Silicon Valley meets Washington: federal regulation and enforcement of the cryptocurrency industry

December 2021  |  SPECIAL REPORT: WHITE-COLLAR CRIME

Financier Worldwide Magazine

December 2021 Issue

In recent months, we have witnessed an explosion of digital assets. We have moved from a bitcoin-only world to a multiverse of altcoins, stablecoins, central bank digital currencies, non-fungible tokens and decentralised finance (DeFi).

This rapid expansion of the cryptoverse and its mainstream adoption by traditional financial institutions – from established investment banks, to credit card companies, to online payment systems and other financial technology firms – has increased the focus on cryptocurrency regulation and enforcement at both the federal and state levels, as policymakers have realised that the same qualities that make crypto a force for good – permissionless, decentralised cross-border value transfer at the speed of the internet – also make it attractive to illicit actors.

In the face of such heightened scrutiny, the cryptocurrency industry has engaged as never before with legislators and regulators across Capitol Hill and the interagency. Below we discuss some of the recent notable federal regulation and enforcement developments in this industry.

Regulation and the ransomware focus

On 21 September 2021, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued an updated advisory about the sanctions risks of facilitating ransomware payments using cryptocurrencies. OFAC’s advisory reminds organisations that it applies a strict liability standard when imposing civil penalties for sanctions violations. Thus, organisations may be liable for making a ransomware payment even if they do not know that the recipient has been designated a malicious cyber actor by OFAC.

If a payment is made to a sanctioned entity, the advisory noted that OFAC would consider in its enforcement response: (i) whether the organisation took meaningful steps to reduce the risk of extortion by a sanctioned actor, citing practices highlighted in the ‘Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide’; and (ii) whether the organisation reported the attack “to appropriate US government agencies”, as well as “the nature and extent of [any] cooperation with OFAC, law enforcement, and other relevant agencies, including whether an apparent violation of US sanctions is voluntarily self-disclosed”.

On the same day, OFAC also issued its first-ever sanctions against a crypto exchange, designating the exchange SUEX as a malicious cyber actor. SUEX operated as a so-called ‘nested’ or ‘parasite’ exchange, meaning that it did not directly custody its clients’ crypto. Instead, it fed off the infrastructure of a large, global cryptocurrency exchange to conduct its transactions.

Nested exchanges often take advantage of the greater liquidity and lower transaction costs of big, multinational exchanges while presenting customers with a custom-made interface obscuring the connection to the larger service. Using this relationship with a large exchange, and access to cash from unknown sources, SUEX was able to convert the illicit monies of its clients to physical cash at an alarming scale.

According to the Treasury Department’s press release, over 40 percent of SUEX’s known transactions were associated with illicit actors, and SUEX was sanctioned for providing material support to the threat posed by criminal ransomware actors. Under OFAC’s sanctions, all of SUEX’s property and interests in property that are subject to US jurisdiction are blocked, and US persons generally are prohibited from engaging in transactions with the exchange. Further, entities in which SUEX owns 50 percent or more are also blocked. According to the Treasury Department, financial institutions and other entities that engage in transactions with SUEX may also expose themselves to sanctions or be subject to an enforcement action.

In the wake of the SUEX designation, the Treasury released two additional resources. First, FinCEN issued a report on ‘Ransomware Trends in Bank Secrecy Act Data’, cataloguing average ransomware payment amounts, prevalent ransomware variants and prominent ransomware money laundering typologies. Second, OFAC also published a brochure titled ‘Sanctions Compliance Guidance for the Virtual Currency Industry’.

The brochure is a resource for the private sector that outlines the longstanding OFAC guidance that sanctions apply to the cryptocurrency space in the same way they do for traditional financial institutions. While the brochure highlights sanctions against North Korean cyber unit Lazarus Group in March 2020, and the September 2021 SUEX designation, most of it is dedicated to providing digestible guidance to financial institutions and cryptocurrency businesses on best practices to combat the use of virtual currency by sanctioned persons or jurisdictions.

The SUEX designation and the ensuing guidance for the crypto industry signals that the administration is prepared to go after cryptocurrency businesses that facilitate money laundering and other illicit activity. But, in doing so, the administration has gone out of its way to make clear that its focus is on the illicit underbelly of the crypto ecosystem and hardening cyber defences.

As Todd Conklin, counsellor to the deputy secretary, explained in announcing the OFAC guidance: “We are going to continue to target the illicit parts of the crypto ecosystem while also ensuring we are helping to bolster compliance regimes across the entire ecosystem. Fundamentally though, we see ransomware as a cyber security issue. It gets framed in many areas as a cryptocurrency issue, but just attacking the crypto ecosystem is not going to fix the core problem, which is cyber vulnerabilities across multiple sectors.”

Enforcement

In recent months, Washington regulators and enforcement authorities ramped up their public statements about cryptocurrency-related risks. In August 2021, Gary Gensler, chair of the Securities and Exchange Commission (SEC), made headlines at the Aspen Security Forum when he called for increased regulatory and enforcement scrutiny of cryptocurrency. “We have a crypto market now where many tokens may be unregistered securities, without required disclosures or market oversight,” he said.

This asset class is “rife with fraud, scams and abuse in certain applications”, he continued, explaining how this leaves prices open to manipulation and investors vulnerable. “Right now, we just do not have enough investor protection in crypto. Frankly, at this time, it is more like the Wild West,” he commented. He also noted that the SEC will use the full extent of its powers and will pursue more authority from Congress to “prevent transactions, products and platforms from falling between regulatory cracks”. Similarly, in an interview with the Wall Street Journal, Mr Gensler reiterated that he would ask Congress to help legislate a solution to fill regulatory gaps.

