The following article is reproduced by permission from Promontory Sightlines, a publication of Promontory Financial Group, LLC.
Digital currencies have reached a critical—and delicate—moment in their evolution. U.S. regulators and law enforcement are increasingly focused on the potential use of digital currencies to finance criminal activities, including terrorism.
Scrutiny in the U.S. affects not only domestic digital-currency firms, but also global digital-currency firms that have U.S. customers. Regulators outside of the U.S. have generally not yet indicated the same level of concern, but many are monitoring the digital-currency market and are likely to devote greater resources to its oversight if its growth continues.
The industry can take steps to ease regulators’ concerns, but doing so will require major changes to current practices and technology. The formation of the Committee for the Establishment of the Digital Asset Transfer Authority, which will work with regulators and law enforcement worldwide to establish best practices and a self-regulatory organization for digital-currency firms, represents a positive first step toward these goals.
The necessary changes will likely alienate some legitimate users who value the independence of digital currencies from the influence of national governments, but U.S. law enforcement and regulators expect the industry to make progress on these issues and have shown they will not hesitate to step in if the industry does not. Few firms like to upset customers, but the potential for increasingly severe enforcement actions—which are almost certain without further prompt action by the digital-currency industry—is an even greater threat to the industry’s viability.
Two recent developments have raised the public profile of digital currencies and put them on regulators’ radar. The first is the rapid growth in Bitcoin activity, including:
• Adoption of Bitcoin as a medium of exchange by a small, but growing, group of merchants, creating a nascent payments market for goods and services;
• Use of Bitcoin as an alternative asset class, encouraged by a generally upward trend in the value of the currency. A bitcoin traded at approximately $120 in early September, up from approximately $6 little more than a year ago; and
• Growth in trading of bitcoins against fiat currencies, fueled both by its general increase in value against fiat currencies and recent market volatility. Daily volume on the major exchanges now averages more than $5 million.
The other important development was the recent indictment of Liberty Reserve, a centralized digital currency that appeared to have been set up with the express purpose of facilitating—and profiting from—money laundering. While Liberty Reserve is not representative of digital currencies, it has heightened law enforcement and regulatory scrutiny on the potential for digital currencies to fund illegal activity. The U.S. Department of Homeland Security recently targeted illegal money transmission at Mt. Gox, a Bitcoin exchange, and state regulators in California, New York, and Virginia have issued orders requiring certain digital-currency firms to cease illegal money transmission.
It appears many digital-currency firms may have underestimated their regulatory obligations, the anti-money-laundering risks presented by their business models, and the degree of law-enforcement concern surrounding those risks. The U.S. government’s action to force changes in international wire-messaging practices of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) demonstrates that U.S. authorities can and will require financial institutions to understand the identity of both parties to their financial transactions. The digital-currency industry should expect the U.S. government to hold firms to a similar standard and plan accordingly, which is made more challenging by the ability of users to store and send many digital currencies without using the services of a financial institution.
Because decentralized digital currencies, including Bitcoin, lack a central administrator, regulators and law enforcement are left to pursue public-policy objectives through oversight of those firms that enable others to trade or transact in them. Early indications are that many U.S. regulators and law enforcement authorities would welcome further development of the market through a group of digital-currency firms committed to strong AML processes and cooperation with authorities.
A fully offshore digital-currency industry still poses substantial money-laundering risks to the U.S. government (for example, in relation to drug payments); a thriving onshore industry leading the way towards better industrywide AML standards and controls that in turn strengthen industry practices globally presents the best opportunity to reduce these risks. In this respect, the entertainment industry’s experience with copyright laws may be a reasonable guide: As authorities sought to enforce copyright law, they generally found it more effective to embrace and regulate distributed technologies than to try to shut them down.
The potential of digital currencies
One might reasonably ask whether the game is worth the candle: Do digital currencies offer a legitimate public benefit? Assuming the industry can resolve the serious AML issues it faces, the answer clearly is yes.
Digital currencies have potential to offer payment options that are significantly cheaper than current alternatives available to consumers, small businesses, and nonprofit organizations. (For a schematic of how such transactions work, click here.) The longer-term cost advantage derives in large part from having fewer intermediaries to compensate. In the shorter term, the irreversibility of transactions, in particular the absence of error and dispute resolution, also lowers costs. Transaction costs for bitcoin-to-bitcoin transactions are typically around one cent. In the U.S., merchants can already accept bitcoin and receive Automated Clearing House payments in dollars for a fee of approximately 1%. Future adoption of digital currencies by mainstream financial institutions could give consumers an inexpensive method of transacting without having to hold a balance in the currency. This would mean a consumer would have no more need to understand the inner workings of the digital currency than the Automated Clearing House’s transaction-processing systems. The founders of Ripple, a second-generation digital currency in late-stage development, explicitly envision the main purpose of the currency as a means to the end of facilitating payments in other currencies.
