Indictment Focuses on “High Risk” Transactions Involving Mexico, Bulk Cash, and Zero SAR Filings

On September 13, the United States Attorney’s Office for the Eastern District of New York announced that defendant Hanan Ofer pleaded guilty to “failing to maintain an effective anti-money laundering program.” Ofer and his co-defendant, Gyanendra Asre, were named in a March 2021 indictment (the “Indictment”) alleging they funneled “hundreds of millions of dollars from high-risk foreign jurisdictions” – primarily, Mexico – from 2014 to 2016, through “small, unsophisticated financial institutions” without implementing an anti-money laundering program as required by the Bank Secrecy Act (“BSA”). Ofer and Asre were charged with failure to maintain an effective anti-money laundering (“AML”) program, failure to file (any) Suspicious Activity Reports (“SARs”), and the operation of an unlicensed money transmitting business.

As we discuss, it is a little difficult to draw clear lessons from the Indictment. Although the DOJ press release emphasizes the eye-catching number of $1 billion, neither the press release nor the Indictment actually describe these transactions as “suspicious,” much less as involving specific illicit proceeds. Rather, and as we discuss, the transactions are described merely as “high risk.” Thus, and although it is entirely possible that the government has access to evidence which it did not reference in the charges, the Indictment appears to rely heavily on a very process-oriented theory of prosecution: the defendants failed to implement adequate processes to monitor and/or prevent transfers that were “high risk,” but not demonstrably related to illicit funds involving specific underlying criminality.

It is also important to acknowledge the Indictment’s allegations against both defendants for operating, apparently “on the side,” a separate unlicensed money transmitter business of their own. Here, the allegations are more concretely severe: the unlicensed money transmitter business “involved the transportation and transmission of funds that were known to the defendants to have been derived from a criminal offense or were intended to be used to promote and support unlawful activity.” Although it is impossible to know, this charge presumably pressured in part Mr. Ofer to plead guilty to more process-oriented BSA charges involving the $1 billion in “high risk” transfers at other financial institutions.

On Friday, the Department of Justice (“DOJ”) announced two developments:  First, the release of a 66-page report, The Role of Law Enforcement in Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets (the “Report”), issued under President Biden’s March 9, 2022 Executive Order on Ensuring Responsible Development of Digital Assets. Second, the establishment of the Digital Asset Coordinator (“DAC”) Network, a nationwide group of prosecutors designated as legal and technical experts in digital asset cases.

We focus here on the regulatory and legislative recommendations of the Report, which seek to expand significantly the ability of the DOJ to investigate and prosecute offenses involving digital assets. The recommendations include increasing criminal penalties, extending statutes of limitations, expanding venue provisions, enhancing the government’s forfeiture powers, and prohibiting virtual asset service providers from “tipping off” the subjects of grand jury subpoenas received by the providers.  The recommendations also include making clear that the federal criminal law against maintaining an unlicensed money transmitter applies to peer-to-peer platforms that purportedly do not take custody or assume control over the digital asset being exchanged; ensuring that the Financial Crimes Enforcement Network (“FinCEN”) issues a final rule expanding the application of the Travel Rule under the Bank Secrecy Act (“BSA”) to digital asset transfers; and expanding or arguably clarifying that the BSA applies to platforms dealing in non-fungible tokens, or NFTs, including online auction houses and digital art galleries.

Complaint Illustrates Existential Fight Over OFAC’s Ability to Sanction Open-Source Code – and OFAC Responds (?) By Issuing FAQs on Tornado Cash Use

Last month, the Office of Foreign Assets Control (“OFAC”) sanctioned Tornado Cash, a virtual currency “mixer” operating on the Ethereum blockchain which allegedly has been used to launder the virtual currency equivalent of more than $7 billion since its creation in 2019, by adding it to the Specially Designated Nationals and Blocked Persons List (the “SDN List”). The initial response from certain elements of the crypto community was, not surprisingly, negative: for example, an 8/15 Coin Center whitepaper and an 8/23 letter from Congressman Tom Emmer to Treasury Secretary Janet Yellen argued that OFAC lacked the legal authority.

