In September, a joint FATF-INTERPOL Roundtable Engagement (FIRE) was held in Singapore, where participants agreed on the importance of a strong legal framework to effectively pursue asset recovery. The event also discussed the impact of cyber-enabled fraud on victims.
Finally in October, the FATF released, for public consultation, draft guidance on Recommendation 24 and a consultation of proposed revisions to Recommendation 25 on transparency and beneficial ownership of legal arrangements. FATF members also approved a report on the illicit proceeds generated from the supply chains for fentanyl and related synthetic opioids, and discussed a report on money laundering through arts, antiquities, and other cultural objects, which will be finalized by February 2023.
B. Regional Developments
1. Americas
a. U.S. Anti-Money Laundering Regulatory Updates - 2022
In the United States, by far the most noteworthy development this year in the AML world has been the issuance by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) of the highly anticipated rule implementing the beneficial ownership information reporting requirements of the Corporate Transparency Act of 2021 (CTA). The rule, issued on September 29, 2022, produced the most significant revisions to the U.S. AML compliance framework in more than twenty years, implementing sweeping beneficial ownership disclosure requirements applicable to all U.S. entities, as well as foreign entities registered in the United States. Beginning on January 1, 2024, the rule will require all covered entities - within thirty days of formation - to provide FinCEN with detailed information regarding natural person beneficial owners as well as individuals who substantially control such entities, unless the entity meets certain defined exemptions set out in the rule. Moreover, such information will have to be updated within thirty days of any change. Companies formed prior to January 1, 2024, will have until January 1, 2025, to make initial filings.
Penalties for violations of the rule will apply only to willful violations, including willful failure to file, willful provision of false or fraudulent information, or willfully failing to provide complete or updated information. The rule does not provide for penalties in the case of negligent or reckless failures. The September 2022 rule was the first of three rulemakings required to implement the CTA. It neither addressed access to the information collected and safeguards to ensure that it is secured, nor did it address required revisions to FinCEN’s customer due diligence (CDD) rules to incorporate this new process.
Finally, on December 15, 2022, FinCEN issued a Notice of Proposed Rulemaking (NPRM) that implement provisions of the CTA on security and confidentiality to protect sensitive personally identifiable information (PII) reported to FinCEN. Written comments on the proposed rule cannot be submitted prior to February 14, 2023.
Another closely watched area of development in the U.S. AML world is the proposed regulation under the Establishing New Authorities for Businesses Laundering and Enabling Risks to Security Act (Enablers Act) of certain previously unregulated categories of service providers regarded as gatekeepers or otherwise potential facilitators of money laundering. The proposed legislation would bring under the ambit of the U.S. Bank Secrecy Act providers of (i) corporate structuring and formation services, (ii) trust services, and (iii) third party payment services as well as legal and accounting services to the extent that they facilitate services described in (i) through (iii). If passed, the legislation could result in significant new regulatory burdens for corporate formation agents, trustees, and law and accounting firms. These regulatory burdens could result in implementation of robust customer due diligence programs and potential requirements to monitor and file reports relating to suspicious transactions engaged in by clients (i.e., Suspicious Activity Reports or SARs).
Like the Anti-Money Laundering Act of 2020, the Enablers Act appears to have broad bipartisan support in the U.S. Congress. It was initially included in the annual U.S. National Defense Authorization Act (NDAA) to ensure swift passage through expedited procedures but was removed in the final draft. The legislation is expected to be reintroduced as a standalone bill to face more lengthy debate over its specific terms in 2023.
b. Cayman Islands Anti-Money Laundering Regulatory Updates - 2022
For the Cayman Islands, the National Risk Assessment 2021 Report published in March 2022 emphasized the threat of foreign corruption and discussed recent enforcement actions. In April, the Cayman Islands Government issued a statement informing the industry that it had established a joint task force to coordinate, identify, and implement policy amendments to employ sanctions on Russia. Since the commencement of the Russian invasion of the Ukraine in February 2022, more than 800 asset freezes had been imposed in the Cayman Islands, with over 400 Compliance Reporting Forms submitted, resulting in an estimated value of USD $7.3 billion of frozen assets.
