Regulation
Compliance Considerations for the Cryptocurrency Industry
The federal government’s high-profile crackdown on crypto companies requires all cryptocurrency market participants to redouble their compliance efforts, both to satisfy regulators and to confirm the trust of customers and counterparties
Crypto compliance right now requires sophistication. Despite the absence of industry-specific regulatory regimes, several U.S. regulatory and law enforcement agencies have aggressively asserted jurisdiction over the digital asset universe. To date, the U.S. Department of Justice and regulators, including the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and others at the federal and state levels, have pursued enforcement actions against cryptocurrency exchanges, cryptocurrency trading, coin offerings, non-fungible tokens, stablecoins and more, usually with conflicting and competing demands for information and guidance. These efforts often lacked coordination and were led by divergent opinions on the applicable legal theories even when faced with a set of common facts.
The absence of regulatory guidance combined with hyperactive law enforcement efforts creates treacherous waters for even the most diligent of compliance officers. Recent comments by SEC Enforcement Division Director Gurbir Grewal on compliance expectations, particularly regarding the individual responsibility of compliance personnel, should raise concern among cryptocurrency market participants. Grewal emphasized that the SEC will take action against compliance personnel “where there is a total failure by compliance personnel to carry out their compliance responsibilities.” This test depends critically on agreement or consensus regarding compliance responsibilities. Unlike the traditional financial services industry, the cryptocurrency space has no federal legislation or substantive regulatory framework, which raises the possibility that even good faith efforts will be deemed insufficient by regulators and perhaps characterized as “wholesale failures” meriting sanctions, according to Director Grewal’s public statements.
Crypto risk areas
Crypto compliance officers don’t have the luxury of waiting for clearer regulations to be promulgated. Instead, they must ensure, even in this uncertainty, that their protocols satisfy a range of regulators who have murky and often divergent expectations. Some key areas of focus, described below, are essential to reduce risk and inspire confidence in a program’s effectiveness.
Understanding blockchain technology
Companies involved in cryptocurrency and their executives need to have people working on their compliance team who fundamentally understand blockchain technology, the foundation of cryptocurrency-based business. Compliance teams must be able to educate employees on compliance expectations and educate regulators about their crypto products and operations. Communicating effectively with both constituencies will ensure a highly functioning and defensible compliance regime.
Anti-money laundering procedures
A key area for your compliance strategy to focus on is implementing a satisfactory and robust anti-money laundering (AML) program. The decentralized and pseudonymous nature of cryptocurrencies is often viewed with suspicion by regulators as a channel to hide illicit activity. Indeed, anti-money laundering experts point out that failure to comply with anti-money laundering requirements is often an integral part of the charges that regulatory agencies bring against companies. Without adequate safeguards against money laundering and the risk of other financial crimes, crypto companies are vulnerable to regulatory scrutiny and exploitation by malicious actors.
Cryptocurrency trading firms must enhance traditional anti-money laundering procedures by incorporating cryptocurrency-specific monitoring and analysis into their compliance regimes, including the use of blockchain intelligence tools to identify crypto wallet addresses that are risky and/or associated with terrorism. Additionally, companies should be aware that they are being assessed under the Bank Secrecy Act (BSA). For example, in October 2022, Bittrex was considered a financial services company, and was ultimately fined more than $24 million by the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) – both agencies within the U.S. Department of the Treasury – for failure to comply with the BSA, anti-money laundering laws and other sanctions. Key to the sanctions was Bittrex’s access to customer IP and physical address information collected from onboarding new customers. The company knew that numerous customers were located in sanctioned jurisdictions, but did not filter customer information for associations with those jurisdictions.
Violations of the BSA by crypto companies could also have criminal consequences. In May 2022, the former CEO of BitMEX, one of the oldest and largest convertible virtual currency derivatives markets, was sentenced in the Southern District of New York to six months of house arrest and a $10 million fine for violating the BSA by failing to establish, implement and maintain an anti-money laundering program, including a program to verify the identity of BitMEX customers via a properly administered Know Your Customer (KYC) program. The company also settled charges with the CFTC and FinCEN in 2021, paying $100 million for BSA and AML violations.
