Anti-Money Laundering And Cryptocurrency: Legislative Reform And Enforcement – Technology

1. Introduction

Anti-money laundering (AML) is now seen as a
top legislative and law enforcement priority in the UK, the U.S.,
and Europe. The current direction of travel is the culmination of a
number of high-profile cases over the last decade where major
financial institutions and other financial market participants have
failed to prevent criminal funds from being “laundered”
through their accounts. At a political level, there is also a
rising awareness within American, British and European governments
that repositories of “black cash”, concealed and
dispersed through offshore financial systems and controlled by
hostile state actors such as Russia, have been used in attempts to
undermine democratic elections. The current crackdown on money
laundering activity is evident in a number of significant criminal
and regulatory enforcement actions concluded in 2020 and 2021, and
in legislative reform efforts aimed at expanding the regulated
sphere by forcing participants in other vulnerable markets
(particularly art, antiquities and jewellery) to implement AML
controls.

In many important ways, this enforcement trend appears to run
counter to the exponential rise of cryptocurrency and its
increasing prominence and acceptance by mainstream market
participants. Demand for digital assets, including Bitcoin,
Ethereum and others, keeps soaring. Bitcoin’s scarcity and
high stock-to-flow rate, in particular, make it an increasingly
attractive asset for investors. As Bitcoin’s journey towards
the mainstream continues to push forward, important questions arise
regarding how the uptake of cryptocurrency can be made compatible
with basic AML control, such as the requirements for regulated
market participants to check the identity and legitimate source of
funds of their customers.

Cryptocurrency assets such as Bitcoin present unique challenges
to the existing regulatory system. Bitcoin can be thought of as
“pseudonymous” (rather than truly anonymous) in the
sense that the components of Bitcoin, such as addresses, private
and public keys, and transactions, are all read in text strings
(for example, of a public address) that in no way directly link to
anyone’s personal identity. However, if an address is used on
an exchange that implements the kind of basic identity checks used
in the mainstream financial sector, such as Know Your Customer
(KYC), then that address, in theory, can be linked
back to a real-world identity.

This chapter explores some of the tensions and potential
pitfalls inherent in cryptocurrencies’ acceptance within the
broader financial system, particularly the regulated financial
sector and other regulated asset classes. Businesses are
understandably interested to explore opportunities brought about by
broadening acceptance of these assets, but great care needs to be
taken to manage the increasing risk of regulatory, and even
criminal, sanctions under AML legislation.

2. Growth in Virtual Currencies and Supporting
Infrastructure

In a little over a decade, Bitcoin and other cryptocurrencies
have progressed from an idea many sophisticated investors dismissed
as counterculture, to a financial phenomenon. With Bitcoin’s
market value reaching $1 trillion, and even Dogecoin, a virtual
asset created as a joke, touching a valuation of $10 billion, it
has been impossible for the financial, political and legislative
establishment to dismiss the emerging asset class of virtual
currencies. Even with little practical use for the currency at the
moment, major hedge fund managers have joined in with heavyweight
corporate investors like Tesla, Inc., and large Wall Street banks
in the move towards supporting digital assets. A number of
financial institutions are even recommending Bitcoin to retail
investors, a growing number of whom have at least dabbled in the
world of cryptocurrencies. While some banks have dipped their toes
in the water by offering services including safekeeping and
investment advice for virtual assets, earlier this year J.P. Morgan
unveiled its offering of a digital coin that would allow for
instantaneous payments using blockchain technology, JPM Coin. This
may be the first of many.

Along with taking away some of the investment base from the
conventional financial system, cryptocurrencies have taken
advantage of the traditional stock exchange. Coinbase, a
cryptocurrency exchange, listed on the Nasdaq earlier this month
with an initial valuation of $100 billion, which puts it in the
same league as heavyweights like Facebook. This for some has
indicated a coming of age for cryptocurrencies. Others highlighted
the post-listing slump in valuation as the epitome of a bubble.
There also have been high-profile scams linked to cryptocurrencies,
most notably the Ponzi scheme linked to Onecoin.¹ In any
event, with this speculative asset class becoming ever-increasingly
linked to the traditional financial system through its subscribers
and listings, regulators across the globe have been required to pay
attention both to avoid a threat to financial stability and to
close down any new avenues for financial crime.

