The Financial Crimes Enforcement Network (FinCEN) recently issued guidance (link to document) consolidating current FinCEN regulations, rulings, and guidance about cryptocurrencies and money services businesses (MSBs) under the Bank Secrecy Act (BSA). Along with the May 9 guidance (link), FinCEN issued an advisory to assist financial institutions in identifying and reporting suspicious activity or criminal use of cryptocurrencies.
Rather, it consolidates current FinCEN regulations, guidance and administrative rulings that relate to money transmission involving virtual currency, and applies the same interpretive criteria to other common business models involving CVC (Convertible Virtual Currencies). FinCEN’s rules define certain businesses or individuals involved with CVCs as money transmitters subject to the same registration requirements and a range of anti-money laundering, program, recordkeeping (the process of recording transactions and events in an accounting system), and reporting responsibilities as other money services businesses.
Peer-to-Peer (P2P) Exchangers
- P2P exchangers are (typically) natural persons engaged in the business of buying and selling cryptocurrencies.
- As money transmitters, per the guidance, P2P exchangers are required to comply with applicable BSA obligations, including registering with FinCEN as an MSB and complying with anti-money laundering (AML) program, recordkeeping, and reporting requirements (including filing SARs and CTRs).
- Cryptowallets are interfaces for storing and transferring cryptocurrencies, and could include mobile wallets, software wallets, and hardware wallets.
- The guidance outlines the following four factors used to determine if a wallet provider needs to register as an MSB: Who owns the value; Where the value is stored; Whether the owner interacts directly with the payment system where the cryptocurrency runs; Whether the person acting as intermediary has total independent control over the value
- Based on these factors, the guidance makes a sharp distinction between hosted and nonhosted wallets (custodial vs. noncustodial).
- For hosted wallets, generally the owner of the currency interacts with the host and the host has total independent control over the value of the wallet (although it is contractually obligated to access the value only on instructions from the owner). To determine its specific requirements under the BSA, the host must look to the nature of the owner and the types of transactions that it channels to or from the owner.
- Nonhosted wallets are software hosted on a person’s computer, phone, or other device that allow the person to store and conduct transactions. Generally, the value (by definition) is the property of the owner and is stored in a wallet, while the owner interacts with the payment system directly and has total independent control over the value. Insofar as the person conducting a transaction through the nonhosted wallet is doing so to purchase goods or services on the user’s own behalf, such person is not a money transmitter and is not subject to the BSA.
- Cryptocurrency kiosks are described by FinCEN as ATMs for cryptocurrencies.
- The guidance treats cryptocurrency kiosks as MSBs, meaning that an owner-operator must comply with regulations governing money transmitters.
Decentralized Applications (DApps)
- DApps is a term that refers to software programs that operate on a P2P network of computers running a blockchain platform.
- When a DApp performs money transmissions, the definition of money transmitter, and the requirements that go along with it, will apply to the DApp, the owners/operators of the DApp, or both.
- Certain cryptocurrencies (also called privacy coins) are specifically engineered to prevent their tracing through distributed public ledgers, and certain cryptotransactions are structured to conceal information otherwise generally available.
- The guidance states that such transactions and currencies are subject to the same regulatory regime as nonenhanced cryptocurrencies.
The guidance also enumerates specific business models that, depending on the facts and circumstances, may not be MSBs, such as certain cryptocurrency trading platforms and decentralized exchanges, ICOs, cryptocurrency miners, and DApp developers.
Further, the guidance reiterates that entities such as banks or other financial institutions that are registered with the CFTC and SEC are excluded from the definition of an MSB for purposes of the BSA (although they would still have to abide by the BSA regulations applicable to their own status).