Crypto Crackdown: 8 Key BSA/AML Fundamentals for FinTechs

Bradley L. Dizik / July 25, 2024

In June 2024, multiple state regulators took joint action against Plutus Financial, Inc. (Abra), ordering Abra to cease and desist certain operations in the U.S. and reimburse customers for virtual assets valued at $81.1 million due to its failure to properly register with state financial regulators. The action illustrates the necessity for FinTech companies participating in virtual assets to register with the relevant regulatory bodies. Registration requires demonstrating a company’s ability to implement robust compliance programs, including an effective Bank Secrecy Act (BSA) / Anti-Money Laundering (AML) and sanctions compliance program.

At Issue with Plutus Financial, Inc.

Abra operated a mobile application for buying, selling, trading, and investing in cryptocurrency that was offered to U.S. customers. While Abra appears to have registered with the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) as a Money Services Business (MSB) as early as 2022, it did not obtain the required licensing from 25 state financial regulators. As a result, it settled with a state regulatory working group led by the Washington State Department of Financial Institutions, agreeing to cease accepting virtual assets from U.S.-based customers and to refund any remaining virtual assets on its platform to U.S. customers in the settling states, which could total up to $81.1 million.

Proper Licensing is a Requirement Not a Suggestion

The recent enforcement action against Abra highlights a trend in 2024 of regulatory actions targeting cryptocurrency-focused FinTechs that offer legitimate services but lack proper licensing or registration. Here are a few examples:

  • TradeStation Crypto, Inc – In February 2024, the Securities and Exchange Commission (SEC) announced charges against TradeStation Crypto, Inc. for “failing to register the offer and sale of a crypto lending product that allowed U.S. investors to deposit or purchase crypto assets in a TradeStation account in exchange for the company’s promise to pay interest.”
  • ShapeShift AG – In March 2024, the SEC charged ShapeShift AG with acting as an unregistered dealer in connection with its operation of an online crypto asset trading platform.
  • In March 2024, the Commodity Futures Trading Commission (CFTC) filed a civil enforcement action against KuCoin for multiple violations, including not properly registering with the CFTC as a swap execution facility. In addition, a separate Department of Justice (DOJ) indictment which was unsealed in March 2024 stated that KuCoin failed to put into effect any AML protocols from 2017 through 2023 and failed to register with FinCEN. Additionally, it is likely that KuCoin failed to register with various U.S. state regulators such as the New York Department of Financial Services among others.
  • Falcon Labs, Ltd – In May 2024, the CFTC filed and settled charges against Falcon Labs, Ltd for failing to register with the CFTC as a futures commission merchant after it was determined that Falcon Labs, Ltd provided U.S. persons access to digital asset derivative trading platforms.

The basic theme from the DOJ, CFTC, SEC, and various state regulators is that if a FinTech company dealing in virtual assets plans to provide services to U.S. customers, it had better register or be licensed accordingly.

Licensing and BSA/AML Compliance

The crackdown on companies that fail to properly register with the appropriate federal and state regulators highlights the need for digital asset companies to design effective BSA/AML and sanctions compliance programs. In order to obtain the required licensing and registration, FinTechs in the virtual asset space are generally required to demonstrate their BSA/AML and sanctions compliance capabilities. The specific capabilities may vary depending on the services offered and the regulatory regime. The following steps will help digital asset FinTech companies develop an effective AML and sanctions compliance program and mitigate exposure to criminal or civil enforcement action:

  • Conduct a risk assessment to determine exposure to AML and sanctions risk. While there are no federal requirements to conduct an AML and sanctions risk assessment, some state jurisdictions do require initial and ongoing risk assessments. Risk assessments are the foundation of an effective compliance program and should be conducted at least annually or whenever significant changes to business operations or structure occur. At a minimum, a risk assessment should take the following into consideration: customer base; geographic regions of services; and the types of services and virtual assets offered.
  • Formalize an AML and sanctions compliance program or, if one already exists, conduct an effectiveness review or assessment to make sure controls are working as intended. The AML and sanctions compliance program is a living document that should be continually assessed and updated based on risk assessments.