3. Global AML Enforcement and Legislative Reform

Historically, the UK has been one of the more active
jurisdictions worldwide in AML enforcement, from the time of the
Proceeds of Crime Act 2002 (POCA) and antecedent
legislation, AML enforcement by the UK authorities was active in
2020, and has continued into early 2021. A strong focus on AML
enforcement, particularly targeting financial institutions and
high-growth sectors such as cryptocurrencies and exchanges, appears
to mirror developments in Europe and across the Atlantic, where the
Biden administration is widely expected to usher in a more
stringent regulatory environment in the financial sector.

4. UK AML Enforcement Post-Brexit

Prior to its departure from the European Union on 31 December
2020, the UK was a key player in developing the Europe-wide AML
framework through EU legislation in the form of a succession of
Money Laundering Directives. The existing Fifth Money Laundering
Directive is already fully implemented in UK law. The UK has not
opted into the EU’s Sixth Money Laundering Directive, as the
government considers that the requirements of this Directive are
already effectively in place through the UK’s existing AML
legislative framework.

Building on the offence of failure to prevent bribery in the UK
Bribery Act 2010, the UK is also actively considering expanding the
scope of “failure to prevent” offences in the financial
sector. There have been proposals to amend the Financial Services
Bill so that businesses or individuals regulated by the UK
Financial Conduct Authority (FCA) would be held
liable for failure to prevent economic crime, which would extend
not just to money laundering, but also to fraud, false accounting,
POCA offences, insider dealing, and providing false or misleading
statements. A key development in 2021 will be the UK’s
decision on whether and how to implement a new offence of this
nature. Such a development would have significant ramifications for
financial institutions operating in the UK and their employees,
particularly senior management.

Contrary to the expectations of some commentators, who predicted
a post-Brexit slackening of AML enforcement, the UK authorities
stepped up enforcement activities in the first months of 2021,
including the commencement of criminal proceedings against a large
financial institution, the levying of significant fines and an
expansion of the scope of activities covered by existing
regulations.

On 16 March 2021, the FCA announced that it had initiated
criminal proceedings against the UK bank National Westminster Bank
Plc (NatWest) for breaches of the Money Laundering
Regulations 2007 (MLR 2007) in a period covering
2011 to 2016.² The FCA alleges that NatWest failed to
conduct risk-sensitive due diligence and ongoing monitoring of its
relationships with a UK-incorporated customer for the purposes of
preventing money laundering. The FCA alleges that increasingly
large cash deposits were made into this customer’s accounts.
It is alleged that around £365 million was paid into the
customer’s accounts, of which around £264 million was
in cash.

The case is significant as it is the first criminal prosecution
under the MLR 2007 by the FCA and the first prosecution under the
MLR against a bank. The fact that the FCA has chosen to bring
proceedings under the MLR, rather than the specific AML offences
set out in the POCA, suggests that the FCA has identified
significant regulatory failures rather than acts of deliberate
involvement in money laundering.

For financial institutions and market participants, this
prosecution is a timely reminder that regulatory oversights can
also potentially invoke criminal liability in the UK. The case will
be closely followed to see the level of fine imposed and to compare
civil and criminal regime penalties. Further enforcement action is
expected in the near term, as the FCA announced in December 2020
that it is actively investigating 16 financial institutions for
AML-related issues.

