Recent actions filed in early October 2020 by the U.S. Department of Justice (the “DOJ”) and the Commodity Futures Trading Commission (the “CFTC”) against BitMEX, a large cryptocurrency derivatives exchange incorporated in the Seychelles, highlight how virtual asset exchange platforms can be subject to the law and potential enforcement action in multiple jurisdictions based on the locations of their customers. Shortly after the filing of these actions, the DOJ published its Cryptocurrency Enforcement Framework, which emphasized that the DOJ asserted jurisdiction over virtual asset transactions based not only on the location of customers but also contacts with “financial, data storage, or other computer systems within the United States”. These broad assertions of jurisdiction by U.S. prosecutors and regulators, and similar assertions of jurisdiction over foreign trading platforms by Canadian regulators, are a caution to virtual asset exchange platforms to carefully consider the steps taken to limit their contact with jurisdictions in which they do not wish to do business.
Since September 2015, the CFTC has taken the position that Bitcoin and other virtual currencies are commodities under the Commodity Exchange Act. Accordingly, it is the CFTC’s position that entities that offer leveraged retail transactions, futures, options or swaps for commodities are required to register with the CFTC as a future commission merchant (a “Merchant”) as well as comply with the Bank Secrecy Act, which requires Merchants to establish, implement and maintain an adequate anti-money laundering (“AML”) program. As part of the AML program, a Merchant is required to implement a written “know your client” (“KYC”) program that includes risk-based procedures for verifying the identity of its clients. At a minimum, a Merchant must collect the name, date of birth, address and government identification number of each client prior to their opening an account on the Merchant’s platform.
In light of the position taken by the CFTC in 2015, BitMEX announced it was withdrawing from the U.S. market and implemented an Internet Protocol (“IP”) address check, also known as “geo-blocking”, designed to block U.S. residents from accessing the BitMEX trading platform. BitMEX did not, however, implement a KYC program for all of its clients.
On October 1, 2020, the DOJ filed criminal charges (the “DOJ Action”) accusing four executives of BitMEX of evading rules designed to stop money laundering. That same day, the CFTC announced that it had filed a related civil enforcement action (the “CFTC Action” together with the DOJ Action, the “BitMEX Actions”) against five entities and three individuals that own and operate BitMEX, alleging that they had operated an unregistered trading platform in violation of multiple CFTC regulations, including failing to implement required anti-money laundering procedures.
The BitMEX Actions allege that, since BitMEX’s launch in November 2014, BitMEX has actively pursued and served thousands of customers located in the U.S., even after its announced withdrawal from the U.S. market in 2015. In particular, the DOJ alleges that BitMEX or its representatives:
- conducted operations from an office in New York, including customer support, business development and marketing, involving customers located in the U.S.;
- attended U.S. cryptocurrency conventions where it marketed its platform to prospective U.S. clients;
- appeared on U.S. television programmes to promote its services; and
- facilitated the use of its platform by U.S. residents, in one instance even allegedly going so far as to alter a prominent U.S. investor’s country of residence in his BitMEX account to one other than the U.S.
Notably, the DOJ alleges that BitMEX’s geo-blocking of U.S. IP addresses was deficient and failed to prevent U.S. persons from trading on the BitMEX platform. In particular, the DOJ alleges BitMEX failed to implement measures to restrict access to its platforms by clients using a virtual private network (“VPN”), which can be used to mask the location of a computer’s IP address and thereby circumvent geo-blocking.
Based on these allegations, the DOJ and the CFTC allege that BitMEX failed to register with the CFTC as a Merchant as required by the Commodities Exchange Act and knowingly operated its platform in violation of multiple CFTC regulations and the Bank Secrecy Act, including applicable AML and KYC requirements.
The (continued) long reach of U.S. regulators
The BitMEX Actions confirm the willingness of U.S. regulators to assert jurisdiction over virtual asset exchange platforms operating from outside the United States but allegedly with customers or other contacts within the U.S.
As well, shortly after the DOJ Action was filed, the DOJ published its Cryptocurrency Enforcement Framework, a report summarizing its cryptocurrency-related enforcement work to date. In this report, the DOJ emphasized its position that it has “robust authority” to prosecute virtual asset service providers and other entities that violate U.S. laws even when they are not located inside the U.S. The Report asserts that “[w]here virtual asset transactions touch financial, data storage, or other computer systems within the United States, the Department generally has jurisdiction to prosecute the actors who direct or conduct those transactions.”
The Canadian context
Like U.S. regulators and prosecutors, Canadian regulators also take the view that they have jurisdiction over online securities trading platforms operated from outside Canada but with Canadian clients. For example, in September 2018, the Ontario Securities Commission (the “OSC”) reached a settlement [PDF] with eToro (Europe) Limited (“eToro”), a Cyprus-based company that had engaged in online trading of securities or derivatives with Ontario residents, including contracts for difference based on exposure to underlying assets which included cryptocurrencies and stocks. eToro was not a reporting issuer in Ontario, nor was it registered to engage in the business of trading in accordance with Ontario securities law. Nonetheless eToro operated approximately 2,500 accounts for Ontario residents between 2008 and 2017. The OSC settled an enforcement action with eToro based on, among other terms, a CAD$550,000 administrative penalty, disgorgement of nearly USD$2 million, and an undertaking to return funds to Ontario accountholders.
Takeaways for virtual asset exchange platforms
Online virtual asset exchange platforms that do not intend to accept U.S. and Canadian residents as clients nonetheless need to be careful about inadvertent non-compliance with U.S. or Canadian securities, derivatives, money transmission or other laws. At a minimum, platforms need to consider adequate measures to prevent residents from these jurisdictions from accessing their services, but as the DOJ’s Cryptocurrency Enforcement Framework notes, prosecutors or regulators may assert jurisdiction based on financial or technical contacts. Regulators appear to be highly skeptical of geo-blocking of IP addresses, which suggests that more robust KYC processes should be considered to exclude residents from certain jurisdictions.