Note: This article was originally published on Legaltech News.
The US Department of Justice (DoJ) Cryptocurrency Enforcement Framework, published in the final quarter of 2020, was an opportunity for the financial sector to understand the US DoJ’s approach to dealing with emerging financial crime threats. Its publication was timely as the value of Bitcoin, the most famous cryptocurrency, hit the headlines as it has continued to set all-time high valuations and attract even more attention.
The Framework is an important document as where the DoJ leads, other domestic and global regulators and enforcement agencies often follow. But does the framework break much new ground or is it, as some have suggested, simply a collection of cases with little novel thinking? It seems to me that the answer is a bit of both.
Rich in content
The Framework contains case studies that demonstrate the ingenuity of criminals in exploiting what is a new and poorly understood set of technologies. These case studies also display how these criminals were caught. Some of the examples are eye-opening and bust some of the myths that have grown up around these still relatively immature financial instruments. The details of mixers, tumblers and peel chains should leave no doubt that where there is a will to obscure the flow of illicit funds there is an ingenious way.
Formed of three parts, the Framework describes what the DoJ considers to be the threats posed by the use of cryptocurrency, the current legal and regulatory landscape for dealing with such threats, and then lays out some of the strategies for addressing the challenge.
While touching on the legitimate, potentially transformative, application of cryptocurrency, the framework inevitably majors on the threats. Much of these derive from the potential for anonymity and the DoJ takes the opportunity to distinguish a group of “anonymity enhanced cryptocurrencies” or AECs for which transactions are harder to trace. Four types of threats are identified and explained.
The first threat relates to the use of cryptocurrency to support or provide a vehicle for criminal or terrorist activity. This includes the use of cryptocurrency to buy and sell illicit goods or tools to commit crimes, to enable payments in ransom, blackmail and extortion schemes or as a means of raising funds to support criminal activity.
The second threat relates to the concealment of financial activity. This includes money laundering, the operation of exchanges or money transmitting businesses that fail to comply with anti-financial crime regulations, the evasion of taxes and the circumvention of economic sanctions. These threats are likely to be of most concern to financial institutions, not only to those who have developed products and services based on cryptocurrency but also to those providing banking services to such businesses.
Attacks on the cryptocurrency marketplace itself form the third set of threats. These include the exploitation of human and technical vulnerabilities to hack exchanges and wallets. Estimated at over $4.5 billion for 2019, the scale and growth rate of such theft is extraordinary. A much smaller but perhaps more sinister threat is seen in the form of cryptojacking where criminals or even rogue states hack into computers and co-opt them for mining cryptocurrency.
Finally, the DoJ describe the dangers posed by the operation of Darknet markets. These operate under the cover of the dark web and are facilitated by the enhanced anonymity afforded by cryptocurrency. The history of such markets it littered with tales of the trade in drugs and illicit goods going hand-in-hand with the disappearance of cryptocurrency worth millions of dollars. The almost complete separation of Darknet markets from the regulated international banking system also makes them a haven for cross-border criminality.
Laws and regulations
Perhaps the most useful part of the Framework is its catalogue of the legal and regulatory tools that may be used to counter the threats that it has identified. While focused on the US, it is relevant to many international businesses and non-US citizens as a result of the way in which activity is considered to be within the DoJ’s jurisdiction. This includes taking into account activity that touches US-based servers, data storage or financial systems in any way. As with correspondent banking arrangements used by the conventional banking system for dollar-based transactions, this is likely to significantly broaden the reach of the DoJ when investigating and prosecuting cryptocurrency-related crimes.
What is striking, considering the novelty of the technologies involved, is the range of conventional legal tools used to deal with cryptocurrency-related crimes. This is a reflection of fact that cryptocurrency itself is not the problem – rather it is just a new way for bad actors to fulfil their objectives. The list includes many well-established legal devices such as unauthorised access to computer systems alongside laws covering money laundering, securities fraud and trade in controlled substances.
Similarly, the enforcement coverage is achieved through the coordination of existing regulators include tax and state authorities and links into the international community via The Financial Action Task Force (FATF). This mirrors the approach for the conventional financial system through extending the coverage approach for money service businesses to Virtual Asset Service Providers (VASPs).
The Financial Crime Enforcement Network (FinCEN) provides coverage of regulated businesses that are subject to the US Bank Secrecy Act. This includes its operation as the US’s Financial Intelligence Unit. FinCEN’s requirements extend to non-US located businesses if at least a “substantial” part of their business is undertaken within the US.
The involvement of the Office of Foreign Assets Control (OFAC) is again similar to the situation for conventional currencies. However, cryptocurrency, particularly when combined with the anonymising power of devices such as the Peel Chain which chops transactions into small hard-to-trace slices, has been used to circumvent sanctions controls so poses a significant enforcement challenge.
As set out in an Interpretive Letter published in July, the provision of cryptocurrency services by US banks is supervised by the Office of the Controller of the Currency (OCC). The fundamental premise for this supervision was that the banks must effectively manage the associated risks such as those relating to money laundering.
The Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) cover markets in cryptocurrency including the sale of digital assets through initial coin offerings (ICO) and the trading in derivatives backed by virtual assets.
The DoJ’s stated strategy for dealing with the threats is in two parts. The first is by explicitly identifying the platforms that provide a facility for nefarious activity and to set out the obligations of those operating them. These platforms include the more mainstream examples of cryptocurrency exchanges, kiosks and casinos along with peer-to-peer cryptocurrency platforms. For these, the operators are expected to maintain proper records of customers and transactions and fulfil Anti-Money Laundering responsibilities including undertaking KYC checks and filing suspicious activity reports when necessary.
The AECs mentioned earlier, which include Monero, Dash and Zcash, are specifically identified for attention. In particular, the DoJ states that it “considers the use of AECs to be a high-risk activity that is indicative of possible criminal conduct [emphasis added]”. It makes clear that those offering AEC products should take into account the elevated risks when designing and implementing mitigating controls.
Another category highlighted for special attention by the DoJ are those facilities that enable the obfuscation of the source or owner of cryptocurrency. Mixers and tumblers have the effect of impeding the ability to interpret the transaction record that is inherent within a public blockchain, such as Bitcoin. Chain hopping has a similar effect where funds move rapidly from one cryptocurrency to another, placing layers of transactions between the source and destination.
The second half of the strategy is set out in terms of the intensity of the DoJ’s response. This shows in their stated commitment to aggressively investigate and prosecute those using cryptocurrency to “commit, facilitate or conceal” criminal acts. This is built on coordination with US-based and international regulatory partners, allocating resources to increasing skills and awareness to equip itself to deal with the new technologies and techniques and working with the private sector including banks, providers of virtual asset services and the cryptocurrency user community.
Far reaching implications
The publication of a detailed Framework by the DoJ is a useful step forward. While much of the content is not particularly ground breaking, the opportunity to see inside the DoJ’s thinking and approach to cryptocurrency is valuable. Despite the cutting edge technologies that underpin cryptocurrency, the DoJ has made clear that it will use many of its traditional approaches to enforcement and cast a wide net to assert jurisdiction over foreign companies with a US footprint.
The criminal and terror-related risks associated with cryptocurrency are clearly high on the list of priorities. Critically, any organisation that deals with cryptocurrency should be in no doubt that it is their responsibility to design and operate controls to mitigate the risks. The Framework sets the threats out in black and white and there is no excuse for failing to deal with them.