The UK tax authority HM Revenue & Customs
(HMRC) is considered a supervisor for more than
30,000 businesses across the UK under the Money Laundering,
Terrorist Financing and Transfer of Funds (Information on the
Payer) Regulations 2017 (MLRs). In 2019 to 2020,
HMRC recovered over £166 million from the proceeds of crime,
of which more than £22 million was linked to money laundering
offences. In January 2021, HMRC announced a record-breaking
£23.8 million fine on MT Global Ltd., a UK-based money
transfer service, for significant breaches of the Money Laundering
Regulations 2017.³

5. U.S. AML Enforcement under the Biden Administration

In the United States, the AML landscape has also seen
significant movement as the Biden administration indicates its
intentions to ramp up enforcement in this area. The National
Defense Authorization Act for Fiscal Year 2021
(NDAA), which was passed on 1 January 2021, will
have a significant impact on the regulatory environment at the
start of the new administration. Indeed, the NDAA is the most
significant amendment to the AML landscape in a generation since
the adoption of the U.S. Patriot Act, and will require extensive
implementation by the Treasury Department.

The regulatory and legislative changes together have two
principal themes: (i) a conscious effort to evolve AML compliance
and the 1970 Bank Secrecy Act and its implementing regulations
(collectively, the BSA) to make the system more
efficient and more effective; and (ii) the adaptation of the BSA to
a new generation of threats. The NDAA extends the rules of the BSA
to cover other sectors including the art market, specifically
antiques and art dealers. The bill aims to improve AML efforts by
making it harder for purchasers to obscure their identities through
offshore entities and shell companies by requiring investors and
collectors to identify an “ultimate beneficial owner”.
It remains to be seen how these businesses will synchronise these
new requirements with recent acceptance of cryptocurrencies as a
form of payment.

On 15 January 2021, it was announced that Capital One had agreed
to pay a $390 million civil penalty to the U.S. Financial Crimes
Enforcement Network (FinCEN) after admitting to
engaging in both wilful and negligent violations of the
BSA.⁴ From 2008 to 2014, Capital One offered banking
services to a group of between 90 and 150 cheque cashers in the New
York/New Jersey area. The bank “was aware of several
compliance and money laundering risks associated with banking with
this particular group, including warnings by regulators, criminal
charges against some of the customers, and internal assessments
that ranked most of the customers in the top 100 of the
bank’s highest-risk customers for money
laundering”.

6. Recent European AML Enforcement

In April 2021, ABN Amro was fined €480 million to resolve
an investigation by the Dutch Public Prosecution Service
(OM) into “serious shortcomings” in
its AML procedures and other misconduct by its clients in the
Netherlands between 2014 and 2020.⁵

The violations were so severe that the OM accused the bank
itself of committing money laundering in addition to internal
controls failures, such as: incomplete dossiers on high-risk
customers; insufficient risk assessments on new clients; and
failures to properly report suspicious transactions. Three former
executives remain under investigation.

Danske Bank remains under criminal and regulatory investigation
by authorities in France and Denmark. Danske Bank’s Estonia
branch was allegedly a key enabler of the Azerbaijani Laundromat, a
huge money laundering scheme and slush fund that saw billions of
dollars run through the bank and into offshore companies and paid
to high-ranking officials and European politicians.⁶
Another investigation, the Russian Laundromat, revealed that $20
billion to $80 billion was fraudulently moved out of Russia through
a network of global banks that included Danske Bank.

7. FCA Guidance

While cryptocurrencies were born into a regulatory sandbox to
avoid over-regulation and allow for innovation, with the increased
investment into this volatile asset class, the FCA assumed
responsibility as the AML and counter-terrorist financing
(CTF) supervisor for such firms. As of 9 January
2021, businesses operating in cryptoasset activity in the UK are
required to comply with the MLRs.⁷ To assist the FCA in
monitoring compliance, firms engaging in cryptoasset activities are
required to register with the FCA before conducting business with
the threat of civil or criminal enforcement. Cryptoasset activities
have been broadly defined by the MLRs as:

1. exchanging or arranging to exchange money for cryptoassets or
   vice versa, or one cryptoasset for another;




2. operating machines that use automated processes to exchange
   cryptoassets for money, or vice versa; and




3. providing services to safeguard or administer cryptoassets for
   customers or private cryptographic keys.⁸

As the official gatekeeper for businesses in/seeking to expand
into the cryptoasset space, the FCA’s registration
requirement allows for confirmation that the company has adequate
systems and controls for AML compliance, and its management is fit
and proper to carry out such activities. To ensure this is the
case, the application for registration requires a plethora of
information including the organisational structure, key individuals
involved in the business, beneficial owners, systems and controls
(both IT and regulatory in relation to AML/CTF compliance), and any
other governance arrangements including diligence related to client
on-boarding and ongoing transaction monitoring. 

