On July 26, 2017, the Financial Crimes Enforcement Network (FinCEN) of the US Department of the Treasury assessed a civil monetary penalty of $110,003,314 against Canton Business Corporation (BTC-e), one of the largest virtual currency exchanges by volume in the world, and a $12,000,000 penalty against Alexander Vinnik, a Russian national who allegedly controlled, directed, and supervised BTC-e’s operations, finances, and accounts. On the same day, a 21-count criminal indictment against BTC-e and Mr. Vinnick was unsealed, and Mr. Vinnick was arrested in Greece.

This is the second supervisory action that FinCEN has taken against a virtual currency exchanger, and the first against a foreign entity operating as a money services business (MSB) with activities in the United States. FinCEN’s action also imposes the second highest civil monetary penalty assessed against an MSB to date. FinCEN has increasingly brought enforcement actions against MSBs and other non-traditional financial institutions, and similar actions seem likely in the future.

According to FinCEN, BTC-e lacked basic controls to prevent the use of its services for illicit purposes, and as a result, purportedly maintained a customer base of criminals who concealed and laundered proceeds from crimes such as ransomware, fraud, identity theft, tax refund fraud schemes, public corruption, and drug trafficking, none of which BTC-e reported to FinCEN and law enforcement as required.

Specifically, the penalty assessment concluded that BTC-e violated FinCEN’s regulations issued under the Bank Secrecy Act (BSA) applicable to financial institutions by willfully failing to:

  1. Register with FinCEN as an MSB
  2. Implement an effective anti-money laundering (AML) compliance program
  3. Detect suspicious transactions and file suspicious activity reports (SARs)
  4. Obtain and retain records relating to transmittals of funds in amounts of $3,000 or more

FinCEN further determined that Mr. Vinnik willfully participated in these BSA violations.

Background

According to FinCEN, BTC-e provides services related to the exchange of currency and virtual currency; and its operations involve the purchase and sale of fiat currency (US dollars, Russian Rubles, and Euros) and virtual currencies (Bitcoin, Litecoin, Namecoin, Novacoin, Peercoin, Ethereum, and Dash), as well as enable users to send and receive fiat currencies, including US dollars, with other BTC-e users. Since 2011, BTC-e has served approximately 700,000 customers worldwide.

Jurisdiction

Although BTC-e is not a US company, FinCEN asserted jurisdiction because BTC-e conducts business as an MSB in substantial part within the United States. More specifically, FinCEN regulates as “money transmitters” (MTs) any person in the business of accepting currency, funds, or any substitute for currency from one person and transmitting such currency, funds, or substitute for currency to another person or location (unless an applicable exemption applies). To establish jurisdiction, FinCEN asserted that:

  • Since 2011, BTC-e customers located within the United States conducted at least 21,000 virtual currency transactions worth over $296,000,000.
  • These transactions included funds sent from customers located within the United States to recipients who were also located within the United States.
  • These transactions were processed through servers located in the United States.
  • BTC-e attempted to conceal that it provided services to customers located within the United States.
  • BTC-e instructed customers to make use of correspondent accounts held by foreign financial institutions or services provided by affiliates of BTC-e located abroad.

Willful Conduct

To justify its penalty, FinCEN alleged the following relevant facts of illegal conduct, in contravention of legal requirements for MSBs/MTs under the BSA.