Retention policies
Retention policies are a relatively simple proactive step compliance officers can take to build goodwill with regulators. There are no explicit regulatory retention obligations for crypto companies, in stark contrast to the explicit obligations governing the traditional financial space. Nonetheless, regulators believe that retention policies are an indicator of a company’s compliance culture. To give just one example, in the recent judicial proceedings and conviction of FTX founder Sam Bankman-Fried, prosecutors pointed to FTX’s lack of a retention policy as evidence of wrongdoing. Such negative impressions are avoidable. Cryptocurrency trading companies should consider creating systems that, as appropriate, can record:
- business data, including profit and loss data;
- employees who trade assets or operate automated trading strategies; and
- the quantity and type of assets exchanged.
Additionally, companies involved in the crypto industry should consider retaining all communications related to company accounts for a few years, including not only standard communication methods such as emails and instant messaging systems, but also the less traditional modes of communication common in the crypto space.
Third-party due diligence
Companies involved in the crypto industry should be rigorous in implementing risk-based approaches when interacting with third-party providers. Regulators have been clear in the mainstream financial world that companies are responsible not only for their own compliance obligations, but also those of the third-party providers they rely on. In fact, the Interagency Guidance on Third-Party Relationships: Risk Management from the US Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency advised that: “[t]he scope and degree of due diligence should be commensurate with the level of risk and complexity of the relationship with third parties. More comprehensive due diligence is particularly important when a third party supports high-risk activities, including critical activities.”
This regulatory focus will be amplified in the crypto space. The government views the cryptocurrency industry as a fundamentally high-risk industry, often based in part on a poor understanding of the crypto ecosystem and its newness. This means that third party diligence requirements are very likely to be an expected area of regulatory scrutiny. Marketing and development efforts that involve third parties, often leveraging less disciplined mediums such as social media, podcasts, and collaborative workshops, create space for misunderstandings and potential problems. Accordingly, as part of a third-party risk assessment program, crypto companies should conduct due diligence on third parties before engaging them.
Audits
Effective and sustainable compliance programs can use internal and external audits to overcome any issues and demonstrate the effectiveness of the program. When performed on a regular basis, audits pressure-test compliance programs and give regulators comfort about a company’s compliance culture. Given the challenges many regulators face in understanding the technologies in operation and identifying a legal theory of culpability, some regulators have pointed to the weak compliance culture at crypto companies as a means to advance investigations.
Data privacy and security issues
Operating in a digital environment, the risk of data leaks, cyber attacks, phishing schemes and malicious actors remains ever-present; and since cryptocurrency is a booming new industry, scammers have been targeting it heavily.
Because cryptocurrencies use blockchain technology for verification and do not pass through financial institutions, it is also more difficult to recover the proceeds of the theft and its impact. Compliance officers must create tailored provisions that safeguard internal company data, partner and consumer data, and company and customer assets.
Conclusion
The crypto enforcement landscape continues to evolve rapidly, but with no sign of increased statutory or regulatory guidance in the immediate future. In December, the SEC denied a petition from Coinbase seeking new rules aimed specifically at the digital assets sector. The SEC said it will propose neither new rules nor long-sought clarifications on its expectations because the SEC fundamentally maintains that current securities regulations provide crypto companies with sufficient notice of their obligations. This is a premise that few, if any, crypto industry professionals agree with.
There is no indication that law enforcement efforts will slow: if anything, an increased scale of law enforcement is likely, if not certain. Therefore, it is up to compliance departments and their officials to be proactive in creating the best compliance programs to continue to protect not only the company and its customers, but also to insulate themselves from enforcement investigations and potential liability.
Raja Chatterjee contributed to this article. He is a former prosecutor and served as in-house counsel with responsibility for legal, risk and compliance functions.