In the intervening month, things have heated up considerably. Last week, six plaintiffs filed a complaint against OFAC and the Treasury Department, as well as Secretary Yellen and OFAC Director Andrea Gacki in their respective official capacities, in the Western District of Texas (Waco Division), seeking declaratory and injunctive relief – specifically, that the court declare OFAC’s addition of Tornado Cash to the SDN List as unlawful, and permanently enjoin the enforcement of the designation and any sanctions stemming therefrom. Plaintiffs allege that venue is proper due to Plaintiff Joseph Van Loon’s residence in Cedar Park, TX, within the Western District. Plaintiffs’ decision to opt for the Waco Division, rather than the Austin Division, may be intentional, because the Waco Division has only one judge, who until recently has been the go-to choice for patent litigation plaintiffs.

The complaint has and will continue to draw considerable attention. It lays out the framework for a fascinating question: under existing law, can OFAC act directly against a piece of technology such as open-source code? Or, must OFAC pursue enforcement, through a more difficult, piece meal and time-consuming process, only against specific individuals and specific legal entities? Presumably, both sides will invoke broad policy-related and equity-related arguments regarding “privacy,” “transparency,” and the need to fight crime. However, the key issue may come down to a more traditional and rather dry legal issue of parsing the meaning of statutory language.

On September 8, the Office of the Comptroller of the Currency (“OCC”) published an extension of its notice and request for comment (the “Notice”) in the Federal Register regarding changes to the OCC’s Money Laundering Risk System (the “MLR System”) The Notice indicates that the OCC is inviting greater scrutiny of customers and transactions involving cryptocurrency, cannabis, and (fiat) currency.

The MLR System is a data collection process, whereby the OCC gathers and analyzes data on an annual basis from the community banks it supervises. This annual survey, known as the Risk Summary Form (“RSF”), gathers information for the MLR System on four major data points of community banks: products, services, customers, and geographies (collectively known as “PSCs”).

This year, the OCC is making changes to the MLR System by adding new categories of PSCs and deleting certain existing categories. Six new PSCs will be added: cash transactions, marijuana-related businesses, ATM operators, and three types of crypto assets – custody, stablecoin issuance, and stablecoin payments. Further, two new customer types will be added under the “money transmitter” category: administrators/exchangers of virtual currency and crypto ATM operators. Finally, the following four categories will be removed from the existing PSCs: boat/airplane, bulk cash/currency repatriation customers, bulk cash/currency repatriation, and international branches. The full and lengthy list of PSC categories, including the changes proposed by the Notice, can be found here.

The additions are aimed at enhancing the OCC’s data collection process to more accurately reflect the risks posed to community banks—and the emphasis on marijuana and crypto-related transactions aligns with trends in the market as well as the enforcement priorities of many governmental agencies. These changes show how the OCC—an agency that has been apprehensive to make sweeping changes in light of new technologies—is preparing to invest in a system that will put cannabis and crypto-related risks front and center.

Only one of the newly added categories—cash transactions—is not directly connected to marijuana or crypto. By removing the more targeted “bulk cash/currency repatriation customers” and “bulk cash/currency repatriation” categories, and replacing them with the more general “cash transaction” category, it appears that the OCC is intending to broaden the scrutiny associated with cash transactions. It is possible that a broader category will facilitate data reporting by the community banks, since the RSF is fully automated and contains fixed categories that cannot be altered based on nuanced circumstances.

The OCC touts its MLR System as a critical tool to identify areas of risk within its covered institutions and respond accordingly by allocating the proper resources to high risk areas. According to the OCC, “[b]anks will benefit from the reporting of MLR System data as it will assist in the managing of the bank’s BSA/AML programs and provide a starting point for banks to develop their risk assessments.” The OCC further believes that gathering annual data allows it the flexibility to shift examination priorities based upon the ever-changing money laundering schemes facing community banks. According to the Notice, the OCC estimates that the annual burden for reporting MLR System data will be 7,760 hours, across 970 respondents.

However, not everyone agrees with the OCC’s view that these changes to the MLR System are worth the burden. It is worth noting that the OCC originally posted this notice and request for comment back in June. In response, the OCC received only three comments from the public—one of which was a critical response from a banking organization. The banking association primarily criticized the OCC for underestimating the time and resources required to adhere to the proposed changes to the MLR System. According to the Notice, which cited the critical response, the banking association also asserted that the additional PSCs would “unnecessarily complicate the data collection process, require significant staff retraining, and potentially result in mis-categorizations of the PSCs.”