While it may be seen as a new asset class to regulate, the FCA
has similar expectations in relation to AML monitoring that are in
place for more conventional assets. The FCA has stated that it will
take a risk-based approach to supervision. Therefore, the larger
the potential for money laundering and terrorist financing, the
more scrutiny a firm will receive and the higher the likelihood for
FCA enforcement where misconduct is detected. Components of an
effective compliance programme will also follow in the footsteps of
conventional wisdom. These include ensuring that the business has
policies, controls and procedures that effectively manage money
laundering risks proportionate to the size and nature of the
business’ activities. Additionally, regular assessments of
the governance system will need to be conducted with a specific
focus on the impact that a change in the business’ operating
model may have on its risk profile. With the inherent volatility
and requirement for a degree of anonymity imbedded in the basic
structure of cryptoassets, businesses will be required to take an
even greater proactive monitoring role. Some of the requirements,
though not exhaustive, highlighted by the FCA include:

• taking appropriate steps to identify and assess the risks of
  money laundering;




• assess risks related to new technologies prior to launch and
  take appropriate steps to manage or mitigate such risk;




• maintain policies, systems and controls appropriate for
  mitigating the risk of the business being used as a vehicle of
  illicit financial activity, particularly money laundering and
  terrorist financing. This may include creating an internal
  independent audit function with the responsibility of examining and
  evaluating the adequacy of safeguards or, where appropriate,
  appointing a member of senior management to be responsible for
  MLRs;




• undertake adequate due diligence, including employee screening
  and customer due diligence (both at the onboarding stage and
  periodically thereafter). This may include applying more rigorous
  checks for customers who are considered a higher risk, including
  politically exposed persons; and




• ensure ongoing monitoring of all customers and transactions to
  make sure that they are consistent with the business’
  knowledge of the client’s risk profile.

Additionally, as part of the its supervisory toolkit, the FCA
now requires businesses that may engage with cryptoassets that are
outside the scope of the Financial Ombudsman Services or the
Financial Services Compensation Scheme to inform potential clients
of this prior to entering into a business relationship.

As above, the FCA’s requirements from firms engaging in
cryptoassets, for a large part, mirror the expectation for the
broader market. It is therefore worthwhile to consider what the FCA
has indicated would be effective systems and controls through
enforcement actions and guidance. Most recently, a speech by Mark
Steward, the Executive Director of Enforcement and Market
Oversight, stated that: “AML systems and controls must be
focused explicitly on activating purpose and function of those
controls, to ensure the system is not just a bureaucratic process
and to ensure it cannot be gamed.”⁹ This has given
credence to the already well-founded understanding that an AML
policy must be user-friendly, implemented in practice and show some
teeth for a regulator to consider it to be fulfilling its purpose.
Steward also laid a particular focus on cryptocurrency firms as the
FCA will consider them to be a high priority and “area of
risk”, bringing attention to the FCA’s warning list
that already has been put in place to flag firms that appear to be
working in the cryptoasset space and that have not registered with
the FCA.¹⁰