In May, the Ministry of Finance received confirmation from the EU’s Department for Financial Stability and Capital Markets (DG FISMA), which oversees the EU’s AML/CFT listing process, that the EU does not require further measures, beyond those included in the FATF action plan, for removing the Cayman Islands from the EU’s AML/CFT list. Regulations were then published in June, confirming that beneficial ownership information under the Cayman regime must include details of the individual’s unexpired and valid passport. Accordingly, this aspect of beneficial owner information must be updated on an ongoing basis.
Also in June, the Cayman Islands Monetary Authority (CIMA) published additional guidance on sanctions screening, following up its 2021 inspections. In particular, it emphasized the need to follow procedures and controls (i.e. effective implementation as opposed to just creating the systems), to properly document screening carried out for onboarding and ongoing monitoring, as well as adequate training. CIMA had previously issued additional guidance on third party reliance testing for agents/nominees and Eligible Introducers, which is comprised of written assurance as well as control testing. Finally, on July 1, 2022, PART XA of the Anti-Money Laundering (Amendment) (No. 2) Regulations, 2020 (AMLRs) came into force, setting out the identification and record-keeping requirements related to transfers of VAs in accordance with the FATF’s standards.
c. British Virgin Islands Anti-Money Laundering Regulatory Updates - 2022
In line with the FATF guidance, the British Virgin Islands (BVI) amended AML/CFT rules in August 2022 to include VAs and VASPs. BVI has proposed to introduce VASP legislation and in September 2022 the British Virgin Islands Financial Services Commission (FSC) published a draft bill in the form of the Virtual Assets Service Providers Act 2022 (the VASP Act) for industry consultation. Whilst no clear enactment date has yet been fixed, it is understood that this will likely become effective before the end of 2022 or in early 2023. The VASP Act will include a transitional grace period of six months for an existing VASP to register with the FSC. AML/CFT measures, including the FATF Travel Rules for VA transfers above USD $1,000, have been in effect since December 1, 2022.
In addition, the BVI introduced changes to the business companies’ regime in order to align it with the FATF’s standards effective January 1, 2023. Director names will be available to the public via the BVI Registrar of Corporate Affairs upon request, the register of members will include voting rights, and the concept of bearer shares will be removed from BVI business companies legislation.
2. Asia Pacific
a. Australia Anti-Money Laundering Regulatory Updates - 2022
The Australian Transaction Reports and Analysis Centre (AUSTRAC) released in April 2022 two new financial crime guides focused on ransomware attacks and crimes linked to digital currencies. These guides provide information and key indicators to help businesses identify and report if a payment could be related to ransomware attacks, and any other criminal activity through digital currencies. Additionally, these guides were designed due to increased attention on cybercrime and digital assets in 2022, including a letter from the Australian Prudential Regulation Authority (APRA) with the risk management expectations for all regulated entities that engage in activities associated with crypto-assets, and new guidance from the Australian Securities & Investments Commission (ASIC) on cybersecurity.
On the enforcement side, Helio Lending Pty. Ltd., a Melbourne-based business offering cryptocurrency-backed loans to consumers, was charged in April 2022 with falsely claiming that it held an Australian credit license (ACL). In July 2022, a report on investment scams published by the Australian Competition and Consumer Commission (ACCC) revealed that crypto-scams increased 270% compared to 2021, leading ASIC to issue a media release targeted at consumers in November 2022 to increase awareness with respect to top red flags.
