The cryptocurrency world is awash in uncertainty as the federal government intensifies its scrutiny of crypto companies. This regulatory crackdown requires all participants in the crypto market to elevate their compliance efforts, not only to appease regulators but also to reinforce the trust of their customers and partners.
Today’s crypto compliance landscape demands a sophisticated approach. Despite the lack of industry-specific laws and regulations, several U.S. regulatory and law enforcement agencies are aggressively asserting their authority over the digital asset space. The U.S. Department of Justice, along with regulators such as the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and others at both the federal and state levels, have pursued enforcement actions against a wide range of crypto-related businesses and products, including crypto exchanges, trading platforms, initial coin offerings (ICOs), non-fungible tokens (NFTs), and stablecoins.
Adding to the complexity, these agencies often issue conflicting and competing requests for information and guidance. Their efforts have frequently lacked coordination and been driven by differing interpretations of applicable legal theories, even when presented with the same set of facts.
This lack of clear regulatory guidance, coupled with the flurry of enforcement actions, creates a treacherous environment for even the most diligent compliance officers. Recent comments from SEC Enforcement Division Director Gurbir Grewal regarding compliance expectations, particularly concerning the individual liability of compliance personnel, should raise concerns for crypto market participants.
Grewal emphasized that the SEC would pursue actions against compliance personnel “where there was a wholesale failure by compliance personnel to carry out their compliance responsibilities.” This assertion hinges heavily on a shared understanding of what constitutes “compliance responsibilities.” However, with no established federal legislation or substantive regulatory framework in place for the crypto industry, unlike in the traditional financial services sector, the likelihood increases that even good-faith efforts in the crypto space could be deemed insufficient by regulators. These efforts could even be characterized as “wholesale failures” warranting penalties, according to Director Grewal’s public statements.
Confronting Crypto Risks Head-On
Crypto compliance officers cannot afford to wait for clearer regulations to be enacted. They must act now, despite the uncertainty, to ensure that their protocols satisfy the expectations of a multitude of regulators with often opaque and divergent views. Let’s delve into some primary areas of focus that are crucial for reducing risk and fostering confidence in a compliance program’s efficacy.
Mastering Blockchain Technology
For companies operating in the cryptocurrency space, a deep understanding of blockchain technology, the very foundation of crypto-based activities, is non-negotiable. This understanding is essential for both company executives and members of their compliance teams. Compliance teams must be equipped to educate employees on compliance expectations and to effectively communicate the intricacies of their crypto products and operations to regulators. This ability to bridge the knowledge gap between the industry and regulatory bodies is essential for establishing a robust and defensible compliance framework.
Strengthening AML Procedures
A cornerstone of any effective compliance strategy is the implementation of a comprehensive and robust Anti-Money Laundering (AML) program. Regulators often view the decentralized and pseudonymous nature of crypto with suspicion, perceiving it as a potential tool for concealing illicit activities. AML experts highlight that failure to comply with AML requirements frequently forms part of the charges brought by regulatory agencies against companies.
Without adequate safeguards against money laundering and other financial crimes, crypto companies become vulnerable to regulatory scrutiny and exploitation by bad actors. Crypto asset trading companies must go beyond traditional AML procedures and integrate crypto-specific tracking and analysis into their compliance regimens. This includes utilizing blockchain intelligence tools to identify high-risk and terrorist-associated crypto wallet addresses.
Furthermore, companies should remain vigilant about potential scrutiny under the Bank Secrecy Act (BSA). For instance, in October 2022, Bittrex, which operated as a money services business, was fined over $24 million by the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) – both agencies within the U.S. Treasury Department – for violations of the BSA, AML requirements, and sanctions.
A key factor in these penalties was that Bittrex already held the customer IP addresses and physical address information it had collected during onboarding. The company was aware that numerous customers were located in sanctioned jurisdictions, yet it never screened that information for connections to those jurisdictions: the data needed to catch the violations was in hand but unused.
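The Bittrex finding turns on data that was already collected but never screened. As an added example (not from the article, nor from any regulator's or vendor's code), the Python below screens a batch of constructed onboarding records on the three signals this section names: the KYC physical-address country, the geolocated login IP, and linked wallet addresses checked against a flagged-address list. The country codes, the IP-to-country table, and the flagged wallets are placeholders standing in for a sanctions list, a geolocation database, and a blockchain-intelligence feed; none of them are real list entries.

```python
"""Sanctions and wallet screening over onboarding data.

Added example. Every list, IP range and customer record below is constructed
sample data, not OFAC, FinCEN or vendor-feed content.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed: country codes this example treats as comprehensively sanctioned.
SANCTIONED_COUNTRIES = {"XA", "XB"}

# Constructed stand-in for an IP geolocation database (RFC 5737 test prefixes).
IP_GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "XA"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("192.0.2.0/24"), "DE"),
]

# Constructed stand-in for a blockchain-intelligence flagged-address feed.
FLAGGED_WALLETS = {
    "0x00000000000000000000000000000000deadbeef": "sanctioned-entity",
    "bc1qexampleflaggedaddress0000000000000000": "terrorist-financing",
}


@dataclass
class Customer:
    customer_id: str
    ip: Optional[str]               # IP captured at onboarding or last login
    address_country: Optional[str]  # country code from the KYC physical address
    wallets: List[str] = field(default_factory=list)


@dataclass
class Finding:
    customer_id: str
    signal: str   # "address", "ip" or "wallet"
    detail: str
    action: str   # "block" or "review"


def geolocate(ip: str) -> Optional[str]:
    """Country code for an IP, or None if the IP is malformed or not in the table."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return None
    for net, country in IP_GEO_TABLE:
        if addr in net:
            return country
    return None


def screen_customer(c: Customer) -> List[Finding]:
    """Screen every signal onboarding already collected for one customer.

    A sanctioned-jurisdiction hit on any signal is a block. Data that should
    have been collected but is absent is routed to review, never passed silently.
    """
    findings: List[Finding] = []

    # Signal 1: KYC physical address.
    if not c.address_country:
        findings.append(Finding(c.customer_id, "address", "no country on file", "review"))
    elif c.address_country in SANCTIONED_COUNTRIES:
        findings.append(Finding(c.customer_id, "address",
                                f"physical address in {c.address_country}", "block"))

    # Signal 2: IP geolocation.
    if not c.ip:
        findings.append(Finding(c.customer_id, "ip", "no IP captured", "review"))
    else:
        country = geolocate(c.ip)
        if country is None:
            findings.append(Finding(c.customer_id, "ip", f"{c.ip} not geolocatable", "review"))
        elif country in SANCTIONED_COUNTRIES:
            findings.append(Finding(c.customer_id, "ip",
                                    f"{c.ip} geolocates to {country}", "block"))

    # Signal 3: linked wallets against the flagged-address list (case-insensitive).
    for wallet in c.wallets:
        reason = FLAGGED_WALLETS.get(wallet.lower())
        if reason:
            findings.append(Finding(c.customer_id, "wallet", f"{wallet}: {reason}", "block"))

    return findings


def screen_all(customers: List[Customer]) -> Dict[str, List[Finding]]:
    """Screen a batch; return only customers with at least one finding."""
    return {c.customer_id: hits for c in customers if (hits := screen_customer(c))}


# Constructed batch: one clean record, one clean on paper but logging in from a
# sanctioned range, one with a flagged wallet, and one with onboarding gaps.
SAMPLE_CUSTOMERS = [
    Customer("c-clean", "198.51.100.10", "US", ["bc1qcleanaddress"]),
    Customer("c-ip", "203.0.113.7", "US"),
    Customer("c-wallet", "192.0.2.5", "DE", ["0x00000000000000000000000000000000DEADBEEF"]),
    Customer("c-gaps", None, None),
]

if __name__ == "__main__":
    for cid, hits in screen_all(SAMPLE_CUSTOMERS).items():
        for h in hits:
            print(f"{cid}: {h.action.upper()} [{h.signal}] {h.detail}")
```

The record "c-ip" is the Bittrex pattern: a clean KYC address, but a login IP that geolocates to a sanctioned jurisdiction, which only matters if the IP the firm already stores is actually run through the check. Missing data is surfaced for review rather than treated as a pass, since a control that never runs on the data the firm holds is no control.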
Violations of the BSA by crypto companies can also lead to criminal charges. In May 2022, the former CEO of BitMEX, one of the oldest and largest convertible virtual currency derivatives exchanges, was sentenced in the Southern District of New York to six months of home detention and a $10 million fine for BSA violations. The charges stemmed from the company’s failure to establish, implement, and maintain an adequate AML program, including a robust know-your-customer (KYC) program to verify the identities of BitMEX’s customers.
The company had previously settled charges with the CFTC and FinCEN in 2021, paying $100 million for BSA and AML violations. This case underscores the critical importance of a proactive and comprehensive approach to AML compliance in the crypto industry.
Establishing Robust Retention Policies
Implementing clear retention policies is a relatively straightforward, proactive step that compliance officers can take to demonstrate good faith to regulators. While there are currently no explicit crypto-specific retention requirements, unlike the strict obligations governing the traditional finance sector, regulators nevertheless view retention policies as a key indicator of a company’s commitment to compliance.
A telling example of this is the recent prosecution and conviction of FTX founder Sam Bankman-Fried, where prosecutors cited FTX’s lack of a retention policy as evidence of wrongdoing. Such negative perceptions can be avoided. Crypto trading companies should consider implementing systems that can log the following information as applicable:
- Trading data, including profit and loss figures
- Records of employees trading assets or managing automated trading strategies
- Information on the quantity and types of assets traded
Additionally, crypto companies should consider retaining all company account communications for a specified number of years. This includes not only traditional communication methods such as email and instant messaging systems but also less conventional modes of communication prevalent in the crypto space.
Prioritizing Third-Party Due Diligence
Crypto companies must be meticulous in their risk-based assessments when engaging with third-party providers. Regulators have made it clear in the traditional finance world that companies are accountable not only for their own compliance obligations but also for those of the third-party vendors they rely on.
The Interagency Guidance on Third-Party Relationships: Risk Management, issued jointly by the U.S. Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC), advises that “[t]he scope and degree of due diligence should be commensurate with the level of risk and complexity of the third-party relationship. More comprehensive due diligence is particularly important when a third party supports higher-risk activities, including critical activities.”
This regulatory focus on third-party relationships is expected to be even more pronounced in the crypto space, given that the government inherently views the crypto industry as high-risk. This perception is often based on a limited understanding of the crypto ecosystem and its inherent novelty. Consequently, due diligence requirements for third parties are highly likely to be a focal point of regulatory scrutiny.
Marketing and development efforts involving third parties, which often utilize less regulated channels such as social media, podcasts, and collaborative workshops, create opportunities for misunderstandings and potential compliance issues. Therefore, as part of a robust third-party risk assessment program, crypto companies should conduct thorough due diligence on all potential third-party partners before engaging in any business activities with them.
Embracing Regular Audits
Effective and sustainable compliance programs benefit greatly from both internal and external audits. When conducted regularly, audits serve as a stress test for compliance programs and provide regulators with assurance of a company’s strong compliance culture.
Given the challenges many regulators face in comprehending the complex technologies at play in the crypto space and in establishing a clear legal basis for culpability, some regulators have resorted to highlighting weak compliance cultures within crypto companies as a means of justifying investigations. Regular audits can serve as a powerful tool to preempt such scrutiny.
Addressing Privacy and Data Security Concerns
Operating in a digital environment inherently exposes companies to risks such as data leaks, cyberattacks, phishing schemes, and other malicious activities. The crypto industry, being a burgeoning and lucrative sector, has become a prime target for scammers and thieves. Because blockchain transactions are irreversible and no traditional financial intermediary stands ready to freeze or claw back funds, stolen crypto assets are difficult to recover, which amplifies the impact of such attacks.
Therefore, it is crucial for compliance officers to develop and implement tailored provisions that safeguard internal company data, data shared by partners and consumers, and both company and customer assets. These measures are essential for maintaining the integrity and security of the crypto ecosystem.
Charting a Course Through Uncertain Seas
The crypto enforcement landscape continues to evolve rapidly, with little indication of more definitive statutory or regulatory guidance emerging in the near future. In December 2023, the SEC rejected a petition from Coinbase requesting new rules specifically tailored for the digital asset sector. The SEC maintained that it would not propose new rules or offer the long-sought clarifications regarding its expectations. The agency contends that existing securities regulations give crypto companies sufficient notice of their obligations, a stance that few, if any, seasoned crypto professionals agree with.
There is no sign of enforcement efforts waning. On the contrary, an expansion of enforcement reach is not just likely but seemingly inevitable. This reality places the onus on compliance departments and their officers to proactively develop best-in-class compliance programs. These programs are essential not only for safeguarding the company and its customers but also for shielding the company and its officers from regulatory inquiries and potential liability. In this evolving landscape, a proactive and comprehensive approach to compliance is paramount.