For the next few weeks, the OCC will accept comments regarding the MLR System and its data collection process generally, including: the accuracy of the OCC’s estimate of the burden of collecting information, ways to enhance the quality and clarity of the information to be collected, ways to minimize the burden of the collection on respondents, estimates of costs to purchase services that facilitate providing the information, and (perhaps most importantly) whether the collection of information is necessary for the proper performance of the functions of the OCC.

If you would like to remain updated on these issues, pleaseclick hereto subscribe to Money Laundering Watch. Pleaseclick hereto find out about Ballard Spahr’s Anti-Money Laundering Team.

How effective is the current framework for filing Suspicious Activity Reports, or SARs?  The AML Act mandates that federal law enforcement agencies provide statistics to assist Congress, regulators, and financial institutions answer this question.  Specifically, it requires the Department of Justice (“DOJ”) to annually produce a report to the Secretary of the Treasury containing statistics, metrics and other information on the use of Bank Secrecy Act (“BSA”) reports.  It further requires the Financial Crimes Enforcement Network (“FinCEN”), to the extent possible, to periodically disclose to financial institutions summary information on SARs that proved useful to law enforcement; it also requires FinCEN to review SARs and publish information on threat patterns and trends.

Yet, on August 25, 2022, the United States Government Accountability Office (“GAO”) published a report, Action Needed to Improve DOJ Statistics on Use of Reports on Suspicious Financial Transactions, describing how the DOJ has not fulfilled that statutory mandate. The GAO’s report sets forth two recommendations: (1) the DOJ should include data on the use of BSA reports in its ongoing agency-wide efforts to improve data collection; and (2) involve its Chief Information Officer and Statistical Official in the design of its annual BSA statistical report.

Arguably, the most eye-catching observation of the report is that FinCEN itself “cannot currently provide comprehensive feedback on the impact of BSA reports [to the DOJ] because agencies do not provide FinCEN with comprehensive data on their use of those reports or the effect they had.” Accordingly, and despite ongoing calls for FinCEN to provide meaningful feedback (now, a statutory requirement under the AML Act), FinCEN “cannot connect their data on report searches to the impact of those reports on case outcomes.”

Department Focuses on Transfers of Virtual Currency

On August 8, 2022, the District of Columbia Department of Insurance, Securities and Banking (the Department”)issued a Bulletinon money transmission (the “Bulletin”). The Department issued the Bulletin to ensure that parties “engaging in or planning to engage in money transmission with Bitcoin or other virtual currency used as a medium of exchange, method of payment or store of value in the District,” understand that such transactions “require a money transmitter license.”

In support of its position, the Department highlights the July 2020 decision of the U.S. District Court for the District of Columbia in United States v. Larry Dean Harmon, 474 F.Supp.3d 76 (D.D.C. 2020).  In Harmon, the court noted that the D.C. Money Transmitters Act of 2000 (“MTA”), D.C. Code §26-1001 et seq., does not define the term “money.”  The court therefore relied on the common definition of the term “money,” namely a “medium of exchange, method of payment or store of value.”  Finding that Bitcoin was a medium of exchange under this definition, the court determined Bitcoin was “money” for purposes of the MTA.

The court also noted that the MTA specifically defines some specialized banking and financial terms, but the term “money” was left undefined.  In the court’s view, this demonstrated a lack of legislative intent for the term “money” to have a specialized definition for purposes of the MTA.   As such, the court reasoned that the goal of the MTA is to regulate all kinds of transfers of funds, whether fiat currency, virtual currency or cryptocurrencies. The Harmon case was the first case in the District of Colombia targeting virtual currency mixer operations. The second case, following in the wake of Harmon, was the arrest of Roman Sterlingov as an unlicensed money transmitter for his alleged role as the founder and operator of Bitcoin Fog, a cryptocurrency “tumbler” or “mixer” aimed at concealing the source of funds.

Treating cryptocurrencies as money, the Department states in the Bulletin that it “views the transactions where entities receive for transmission, store, and/or take custody, of Bitcoin and other virtual currencies from consumers via kiosks (aka BTMs), mobile applications and/or online transactions, as engaging in the business of ‘money transmission.’ Such entities require a money transmitter license to operate in the District.” The Department also states that the application process for a money transmission license is “fact-driven, and whether an entity is considered a money transmitter requiring a license to operate in the District depends on the facts and circumstances of each applicant, including, but not limited to, the applicant’s proposed business plan and proposed flow of funds. Additionally, information about an applicant’s business model may also be required in order to make a determination on whether to grant a money transmitter license.”