In reference to regulatory policy, AUSTRAC published additional guidance in October 2022 aimed at helping reporting entities identify and verify sources of funds and wealth as part of their know-your-customer (KYC) processes. AUSTRAC also continued to express concern over gatekeeper professions such as designated non-financial businesses and professions (DNFBPs) that were not subject to the anti-money laundering (AML) regime, after a March 2022 Senate Committee Report which examined Australia’s failure to expand the scope of AML measures to cover DNFBPs and recommended that the Federal Government take immediate action. This builds onto a previous AUSTRAC report, where it was estimated that more than USD $1 billion was laundered through Australian real estate by Chinese entities alone.
b. Hong Kong Anti-Money Laundering Regulatory Updates - 2022
In April 2022, the Hong Kong Monetary Authority (HKMA) published the sixth issue of its Regtech Adoption Practice Guide, focusing on regtech solutions utilizing artificial intelligence (AI). In July 2022, HKMA co-organized its second AML Regtech Lab (AMLab) focused on the use of enabling technologies such as robotic process automation, low-code/no-code platforms and visualization tools to automate compliance.
In June, amendments to the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) were published, including a new licensing regime for VASPs which will be administered by the Securities & Futures Commission (SFC), and is expected to be effective in March 2023. Also a new registration regime for dealers in precious metals and stones (DPMSs) is now administered by the Commissioner for Customs and Excise. Additional amendments addressed various technical issues previously identified in the FATF’s evaluation report on Hong Kong. Finally in July 2022, Hong Kong published its Money Laundering and Terrorist Financing Risk Assessment Report, which overall noted a medium-high level of ML/TF risk.
c. Singapore Anti-Money Laundering Regulatory Updates - 2022
In January and June 2022, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) announced measures to safeguard customers from digital banking scams. Several additional measures were required to be implemented by banks by October 31, 2022, including additional customer confirmations, emergency kill switch for customers, rapid account freezing, and enhanced fraud surveillance systems.
In March, following various inspections and engagements conducted in line with enforcement priorities, a new AML/CFT guidance was issued by MAS for financial institutions (FIs) in the conduct of their operations and business activities in precious stones, precious metals, and precious products (PSM). This guidance also revised existing AML/CFT notices for FIs and variable capital companies (VCCs). MAS also published an Information Paper in August 2022 for External Asset Managers and a circular in September 2022 setting out expectations for effective AML/CFT frameworks and compliance for VCCs and eligible financial institutions (EFIs).
3. Europe
a. U.K. Anti-Money Laundering Regulatory Updates - 2022
In March 2022, as part of its response to the Russian invasion of Ukraine, the U.K. Government introduced the Economic Crime (Transparency and Enforcement) Bill into the House of Commons, which established a Register of Overseas entities owning U.K. property, with a 6-month transitional period for registration. The legislation was fast-tracked and Royal Assent was obtained in the early morning of March 15, 2022, becoming the Economic Crime (Transparency and Enforcement) Act 2022. In addition to the creation of the Register of Overseas Entities, the Act brought amendments to the Unexplained Wealth Order (UWO) regime (part II) and existing legislation on U.K. sanctions (part III).
In April, the Financial Conduct Authority (FCA) published the conclusions of a 2021 review of SARs by six challenger retail banks covering over 8 million customers and concluded that challenger banks and FinTech companies must improve AML/CFT controls. While the FCA noted the innovative use of technology, it also flagged weaknesses in customer due diligence (CDD) and enhanced due diligence (EDD) procedures. In June, the FATF published a follow-up report on the U.K.’s AML/CFT measures acknowledging that the country had strengthened its framework and increased its rating to partially compliant due to the introduction of EDD measures for correspondent banking (for financial institutions outside of the European Economic Area (EEA)). The FATF cited the U.K. Financial Intelligence Unit’s lack of resources as a major contributing factor to the rating.
At the same time, the U.K. government issued a review of its own AML/CFT regulatory and supervisory regime, together with reviews of the existing money laundering regulations (MLRs) and the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) regulations. The U.K. continued to strengthen its regulatory regime with the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022, published in July 2022, which expanded the information sharing standard for wire/bank transfers to transfers involving crypto-assets, i.e., implementing the Travel Rule for crypto-assets and introducing new ongoing compliance requirements for crypto-asset firms (such as the obligation to notify the FCA ahead of any change of control). At the same time, the British Art Market Federation (BAMF) issued updated guidance on AML requirements for U.K. art market participants (AMPs) in line with the European Union’s Fifth Anti-Money Laundering Directive (5AMLD).
