Cryptocurrencies and Exchanges Will Face Increased Regulatory Focus

By Dustin Palmer

Global and U.S. regulators are clamping down on the “Wild West” crypto industry. New York’s attorney general shut down Coinseed for trading currencies without being registered as a broker-dealer. Bitfinex and Tether were also shut down earlier this year after they paid $18.5 million in penalties. And Treasury’s Office of Foreign Assets Control just designated SUEX for facilitating financial transactions for ransomware actors (such as Colonial Pipeline).

These investigations are not just for the small players. It has also been reported that Binance Holding Ltd is being investigated by the Department of Justice, Internal Revenue Service, and Commodity Futures Trading Commission—for everything from sales of derivatives to money laundering to insider trading and market manipulation. In response, Binance centralized its compliance function and hired a former U.S. Treasury Criminal Investigator as its new AML Officer. Probably a dozen other firms are under investigation, with other regulators involved, such as the New York State Department of Financial Services, the Financial Crimes Enforcement Network and the Securities and Exchange Commission.

Indeed, the Biden administration’s SEC chairman, Gary Gensler, has mentioned multiple times that there is insufficient regulatory oversight of crypto exchanges. That appears to be changing.

Overseas, the new reality of crypto exchange regulation is coming into sharper focus:

  • In 2020, Canada’s financial intelligence unit, FINTRAC, began regulating all crypto exchanges as money services businesses. This includes registration with FINTRAC, recordkeeping, and a full compliance program.
  • In May 2020, Japan began regulating crypto exchanges as legal property, requiring them, along with crypto custodians, to have full compliance programs.
  • The Monetary Authority of Singapore has been clear that crypto exchanges should be fully regulated and require AML programs as digital payment token service providers.
  • In March 2021, South Korea amended its AML law to fully designate cryptocurrency exchanges as financial institutions, and it gave them six months to comply, which includes registration, obtaining authenticated banking contracts with domestic banks, and instituting full information security management certification and AML programs. The South Korean financial regulator went so far as to say that all exchanges that did not comply by September 2021 would be shut down. As of a week before the deadline, only 28 of the 63 crypto exchanges were registered.
  • The United Kingdom’s Financial Conduct Authority in March issued a new policy statement that includes crypto companies on the list of businesses required to comply with AML laws. Of the approximately 23,000 financial companies in the UK, only 2,500 of them previously had to submit financial crime reports. With the new policy statement applying to “all crypto asset exchange providers and custodian wallet providers,” the figure increases to 7,000.
  • In April 2021, Taiwanese authorities clearly indicated that all cryptocurrency exchanges and trading platforms must follow existing AML regulations. Authorities promised that further crypto laws would be forthcoming and said that cryptocurrency exchanges and Bitcoin trading platforms had until July 2021 to fully comply with existing AML regulations.
  • In June 2021, India announced that the well-known Indian crypto exchange WazirX would be shuttered due to money laundering and other criminal offenses.
  • Also, as of June, the European Union’s Sixth AML Directive requires every company that provides financial services, including cryptocurrency exchanges, to comply with all AML and know your customer laws. Various European countries have gone further. For example, in April 2021, Ireland required that all virtual assets service providers register with the central bank within three months to ensure compliance with the AML obligations.

This list could go on, and with China’s central bank last week announcing a ban on all non-official digital currency payments and services, outside of its own that it is developing, the trend is clear.

What are U.S. regulators doing?

In late 2020, FinCEN proposed two major rule changes. First, in October, FinCEN sought to amend the recordkeeping and “travel rule” regulations to collect, retain, and transmit information on international payments at $250, a much lower threshold than the $3,000 limit that it would replace. The rule specifically includes cryptocurrency transfers as a class of transactions to which the proposal would apply.

Second, FinCEN issued an advanced notice of proposed rulemaking in December that would require banks and crypto firms to verify the identity of their customers, keep records of virtual currency transactions greater than $3,000, and submit currency transaction reports for virtual currency transactions over $10,000, if the counterparty in the transaction uses an un-hosted (noncustodial) or “otherwise covered” (such as a primary money laundering concern area) wallet.

Despite the change in administrations, most analysts expect these rules to take effect in 2021.