Less than two months later, Lisa O. Monaco, deputy attorney general, announced the creation of a new National Cryptocurrency Enforcement Team (NCET) under the leadership of the Department of Justice’s (DOJ’s) Criminal Division, that would bring together the department’s anti-money laundering and cyber crime expertise at Main Justice and the US attorney’ offices to prosecute cryptocurrency-related crime and recover virtual assets lost to crime, such as cryptocurrency ransomware payments. The NCET builds on the DOJ’s ‘Cryptocurrency Enforcement Framework’, published in October 2020, that recounted its history of pursuing cryptocurrency-related crime and articulated a commitment to using a wide range of criminal statutes to prosecute criminal activity involving cryptocurrency around the world.

US enforcement authorities have shown too that they are far from all talk. This past summer, the SEC, the Commodity Futures Trading Commission (CFTC) and the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) announced settlements in a number of notable cryptocurrency-related enforcement cases, as outlined below.

On 14 July 2021, the SEC settled charges against UK-based Blotics Ltd., formerly doing business as Coinschedule Ltd., for violations of Section 17(b) of the Securities Act. According to the SEC order, Coinschedule operated a website that profiled and ranked more than 2500 offerings for digital tokens, claiming to list the ‘best’ initial coin and exchange offerings. The SEC determined that the publicised tokens included ‘securities’, and Coinschedule failed to disclose that it received compensation from issuers to profile their tokens. The SEC concluded that failure to disclose this compensation violated the ‘anti-touting’ provisions of the federal securities laws, but the decision did not provide clear guidance as to whether and when cryptocurrencies qualify as securities.

On 6 August 2021, the SEC settled charges against Blockchain Credit Partners and its two founders for purportedly using DeFi technology to sell over $30m of unregistered securities and for misleading investors about the company’s operations and profitability. According to the SEC order, Blockchain Credit Partners sold two types of digital tokens on its DeFi Money Market platform. One of the tokens, a payment token called mToken, paid 6.25 percent interest. The other token, DMG, is a governance token that gave holders voting rights and a share of profits. The SEC alleged that DMG holders had the ability to resell the governance tokens for profit in the secondary market. Notably, the SEC explained that labelling DMG as a governance token and mTokens as decentralised did not prevent the agency from concluding that the tokens constituted unregistered securities under securities laws.

On 9 August 2021, the SEC settled charges with Poloniex, the operator of a web-based platform that facilitated the buying and selling of digital assets that allegedly constituted unregistered securities. According to the SEC order instituting cease-and-desist proceedings, the trading platform qualified as an ‘exchange’ under applicable securities laws because it provided the nondiscretionary means for trade orders to interact and be executed. The SEC alleged that beginning in August 2017, Poloniex employees “aggressive[ly]” sought to increase their market share in the trading of digital assets by listing new digital assets on its platform. Poloniex served both US and international users but did not register as a national securities exchange nor qualify for an exemption. The SEC alleged that Poloniex thus violated Section 5 of the Securities Exchange Act as a result.

On 10 August 2021, BitMEX, a cryptocurrency exchange and derivatives trading platform owned and operated by Seychelles-based HDR Global Trading Limited, entered into a global settlement with FinCEN and CFTC. The settlement resolved civil claims that BitMEX offered cryptocurrency derivatives to US individual and institutional customers without registering with the CFTC, operated a facility to trade or process swaps without being approved as a designated contract market or a swap execution facility and failed to comply with US anti-money laundering (AML) laws to maintain an adequate AML compliance programme. In total, BitMEX paid a $100m penalty to FinCEN and the CFTC, with $20m of the FinCEN penalty suspended pending the completion of two independent consultant reviews. Both the CFTC and the DOJ proceedings and the DOJ’s criminal case against BitMEX’s founders, brought in October 2020, remain ongoing.

On 1 September 2021, the SEC announced that it had filed suit against online cryptocurrency lender BitConnect, its founder, and its top US promoter and his affiliated company. According to the SEC, the defendants conducted an unregistered offering and sale of investments in a BitConnect "Lending Program". The SEC alleged that these investments were securities and that the defendants promised extremely high returns but actually diverted investors’ funds to digital wallets they or their allies controlled, thereby defrauding their victims of some $2bn.

In recent months, the DOJ scored some notable successes in cryptocurrency-related criminal cases, too. On 18 August 2021, Larry Dean Harmon, the operator of a darknet-based cryptocurrency mixer called Helix, pleaded guilty to money laundering conspiracy on the eve of trial. As part of his plea, Mr Harmon acknowledged that Helix partnered with several darknet markets, including AlphaBay, to launder bitcoin for customers for a fee by allowing them to deposit bitcoin linked to the darknet in a wallet controlled by Helix, which in turn would transmit bitcoin which, according to Mr Harmon, “have never been to the darknet before” from other Helix-controlled wallets to a recipient address designated by the customer. Previously, in October 2020, FinCEN had assessed a $60m penalty against Mr Harmon for wilful violations of the Bank Secrecy Act and its implementing regulations in connection with his operation of Helix and another mixer, Coin Ninja.

Conclusion

In recent months, we have seen explosive growth in the crypto economy. This growth, fuelled by mainstream adoption of digital assets, has brought scrutiny from policymakers and enforcement authorities. As government actors begin to construct a clear legal and regulatory framework for this new internet of money, it is evident that crypto will continue to present both promise and challenges.

Jessie K. Liu is a partner at Skadden, Arps, Slate, Meagher & Flom LLP and Ari Redbord is head of legal and government affairs at TRM Labs. Ms Liu can be contacted on +1 (202) 371 7340 or by email: jessie.liu@skadden.com.

© Financier Worldwide

BY

Jessie K. Liu

Skadden, Arps, Slate, Meagher & Flom LLP

Ari Redbord

TRM Labs

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.