  • Failure to register: BTC-e neither registered with FinCEN as an MSB, nor appointed an agent for service of process in the United States – notwithstanding guidance issued by FinCEN in 2013 clarifying the application of these requirements to virtual currency firms such as BTC-e.  
  • Failure to maintain an effective AML program: BTC-e lacked adequate controls to verify customer identification, identify and report suspicious activity, and prevent money laundering and the financing of terrorist activities commensurate with the risks posed by its customers, the nature and volume of the financial services it provides, and the jurisdictions in which services are provided.
    • BTC-e failed to collect and verify basic customer information, allowing its customers to open accounts and conduct transactions with only a username, password, and an email address.
    • The minimal identification information collected was the same regardless of how many transactions were processed for a customer or the amount involved.
    • BTC-e lacked adequate internal controls to mitigate the risks presented by identifiable applications to anonymize users, including by virtual currency mixers.
    • BTC-e allowed over $40 million in transfers on its platform from bitcoin mixers. According to FinCEN, mixers anonymize bitcoin addresses and obscure bitcoin transactions by merging together inflows and outflows from many different users. Instead of directly transmitting virtual currency between two blockchain addresses, the mixer disassociates connections. Mixers create layers of temporary virtual currency addresses operated by the mixer itself to further complicate any attempt to analyze the flow of virtual currency.
    • BTC-e facilitated transfers of the convertible virtual currency Dash, which has a feature called “PrivateSend” that FinCEN alleged provides a decentralized mixing service within the currency itself to enhance user anonymity.
    • BTC-e lacked adequate procedures for conducting due diligence, monitoring transactions, and stopping transactions that facilitated money laundering or other illicit activity. In particular, users of BTC-e explicitly discussed conducting criminal activity through the website’s internal messaging system and public user chat. BTC-e received inquiries from customers on how to process and access proceeds obtained from the sale of illegal drugs on dark net markets, including Silk Road, Hansa Market, and AlphaBay.
    • BTC-e failed to conduct due diligence on the transactions or on the accounts in which the stolen virtual currencies were held. Notably, BTC-e processed transactions involving funds stolen from the Mt. Gox exchange between 2011 and 2014, which were sent and held at three separate but linked BTC-e accounts.  
  • Failure to file SARs: BTC-e processed thousands of suspicious transactions without filing a single SAR. More specifically, BTC-e failed to file a SAR for the following unreported transactions:
    • Over 1,000 transactions by the unregistered US-based virtual currency exchange Coin.mx. Its operator Anthony R. Murgio pled guilty to charges that included conspiracy to operate an unlicensed money transmitting business and processing over $10 million in virtual currency transactions derived from illegal activity, ransomware extortion payments. After the conviction of Coin.mx’s operator, BTC-e did not conduct reviews of the transactions that BTC-e processed for Coin.mx.
    • Transactions worth $800,000 tied to the ransomware known as “Cryptolocker,” and over 40% of all virtual currency transactions associated with the ransomware scheme known as “Locky.” In the latter case, public information identified the blockchain addresses associated with Locky, but BTC-e did not conduct any due diligence on the recipients of the funds.
    • Transactions with Liberty Reserve, a Costa Rica-based administrator of virtual currency that laundered approximately $6 billion in criminal proceeds. In 2013, the US government shut down its website and FinCEN issued a finding that Liberty Reserve was a financial institution of primary money laundering concern. BTC-e allegedly shared customers with Liberty Reserve, and offered “BTC-e code” as redeemable for Liberty Reserve virtual currency.  
  • Failure to comply with BSA recordkeeping requirements: Transactional records maintained by BTC-e lacked information such as name, address, and account numbers for the transmittal of funds in amount of $3,000 or more.

Implications

Persons providing services to BTC-e in furtherance of its virtual exchange operations would be well advised to review their business for potential US legal risks.

On the one hand, this case may be seen to present an extreme example of non-compliance, with the suggestion of egregious, willful conduct at BTC-e and its senior management to launder criminal proceeds. On the other hand, the case demonstrates the continued importance of FinCEN’s BSA regulatory framework to companies in the technology sector that facilitate transactions in virtual currency. FinCEN’s 2013 regulatory guidance on administering, exchanging, and using virtual currency and subsequent statements make clear that FinCEN will enforce AML requirements against MSBs/MTs, with particular scrutiny on exchanges of virtual currency and systems providing services for such exchanges.

Even for businesses operating in good faith, the BSA and FinCEN’s implementing regulations are a complicated area of compliance obligations, particularly for emerging virtual currency and tokenized value transmission companies. Entities that exchange or transmit such currencies and their principals face significant criminal and civil legal exposure in the absence of a robust AML compliance program, adequate procedures to combat money laundering and terrorist financing, and a process for reporting SARs. A company’s location overseas is not necessarily a defense, as the BSA and FinCEN’s regulations apply to non-US firms that do business “wholly or in substantial part within the United States.” Companies that facilitate transactions in virtual currency should review FinCEN’s guidance and obtain compliance advice and counsel when necessary.