Finally, the Department states that it “does not view transactions where entities proposing to sell and buy Bitcoin and other virtual currencies and cryptocurrencies from consumers in exchange for cash payments via kiosks and/or online transactions as engaging in the business of ‘money transmission.’”

If you would like to remain updated on these issues, pleaseclick hereto subscribe to Money Laundering Watch. Pleaseclick hereto find out about Ballard Spahr’s Anti-Money Laundering Team.

On August 8, the U.S. Department of the Office of Foreign Assets Control (“OFAC”) sanctioned “notorious” virtual currency “mixer” Tornado Cash, which allegedly has been used to launder more than $7 billion worth of virtual currency since its creation in 2019. Tornado Cash is a virtual currency mixer that operates on the Ethereum blockchain. Tornado Cash receives a variety of transactions and mixes them together before transmitting them to their individual recipients. The stated purpose of such mixing is to increase privacy, but mixers are often used by illicit actors to launder funds because the process enhances anonymity and makes it very hard to track the flow of funds. According to the Treasury Department press release, “[d]espite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risk.” This statement seems to imply that Tornado Cash is run by actual people – an implication that is at the heart of the controversy over these sanctions, as we will discuss.

The sanctions against Tornado Cash have elicited enormous controversy in the crypto world because, some argue, (1) Tornado Cash is not an entity run by actual people, but is merely code; and (2) although OFAC has the legal authority to sanction people and entities, it lacks such authority to sanction code or a technology – or at the very least, such sanctions create many practical problems for innocent actors, including in ways which no one has foreseen fully. As we discuss, even a member of the U.S. House of Representatives has waded into the controversy this week, questioning the ability of OFAC to issue the sanctions and demanding answers. The controversy also reflects that, once again, whether one chooses to focus on the word “privacy” or on the word “anonymity” typically reflects an a priori value judgment predicting one’s conclusion as to whether something in the crypto world is good or bad.

Indisputably, the Tornado Cash sanctions are, to date, unique and unprecedented. Although they may turn out to be an outlier experiment by OFAC, public pronouncements by the U.S. Treasury Department strongly suggest that, to the contrary, they represent part of the future of crypto regulation, in which the enormous power of the U.S. government to issue broad sanctions obliterates legal and practical hurdles which could stymie other agencies, such as the Financial Crimes Enforcement Network (FinCEN). This may be because, ultimately, the government actually agrees that no person is in control of a powerful technology that has easy application for malicious uses, and that is precisely the problem.

Case Involves Familiar But Instructive Regulatory Findings

The New York Department of Financial Services (“NYDFS”) made clear last week that crypto companies can be held accountable for allegedly failing to comply with anti-money laundering (“AML”) / Bank Secrecy Act (“BSA”) regulations.  Federal and certain State laws require crypto companies like Robinhood Crypto, LLC (“RHC”) to maintain effective AML programs, and to implement systems to identify suspicious activity and block illegal transactions on their platforms (which we have previously discussed, including here and here).  On August 2, 2022, NYDFS announced that it entered a Consent Order penalizing RHC $30 million for alleged AML, cybersecurity and consumer protection violations.  RHC also is required to retain an independent consultant to perform compliance assessments evaluating the Company’s remediation efforts. 

This enforcement action is entirely consistent with the recent Guidance on Use of Blockchain Analytics issued by the NYDFS, directed to all virtual currency business entities that either have a NYDFS Bitlicense or are chartered as a limited purpose trust company under the New York Banking Law. As we have blogged, the Guidance emphasizes “the importance of blockchain analytics to effective [AML] policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening.”

The Consent Order contains a litany of alleged AML deficiencies, many of which have figured prominently in other enforcement actions. We detail them below. From a BSA/AML perspective, the key focus – not surprisingly – was on the adequacy of RHC’s transaction monitoring systems. Again, the message is: written policies and programs may look great on their face, but actual execution is key. The adequate funding and staffing of compliance functions is also critical.

As we have repeatedly blogged, concerns about perceived anti-money laundering (“AML”) risks in the real estate industry are rising globally.  Consistent with this concern, the Financial Action Task Force (“FATF”) has updated its AML guidance for the real estate sector in a document entitled “Guidance for a Risk-Based Approach: Real Estate Sector,” (“FATF Guidance” or “the Updated Guidance”).  The FATF Guidance urges a variety of players in the real estate industry to adopt a risk-based approach (“RBA”) to mitigate AML risks and sets forth some high-level recommendations.  The Updated Guidance notably coincides with FinCEN’s advanced notice of proposed rulemaking to impose reporting and perhaps other requirements under the Bank Secrecy Act (“BSA”) for persons involved in real estate transactions to collect, report, and retain information, and the  recent extension of Geographic Targeting Orders for U.S. title insurance companies.