Digital currencies offer great potential for increasing efficiencies in areas such as small intercurrency transactions and remittances. The World Bank estimates that transaction fees are roughly 7% of the $500 billion global remittances market. Digital currencies also offer the potential for greater financial inclusion, particularly in increasing access to affordable payment options in the developing world, especially in applications using SMS (short message service) technology.
Although the combination of digital currency and remittances may sound toxic from an AML perspective, regulators and law enforcement may eventually appreciate the robust digital trail that these transactions create. Most digital currencies already include a public ledger that records every single transaction. A digital-currency transmission system that also provides firms and law enforcement access to reliable counterparty information for all transactions would arguably have greater transparency than any major payments networks in use today. Indeed, the combination would be sufficiently powerful to require careful thought from firms and regulators alike about appropriate privacy controls.
How digital-currency industry can address AML risks
Digital currencies will reach their potential only if the industry acts quickly to reduce AML risk. Three actions are especially necessary, of which two can be taken at the firm level, while the third requires coordination across the industry.
• Develop strong BSA/AML programs
Regulators and law enforcement will expect firms to develop and implement Bank Secrecy Act/AML and sanctions programs commensurate with the risks of digital-currency transactions. The Financial Crimes Enforcement Network has set out the standards applicable to money transmitters in its BSA/AML Examination Manual for Money Services Businesses, but digital-currency firms should consider two additional factors:
• Know Your Customer
The FinCEN manual states that “internal controls should provide for … verification of identity,” but offers little specific guidance on how firms should identify and verify their customers. Given the risks inherent in digital-currency transactions, firms can demonstrate compliance by voluntarily imposing bank-level standards for customer identification and verification, and enhanced due diligence for certain groups of customers.
FinCEN’s manual does not detail the steps that firms must take to comply with Office of Foreign Assets Control sanctions. Firms need strong systems and controls to prevent them from processing transactions involving customers or other parties subject to OFAC sanctions, as well as to comply with OFAC reporting requirements.
An industry initiative to develop AML standards applicable to digital currencies would benefit all digital-currency firms seeking to develop strong BSA/AML programs, and demonstrate industrywide commitment to compliance to regulators and law enforcement. Better still, the DATA initiative contemplates the establishment of a self-regulatory organization (SRO) that would develop external validation of compliance with laws and regulations, as well as adherence to best practices. An SRO, which would supplement rather than replace FinCen and state oversight, would also help the industry work with regulators on difficult questions, such as how to apply the provisions of the “Travel” rule in relation to digital-currency transactions.
[Editor’s note: Read an excerpt from a FinCEN presentation at the ABA/ABA Money Laundering Enforcement Conference, with additional relevant links, at the end of this article.]
Get necessary registration and licenses
FinCEN’s March guidance on treatment of digital currencies suggests that regulators and law enforcement will in most cases treat any firm offering digital-currency exchange, brokerage, or transaction-processing services as a money transmitter. Firms can comply with related requirements by registering with FinCEN and applying for necessary state licenses, or by acting as the agent of a registered and licensed firm. While registration, licensing, and establishing an agency relationship do not by themselves reduce AML risk, they do establish a cooperative tone with regulators and enable government oversight of firms’ compliance programs.
Given the cost of multistate licensing, availability of cost-effective agency arrangements would aid start-ups and promote continued innovation. However, money transmitters and other financial institutions providing agency services to digital-currency firms should expect enhanced regulatory scrutiny of their own BSA/AML programs and agent-oversight arrangements. Regulated firms that cannot demonstrate strong risk-management processes invite regulatory action requiring them to exit higher-risk businesses. Digital-currency firms should therefore conduct careful reverse due diligence on a regulated firm’s compliance program and regulatory relations before relying on an agency arrangement.
The costs of regulation may tempt some digital-currency firms to argue that the law does not require registration or licensing, but absent regulatory concurrence, such firms deploy these arguments at their peril. Regulators and law enforcement are unlikely to tolerate any efforts to exploit gray areas or loopholes. In the words of one law enforcement official, “the tie will not go to the runner.” Firms that believe they have a cast-iron case that they do not transmit money should address that argument in writing with FinCen and relevant states rather than hoping to fly under the radar.
