Corrupt Organizations Act to include criminal violations of IEEP and the Export Control Reform Act to improve the U.S.’s ability to investigate and prosecute sanctions evasion and export control violations;
- Extend the statute of limitations for prosecuting sanctions violations and the statute of limitations for seeking forfeitures based on foreign offenses from five years to 10 years; and
- Improve the U.S.’s ability to work with international partners to facilitate enforcement of foreign restraint and forfeiture orders for criminal property and improve the ability to take these actions in the U.S.
As previously covered by InfoBytes, the DOJ launched “Task Force KleptoCapture,” an “interagency law enforcement task force dedicated to enforcing the sweeping sanctions, export restrictions, and economic countermeasures that the United States has imposed, along with allies and partners,” in order to “isolate Russia from global markets” in March. The task force has since engaged in numerous transatlantic efforts to sanction numerous Russian elites, Russia’s largest privately-owned aircraft, and one of the world’s largest superyachts (covered by InfoBytes here), and has “seized approximately $625,000 associated with sanctioned parties held at nine U.S. financial institutions.”
Find continuing InfoBytes coverage on the U.S. sanctions response to Russia’s invasion of Ukraine here.
On April 27, acting Comptroller of the Currency Michael J. Hsu issued a statement regarding stablecoin standards after appearing before the Artificial Intelligence and the Economy: Charting a Path for Responsible and Inclusive AI symposium hosted by the U.S. Department of Commerce, National Institute of Standards and Technology, FinRegLab, and the Stanford Institute for Human-Centered Artificial Intelligence. According to Hsu, the internet has “technical foundations” that “provide for an open, royalty-free network.” He further noted that “[t]hose foundations did not emerge on their own. They were developed by standard setting bodies like IETF (Internet Engineering Task Force) and W3C (World Wide Web Consortium), which had representatives with differing perspectives, a shared public interest ethos, and a strong leader committed to the vision of an open and inclusive internet.” Hsu further stated that stablecoins do not have “shared standards and are not interoperable.” However, to make stablecoins “open and inclusive,” Hsu said that he believed that “a standard setting initiative similar to that undertaken by IETF and W3C needs to be established, with representatives not just from crypto/Web3 firms, but also from academia and government.” As previously covered by InfoBytes, Hsu discussed stablecoin policy considerations earlier this month in remarks before the Institute of International Economic Law at Georgetown University Law Center, calling for the establishment of an “intentional architecture” for stablecoins developed through principles of “[s]tability, interoperability and separability,” as well as “core values” of “privacy, security, and preventing illicit finance.”
NYDFS encourages virtual currency licensees to use blockchain analytics tools for sanctions and AML compliance
On April 28, NYDFS announced new guidance on virtual currency entities that are establishing the use of blockchain analytics tools. NYDFS explained that virtual currency activities can involve, among other things, different sources, destinations, and types of funds flows than are found in more traditional, fiat-currency contexts. Such characteristics of virtual currencies can create compliance challenges, but also can present new possibilities for new technology-driven control measures. In the guidance, NYDFS outlined expectations for New York State-regulated virtual currency companies, including: (i) establishing control measures that may leverage blockchain analytics; (ii) augmenting due diligence controls; (iii) conducting transaction monitoring of on-chain activity; and (iv) conducting sanctions screening of on-chain activity. NYDFS also emphasized "the importance of risk-based policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions."
As previously covered by InfoBytes, NYDFS issued a framework outlining industry best practices for state-regulated property/casualty insurers writing cyber insurance, which provided guidance for effectively managing cyber insurance risk. The framework is the first guidance released by a U.S. regulator on cyberinsurance. NYDFS noted it has “engaged with external stakeholders to inform this new guidance and continues to conduct significant outreach to state, federal and international regulators; industry; and other experts in the field to ensure New York maintains a robust regulatory regime and remains a destination for virtual currency companies to operate.”
Recently, the California Department of Financial Protection and Innovation (DFPI) released a new opinion letter covering aspects of the California Money Transmission Act (MTA) related to the purchase and sale of virtual currency. The redacted opinion letter examines whether a Company that offers customers the opportunities to deposit fiat currency to a Company account and then draw down that balance to purchase virtual currency from the company requires MTA licensure. The Company explained that virtual currency is purchased from a third party and is transferred to the customer’s Company-issued virtual currency wallet where it can then be stored, transferred to an external wallet, or sold for fiat currency. When a customer later wants to sell the purchased virtual currency for fiat currency, the transaction occurs in a similar fashion. The Company stated that “virtual currency sales to customers are from the Company’s own inventory,” and that for purposes of the opinion, DFPI “assumes these sales occur independently of the Company’s own transactions with third parties.”