The FATF Guidance appears to be driven, at least in part, by FATF assessments showing that the real estate sector has high AML risks, which industry players often fail to appreciate and/or mitigate. The Updated Guidance explains how various industry players can use an RBA to mitigate those risks. It identifies sector-specific risks, sets forth strategies for assessing and managing those risks, and describes challenges the industry faces in doing so. The FATF also offers specific guidance for “private sector players” and “supervisors” (e.g., countries and self-regulatory boards) for going forward. The Updated Guidance includes tools, case studies, and examples of both private sector and supervisory practices to show real estate supervisors and practitioners how to implement FATF standards in an adequate, risk-based and effective manner.

The FATF is an inter-governmental policymaking body dedicated to creating AML standards and promoting effective measures to combat money laundering (“ML”) and terrorist financing (“TF”). The FATF issued the Updated Guidance with input from the private sector, including from a public consultation with thirteen private-sector representatives (including from sector specific professional associations, the legal profession, FinTech providers, and non-profit organizations) in March and April 2022. This consultation urged FinCEN, among other things, to provide greater clarity in the Updated Guidance regarding its applicability to the real estate sector and related professions (such as lawyers, notaries, and financial institutions) and extend FATF recommendations to broader real estate activities (such as property development and leasing).

On July 20, 2022, the Connecticut Department of Banking (the “Department”) issued aConsumer and Industry Advisory on Money Transmission(the “Advisory”). The Department believes the Advisory was necessary for two reasons. First, the Department notes the “significant disruption to traditional money transmission systems” caused by the “increased use of technology to enable immediate payment mechanisms” and “the explosion of virtual currency.” Second, the Department acknowledges that many consumers do “not realize or understand the regulatory landscape that applies” to using money transmitters.

Although the Department cautions that “[e]ach circumstance is unique,” the Advisory provides general guidance on what types of activities and entities must be licensed. The Advisory lists entities that traditionally provide transmission services like bill payers, payroll processors, and issuers and sellers of prepaid cards and money orders. It also explains that transmission can occur whenever “a person takes possession or control of monetary value belonging to another person” and either holds it for “a period of time” or transmits it to a third party. In other words, unless a company falls within an exemption or exception, if it engages in the above activity in Connecticut or with Connecticut companies or individuals, it may need to first obtain a license.

The definition of money transmission was further broadened in 2018 when Connecticut amended its money transmitter statute to encompass transmission activities involving virtual currency. In the advisory, the Department emphasizes that these statutory amendments cover all types of virtual currencies, stablecoins, and “any other digital asset that is used as a medium of exchange.” Moreover, the Department points out that providing a virtual currency custodial wallet (i.e., holding virtual currency on behalf of another) or virtual currency ATMs that serve as an intermediary between a buyer or seller are also engaging in money transmission.

Finally, the Department discusses Connecticut’s license application and penalties for unlicensed transmission. Like many states, licensure goes through the Nationwide Mortgage Licensing System, NMLS, and involves submitting applications for both the entity seeking licensure and all “control persons.” Beyond these applications and related fees, Connecticut also requires submission of financials, a business plan, the proposed flow of funds, and an Anti-Money Laundering and Bank Secrecy Act (“BSA”) policy, among other documents. Posting of a surety bond valued at between $300,000 and $1 million is also required.

Seemingly in response to a noted uptick “in the number of entities engaged in unlicensed money transmission activity”—especially Internet transmission services and virtual currency companies—the Advisory ends with a warning: unlicensed transmission brings with it the risk of a $100,000 fine per violation and a felony charge. And, of course, operating as an unlicensed money transmitter is a federal felony and a violation of the BSA. Companies based in Connecticut or serving customers in Connecticut should be careful to examine this Advisory and their activities to ensure that they are not engaging in money transmission activities that would require licensure.

If you would like to remain updated on these issues, pleaseclick hereto subscribe to Money Laundering Watch. Pleaseclick hereto find out about Ballard Spahr’s Anti-Money Laundering Team.