That is not to deny firms have faced genuine uncertainty about the application of money-transmitter laws to digital-currency exchanges. Before FinCEN issued its guidance, many firms reasonably relied on legal advice that they need not pursue FinCEN registration or state licensing. And the FinCEN guidance itself only applies to federal law, leaving considerable questions concerning the applicability of state laws to digital currency. State regulators and the industry would both benefit from dialogue that clarifies how state laws apply to digital currency. While noncompliance with money-transmitter laws is extremely serious, the genuine uncertainty provides a strong argument against punitive actions for firms that are proactive in their state regulatory outreach and move quickly to comply with state laws.
Develop information-sharing mechanisms on user identities
The measures just described do not sufficiently mitigate the AML risks posed by the anonymity afforded to digital-currency users. Effective AML compliance requires firms not only to Know Your Customer but also to Know Your Counterparty. Without information on their customers’ counterparties, digital-currency firms will not be able to monitor transactions or screen for sanctions compliance to the standards expected of regulated financial firms. Mitigating this risk requires development of information-sharing mechanisms that allow digital-currency firms access to verified information on their customers’ counterparties when needed. It may also require the ability to block transactions with identified bad actors.
Developing these mechanisms takes time, and presents several major challenges. Providing access to verified information about all transaction parties to digital-currency firms will require new protocols to supplement existing transactional information, or the development of an information-sharing database that allows digital-currency firms to identify users. Given that many digital-currency users transact from wallets stored on their own computers without using any firm’s services, any solution must encompass users not associated with a particular firm. The industry could achieve this by making a Web-based verification service available to such users.
Of course, this kind of information sharing raises legitimate privacy concerns, especially when combined with the richness of transaction data available from public ledgers. The industry will need to balance AML controls with best-practice privacy controls that assure customers that their identities and transactions will remain private even without anonymity. This could involve the provision of identity-management services by digital-currency firms or trusted third parties, with user information not generally included in transaction data and disclosed only in certain circumstances. Even then, such steps (as well as other aspects of effective AML compliance) will predictably offend some users who now use digital currencies for legitimate purposes. Development of such mechanisms may prompt greater use of measures—such as use of mixing services and multiple addresses from both money launderers and some legitimate users—to try to mask the source of funds. In the longer term, therefore, the industry may need to develop ways to prevent transactions involving users or funds that firms cannot adequately verify.
Given regulatory and law enforcement concern, leading firms would benefit from a public commitment to address these difficult issues and the expeditious formation of credible industry initiatives to address them. If the industry can move forward while engaging regulators and law enforcement, it can make a strong argument that its initiative will lead to good public-policy outcomes and therefore should be given time to get controls in place.
Implications for banks
Digital currencies present both opportunities and threats to banks. While digital currencies give banks opportunities to offer new services to existing customers, some will cut into existing profitable ones. The digital-currency firms that form successful partnerships with banks to offer services will be those that offer a business model that provides clear benefits over the status quo to banks and their customers alike. Banks also have opportunities to provide banking services to digital-currency firms. However, regulatory expectations for banks’ third-party oversight continue to grow. Banks providing services to digital-currency firms, such as access to the ACH network, should conduct careful due diligence on the firms, including detailed review of their:
• BSA/AML programs
• Information-security and privacy programs
• Marketing, disclosures, and other consumer materials
• Chargeback rates
Other challenges facing digital currencies
AML risks are merely the most immediate regulatory challenges facing digital-currency firms. Those firms that successfully meet regulatory expectations for AML compliance must address a wider array of regulatory and public-policy concerns before digital currencies can fulfill their considerable potential.
• Information security
Consumers and regulators must be confident that both digital currencies and firms offering digital-currency services do not present heightened information-security risks. The industry will need to persuade potential users that each currency’s cryptography and transaction validation can withstand external attack. Distributed digital currencies face particular challenges in gaining widespread trust, as there is no legal entity to offer recourse to users. The industry must also overcome negative perceptions resulting from security breaches that have already occurred at individual firms, and demonstrate that firms have fully addressed the control weaknesses that allowed those breaches.
