The United States has already pursued enforcement in the cryptocurrency space, particularly against mixers. Mixers provide anonymity and aid in hiding the origin and movement of funds. Recently, the U.S. Department of the Treasury’s Office of Foreign Assets Controls (OFAC) imposed sanctions on Tornado Cash, a virtual currency mixer, which was utilized to launder more than $7 billion worth of virtual currency since 2019. The figure included more than $455 million stolen by the previously sanctioned Lazarus Group of the Democratic People’s Republic of Korea (DPRK) back in 2019. Additionally, the Treasury’s Financial Crimes Enforcement Network (FinCEN) assessed a $60 million civil money penalty against the owner and operator of a virtual currency mixer for violations of the Bank Secrecy Act (BSA) and its implementing regulations. Enforcement further signals the necessity for financial institutions and those in the virtual currency industry to mitigate the risks presented by virtual currencies.
As part of a company’s Bank Secrecy Act / Anti-Money Laundering (BSA/AML) and sanctions programs, it is critical to prevent sanctioned persons and other illicit actors from exploiting digital currency for illicit and criminal purposes. Even if not formally subject to such regulations, each company in the industry should take a risk-based approach to assess the various risks associated with different virtual currency services, develop and implement measures to mitigate such risks, and address the challenges anonymizing features can present to compliance with BSA/AML and sanctions obligations. Given recent enforcement actions, mixers should generally be considered high risk, and companies should proceed with caution when considering whether to process transactions involving mixers, unless appropriate processes and controls are in place to prevent money laundering or identify illicit or designated actors.
Since we can expect the U.S. government to exercise its authority against malicious cyber actors to expose, disrupt, and hold accountable perpetrators that enable criminals to profit from cybercrime and other illicit activity, it is crucial that financial institutions and businesses engaged in the financial services sector consider these priorities and actions in their efforts to combat illicit use of digital currencies.
A risk-based approach coupled with a comprehensive risk assessment are critical, foundational aspects of both compliance and combatting financial crime. Revisiting risk assessments periodically is also critical—especially considering the current rate of regulatory change and published guidance in the digital currency space.