8. UK Enforcement

Recent FCA investment in enforcement
capabilities

In 2018, the UK Government established a Cryptoassets Taskforce
which comprised representatives from HM Treasury, the Bank of
England and the FCA (the Taskforce). The
Taskforce’s report, which was published later that year,
sought to set out, amongst other things, the UK’s regulatory
approach to cryptoassets.¹¹ In the same year, the FCA
published a notice on its ScamSmart webpage containing details
about cryptoasset investment scams and how to identify and avoid
them.¹² Following the publication of the
Taskforce’s report, in January 2020 the FCA became the
AML/CTF supervisor for cryptoasset firms. As a result, such firms
had to register with the UK’s financial regulator by January
2021 in order to ensure compliance with the relevant AML
legislation. Since that appointment, it has been reported that
during the course of 2020, 199 cryptoasset firms applied to
register with the FCA.¹³ As of 19 April 2021, there were
over 95 cryptoasset firms with Temporary Registration. Temporary
Registration is a provisional measure introduced by the FCA to
ensure that existing cryptoasset firms that have applied for
registration are able to continue trading pending the outcome of
their applications.¹⁴ Pursuant to the MLRs (as amended),
it is a criminal offence for a cryptoasset firm to operate without
being registered with the FCA.

Since the FCA’s assumption of the role of AML/CTF
supervisor of cryptoasset firms, it has undertaken a number of
enforcement actions in this area. Last year, the FCA banned the
sale of derivatives based on cryptocurrencies to retail investors
as it deemed the practice too risky for retail consumers. In a
statement on its website concerning the ban, the FCA stated that:
“[S]ignificant price volatility, combined with the inherent
difficulties of valuing cryptoassets reliably, places retail
consumers at a high risk of suffering losses from trading
crypto-derivatives. We have evidence of this happening on a
significant scale. The ban provides an appropriate level of
protection.”¹⁵ In February of this year, the FCA
issued a statement warning against an unregistered firm that had
been offering “trading services in digital
currencies”.¹⁶ In the same month, it was reported
that the FCA had opened 52 investigations into cryptocurrency
businesses in the last year.¹⁷

In recent months the FCA also has commented publicly, in
relatively strong terms, on the volatile nature of cryptoassets. In
January of this year, the FCA stated that “if consumers
invest in these types of product, they should be prepared to lose
all their money”.¹⁸ Given the infancy of its
regulatory remit in this field, it remains to be seen how, and to
what extent, the FCA will enforce its powers in respect of
non-compliant cryptoasset firms.

9. FCA Enforcement Powers

There are a number of regulatory tools available to the FCA, of
which enforcement is one. The FCA will refer an individual or firm
to its Enforcement division and commence an investigation into that
individual or firm in circumstances where it considers that there
has been potential serious misconduct. While the FCA states that
not all harm is caused by serious misconduct, it notes that
“serious misconduct will likely cause harm to market
integrity, confidence in the financial system or cause harm to
consumers”.19 When selecting cases to investigate, the
FCA’s Enforcement Guide states that it will consider whether
such an investigation is likely to further its aims and objectives,
by considering the following:

1. any available supporting evidence and the proportionality and
   impact of opening an investigation;




2. what purpose or goal would be served if the FCA were to end up
   taking enforcement action in the case; and




3. relevant factors to assess whether the purposes of enforcement
   action are likely to be met.²⁰

In the event that the FCA decides to take action against an
individual or firm, it has an extensive range of civil, criminal
and regulatory enforcement powers at its disposal. These
include:

• withdrawing a firm’s authorisations;




• prohibiting an individual from carrying on regulated
  activities;




• suspending firms and individuals from undertaking regulated
  activities;




• issuing fines against individuals and firms for breaching FCA
  rules or committing market abuse;




• issuing fines against firms for breaching competition
  laws;




• making public announcements when the FCA commences disciplinary
  action against individuals or firms, and when the FCA publishes
  details relating to enforcement notices (which include warning
  notices, decision notices and final notices). Following enforcement
  action, the FCA will often publish a press release;




• making court applications for injunctions, restitution orders,
  winding-up orders and other insolvency orders;




• commencing criminal prosecutions in relation to the commission
  of offences relating to financial crime. When considering this
  option, the FCA will need to be satisfied that the Full Code Test
  is met;




