Do foreign digital currency exchanges that take US customers online have to be AML registered in the US?
Not unsurprisingly, the answer is yes.
Under US law, digital currency exchangers qualify as money transmitters and are subject to the obligations under the Bank Secrecy Act. Key concepts to know are that:
- An exchanger is a person engaged in the business of exchanging digital currencies for real money or other digital currencies.
- And if an exchanger, e.g., a business, accepts and transmits or buys or sells convertible digital currencies, it is a money transmitter under the regulations issued by FinCEN.
- If the exchange accepts but does not transmit, it is not a money transmitter.
- If you are a money transmitter, you must then comply with the Bank Secrecy Act and the registration obligations of FinCEN.
If you are a foreign digital currency exchange, you must register in the US if you onboard US customers whether F2F or Non F2F, who are located in the US even if none of your agents, agencies, branches or offices are physically located in the US.
Is “I don’t know where the online customer is from” a defense?
There are sometimes arguments made that a digital currency exchange that operates online may not know if it is onboarding US customers because the Non F2F online registration process involves providing an email address only.
That argument may be problematic for an exchange because it evidences that the exchange may lack anti-money laundering law, counter-terrorist financing or sanctions law compliance to identify its customers. If it does not know where its customers are from, how can it know they are not from a prohibited country? If they do not know who their customers are, how do they know they are not on a list of terrorists?
Moreover, all exchanges record and track IP addresses that provide the location of a customer when onboarding, and have the technology to know where each customer is visiting from.
Obligations for foreign exchanges taking US customers
So what then, are the obligations required for foreign digital currency exchanges that take US customers online from another country?
- Register with FinCEN;
- In whatever state you accept customers online, you must then register, usually as a money services business, with that state;
- Comply with the Bank Secrecy Act obligations including having a competent anti-money laundering program that is risk-based, report transactions including suspicious transactions, verify the identity of customers, undertake record keeping, appoint an AML compliance officer, train and audit the exchange’s systems and the AML program.
- Appoint a US agent for legal service who is physically located in the US.
In practice, the obligations require the digital currency exchange to verify customer identity, conduct due diligence on its customers, file reports with the federal government, and create and maintain records pursuant to the Bank Secrecy Act.
I think they should do more and require officers of digital currency exchanges to file periodic certifications to the bank confirming compliance, as well as filing third party AML certifications.
Banks should also ask for legal sign offs in respect of ICOs and digital currencies mined, both of which are significantly more risky from an AML perspective to require that ICOs and mining pools confirm that the ICO or mining operation was launched legally and is not inconsistent with the securities legislation and is consistent with AML law.
Foreign digital currency exchanges taking US customers are as liable as US exchanges for violations of US law. Last year, the US issued a civil penalty against BTC-E for US$110 million for willful violations of US anti-money laundering law and assessed a penalty of US$12 million against one of its administrators. What BTC-E did for Non F2F online onboarding was to obtain a username, a password and an e-mail address and once it had those, it conducted financial transactions by accepting digital currencies and fiat.
A foreign person employed at or controlling a digital currency exchange that is convicted of money laundering can face up to 20 years in prison and fines of millions of dollars. Any property involved in a transaction or traceable to the proceeds of the criminal activity, including property and bank accounts (even if some of the money in the account is legitimate), may be subject to forfeiture.
Compliance also requires that digital currency exchanges investigate financial crimes and when warranted, file suspicious activity reports. Failures by companies to investigate financial crime alerts and to submit SARs, have resulted in penalties of up to US$97 million by the US government.
Liability can often be personal as well, as against compliance officers who fail to comply with anti-money laundering law at their companies. Liability has not attached, however, in cases where the CAMLO’s function is underfunded or not funded, or there is no buy-in or support from the directors for a compliance department, although CAMLO’s are expected to resign in those situations. Regulators recognize that there are instances where a CAMLO is appointed and the appointment is for show only, meaning that there is no desire or resources allocated by the company for a CAMLO to be an operational position. CAMLOs are also expected to file a report when they depart over a failure of the compliance function at their company.
The chart below, from Thomson Reuters, provides some interesting cases of personal liability of CAMLOs.