In August, the Office of Financial Sanctions Implementation (OFSI) issued guidance which brought crypto exchanges and wallet providers in line with the reporting obligations faced by banks and other financial institutions with respect to sanctions. Finally in September, the publication of the Economic Crime and Corporate Transparency Bill 2022, in accordance with the Economic Crime (Transparency and Enforcement) Act passed earlier in the year, marked another reform. The proposed updates will bring crypto assets within the scope of civil forfeiture powers in Part 5 of the Proceeds of Crime Act 2002 (POCA) but will also introduce more general measures such as identity verification requirements for company directors and for persons with significant control (PSCs) as well as an annual confirmation that a company has a lawful purpose.
b. EU Anti-Money Laundering Regulatory Updates - 2022
Perhaps the most aggressive developments in AML/CFT during 2022 were seen in the European Union (EU), where the long-term goal of a pan-European AML/CFT program is now closer with the creation of a central EU authority projected for 2023 the EU Anti-Money Laundering Authority (AMLA). AMLA will become fully operational in 2026 and will monitor, support, and coordinate AML/CFT efforts in the EU. Although the responsibility for AML/CFT currently remains in the hands of member states, AMLA is intended to have direct supervision over the riskiest entities with a focus on large lenders and non-bank financial institutions, and will have the ability to impose fines. The AMLA is expected to help harmonize supervisory practices, oversee high-risk and cross-border financial entities, and coordinate financial intelligence units (FIUs). AMLA is intended to be fully independent, with its own executive board, and will be able to act internationally in the FATF and in relationships with third countries.
Another major development is the new EU Market in Crypto-assets Regulation (MICA), which was agreed on between the EU institutions and is estimated to come into effect in 2023. MICA will provide a comprehensive regulatory regime tailored specifically to crypto-assets, including an EU-wide registration (although businesses will be required to register in each country separately under AML/CFT regulations). MICA integrates into a wider net of EU regulatory frameworks that are currently in place or being developed, including AMLA, a reform of the AML/CFT rules, and the Transfer of Funds Regulation, which requires that information about the sender and the beneficiary of a transaction travel together with the funds (fiat or crypto).
This coincides with other AML/CFT developments in the EU, such as: (i) the European Commission issuing a trainers’ manual for lawyers on AML/CFT rules at EU level, (ii) the report issued by MONEYVAL, the Council of Europe’s financial crime research body, which called for stricter and more coordinated regulations including for digital currencies, or the (iii) Supranational Risk Assessment Report (SNRA) issued in October 2022 by the European Commission to the European Parliament and Council which flagged crypto-assets and online gambling as a high-risk areas for ML/TF.
The European Commission also issued a new proposal to establish common criminal standards and enable the confiscation of assets for a wider set of crimes for the violation of restrictive measures including sanctions. The crimes covered in the proposal include the trafficking of humans, drugs, and arms; money laundering; counterfeiting of payment forms; and organized crime.
In the banking industry, the European Banking Authority (EBA) published new guidelines on the role and responsibilities of the AML/CFT compliance officer in June 2022 with the same goal of harmonizing applicable AML/CFT standards across the EU, and recently issued a call for input on joint guidelines by the European Supervisory Authorities (ESAs) and for experts on crypto asset service providers, AML/CFT, and on restrictive measures regimes. Finally, a central database for AML/CFT intended as an early warning tool was launched by EBA across the EU. The European reporting system for material CFT/AML weaknesses, EuReCA, will centralize information on weaknesses identified in financial institutions, and measures imposed to rectify them.
II. Main Themes
A. Developments
Considering the additional guidance from the FATF and measures taken by various jurisdictions to enforce a beneficial ownership regime and increased transparency, the focus on beneficial ownership was one of the main themes of the year in AML. In the U.K., in April 2022, the U.K. House of Commons published a research report on beneficial ownership regulations in the U.K. and worldwide, noting that in February 2022 the U.K. Government published a White Paper setting out reforms seeking to increase the accuracy of information provided and that all British Overseas Territories and Crown Dependencies have or will introduce public company beneficial ownership registers by the end of 2023. But in November 2022, a decision of the European Court of Justice (ECJ), largely publicized, ruled that the legal provision in the EU Directive 2018/843 whereby information on beneficial ownership is accessible in all cases to any member of the general public is invalid. The Court found that the provision excessively infringed upon certain fundamental rights under the Charter of Fundamental Rights of the EU, namely the right to respect for private life and to the protection of personal data, in a way that went further than was strictly necessary and that the measure was not proportionate to the objective of fighting ML/TF.
