Cryptocurrency’s Impact on BSA/AML and Sanctions Programs

The market for digital assets has exploded in recent years. Digital and virtual currency activities provide great opportunities financially and technologically. However, such currencies can be utilized for illicit activity through exchanges, peer-to-peer exchanges, mixers (a service that mixes different streams of potentially identifiable cryptocurrency), and darknet markets, which increase the risk of money laundering and terrorist financing. Financial institutions and other industry players have both struggled with and embraced digital currencies to varying degrees. With innovation and increased popularity comes risk.

The U.S. government is keen to identify ways to mitigate the risks that digital assets present, while recognizing that opportunities and potential benefits may exist. On March 9, 2022, President Biden issued the Executive Order on Ensuring Responsible Development of Digital Assets (EO). The EO was the first whole-of-government strategy to address not only the risks of digital assets, but also the benefits of their underlying technology. The EO outlined six priorities that factor into addressing a national policy for digital assets and called for interagency coordination to implement the EO.

Most recently, on September 16, 2022, the White House published a fact sheet that combines data from the nine reports submitted to date in response to deadlines included in the EO. The fact sheet articulates the first comprehensive framework that supports the six priorities for responsibly developing digital assets, which includes regulatory considerations and makes clear that misuse will give rise to enforcement.

The United States has already pursued enforcement in the cryptocurrency space, particularly against mixers. Mixers provide anonymity and aid in hiding the origin and movement of funds. Recently, the U.S. Department of the Treasury’s Office of Foreign Assets Controls (OFAC) imposed sanctions on Tornado Cash, a virtual currency mixer, which was utilized to launder more than $7 billion worth of virtual currency since 2019. The figure included more than $455 million stolen by the previously sanctioned Lazarus Group of the Democratic People’s Republic of Korea (DPRK) back in 2019. Additionally, the Treasury’s Financial Crimes Enforcement Network (FinCEN) assessed a $60 million civil money penalty against the owner and operator of a virtual currency mixer for violations of the Bank Secrecy Act (BSA) and its implementing regulations. Enforcement further signals the necessity for financial institutions and those in the virtual currency industry to mitigate the risks presented by virtual currencies.

As part of a company’s Bank Secrecy Act / Anti-Money Laundering (BSA/AML) and sanctions programs, it is critical to prevent sanctioned persons and other illicit actors from exploiting digital currency for illicit and criminal purposes. Even if not formally subject to such regulations, each company in the industry should take a risk-based approach to assess the various risks associated with different virtual currency services, develop and implement measures to mitigate such risks, and address the challenges anonymizing features can present to compliance with BSA/AML and sanctions obligations. Given recent enforcement actions, mixers should generally be considered high risk, and companies should proceed with caution when considering whether to process transactions involving mixers, unless appropriate processes and controls are in place to prevent money laundering or identify illicit or designated actors.

Since we can expect the U.S. government to exercise its authority against malicious cyber actors to expose, disrupt, and hold accountable perpetrators that enable criminals to profit from cybercrime and other illicit activity, it is crucial that financial institutions and businesses engaged in the financial services sector consider these priorities and actions in their efforts to combat illicit use of digital currencies.

A risk-based approach coupled with a comprehensive risk assessment are critical, foundational aspects of both compliance and combatting financial crime. Revisiting risk assessments periodically is also critical—especially considering the current rate of regulatory change and published guidance in the digital currency space.