I see people saying “Bank Grade AML” in their marketing and promotions quite a bit lately. What’s it mean?
Well, actually there is no defined standard for that; it’s not a real term. People use it to mean “like a bank.” A bank is a BSA-subject firm and has enhanced responsibilities – especially when receiving cash deposits or conducting international business – and is under constant scrutiny from the various regulators (OCC, FDIC, Treasury, state banking commissioner, etc.), each of which has guidelines for banks, as well as annual examination guidelines. All banks and trust companies are subject to these standards and perform numerous anti-money laundering checks on customers, as well as detailed know-your-customer (KYC) onboarding. Money Services Businesses (MSBs) and other types of BSA-subject firms are also generally held to these standards, even though they are not banks or trust companies.
How does this apply to cryptocurrency and the digital economy, and ICOs in particular?
ICO issuers, as you likely know, must register with FinCEN as a Money Services Business (MSB) if they are touching cash or cryptocurrency, or if they are minting tokens. And if they are touching money or cryptocurrency then they must also register with each state as a Money Transmitter (no reciprocity or preemption like there is for banks and trust companies). They are required to develop, implement and monitor their own risk-based controls and an appropriate in-house BSA program, and to administer it directly, as well as meet a number of reporting, record-keeping and data privacy obligations. Simply “punting” this and outsourcing to an unregulated service provider does not change your responsibilities or liability for any failure. They can NOT rely on any third-party firm to do this for them except for banks or clearing firms who are performing and taking liability for the AML, and who are “minting” the tokens.
Why is this important?
Disturbingly, I see a lot of people either ignoring this or doing it wrong and setting themselves up for serious problems. Technology entrepreneurs chafe at regulation, I understand that. It’s a burden, it’s a hassle, it’s expensive, and at times it just doesn’t make sense. But it is what it is. Violations of regulations can lead to fines, offering rescissions, civil lawsuits, sanctions and even jail time for officers, directors and even outside lawyers and broker-dealers advising an ICO.
Often I hear people say “oh, we are using such-and-such AML firm to do this for us.” Huh? You can’t do that. The issuer can certainly rely on non-bank AML providers for data feeds and even to do a lot of the leg-work in processing and clearing exceptions. That’s fine; banks and trust companies all do that (e.g. LexisNexis, Trulioo, IdentityMind, etc.). But the responsibility is on the issuer, not the outsourced firm (unless they are a bank or clearing firm), to develop, staff and run an in-house BSA program, file CTRs, SARs and other reports, and make accept/deny decisions.
Developing an in-house BSA program will cost an issuer quite a bit of money, and require time to put together and monitor on a day-to-day basis (heck, finding and hiring a CAMS-credentialed chief compliance officer doesn’t happen overnight). Furthermore, there are numerous ongoing expenses, as the issuer will without a doubt be spending time and money cooperating with investigators and information requests:
- Grand jury subpoenas,
- SEC investigations,
- FBI investigations,
- IRS Criminal Division investigations, and,
- state attorney general investigations.
Yes, really. Take it from me, as we are one of the firms on the front line doing this for issuers and others in the market. As the saying goes, this stuff is real. So, to run their own AML program, the issuer will need lawyers to deal with these things as they will happen.
Can the time and cost of developing your own AML compliance program be avoided? Maybe. The only way I know of to ensure that your ICOs (and STOs) are complying with the rules is to rely on a bank, trust company or clearing firm (note that the list does not include MSBs) to:
- touch and handle all the money and cryptocurrency;
- perform KYC and AML on all customers and investors, and (important) take responsibility AND liability for those processes and determinations;
- perform directly or require a law firm to perform Bad Actor checks pursuant to Dodd-Frank on issuers and all associated persons;
- trigger the smart contract to distribute tokens to cleared persons’ wallets (what regulators see as the “minting”);
- OFAC every receipt of cash or crypto, every disbursement of cash or crypto, and every customer at least quarterly.
In conversations about this, some issuers have said “my lawyers say I don’t have to do this, and that FinCEN’s letter/guidance was an internal memo and they aren’t really serious about it.” Really? Make sure your lawyers have actually picked up the phone and directly spoken to the staff at FinCEN, as my attorneys have repeatedly, as I believe they will get a very different response. Ignorance of the law is not a get-out-of-jail-free card; it’ll get you in trouble.
If you are involved in the digital economy, you are required to perform AML and KYC. Cryptocurrency and tokens are, to regulators, no different than someone walking into the bank with a bag of cash – you have no idea where it really came from, but that doesn’t mean you can’t accept it, provided you undertake heightened AML and KYC procedures.
When people complain about the cost of our ICO escrow services, I point out that it’s far cheaper than doing it themselves. And not many other financial institutions are stepping up to take liability and to mint tokens, as required. And at the end of the day, I think that issuers need to spend their time and resources building their core business, not on trying to be a BSA-compliant firm.