In the recent months, much has happened covering all aspects of financial crime and sanctions and impacting both traditional and DeFi firms. This includes new enforcement actions related to anti-money laundering (AML) program deficiencies, a lack of suspicious activity report (SAR) filings, and inadequate sanctions programs. There has also been significant activity from the Federal Deposit Insurance Corporation (FDIC) and an increased focus on banks dealing with fintech firms. FinCEN and the Department of Treasury have released several statements and proposed guidance as well as published commentaries, and the Director appeared before the House Financial Services Committee. And lastly (as expected), the SEC increased regulation by enforcement of digital asset firms.

Regulatory Updates

Silicon Valley Bank (SVB), Signature Bank, and First Republic

In the first few months of 2023, financial crimes enforcement actions and regulator intervention continued to dominate the headlines, the most significant being the bank rush and subsequent FDIC actions related to Silicon Valley Bank (SVB), Signature Bank, and First Republic. Given the bank rush on Silicon Valley Bank, which began the second week of March, and the ensuing domino effect, the FDIC chose to expand its intent to protect investors past their $250,000 deposit limit, stating that it would protect all deposits. In March, the FDIC established a new bank, Signature Bridge Bank, N.A., to take over for Signature Bank in New York. The FDIC has also issued joint statements with other agencies regarding liquidity risks from the crypto-asset market and risks to banking organizations from crypto-assets. All these actions have led to a significant ripple effect throughout the digital asset investing community, increasing volatility and raising concern within the community as to what to do next, as there is increased exposure and risk for crypto businesses.

Joint statement on Crypto-Asset Risks

On January 3, the Options Clearing Corporation, the Federal Reserve Board of Governors, and the FDIC issued a joint statement highlighting key risks to banks associated with crypto-assets and crypto-asset sector participants.¹ This was interesting timing since the previously mentioned bank rush and subsequent failures of Silicon Valley Bank and Signature Bank, both involved with fintech and crypto firms, occurred only two months later.

Initial Beneficial Ownership Information Reporting Guidance

On March 24, FinCEN issued its Initial Beneficial Ownership Information Reporting Guidance,² which outlined its expectations and understanding of the upcoming reporting requirements that are to take effect on January 1, 2024.

De-Risking Strategy

On April 25, the Department of Treasury released its de-risking strategy,³ which was a follow on from its January 3 joint statement. The Department supports the view that de-risking poses a challenge to institutions, and that aside from profitability being a main factor, AML/CFT (combating the financing of terrorism) risks “contribute to and/or exacerbate the effects of de-risking.” The report also focused on money services businesses (MSBs) and non-profit organizations (NPOs), pointing out that MSBs and charitable organizations are now exempt from beneficial ownership information reporting requirements as mandated by section 6215 of the AML Act of 2020.

Fiscal Year 2022 in Review

Also on April 25, FinCEN released its Fiscal Year 2022 in Review.⁴ The report highlighted the Bank Secrecy Act (BSA) data and SAR statistics for 2022, and, as was expected, the report showed another year of increase in the number of SARs filed. In FY 2022, 4.3 million were filed, with an average daily total of 11,800 SARs filed with FinCEN, and 10 institutions were responsible for filing 52% of SARs for the year. Notably, nearly all of the filed SARs had “Other” selected as an activity type, with “Money Laundering” selected on 2.927 million, “Fraud” selected on just over 2 million, and “Structuring” selected on just under 1.5 million. There has been, and will continue to be, an ongoing conversation on the usefulness and relevance of the “Other” category and whether the number of SARs filed and its increase year over year is a useful metric to determine if institutions are identifying and helping to disrupt illicit and potentially suspicious activity.

Enforcement Updates

The Kingdom Trust Company

The most recent enforcement action comes from FinCEN on April 26, when it assessed a $1.5 million civil penalty against South Dakota-chartered The Kingdom Trust Company for “willful violations of the BSA and its implementing regulations.” This is the first ever civil monetary penalty (CMP) by FinCEN against a trust company for BSA failures. Time and time again, institutions falling under the BSA make the same mistake as demonstrated here: They do not identify suspicious activity and do not file SARs. In this case, this occurred because of a lack of training, inadequate staff, and manual transaction monitoring.

Coinbase and BitPay

The New York State Department of Financial Services (NYDFS) announced two consent orders in Q1 2023 to resolve matters related to Coinbase, Inc.⁵ in January 2023 and BitPay, Inc.⁶ in March 2023. NYDFS conducted initial examinations of Coinbase and BitPay in 2020 and 2018, respectively, and found deficiencies within the firms’ overall compliance functions, including with respect to the AML programs. Within NYDFS’ 2021 enforcement investigation of Coinbase and second examination and 2022 enforcement investigation of BitPay, although improvements/remedial efforts were made to the firms’ programs to address deficiencies from prior examinations, Coinbase and BitPay required additional improvements to achieve compliance. Deficiencies were noted across both compliance programs related to know your customer, customer due diligence, and onboarding processes, as well as the transaction monitoring system, Office of Foreign Assets Control screening, and a failure to conduct adequate risk assessments for AML (Coinbase) and cybersecurity (BitPay). In resolution of these consent orders, Coinbase needed to pay a civil monetary penalty to NYDFS of $50,000,000, and BitPay needed to pay $1,000,000. Additional provisions also occurred, such as Coinbase continuing its independent monitoring and committing to spend no less than $50,000,000 on further improvements and enhancements to its compliance program within twenty-four months. BitPay needed to submit an action plan and conduct a cybersecurity risk assessment.

In addition, in March 2023, the SEC sent a Wells notice to Coinbase, and this served as a formal declaration stating the regulator intends to recommend its review for an enforcement action. In late April, Coinbase posted a response to the SEC’s Wells Notice and filed a lawsuit to challenge the SEC to write rules for cryptocurrencies. Coinbase’s CEO and Chief Legal Officer stated in their response and public interviews that they do not list securities and again asked for the SEC to respond to its petition from July 2022, asking the agency to define when and how a digital asset would be considered a security and to create a regulatory framework for cryptocurrencies.

Pressure for Regulation and Guidelines

The current regulatory market is not slowing down. Regulators feel pressure to create rules and guidelines, especially in the crypto and digital asset space. However, regulation by enforcement continues in the digital asset space. Additionally, manual processes are mentioned and are at the forefront of enforcement actions. With the number of options in the market and the number of enforcement actions made public, the continual occurrence of manual transaction review remains surprising. These firms should consider the use of outside vendor technologies as part of their larger suite of AML Compliance systems. There are many options in the market that are built to suit all different types of firms with differing customers, products, and risk profiles. Putting in the due diligence on these systems to find what is right for your firm’s risk profile and budgeting up front will save in the long run.

1. Joint Statement on Crypto-Asset Risks to Banking Organizations
2. FinCEN Issues Initial Beneficial Ownership Information Reporting Guidance
3. The Department of the Treasury’s De-risking Strategy
4. Financial Crimes Enforcement Network (FinCEN) Year in Review for FY 2022
5. Enforcement Actions - January 4, 2023: Consent Order Issued to Coinbase, Inc.
6. NYSDFS Enforcement Actions - January 4, 2023: Consent Order Issued to Coinbase, Inc.