On October 19, 2020, the Financial Crimes Enforcement Network (FinCEN) released its assessment of a $60 million civil monetary penalty against the operator of two cryptocurrency “mixers” for violations of the Bank Secrecy Act (“BSA”). The action marks the first effort by FinCEN to target the use of these “mixers” to facilitate money laundering and demonstrates FinCEN’s ongoing commitment to regulate entities that transmit cryptocurrencies as money service businesses (“MSBs”) under the BSA.
The action concerned Larry Dean Harmon (“Harmon”), a vendor on the “dark web” who operated a search engine, Grams. Grams allowed users to access and search the onion router network, commonly known as Tor. Grams aggregated dark web content and allowed users to search for illegal drugs, firearms, and Personally Identifiable Information.
In 2014, Harmon expanded his business to cryptocurrency. He founded a virtual currency exchanger, Helix, and linked Helix to Grams. Helix charged customers a fee to transfer bitcoins from a personal account to a designated address without identifying the source or owner of the bitcoin, a process known as “tumbling.” Harmon offered users two options for transferring bitcoin. Users created a virtual “wallet” in Helix associated with a Grams account, and transferred bitcoin to that wallet. The customer would complete a withdrawal form that designated the destination address for the bitcoin. Helix would then break up the bitcoin, sending portions to accounts it held at cryptocurrency exchanges. Helix would concurrently transfer bitcoin from its own account to a different bitcoin address and ultimately to the destination address desired by the customer, minus a fee. Once the withdrawal was complete, Helix allowed customers to delete all records of the transaction.
Alternatively, Harmon offered customers a service, “Helix Light,” that did not require creating a Grams account. For this service, customers provided a destination address for the bitcoin, and then sent the desired amount of bitcoin to an address provided by Helix Light. Helix Light would transmit the bitcoin deposited in its wallet to one of its own accounts at various cryptocurrency exchanges. It would then transfer bitcoin from a different account to yet another account. From that account, Helix Light would transmit bitcoin to the destination address provided by the customer, minus a small fee. Harmon never registered Helix or Helix Light as money service businesses with FinCEN. FinCEN ultimately traced more than $121 million in bitcoin transfers through Helix and Helix Light.
After three years operating Helix, Harmon formed an additional cryptocurrency service, CoinNinja. Unlike Helix, CoinNinja was readily accessible by ordinary retail customers, and expressly operated as a money service business. CoinNinja’s website advertised bitcoin “mixing” services, and provided a service, “Dropbit”, that allowed customers to transmit and accept bitcoin through social media services and text messages. Harmon also advertised CoinNinja as a tool for sidestepping Know Your Customer procedures.
The FinCEN Determination:
FinCEN’s investigation resulted in three determinations. First, FinCEN found that Harmon willfully violated the MSB registration requirements of the BSA. Harmon operated Helix and Helix light for more than three years and never registered either entity with FinCEN. Similarly, Harmon never registered CoinNinja or its associated service, DropBit, as an MSB.
Second, FinCEN found that Harmon failed to implement an effective anti-money laundering (“AML”) program, as required by the BSA and its implementing regulations. The BSA regulations require all MSBs to develop and implement an effective, written AML compliance program, targeted to reduce the risks posed by the MSB’s operations. Harmon never developed policies, procedures, or internal controls, or designated a chief compliance officer for either Helix or CoinNinja. Helix failed to maintain files on its customers, provided no AML training to its employees, and conducted no independent testing. In fact, FinCEN determined that Harmon “actively aided cybercriminals” to avoid the “internal controls in place at U.S.-based convertible virtual currency exchanges.” Harmon also advertised his service as a vehicle for “break[ing] the blockchain taint” and preventing effective transaction tracing.
Third, FinCEN found that Harmon failed to file mandatory Suspicious Activity Reports (“SARs”) on highly questionable transactions processed by Helix, Helix Light, and CoinNinja. FinCEN identified nearly 2,500 transactions where Harmon should have filed a SAR, and failed to do so. Many of these transactions involved “illicit markets” on the dark web where, according to FinCEN, “individuals bought and sold illicit services” using Bitcoin. Harmon also failed to file SARs on transactions between Helix and convertible virtual currency mixing services—services that, according to FinCEN, impede effective transaction tracing.
The FinCEN Penalty Calculation
For these violations, FinCEN calculated a potential maximum penalty of more than $209 million. The BSA permits FinCEN to impose a maximum penalty of $100,000 for each willful BSA violation. The BSA also authorizes a fine of up to $5,000 for failure to register as an MSB. In accordance with the Federal Civil Penalties Inflation Adjustment Act of 1990, FinCEN may then adjust these penalties by applying a penalty adjustment table, found at 31 C.F.R. § 1010.821, for each offense that occurred after November 2, 2015.
The inflation-adjusted penalties in effect at the time of Harmon’s misconduct allowed FinCEN to fine Harmon up to $57,317 for each willful violation of the BSA AML requirements, including Harmon’s failure to adopt an adequate AML compliance program. For willfully failing to file SARs, the penalty adjustment table allowed FinCEN to fine Harmon the greater of the amount of the transaction (up to a maximum of $229,269) or $57,317. The penalty adjustment table further allowed FinCEN to fine Harmon $8,457 for each violation of the MSB registration requirements. Each day the violations continued constituted a separate offense.
FinCEN then considered ten factors in determining the final penalty. Notably, these factors closely parallel the so-called “Filip Factors” – the criteria set forth by the Department of Justice (“DOJ”) for determining whether to file charges in a corporate investigation. The factors are:
- The Nature and Seriousness of the Offense and the Resulting Harm to the Public
- The Impact of the Violations on the FinCEN Mission of Safeguarding the Financial System
- The Pervasiveness of the Wrongdoing
- The History and Duration of the Violations
- Financial Gain from the Violation
- The Systemic Nature of the Violations
- Timely and Voluntary Disclosure of Violations
- Penalties by Other Governmental Entities
Applying these factors, FinCEN arrived at a final penalty of $60 million. FinCEN found that Harmon’s conduct was serious and egregious, particularly given that Helix and CoinNinja operated in a high-risk industry. FinCEN also found that Harmon and his entities “openly flouted existing regulatory requirements” and facilitated money laundering, hindering the efforts of law enforcement. FinCEN criticized Helix’s failure to invest “any resources” in compliance, and emphasized that its failure to file SARs “denied potentially critical information to the BSA database” for at least three years. FinCEN noted that rather than adopting policies to comply with the BSA, Helix “instead instituted policies and procedures that allowed customers of darknet marketplaces to launder bitcoin.”
FinCEN’s action suggests three pertinent takeaways. First, between the recent charges filed by the Department of Justice against BitMEX and this action, it is clear that FinCEN and law enforcement are increasingly focused on cryptocurrency businesses with willfully deficient AML compliance programs, as well as cryptocurrency businesses that facilitate money laundering and other crimes.
Second, cryptocurrency businesses that currently fail to invest in effective AML programs as a way to reduce compliance costs, or that prioritize revenue and marketing over BSA compliance, should quickly implement and maintain effective AML and sanctions compliance programs to avoid regulatory scrutiny and corresponding penalties.
Third, traditional financial institutions and AML-compliant cryptocurrency businesses that seek to do business or partner with other cryptocurrency businesses should ensure that their due diligence efforts are robust and focus on obtaining proof of effective AML compliance programs. “Proof” may include site visits and walkthroughs that focus on financial crime compliance, close reviews of AML and sanctions policies and procedures, and reviews of sample BSA-AML alerts and the disposition of those alerts.