Whereas the decision does not bind the U.K. post-Brexit, and the Charter of Fundamental Rights of the EU was not incorporated into U.K. law as part of the EU (Withdrawal) Act 2018, a U.K. court or tribunal may have regard to anything done on or after Brexit by the ECJ. In the aftermath, it was reported that the Ministries of Justice of the Netherlands and of the Grand Duchy of Luxembourg asked the Chamber of Commerce and the Luxembourg Business Registers, respectively, to temporarily stop providing information from the beneficial ownership register to the general public with immediate effect.
B. Enforcement & Litigation Trends
In the United States, 2022 included several notable AML-related enforcement actions by U.S. federal and state regulatory authorities, including the Office of the Comptroller of the Currency (OCC), FinCEN, the Securities and Exchange Commission (SEC), and the New York State Department of Financial Services (DFS). Prominent themes resulting in the assessment of civil monetary penalties included the failure to remediate previously identified AML program deficiencies, failures regarding SAR, failures regarding customer due diligence obligations, and inadequate staffing.
In March 2022, FinCEN and the OCC levied a combined USD $140 million penalty against USAA Federal Savings Bank (USAA) for willful violations of the Bank Secrecy Act (BSA) and AML regulations. For more than five years, USAA had failed to maintain an adequate AML compliance program. Prior to the levying of the 2022 penalty, USAA had been made aware of its AML compliance program failures and had committed to their remediation. But USAA failed to adequately address those issues. It was found that USAA’s AML program lacked sufficiently robust and risk-based policies, procedures, and controls tailored to the risks presented by its customers, products and geographies served. It lacked adequate policies, procedures, and controls regarding identifying, reporting, and evaluating suspicious activity. USAA’s AML program suffered from significant deficiencies in timely identifying and reporting suspicious activity due, in part, to a deficient case alert and investigation system lacking proper tuning and testing. USAA’s compliance department also suffered from significant understaffing and a lack of training. USAA also failed to adequately collect and update customer due diligence information to allow it to properly understand its customers and the risks they presented. USAA had implemented a flawed customer risk rating model.
In April 2022, the Office of the OCC in the United States issued a Consent Order against Anchorage Digital Bank for failure to adopt and implement an adequate compliance program for the bank’s AML requirements under the BSA as laid out in the Operating Agreement entered into with the OCC in January 2021, when Anchorage received the conditional approval to convert into a National Trust Bank. As part of the Consent Order, Anchorage agreed to, among other things, appoint a Compliance Committee of at least three members, of which a majority would be independent directors who are not employees or officers of the bank or any of its subsidiaries or affiliates. The Committee was required to: (i) meet at least quarterly, (ii) communicate a detailed remediation plan for AML compliance, including timelines and responsible persons, and (iii) ensure that the appointed BSA officer has sufficient independence, authority, and resources to carry out their duties, including staff with appropriate skills and expertise (and in sufficient numbers) to support the bank’s AML compliance program, and that compliance staff is vested with sufficient authority to fulfill their duties and responsibilities.
In May 2022, the SEC levied a USD $7 million penalty against Wells Fargo Clearing Services, LLC (Wells Fargo). Wells Fargo’s AML violations centered on failures in its SAR program over a multi-year period. Due to failure in transitioning from one transaction surveillance system to another, Wells Fargo failed to sufficiently capture potentially suspicious transactions involving wire transfers with jurisdictions assessed as being of moderate or high money laundering risk. That resulted in a failure to alert for over 1,700 transactions and to file at least twenty-five SARs.
