A new frontier: crypto risks for companies

August 2022  |  EXPERT BRIEFING  | RISK MANAGEMENT

financierworldwide.com

 

While recent market turmoil may have dampened demand, there is increasing interest in Australia and globally from both financial services entities and consumers in crypto assets. Additionally, cyber attacks that demand payment in digital currencies are on the rise, meaning that all organisations, not just those that deal directly with crypto, are vulnerable to the legal risks these assets carry.

This article details how cryptocurrency risks arise under Australian law, how companies can mitigate those risks, and what the regulation of crypto assets in Australia may look like in the near future.

Current regulation of crypto in Australia

Australia currently lacks any centralised regulation of crypto; however, as we canvass below, this may soon change. The risk landscape is at present dispersed across various laws, which include the following.

Sanctions. Sanctions risk arises in respect of crypto assets not only because payments in crypto may be made to or from a sanctioned entity, but also because the crypto issuer or exchange platform may itself be sanctioned. The US sanctions risk associated with crypto is becoming particularly acute in the context of ransomware demands, where cyber criminals attempt to infect computers or networks with malware and then demand a ransom to decrypt the impacted files. We have seen crypto assets become the preferred medium for these ransomware payments.

The US has already imposed sanctions prohibiting dealings with many digital currency exchanges (DCEs), and while Australia has not yet followed suit, it could do so quickly given the introduction of the Autonomous Sanctions Amendment (Magnitsky-style and Other Thematic Sanctions) Act 2021 (Magnitsky Act) in December last year.

The Magnitsky Act expanded Australia’s autonomous sanctions regime to allow the Australian government to impose ‘thematic’-style sanctions that seek to address transnational criminal issues, including malicious cyber activity. The speed with which sanctions can be imposed by Australia and the international community, as shown in recent months with the Russia/Ukraine conflict, means that it will be important for companies to be aware of the sanctions risk associated with crypto assets (both in the context of ransomware and more broadly) and to proactively consider how to mitigate and manage that risk.

Anti-money laundering (AML) and counter-terrorism financing (CTF). DCEs have been regulated under the AML/CTF Act in Australia since 2018. Given the significant growth of crypto assets since then, AUSTRAC – Australia’s AML/CTF regulator – may increase its scrutiny of these entities by way of compliance assessments or investigations. Furthermore, entities are required under Australia’s AML and CTF laws to appropriately identify and mitigate money laundering and terrorism financing risks faced by their business, which includes risks posed by crypto assets. In April 2022, AUSTRAC released the ‘Digital Currency Financial Crime Guide’, which provides high-level guidance on the ways in which AUSTRAC considers that digital currencies and associated technologies can be open to criminal misuse, as well as some of the behavioural and financial indicators to look for. At the same time, it released a financial crime guide on detecting and reporting ransomware.

Proceeds of crime issues. In the context of ransomware demands, companies are having to navigate potential criminal liability under Australian laws relating to dealing with proceeds and instruments of crime. Those laws are broad and can capture making or receiving payments or property that have been used in or have facilitated the commission of an offence, or that have been derived wholly or partly from the commission of an offence, whether directly or indirectly.

General consumer protection and financial services frameworks. In the absence of dedicated legislation regulating crypto assets, regulators and plaintiffs in Australia have started to rely on consumer protection and financial services laws to take action. APRA, Australia’s prudential regulator, also issued its first formal guidance to regulated entities in April 2022 setting out how APRA considers entities should manage crypto risk within the current prudential framework. It includes, among other things, an expectation that appropriate due diligence and a risk assessment will be undertaken, applying robust risk management controls with clear accountabilities and relevant board reporting, and that entities will consult openly with APRA and the Australian Securities and Investments Commission (ASIC) to clarify any confusion about their responsibilities.

Enforcement in Australia and beyond

Even with the patchwork coverage of existing laws, cryptocurrency enforcement is growing in Australia. The first crypto class action is currently before the courts against crypto issuer Qoin for misleading or deceptive conduct, pyramid selling and failure to comply with financial services obligations and consumer guarantees.

In addition, the Australian Federal Police (AFP) recently succeeded in obtaining a freezing order over a wallet held by Blockchain Global for alleged theft, and ASIC has taken action against the founder of Bitconnect for allegedly operating an unregistered managed investment scheme, providing unlicensed financial services and making false or misleading statements to investors. As larger entities engage with crypto assets and representations about crypto are made to the market, we consider that class action risk will grow, and there will be greater regulatory oversight by ASIC and, possibly, the Australian consumer watchdog, the ACCC, with claims likely to continue to focus on misleading or deceptive conduct and consumer harm, at least until any crypto-specific regulation is introduced.

Looking overseas, the US Treasury established a National Cryptocurrency Enforcement Team (NCET) last year to tackle investigations and prosecutions of criminal misuses of cryptocurrency, including money laundering offences. In its announcement, the Treasury noted that the NCET will leverage expertise from a number of Treasury departments and be informed by the US Department of Justice’s Cryptocurrency Enforcement Framework, released in October 2020.

Furthermore, the US Treasury Department’s Office of Foreign Assets Control (OFAC), the country’s sanctions regulator, has taken enforcement action against companies in the virtual currency industry, demonstrating a heightened focus on virtual currency related violations. OFAC also released last year a new ‘Sanctions Compliance Guidance’ for the virtual currency industry. As the most active global sanctions regulator, OFAC’s guidance is highly influential and can precipitate shifting enforcement priorities globally.

It remains to be seen whether AUSTRAC or the AFP will bring any civil or criminal money laundering-related claims against crypto providers in Australia (as is happening in the US). In our experience we are seeing greater alignment across Australia and its key foreign counterparts in recent years in addressing new and emerging financial crime risks.

A new regulatory regime for crypto on the horizon in Australia?

The crypto regulatory landscape in Australia is evolving as regulators increase their scrutiny of this area. Significantly, in March 2022, the Australian Treasury released a consultation paper outlining the then Morrison government’s proposed approach to regulating crypto assets, to be administered by ASIC.

The consultation paper sets out three options for a licensing and regulatory regime for ‘crypto asset secondary service providers’ (CASSPrs): a separate licensing and regulatory regime, incorporating crypto assets into the financial services regime, and self-regulation. It remains to be seen how the newly formed government will take this consultation forward, although we expect the issue will receive bipartisan support.

The opportunities crypto assets offer are exciting, but the legal risks they carry are becoming more significant. In addition, the danger of cyber attacks leaves all organisations vulnerable to these risks. While in Australia crypto litigation and enforcement are still in their early stages, we can expect to see further developments in this area given the significant growth in digital currencies and as regulators, law enforcement and private litigants skill up.

Companies should ensure that they assess crypto risks carefully across their organisation and that boards and senior management are appropriately cognisant of and briefed on those risks. For many companies, it will be prudent to have in place a risk assessment and ransom recovery plan as well as regular testing and updating of IT systems and processes to reduce the risk of cyber attacks. As the crypto asset landscape continues to rapidly evolve in Australia and overseas, companies should remain agile and reassess their risk and associated controls and response plans on a regular basis.

 

James Campbell is a partner, Cindy McNair is a managing associate and Victoria Eastwood is a senior associate at Allens. Mr Campbell can be contacted on +61 (2) 9230 4751 or by email: james.campbell@allens.com.au. Ms McNair can be contacted on +61 (2) 9230 5515 or by email: cindy.mcnair@allens.com.au. Ms Eastwood can be contacted on +61 (2) 9230 4461 or by email: victoria.eastwood@allens.com.au.

© Financier Worldwide


By James Campbell, Cindy McNair and Victoria Eastwood, Allens

