Most businesses must deal with federal, state, and local laws and regulations from time to time. Operators of Bitcoin ATMs are no different. For such operators, the primary regulations arise out of the federal Bank Secrecy Act (the “BSA”), as discussed below, and the state-level money transmitter laws are discussed in another article.
The Bank Secrecy Act
First signed into law in 1970, the BSA now sets-forth the duties “financial institutions” must follow to assist the government in the detection and prevention of money laundering and terrorism financing. The Act also prescribes transactional reporting obligations and federal registration requirements. The Act is construed and administered by implementing regulations. Those regulations are administered by the Financial Crimes Enforcement Network (“FinCEN”), which is a part of the US Department of Treasury.
The BSA’s defines financial institutions broadly and now includes the term “money services business” (“MSB”). If one is an MSB, and thus a BSA financial institution, the Act’s registration, reporting and recordkeeping requirements apply.
As those who are operating in the “traditional” ATM space may know, compliance with the BSA is generally not an issue, even for non-bank operators. However, the introduction of Bitcoin tokens or other virtual currencies into the ATM world complicates matters. In measure, this is because virtual currencies came about only after the BSA was written, and that since then FinCEN has struggled to fit the round (and changing) peg of virtual currency into the square hole of the Act and its implementing regulations.
Virtual Currencies under the Act
FinCEN’s position is that the type of funds involved in a funds transmission, whether fiat or virtual currency, is generally irrelevant to its authority under the BSA.
With regard to the virtual currency world, FinCEN sees all actors as generally falling into one of three categories: “user,” “exchanger” or “administrator”. Exchangers and Administrators are both MSBs, and thus “financial institutions,” under the BSA.
Bitcoin ATMs (or virtual currency vending machines) are operated by an “Exchanger,” in the eyes of FinCEN. “An exchanger is a person engaged as a business in the exchange of virtual currency or real currency, funds or other virtual currency.”
Registration with FinCEN
A Bitcoin ATM’s operator is typically an MSB, and as a result there are two primary consequences. First, all MSBs must register with FinCEN. “Any person who owns or controls a money services business is responsible for registering the business”. FinCEN registration must be completed within 180 days of the date upon which the MSB is established, and renewed every two years thereafter. The BSA and its implementing regulations declare it unlawful for an MSB to operate without registration. Further, FinCEN has the authority to impose substantial fines for failing to register, and it is a federal crime to operate any unregistered MSB. 
The second important federal consequences of being a statutory MSB is that the Bitcoin ATM’s operator must develop and implement a written BSA and Anti-Money Laundering (“AML”) program. The BSA/AML program needs to address, at least, the five following areas:
- Create procedures and internal controls to assure operations are conducted in compliance with the BSA. The written policies must be approved by senior leadership of the operator’s entity, like the board of directors if operated as a corporation. And the policy must be commensurate to the size of and risks anticipated by the operator.
- Appoint a compliance officer responsible for implementing the controls, and otherwise guiding compliance with the AML program. The compliance officer must have knowledge of the controlling laws and operations risks; must have serious leadership authority within the organization; and must update the compliance policies as needed. The compliance office will also responsible for the organization’s filing of suspicious activity reports, as facts and circumstances may warrant.
- The operator must train, and retrain, its staff on BSA/AML rules and procedures. The training must include exposure to red flag situations which are commonly seen as indicative of suspicious activity and/or money laundering.
- The operator must test its policies for effectiveness. The test results must be documented and acted upon if deficiencies are revealed.
- The program must meet the Know Your Customer (“KYC”) requirements via a written Customer Identification Procedure (“CIP”). This is relatively new component of the BSA’s mandate is derived from Act’s basic goal of preventing the nation’s financial system from being used for illicit purposes. Although there is much to say respecting proper CIP protocol, the three main components are to verify the identity of the person opening the account or transaction, to maintain the verification records, and to determine if the person is on a list of suspected terrorist persons or organizations.
How Difficult is Compliance?
The regulatory hurdles are all manageable, of course. While compliance with the BSA is important, many businesses have obtained federal registration and thereafter have successfully operated their affairs in compliance with the BSA’s implementing regulations. Strategic planning and the correct team approach is essential to minimizing the business-costs incumbent in federal registration and the implementation of the compliance program. The correct time to consider all these regulatory issues is before one purchases and eagerly awaits the delivery of the Bitcoin ATM kiosks.