In August 2022, DFS levied a USD $30 million penalty against Robinhood Crypto, LLC (Robinhood), partly for its failure to maintain an adequately robust BSA/AML program. Despite tremendous business growth, Robinhood failed to effectively develop its AML program, particularly its SAR program in relation to the risks associated with operating a cryptocurrency platform. Despite the growth, Robinhood’s transaction monitoring system remained manual, rather than automated, which was ill-suited to keeping pace with the daily volume of transactions. That resulted in a significant backlog of alerts needing further investigation. Once Robinhood implemented an automated monitoring system, its transaction monitoring rules were deficient. Furthermore, Robinhood’s compliance program relied significantly on the compliance program of its parent company and an affiliate which were not geared to New York’s requirements. This resulted in Robinhood not having significant influence in the management of larger entity-wide compliance program and the resulting implications for Robinhood regarding staffing, resources, and adopting measures. As a result, Robinhood lacked the necessary skilled compliance staff.
In October 2022, FinCEN in conjunction with the Office of Foreign Asset Control (OFAC) levied a nearly USD $300 million penalty against Bittrex, Inc. (Bittrex). Bittrex failed to sustain an effective AML program over a multi-year period regarding its convertible currency trading platform. Particularly, it failed to maintain adequate controls designed to ensure compliance with SAR obligations. Its SAR program relied on a few minimally trained and inexperienced employees manually reviewing all transactions, an impossible task given its overwhelming daily trading volume. Furthermore, in designing its AML controls, Bittrex failed to adequately account for the risks presented by different virtual currencies traded across its platform. As a result, Bittrex failed to timely identify and report a wide variety of suspicious activity, including transactions with entities in violation of OFAC regulations.
C. Technology, AML, and Ransomware
Enforcement actions in the United States, discussed above, should be read in conjunction with a greater trend related to the expectation of the regulators that businesses implement effective compliance programs, commensurate with the risks they are exposed to and the volume and frequency of transactions, in what is called the Risk Based Approach (RBA). Increasingly, the FATF and national regulators have referred to technology and automation, biometric, and artificial intelligence (AI) as tools which would increase the effectiveness of AML compliance programs. But at the same time, this results in increased attention on cybersecurity and data protection, with increased regulatory attention on resilience, cybersecurity and ransomware.
For example, in October 2022, the G7 Finance Ministers and Central Bank Governors approved the publication of a set of principles on third-party cyber risk management and on countering ransomware risks, including recommendations for public and private financial entities on how to address the growing threat of ransomware attacks, identifying the minimum measures to be adopted both to prevent and to mitigate the impact of possible attacks. In the United States in November, FinCEN announced that reported ransomware-related incidents had substantially increased from 2020, with ransomware-related BSA filings in 2021 approaching USD $1.2 billion, and that roughly 75 percent of the ransomware-related incidents reported to FinCEN during the second half of 2021 were linked to Russia-related ransomware variants.
D. Sanctions
Russia’s invasion of Ukraine rocked the economic sanctions world in 2022, leading to a cascade of multilateral sanctions against Russia and Belarus. These are the most significant sanctions ever imposed on a major global economic power and have had broad implications for nearly every sector of the global economy. Most notably, the United States imposed the following restrictions on U.S. person and entity interaction with Russia:
- Expanded comprehensive sanctions on the Crimea region of Ukraine, which was annexed by Russia in 2014, to two newly annexed Ukrainian regions (Luhansk and Donetsk);
- Targeted the Russian Central Bank and Russian banking sector with punishing sanctions, freezing global assets within U.S. jurisdiction and effectively cutting them off from U.S. markets except in limited, defined circumstance;
- Included numerous Russian entities and individuals associated with the Russian government and defense industry to the Specially Designated Nationals (SDN) list, including President Vladmir Putin, many of his family members and close associates, as well as individuals and business leaders generally regarded as oligarchs and many Russian legislators and government officials;
- Prohibited all new investment in Russia by U.S. persons and entities; and
- Prohibited U.S. persons and entities from, directly or indirectly, providing accounting, trust and corporate formation, management consulting, or quantum computing services to any person or entity in Russia.