On Jan. 1, 2021, Congress, after stating that cryptocurrencies are used by “terrorists and criminals . . . to exploit vulnerabilities in the global financial system,” passed the Anti-Money Laundering Act of 2020. AMLA provides the most comprehensive update to AML laws under the Bank Secrecy Act since the USA Patriot Act of 2001, extending requirements to crypto firms by expanding the definition of “financial institutions” to include businesses involved in the exchange of “value that substitutes for currency or funds.” This includes KYC, transaction monitoring, identifying beneficial owners of accounts, and more.

AMLA made it clear what former FinCEN Director Ken Blanco had been saying: All virtual currency businesses must register with FinCEN.

Earlier in 2020, the OCC clarified national banks’ authority to provide custody services of cryptocurrency for all of their customers and issued guidance regarding banks’ use of stablecoins and blockchains, which can be used to facilitate payments and other activities. In January 2021, the OCC gave conditional approvals for national trust bank charters to three cryptocurrency firms: Anchorage, Protego Trust Co., and Paxos. But even those conditional approvals have since been questioned by the OCC’s acting comptroller and could be stopped.

More recently, in July, the President’s Working Group on Financial Markets met to address stablecoins and their potential threat to financial stability, emphasizing “the need to act quickly to ensure there is an appropriate regulatory framework in place.” And in September, Gensler said that any trading platform where someone can buy and sell digital tokens and earn interest must register with the SEC or face an enforcement action, similar to the Wells Notice given to Coinbase (and which caused Coinbase to drop its Lend program).

Based on the above, what regulatory actions are likely in the United States? To be clear, these are my views only:

  • Classification. The SEC currently views cryptocurrency as a security, while the CFTC contends that it is a commodity, the IRS views it as property, and Treasury calls it a currency. Some of these overlap and the SEC v. Ripple case will likely limit the SEC’s role, with most cryptos ultimately being classified as commodities and currency (except for stablecoins, which will likely be considered securities).
  • Initial challenges. Who remembers AML enforcement immediately after the Patriot Act? For many banks and regulators, it was rough—at least partially due to personnel and training. Most regulatory agencies are resource-strained, and technology developments move so quickly that lack of specific knowledge and experience could be an issue. How many banks or regulators understand staking pools, storage options (cold, hot, steel), binary options, hash and nonce?
  • Increased enforcement. In addition to the publicly announced investigations, there are likely many more ongoing. Some will become public shortly, and more investigations will begin this year as state and federal attention is on the industry and the money flowing through it. In the short term, we will likely continue to see regulation by enforcement, with the DOJ and the SEC taking the lead.
  • Specific regulations. Targeted regulations, everything from AML to insider trading, are likely to be issued soon—likely this year and next—especially because blockchain transactions often contain more or different information than typical fiat currency transactions (hence the travel rule issue).
  • Broad reach to non-fungible tokens. These regulations will broadly apply to all sorts of tokens, including those linked to digital art and other valuable property.
  • Full registration and oversight. The era of finding exceptions to being a “financial institution” may be over. The default answer will be “yes,” with very few unregistered crypto firms.
  • Up-or-out mentality. If foreign precedent is followed, U.S. regulators may not give crypto firms extra time to get their affairs in order. They have known for years that this is coming. If crypto firms cannot meet AML and other requirements, they may have licenses withdrawn (if already granted) or be shut down.
  • Expanded focus on sanctions. With significant mining and crypto exchanges in sanctioned countries, U.S. regulators—including OFAC—will likely enhance regulations to stop these countries from circumventing trade embargoes and sanctions.

Whatever the specifics, we can be certain that there will be increased regulatory focus and attention on cryptocurrencies, exchanges and every business that deals with virtual currencies. Real change could require further Congressional action, which could take years to implement—and may very well include some or all of the Senate-passed Infrastructure Investment and Jobs Act’s new transaction reporting requirements that apply to all “cryptocurrency brokers.”

Dustin Palmer is a managing director and a leader of BRG’s Financial Institution Advisory practice. He can be reached at [email protected]. The opinions expressed in this article are those of the author and do not necessarily represent the opinions of BRG or its other employees and affiliates.