Print PDF

Moving targets - crypto now and next

Keith Nuthall
Money Laundering Bulletin
February 26, 2024

Carol Van Cleef provided analysis in Money Laundering Bulletin on attempts by regulators to bring the cryptocurrency sector under AML/CTF control.

USA takes aim at mixers

. . . Under the proposed rule, [virtual asset service providers] could be directed to collect and store additional information about mixer transactions, such as currency type, amount, US dollar equivalent, the [convertible virtual currency] mixer identity and/or wallet address and the transaction hash, date, IP addresses and timestamps. Orders might be made that customer names, dates of birth, addresses (physical, CVC wallet and associated email), phone number and government-issued (alpha)numeric identifiers be collected, stored and potentially transmitted. FinCEN Director Andrea Gacki said this was the first time the FIU had used its PATRIOT Act "Section 311" authority to target a class of transactions - in the past these controls have focused on entities or jurisdictions. The move would help the US Treasury "identify and root out the illicit use and abuse of the CVC ecosystem," said Gacki.

Carol Van Cleef, an attorney with Washington DC-based law firm Lewis Baach Kaufmann Middlemiss, with deep virtual currency experience, said this move was important and would bring unhosted wallets under FinCEN's AML/CFT purview. "The use of these extraordinary Section 311 powers available to FinCEN can also cause problems even before the regulation is finalised. For example, the designation of commercial banks as primary money laundering or terrorist financing concerns before the proposed Section 311 rules were finalised has led, in the past, to the collapse of more than one bank within days after the designation as they were cut off almost immediately from correspondent banking relationships with US and other banks. In this context, the FinCEN designation of CVC mixers as products/services of primary money laundering or terrorist financing concerns raises questions of what steps financial institutions should be taking now when interacting with VASPs offering mixing services, or customers of VASPs using mixers."

Van Cleef added: "It's a very significant and powerful tool the US government has."

Other jurisdictions have taken different approaches to VASP regulation, impacting how they are controlled under AML/CFT. Van Cleef stressed the "differences" between what is covered by VASP AML/CFT legislation in the UK, European Union (EU) and US, for example, notably on whether and when crypto should be regulated as a security, or not - which in the US is partly a matter of case law, and of statute in Britain and the EU: "There's more confusion than there should be in the crypto space," she said.

In the US, Bitcoin has been kept out of securities regulation, but hence it comes under money transfer rules, which may be more onerous. That designation can be important for compliance: "I said, be careful... If you're not a security, it's going to put you in this other category and you're probably not equipped to be in that category," Van Cleef has warned clients. . . .

Degrees of separation

. . . Might these problems be dealt with by a global convention on detailed crypto law with an international regulator? Don't hold your breath, said Van Cleef: "I would say, especially in this very factionalised world we're existing in today, that ain't gonna happen."

Extraterritorial control

But technology can help, given crypto is by its nature cross-border, and has been built as a multi-jurisdictional business from the outset: "What technology has given us is the ability to have businesses that can operate on a seamless basis globally, which is very different from legacy banking," which traditionally has had to function within regulatory systems based on physical boundaries. Over several decades, as the traditional banking system (TradFi) has moved from very localised operations to global enterprises, multi-jurisdictional regulatory coordination has slowly evolved as well to provide infrastructure to ensure better oversight and mechanisms for avoiding and managing crises, for instance collateral contingency plans operated by the Bank for International Settlements (BIS).

That will happen with crypto and AML, predicted Van Cleef: "More regulatory coordination and infrastructure is needed but there are many institutional barriers to be confronted on the way there, starting with the US. Unfortunately, it will continue to be terribly painful for VASPs in the interim." The international coordination to date has seemingly been more restrictive than facilitating: for example, FATF has established basic AML standards for VASPs to be implemented by each member country, each in their own way, creating more individual regulatory fiefdoms according to Van Cleef: "With the VASPs, they're coming to table with brand new technology platforms that can operate seamlessly across multiple jurisdictions. When [national regulatory] barriers are effectively erected, the results can be crushing - eroding the great promise of the technology for cost-effective and very efficient operations." . . . 

Law enforcement - catching up

Meanwhile, virtual asset and currency technology continues to evolve rapidly said Van Cleef, adding that the industry remains very much a moving target for potential criminal abuse: "It's an arms race between the law enforcement community and... criminal enterprises attempting to use crypto to facilitate their purposes. This arms race is complicated by an ongoing conflict between those who advocate libertarian views and the potential freedom from government interference the technology offers and those tasked with preventing criminal and other abuses of the technology." While that challenges law enforcement and regulators, the number and value of crypto and other virtual assets continues to grow, with greater mainstream ownership of the assets and adoption of the technology. Fortunately, Van Cleef noted, the technology itself offers solutions. And regulators and law enforcement are much more educated, and better equipped than ever to address the AML/CFT challenges: "They're using the tools to trace criminal activity, they have learned how to impose sanctions on crypto wallets and they are more aggressively subpoenaing VASPs, seizing stolen crypto and pursuing forfeitures, just like in TradFi."

Platform liability

An emerging issue that may have some impact on regulation is whether or to what extent there may be legal liability of the platforms (e.g. Layer 1 blockchain platforms and Layer 2 protocols that integrate third party services with blockchains) for the activity that is undertaken within systems. In the US, for example, calls are growing for the abolition of Section 230 of the 1998 Digital Millennium Copyright Act (DMCA) that removed liability for the consequences of content posted by internet systems, such as Google and Facebook.

Faint murmurs that crypto protocols should be viewed in the same way can be heard in certain regulatory circles, said Van Cleef, if it is possible to identify "who, if anyone, is actually making the decisions for the protocol and the scope of those decisions." She said that key elements of these conversations include "is anything in crypto really decentralised?" Even in DeFi? And while Bitcoin is widely considered to be decentralised in its governance, "the power to make meaningful changes in the code is still limited to very few coders, who are able to effect changes." With respect to smaller protocols: "It's easier to identify one or a few individuals who may be in control of the code for those networks... and while coding is considered by many in crypto to be an exercise of free speech, not everyone in the US government agrees with that view as we are seeing in the Tornado Cash case," she told MLB.

Click here to read the article on (subscription may be required).