Do foreign digital currency exchanges that take US customers online have to be AML registered in the US?
Not unsurprisingly, the answer is yes.
Under US law, digital currency exchangers qualify as money transmitters and are subject to the obligations under the Bank Secrecy Act. Key concepts to know are that:
- An exchanger is a person engaged in the business of exchanging digital currencies for real money or other digital currencies.
- And if an exchanger, e.g., a business, accepts and transmits or buys or sells convertible digital currencies, it is a money transmitter under the regulations issued by FinCEN.
- If the exchange accepts but does not transmit, it is not a money transmitter.
- If you are a money transmitter, you must then comply with the Bank Secrecy Act and the registration obligations of FinCEN.
If you are a foreign digital currency exchange, you must register in the US if you onboard US customers whether F2F or Non F2F, who are located in the US even if none of your agents, agencies, branches or offices are physically located in the US.
Is “I don’t know where the online customer is from” a defense?
There are sometimes arguments made that a digital currency exchange that operates online may not know if it is onboarding US customers because the Non F2F online registration process involves providing an email address only.
That argument is problematic for an exchange because it evidences that the exchange has no anti-money laundering law, counter-terrorist financing or sanctions law compliance in place to identify its customers. If you do not know where your customer is from, how do you know they are not from a prohibited country? If you do not know who your customer is, how do you know they are not on a list of terrorists?
Moreover, all exchanges record and track IP addresses that provide the location of a customer when onboarding, and they know where each customer is visiting from. If an exchange does not, there are serious gaps at the exchange because it is conducting financial transactions without visibility, posing a threat to the financial system, the whole country and its bank. Such an exchange’s activities would make it aligned with the conduct of BTC-E and subject it to signifiant fines (see below).
Obligations for foreign exchanges taking US customers
So what then, are the obligations required for foreign digital currency exchanges that take US customers online from another country?
- Register with FinCEN;
- In whatever state you accept customers online, you must then register, usually as a money services business, with that state;
- Comply with the Bank Secrecy Act obligations including having a competent anti-money laundering program that is risk-based, report transactions including suspicious transactions, verify the identity of customers, undertake record keeping, appoint an AML compliance officer, train and audit the exchange’s systems and the AML program.
- Appoint a US agent for legal service who is physically located in the US.
In practice, the obligations require the digital currency exchange to verify customer identity, conduct due diligence on its customers, file reports with the federal government, and create and maintain records pursuant to the Bank Secrecy Act.
Banking de-risking over AML failures
Unfortunately, foreign digital currency exchanges that operate without authorization in the US by taking on US customers sometimes don’t realize that if they want to become registered and lawful in the future, that conduct harms them. That is because the registration process requires an exchange to disclose past unlawful operations or business practices that are inconsistent with the law. Foreign exchanges accepting US customers without registration in the US is an unlawful activity that is disclosable.
And then there is a greater risk to a digital currency exchange, which is the risk of being de-risked by its bank, or never getting banking services because they are deemed to be too risky for a bank. A foreign digital currency exchange that operates unlawfully in the US by taking US customers without being AML registered and processes financial transactions:
- exposes the bank to massive fines by US bank regulators;
- exposes the bank directors and officers to fines and criminal penalties;
- demonstrates that it is not compliant with AML / CTF and sanctions law; and
- breaches the terms and conditions of the contract for services it has with its bank.
No bank CEO will want to go to jail in the US for banking a digital currency exchange that is risky and does not comply with the law, and no CAMLO will expose the executives of a bank to that possibility.
Financial institutions and banks are beginning to ask for third party certifications that digital currency exchanges operate within the law and that for all the countries in which they accept clients, they are authorized and registered to do so by the applicable government agencies.
I think they should do more and require officers of digital currency exchanges to file periodic certifications to the bank confirming legal compliance, as well as filing third party AML certifications. They are the only two ways banks can be protected and minimize risks when they provide services to digital currency exchanges. An exchange can have a compliance plan but the bank has no confirmation that compliance has been operationalized at a digital currency exchange unless it obtains external professional certifications. Banks obtain legal protection by being able to rely upon the two certifications.
Banks are also asking for third party legal sign offs in respect of ICOs that digital currency exchanges list to confirm that the ICOs were launched legally and are not inconsistent with the securities legislation – both in terms of the ICO itself and the exchange’s function as a listing platform and what they are seeking is confirmation by legal counsel that the ICO was legally issued and that the exchange is registered with the requisite securities commission to trade that particular ICO.
Foreign digital currency exchanges taking US customers are as liable as US exchanges for violations of US law. Last year, the US issued a civil penalty against BTC-E for US$110 million for willful violations of US anti-money laundering law and assessed a penalty of US$12 million against one of its administrators. What BTC-E did for Non F2F online onboarding was to obtain a username, a password and an e-mail address and once it had those, it conducted financial transactions by accepting digital currencies and fiat. Anti-money laundering law requires that exchanges conduct know you customer procedures at the account opening and onboarding phase, before a financial transaction, not after. There is no such thing as customer exit KYC – KYC is a customer entrance obligation.
A willful violation would arise when a foreign digital currency exchange does not inform itself about US law or engages unqualified persons for AML law. For example, a foreign digital currency exchange has legal advice, internal or external in respect of US law and ignores the legal advice, although that is arguably more than willful – it is knowingly unlawful.
A foreign person employed at or controlling a digital currency exchange that is convicted of money laundering can face up to 20 years in prison and fines of millions of dollars. Any property involved in a transaction or traceable to the proceeds of the criminal activity, including property and bank accounts (even if some of the money in the account is legitimate), may be subject to forfeiture.
Compliance also requires that digital currency exchanges investigate financial crimes and when warranted, file suspicious activity reports. Failures by companies to investigate financial crime alerts and to submit SARs, have resulted in penalties of up to US$97 million by the US government.
Liability can often be personal as well, as against compliance officers who fail to comply with anti-money laundering law at their companies. Liability has never attached, however, in cases where the CAMLO’s function is underfunded or not funded, or there is no buy-in or support from the directors for a compliance department, although CAMLO’s are expected to resign in those situations. Regulators recognize that there are instances where a CAMLO is appointed and the appointment is for show only, meaning that there is no desire or resources allocated by the company for a CAMLO to be an operational position. CAMLOs are also expected to file a report when they resign over a failure of the compliance function at their company.
The chart below, from Thomson Reuters, provides some interesting cases of personal liability of CAMLOs.