The United States has also taken an aggressive stance on imposing secondary sanctions on foreign persons continuing to engage with Russian sanction targets supporting the invasion of Ukraine or Russian sanction-evasion efforts, including malicious cyber actors and foreign companies assisting the Russian government in obtaining critical defense-related technology and supplies. FinCEN in coordination with OFAC has also issued numerous alerts and other guidance advising of Russian and Belarussian sanction evasion efforts.
E. Cryptocurrencies & Digital Assets
In 2022, OFAC also demonstrated a notable focus on sanction risks posed by the cryptocurrency industry, designating multiple cryptocurrency exchanges and mixers as SDNs on the basis of their role in facilitating sanction evasion and terrorist financing activity. Previously, OFAC had also issued sanctions and designated cryptocurrency mining company BitRiver and subsidiaries as entities involved in attempts to evade sanctions imposed on Russia.
More recently, an OFAC action against a so-called decentralized virtual currency mixer, Tornado Cash, garnered significant attention for its novelty in challenging a common industry belief that DeFi could not be subject to regulation or enforcement. OFAC also brought several high-profile enforcement actions against cryptocurrency exchanges for failures to prevent sanctioned parties and countries from accessing their services. In the press release, the U.S. OFAC mentioned more than USD $7 billion laundered via Tornado Cash since its creation in 2019. Additionally, Blender.io, another mixer operated as a centralized business but without AML/CFT controls, had been previously sanctioned in May 2022, and the operator of Bitcoin Fog was arrested in 2021. Previously, Bestmixer.io and Helix were also targeted by law enforcement.
Since Tornado Cash was run in a decentralized manner, its being added to the sanctions listings as an entity, followed by the arrest of a Tornado Cash developer in Europe, led to concerns in the industry that blockchain developers may generally be exposed to criminal liability for simply developing privacy-enhancing software, despite previous clarifications approved at the FATF level that software and blockchain developers and node validators would not be imposed AML/CFT requirements. Typically, developers are not maintaining control over networks after launch, which means that there is no operator to be held accountable for AML compliance.
In 2021, the FATF had widened the scope of its AML/CFT regulations standards to capture some of the DeFi projects, such as networks which are not fully decentralized and where operators, promoters, developers, and/or beneficial owners maintain some control or significant influence. Overall, the FATF left the specific rules to be implemented with respect to DeFi networks, subject to several principles, to national regulators. First, the recommendation from the FATF was that a case-by-case determination with a facts and circumstances test be carried out to identify individuals and/or legal entities which could potentially be considered VASPs in connection with a decentralized blockchain project, without taking account of any marketing terms and/or other labels, but rather the services provided by and/or the transactions carried out via the protocol or project. Regulators, in the absence of a legal entity connected to a project, may choose to require that a legal entity be designated for compliance purposes, and/or apply existing rules for non-hosted wallets and peer-to-peer (P2P) transactions. Finally, the FATF highlighted that while self-regulatory bodies would be generally insufficient in themselves, regulators should liaise and discuss potential solutions with the industry. This was consistent with the conclusions of the working group from the Financial Stability Institute (FSI) of the Bank for International Settlements (BIS) stating that collaboration and outreach are the recommended approaches for compliance in the VAs industry.
Finally, in addition to Sanctions and developments with respect to Travel Rule obligations and AML on transactions involving virtual currencies, another aspect of AML compliance for crypto and digital assets for 2022 (and expected 2023 trend) is linked to the work of the Organization for Economic Cooperation and Development (OECD) on a global tax transparency framework to provide for the reporting and exchange of information with respect to crypto-assets. An example is the Crypto-Asset Reporting Framework (CARF), which contains CRS modifications for the automatic transfer of financial account information between jurisdictions. The objective of CARF is to establish a framework that enables tax administrations to gather and share tax-relevant data on specific crypto-asset transactions. CARF is meant to ensure that all assets covered under the new tax reporting framework also fall within scope of AML/KYC obligations. Due diligence procedures will be based on the CRS self-certification process and existing AML/KYC standards.