This client alert summarizes the information contained in the Framework and provides strategies for compliance with cryptocurrency-related regulatory requirements.
On Oct. 8, 2020, the United States Department of Justice (DOJ) Office of the Deputy Attorney General’s Cyber-Digital Task Force, published “Cryptocurrency: An Enforcement Framework” (the Framework). The Framework highlights the emerging criminal and national security threat that cryptocurrency use poses to the US and provides detailed information about the DOJ’s approach to combating the illicit uses of cryptocurrency and related technologies. This client alert summarizes the information contained in the Framework and provides strategies for compliance with cryptocurrency-related regulatory requirements.
The Framework begins with an overview of cryptocurrency and some of its key characteristics (e.g., decentralized in nature, varying degrees of anonymity), and then describes in some detail both the legitimate and illegitimate uses of this type of virtual asset. In focusing on the ways in which malicious actors leverage cryptocurrency for criminal and illegal purposes, the Framework identifies the following categories of illicit activity:
A. Using cryptocurrency to commit crimes or support terrorism
B. Using cryptocurrency to hide financial activity
C. Committing crimes within the cryptocurrency industry
Throughout this section, the Framework gives examples of recent enforcement actions that highlight various criminal schemes involving cryptocurrency, such as cases relating to ransomware, darknet markets, terrorist financing, money laundering, and operating unlicensed money services businesses. Specific examples include the SamSam ransomware case, in which two Iranian men were indicted in November 2018 for executing an international computer hacking and extortion scheme involving $6 million in ransom payments and over $30 million in losses to more than 200 victims, along with the recent (August 2020) actions to dismantle three terrorist financing cyber-enabled campaigns involving the al-Qassam Brigades, al-Qaeda, and ISIS. These cases highlight the cross-border nature of enforcement, the risk typologies associated with cryptocurrencies, and the importance of adhering to regulatory requirements.
In its second section, the Framework presents the current cryptocurrency regulatory landscape, including applicable laws and regulations, as well as relevant regulatory authorities. For the subsection on laws and regulations, the Framework describes the wide variety of federal criminal code authorities that prosecutors can use to bring cases for cryptocurrency-related crimes, including money laundering and asset forfeiture charges. When discussing relevant regulatory authorities, the Framework describes the key US federal, state, and international regulatory agencies that have enforcement authority over cryptocurrency activity. The Framework also highlights the close interaction that DOJ has with several of these agencies, such as the assistance the Financial Crimes Enforcement Network provides to law enforcement by generating investigatory leads through regulatory reporting requirements, DOJ’s enforcement of criminal violations of US sanctions law, and the support DOJ provides to the U.S. delegation to the Financial Action Task Force (FATF) (e.g., contributions to the development of FATF standards, analysis, and case examples).
In its final section, the Framework identifies the types of business models and activities that may facilitate cryptocurrency-related criminal activity as well as strategies that DOJ expects to deploy in response. These business models and response strategies are presented below.
A. Business Models and Activities That May Facilitate Criminal Activity
B. DOJ Response Strategies
A. Risk Assessment
Institutions should conduct or update their Bank Secrecy Act/Anti-Money Laundering/Sanctions risk assessment to identify how cryptocurrencies may impact the organization’s risk for potential exposure to money laundering and sanctions violations. When conducting a risk assessment, it is important to understand the types of cryptocurrency actors and how they may interact with your own institution, including administrators, miners, exchangers, and mixers.
B. Know Your Customer Assessment and Update
Institutions may need to conduct a Know Your Customer (KYC) refresh to include additional information related to cryptocurrency activity. In addition, institutions should update their KYC procedures to ensure that the additional information is captured in the future. Additional information they should consider capturing includes the following:
C. Transaction Screening and Surveillance
An institution must ensure that its filter technology solution is capable of generating alerts on cryptocurrency-related identifiers. An institution should also be proactive in using blockchains to analyze patterns behind how sanctioned entities use digital assets. Technology marketed by detection solution providers can trace activity by individual wallet addresses to identify activity obscured by mixers and tumblers. Any blockchain analysis should be incorporated into policies, procedures, and training.
Institutions should periodically conduct training related to cryptocurrencies. Training topics should include:
Guidehouse has deep expertise in helping clients in the digital assets space with implementing these and other compliance strategies. In addition, our Business Optimization and Strategy Services offering brings integrated solutions and subject matter expertise to develop lasting, effective, and high-performing organizations in the cryptocurrency area. The core components include business and operating models, governance, and regulatory and compliance advisory services, but the real success comes from integrating these offerings with other technical disciplines—such as Enterprise Risk Management, data analytics, human capital, and cybersecurity. While our clients’ challenges may be diverse, our goal is simple—enable clients to be resilient in the future, while optimizing in the present.
Risk, Regulatory, & Compliance