DFPI concluded that because the Company’s activities are limited to directly purchasing and selling cryptocurrency to customers, it does not require an MTA license because it does “not involve the sale or issuance of stored value or receiving money for transmission.” Specifically, DFPI stated that because the “customer’s fiat currency balance in the Company account does not meet the definition of stored value” and because “funds in that account can only be used for virtual currency purchases from the Company or transferred out to the customer’s external bank account,” the closed loop stored value “does not constitute issuance of stored value that is regulated under the MTA.” DFPI reminded the Company that its determination is limited to the presented facts and that any change could lead to different conclusions.
On April 22, the OCC announced an upcoming quarterly discussion series focusing on consumer financial wellbeing. The first event in the Financial Health: Vital Signs series will occur on April 28 and focus on minority ownership of cryptocurrency. Future events will feature discussions with acting OCC Comptroller Michael J. Hsu and other academic, community, and industry leaders. The discussion series will be livestreamed and open to the public.
On April 18, the Congressional Research Service released an overview of digital wallet technology and related cybersecurity, data privacy and consumer protection policy considerations. Digital wallets are software applications that store payment or account details to facilitate traditional payments using bank and credit card details, and also cover transfers from consumers’ bank accounts to retailers and peer-to-peer and cryptocurrency transactions. One issue the report identified is that companies that offer digital wallets and payment companies often collect information about users and may share data with affiliates and nonaffiliates unless users opt out. As previously covered by InfoBytes, the CFPB is developing proposed rulemaking around sharing consumer financial data, but it remains unclear whether the rules would apply to digital wallet companies. The report also stressed that because funds stored on digital wallets are not deposits, digital wallets are generally not covered by deposit insurance. And while credit, debit, or prepaid cards stored on a mobile wallet are covered by the EFTA and TILA (and implementing Regulations E and Z), those statutes do not currently cover cryptocurrency wallets. The report explained that “[c]ryptocurrency transactions are not subject to Regulation E primarily because these are not bank products and also because cryptocurrencies are not typically used for consumer payments.”
On April 9, the New York governor signed S. 8008-C, which enacts the state’s 2023 fiscal year budget and requires, among other things, NYDFS to start charging a new assessment fee to all virtual currency businesses licensed in New York in order to cover the costs associated with their oversight and “defray operating expenses.” Specifically, Section 206 is amended to read: “The expenses of every examination of the affairs of any person regulated pursuant to this chapter that engages in virtual currency business activity shall be borne and paid by the regulated person so examined, but the superintendent, with the approval of the comptroller, may in the superintendent’s discretion for good cause shown remit such charges.” The amendments do not specify a specific assessment amount, however regulated companies engaged in virtual currency business activity “shall be assessed by the superintendent for the operating expenses of the department that are solely attributable to regulating such persons in such proportions as the superintendent shall deem just and reasonable.”
NYDFS Superintendent Adrienne A. Harris issued a press release the same day praising the budget adoption as it now allows the Department to collect supervisory costs from licensed virtual currency businesses as it does for banking and insurance companies. Noting that “New York was the first to start licensing and supervising virtual currency companies,” Harris said that the “new authority will empower the Department to build staff with the capacity and expertise to best regulate and support this rapidly growing industry.”
- John R. Coleman to discuss “CFPB update” at the MBA Legal Issues and Regulatory Compliance Conference
- Kathryn L. Ryan to discuss "State licensing and NMLS challenges" at MBA’s Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “Fair lending and equal opportunity laws” at the MBA Legal Issues and Regulatory Compliance Conference
- Jeffrey P. Naimon to discuss “Contemplating the boundaries of UDAAP” at the MBA Legal Issues and Regulatory Compliance Conference
- Steven vonBerg to speak at closing “super session“ on compliance topics at MBA Legal Issues and Regulatory Compliance Conference
- Jeffrey P. Naimon to discuss “Understanding the ESG impact on compliance” at the ABA’s Regulatory Compliance Conference