ICO issuers commonly screen purchasers in initial token or “coin” offerings (ICOs) for anti-money laundering (AML) and “Know-Your-Customer” (KYC) purposes using online vendors. But there has been uncertainty as to whether, and under what conditions, an ICO issuer would need to go as far as registering as a money service business (MSB)1 with the Treasury Department’s Financial Crimes Enforcement Network (FinCEN). However, in a letter that became public last week (but was dated February 13, 2018), FinCEN clearly expressed its view, stating:
A developer that sells convertible virtual currency, including in the form of ICO coins or tokens, in exchange for another type of value that substitutes for currency is a money transmitter and must comply with AML/CFT requirements that apply to [MSBs].
The language in the letter and its potential application is broad, but the facts and circumstances applicable to each ICO issuer must still be evaluated to determine whether they will cause the issuer to fall under FinCEN’s MSB rules. Failure to register and meet related requirements for MSBs may subject a business and its employees to both criminal and civil penalties.
Any ICO issuer that qualifies as an MSB must:
- Register with FinCEN
- Implement a formal AML program with these four elements:
- written AML policies and procedures
- a designated AML compliance officer
- independent review and monitoring of the AML program, and
- a training program for relevant personnel regarding their AML responsibilities
- Monitor for suspicious transactions and filing Suspicious Activity Reports, or SARs, with FinCEN
- Maintain records of certain transactions, payment instructions, and customer identification records
- Conduct enhanced due diligence when working with foreign agents or counterparties. Under these circumstances, there are extra requirements for understanding a foreign partner’s business model, customers, and the foreign partner’s own AML program. Importantly, an MSB must be ready to end its relationship with any foreign partner who does not meet necessary standards.
FinCEN’s letter also noted that, to the extent an ICO involves securities or derivatives, it might instead be subject to the authority of the Securities and Exchange Commission or Commodity Futures Trading Commission, each of which has separate—although similar—AML/KYC requirements.
Even if not required to register as an MSB, what should all ICO issuers do now?
Perform AML/KYC screening aimed at identifying the red flags of potential money laundering. Federal money laundering laws require businesses to avoid conducting transactions involving criminal proceeds, and there are several ways to run afoul of these laws. A transaction may raise red flags that the funds involved—whether fiat or cryptocurrency—originate from a fraud scheme, a hacking incident, or some other unlawful source. A business cannot turn a blind eye to these red flags.
Have a system in place in the event red flags indicate the need for more information about the nature or source of funds being used to purchase their tokens. Be aware that criminal laws prohibit transactions with funds that a person knows originate from unlawful activity, even if the person does not know exactly the type of unlawful activity involved. More serious penalties apply where a person takes intentional steps to conceal aspects of the transaction. Even “clean” funds, if transferred internationally, may comprise a money laundering violation if sent to promote criminal activity. Finally, under conspiracy laws, a person may be liable for actions of business partners who engage in money laundering transactions.
Comply with the sanctions screening requirements administered by the Treasury Department’s Office of Foreign Assets Control (OFAC). In offering tokens for sale in a public or private sale, every ICO issuer is required to ensure that none of its purchasers are on the list of prohibited individuals or entities maintained by OFAC. The OFAC sanctions list is highly complex and frequently changes, so most businesses outsource screening to a third-party servicer. Nonetheless, OFAC imposes strict liability for screening failures, so an ICO issuer should be sure to understand the screening its service provider is doing and take its own steps to engage in a robust customer identification program.
Be prepared to address inquiries from regulators and law enforcement. If a regulator or law enforcement agency contacts an ICO issuer, one of the first demands it is likely to make is that the issuer provide a copy of its AML program and policies as well as its customer identification procedures and screening protocols. If the issuer is equipped with these written policies and procedures, including a clear allocation of responsibility within the company for ensuring compliance, it will be off to a good start.
It is worth noting that the federal agencies involved in overseeing the marketplace for token sales have publicly recognized the societal value of blockchain-based emerging technologies. While the burden of compliance in this area is not light, prior planning may help to protect an ICO issuer’s investment of time and resources and create room for greater innovation.
- WHEN & HOW TO RENEW YOUR MSB REGISTRATION - December 7, 2018
- FinCEN Reissues Real Estate Geographic Targeting Orders and Expands Coverage to 12 Metropolitan Areas - December 3, 2018
- PenFed Employees Saw Anti-Money-Laundering Compliance Gaps - November 1, 2018