• Consumer protection
Any digital-currency exchange operating in the U.S. that achieves the volume to which it aspires will soon confront the possibility of compliance with the Electronic Fund Transfer Act and Regulation E, which impose on certain payment-service providers significant obligations related to error resolution and limited liability for unauthorized transfers. Indeed, consumer protection could arise as a strategic question even before it becomes a regulatory imperative, as consumers may prove wary of adopting new payment mechanisms that do not offer the same protections they enjoy with existing options. The same irreversibility of digital-currency transactions that many in the digital-currency industry value for its efficiency could make it prohibitively expensive under existing protocols to provide limited liability and dispute-resolution protections that most consumers now have with their banks and credit card companies. Digital-currency firms should contemplate supplementing existing software to reverse transactions, provide escrow services, or otherwise make consumers whole in cases where errors or unauthorized transfers occur, perhaps as a value-added service. Proactive thinking, as well as engagement with regulators to understand the extent EFTA and Regulation E requirements apply to digital-currency transactions, will facilitate quick industry response if it eventually becomes clear that either regulatory concerns or market pressures require transaction reversibility.
Commodities, derivatives, and securities regulators worldwide will need to confront similar issues as the digital-currency market grows. More speculatively, some jurisdictions could consider regulating digital currencies as securities. In all of these cases, engagement with regulators—both in the U.S. and globally—will reduce the risk of unpleasant surprises.
Digital currencies offer the potential prize of cheaper and faster payments for many consumers and organizations, including many poorly served by existing options. From the perspective of law enforcement and regulators, successfully addressing the Know Your Counterparty issue would mean digital currencies offer a stronger basis for both preventing and identifying money laundering than most, if not all, existing payment networks. The industry and consumers will only realize these benefits, however, if digital-currency firms prioritize AML and other important public-policy challenges posed by digital currencies. This will require hard work, leadership, and ingenuity from the industry and regulatory authorities alike.
About the author
Adam Shapiro is a director at Promontory Financial Group, LLC, who focuses on helping clients with compliance programs and regulatory issues. Before coming to Promontory he served in multiple roles at the United Kingdom’s Financial Services Authority and with the Bank of England. Daniel Bufithis-Hurie and Daniel Bulaevsky contributed to this article, which originally appeared in Promontory Sightlines for Fall 2013.
• • •
From Nov. 19, 2013, Remarks of Jennifer Shasky Calvery, Director, Financial Crimes Enforcement Network at American Bankers Association/American Bar Association Money Laundering Enforcement Conference
The following excerpt comes from this presentation. The same day, Calvery testified at length about virtual currencies before a joint hearing of the Senate Banking Committee’s Subcommittee on National Security and International Trade and Finance and the Subcommittee on Economic Policy. You can read her prepared testimony in full here.
You can access the full hearing record here.
I’d also like to discuss virtual currency, as this has been a hot issue this past year, and I expect it will continue to be so for the foreseeable future.
In March, FinCEN issued interpretive guidance to bring clarity and regulatory certainty for businesses and individuals engaged in money transmitting services and offering virtual currencies.
The guidance explains how FinCEN’s “money transmitter” definition applies to certain exchangers and system administrators of virtual currencies depending on the facts and circumstances of that activity. Those who use virtual currencies exclusively for common personal transactions like buying goods or services online are not affected by this guidance.
FinCEN’s guidance explains that administrators and exchangers of virtual currencies have registration requirements and a broad range of AML program, recordkeeping, and reporting responsibilities. Those offering virtual currencies must comply with these regulatory requirements, and if they do so, they have nothing to fear from Treasury. Those who are intermediaries in the transfer of virtual currencies from one person to another person, or to another location, are money transmitters that must register with FinCEN as MSBs, unless an exception applies.
The guidance clarifies definitions and expectations to ensure that businesses engaged in similar activities are aware of their regulatory responsibilities and that all who need to, register appropriately.
Since the guidance was issued in March, I am pleased to report that some virtual currency exchangers have registered with FinCEN as MSBs. I do, however, remain concerned that there appear to be many domestic virtual currency exchangers that have not taken this step. FinCEN has begun an outreach effort to virtual currency exchangers that have a domestic presence to outline their BSA requirements, and to offer assistance on the registration process.
And if a business does not believe they are required to register, we are asking them to contact FinCEN so we can gather additional information in order to make that determination.
The decision to bring virtual currency within the scope of our regulatory framework should be viewed by those who respect and obey the basic rule of law as a positive development for this sector. It recognizes the innovation virtual currencies provide, and the benefits they might offer society.
Several new payment methods in the financial sector have proven their capacity to empower customers, encourage the development of innovative financial products, and expand access to financial services.
We want these advances to continue. However, those institutions that choose to act outside of their AML obligations and outside of the law have and will continue to be held accountable. FinCEN will do everything in its regulatory power to stop such abuses of the U.S. financial system.