• issuing warnings and alerts about unauthorised individuals and
  firms; and




• requesting that web hosts deactivate
  websites.²¹

The FCA employs its criminal enforcement powers far less
frequently than its civil and regulatory enforcement powers.
Indeed, in its Enforcement Annual Performance Report for 2018/2019,
it recorded that of the 288 outcomes that it secured using its
enforcement powers, 12 of those outcomes related to criminal
disposals.²²

10. Enforcement Relating to Other UK Prosecuting Agencies

As well as the FCA, other UK enforcement agencies are beginning
to focus their efforts on cryptocurrencies being used as a vehicle
for fraud. While at present, it appears that the number of cases
prosecuted by the Crown Prosecution Service (CPS)
involving cryptocurrencies is small in comparison to the total
number of prosecutions brought by the CPS, it is anticipated that
over the next year and beyond the number of prosecutions involving
cryptocurrencies will increase. Indeed, the CPS recently stated
that 86% of reported fraud “is now estimated to be cyber
enabled, fuelled by advances in technology”. The CPS released
such data as it launched its first Economic Crime Strategy (the
Strategy) in March 2021, recognising economic
crime “as a growing area of criminality”. The Strategy
sets out the CPS’ plan to tackle economic crime over the next
five years. During the previous financial year, the CPS prosecuted
10,000 cases relating to economic crime.²³ Similarly, in
light of the increasing number of high-profile endorsements of
cryptoassets which are likely to continue to drive interest in and
demand for such assets, the National Crime Agency and Serious Fraud
Office are likely to see an increase in the number of its
investigations involving cryptoassets.

11. Summary and Key Takeaways

• Cryptocurrency is an increasingly important growth area, but it
  is fundamental that companies invest in robust internal controls to
  stay on the right side of UK regulators.




• AML will be the big focus for regulators and for criminal
  enforcement over the next few years.




• Emerging cryptocurrency businesses have a number of inherent
  vulnerabilities that make them an especially ripe target for
  regulatory enforcement: technical challenges in managing the
  pseudonymous nature of cryptoassets to conform with AML KYC
  requirements; underinvestment in risk functions (a blind spot
  shared with other “disruptor” business models); and
  others.




• Cryptocurrency companies must obtain the right advice to design
  their internal controls and to assist with their external
  communications with regulators and law enforcement.

The days of cryptocurrency operating in the Wild West are over.
The sheriff has arrived in town, and times are changing.

Footnotes

1. (Hyperlink)

2. (Hyperlink)

3. (Hyperlink)

4. (Hyperlink)

5. (Hyperlink)

6. (Hyperlink)

7. Regulation 14A of the MLRs defines cryptoasset
activities as: (1) exchanging or arranging to exchange cryptoassets
for money or one type of cryptoasset for another; (2) operating a
machine such as a crypto ATM that uses automated processes to
exchange cryptoassets into money, or vice versa; and (3)
providing custodian services for customers’ cryptoassets or
private cryptographic keys. 

8. For further information on the types of cryptoassets
that fall within the FCA’s regulatory remit, see Guidance
on Cryptoassets: Feedback and Final Guidance to CP 19/3, (Hyperlink)

9. Speech by Mark Steward, Executive Director of
Enforcement and Market Oversight, delivered at the AML & ABC
Forum 2021, 1 April 2021: (Hyperlink)

10. Unregistered Cryptoasset Businesses, (Hyperlink)

11. (Hyperlink)

12. (Hyperlink)

13. (Hyperlink)

14. (Hyperlink)

15. (Hyperlink)

16. (Hyperlink)

17. The FCA’s year end is 30 June.  This
information was released by the FCA following a Freedom of
Information Request by Reynolds Porter Chamberlain LLP.

18. (Hyperlink)

19. (Hyperlink)

20. Section 2.2.8.

21.(Hyperlink)

22.(Hyperlink)
(see page 5).

23.(Hyperlink)

Originally published by International Comparative Legal
Guides (ICLG).

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.