The following are the fundamentals of an effective AML program:

  1. Establish policies and procedures – The policy must be in writing and cover the five pillars of an AML program (internal controls, training, compliance staff, independent testing, and customer due diligence).
  2. Know Your Customer (KYC) – An effective KYC program comprises three elements: Customer Identification Program (CIP), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD). A cryptocurrency exchange, and increasingly any other virtual asset platform, must have procedures for verifying the identity of a customer as well as procedures for conducting initial and ongoing due diligence on that customer and their crypto asset addresses. Best practices include having a baseline of KYC procedures for all customers and then risk-based enhanced procedures for customers deemed to be higher risk.
  3. Transaction Activity Monitoring – Monitoring a customer’s transaction activity is part of the KYC function. Develop procedures and controls to identify suspicious activity by customers and activity conducted on customers’ virtual asset addresses. The procedures must include parameters for when Suspicious Activity Reports are filed with FinCEN.
  4. Training Program – An effective training program must be conducted on at least an annual basis. The training should be reviewed and approved by management and the Board of Directors. The training should emphasize the importance of AML and sanctions compliance and discuss the impact on the organization and the community it services if non-compliance occurs. The training may include a blanket training that the company receives as a whole. However, it should also include job specific training tailored to the function of various compliance personnel.
  5. Compliance Staff – An effective AML and sanctions program requires a BSA/AML Officer and staff. The number and experience of the staff should be based on the risk posed by the total operations of the exchange.
  6. Independent Review – Have procedures for conducting an independent review. Best practices require that an independent review be conducted at least annually or when there are significant changes to business operations, such as a merger or a new virtual asset offering. The independent review should be conducted by a qualified third party or by a qualified internal team that is not responsible for designing or implementing the AML program. The independent review should assess whether the written AML program meets the minimum requirements of state and federal laws. Furthermore, the independent review should assess the company’s adherence to its own written policy.
  7. Law Enforcement Requests – Have procedures for responding to law enforcement requests. The procedures should include mechanisms for acceptance, review, and response to National Security Letters, FinCEN 314(a) requests, grand jury subpoenas, court orders, and non-judicial requests such as administrative subpoenas and general law enforcement requests.
  8. Sanctions Compliance – Develop procedures to ensure that the company’s direct customers, counterparties, and digital asset addresses are not sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). This includes the jurisdictions in which the company operates. Best practices require the implementation of controls to identify whether customers and virtual asset addresses are sanctioned by OFAC during the onboarding process. In addition, customers and their virtual asset addresses should be rescreened as OFAC updates become available and prior to a transaction being conducted. Internet Protocol (IP) address monitoring should be implemented to ensure that customers are not operating in sanctioned jurisdictions. Furthermore, companies should routinely evaluate their risk tolerance when determining whether to allow customers to use virtual private networks.

The Bottom Line

The benefits of engaging a compliance expert, like Guidepost, can be the key to a company’s sustained success. We bring a wealth of specialized knowledge and an unbiased perspective that is crucial for thorough risk assessments, the development of robust compliance programs for FinCEN, civil and state regulator registration, and AML and sanctions program evaluation and development. Guidepost can also offer support through criminal and civil investigations, should you or your company need it.

Moreover, the presence of an independent compliance authority instills confidence among investors, partners, and customers, reinforcing your company’s commitment to ethical practices and legal integrity. This trust is invaluable, as it not only protects but also enhances your company’s reputation in a market where credibility is currency.


Bradley L. Dizik

President, Emerging Issues + Technology

Bradley Dizik advises publicly held, private and not-for-profit institutions on integrity issues, including development and evaluation of ethics and compliance programs and related best practices, institutional structure and culture, risk oversight, board and committee structure, board and executive leadership, independent and internal investigations, and audits and assessments. Mr. Dizik is currently advising the President and Board of Regents of the University of Michigan on the implementation of internal controls and structural and cultural transformation efforts in response to its sexual misconduct crisis. He is also a key member of the team investigating and assessing the Southern Baptist Convention’s handling of sexual abuse allegations and related treatment of survivors and practice reform efforts.
