InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS to collect assessment fees from licensed virtual currency businesses
On April 9, the New York governor signed S. 8008-C, which enacts the state’s 2023 fiscal year budget and requires, among other things, NYDFS to start charging a new assessment fee to all virtual currency businesses licensed in New York in order to cover the costs associated with their oversight and “defray operating expenses.” Specifically, Section 206 is amended to read: “The expenses of every examination of the affairs of any person regulated pursuant to this chapter that engages in virtual currency business activity shall be borne and paid by the regulated person so examined, but the superintendent, with the approval of the comptroller, may in the superintendent’s discretion for good cause shown remit such charges.” The amendments do not specify a specific assessment amount, however regulated companies engaged in virtual currency business activity “shall be assessed by the superintendent for the operating expenses of the department that are solely attributable to regulating such persons in such proportions as the superintendent shall deem just and reasonable.”
NYDFS Superintendent Adrienne A. Harris issued a press release the same day praising the budget adoption as it now allows the Department to collect supervisory costs from licensed virtual currency businesses as it does for banking and insurance companies. Noting that “New York was the first to start licensing and supervising virtual currency companies,” Harris said that the “new authority will empower the Department to build staff with the capacity and expertise to best regulate and support this rapidly growing industry.”
Virginia allows banks to provide virtual currency custody services
On April 11, the Virginia governor signed HB 263, which permits banks in the Commonwealth to provide customers with virtual currency custody services “so long as the bank has adequate protocols in place to effectively manage risks and comply with applicable laws.” Before offering virtual currency custody services, banks must conduct a self-assessment process to carefully examine the risks involved in offering such services, which includes: (i) “implement[ing] effective risk management systems and controls to measure, monitor, and control relevant risks associated with custody of digital assets such as virtual currency”; (ii) confirming adequate insurance coverage for such services; and (iii) maintaining a service provider oversight program to address risks to service provider relationships as a result of engaging in virtual currency custody services. Banks may provide virtual currency custody services in either a fiduciary or non-fiduciary capacity. If a bank provides such services in a nonfiduciary capacity, the bank will “act as a bailee, taking possession of the customer’s asset for safekeeping while legal title remains with the customer” (i.e. “the customer retains direct control over the keys associated with their virtual currency”). Should a bank provide services in a fiduciary capacity, it must “require customers to transfer their virtual currencies to the control of the bank by creating new private keys to be held by the bank.” The bank will have “authority to manage virtual currency assets as it would any other type of asset held in such capacity.” HB 263 takes effect July 1.
OFAC sanctions Russians, issues guidance on sanctions evasion through virtual currency, general licenses, and FAQs
On March 11, the U.S. Department of the Treasury’s Office of Foreign Assets Control issued guidance, in line with the G7 leaders' statement, to guard against possible attempts to use virtual currency to evade U.S. sanctions imposed on Russia. According to OFAC, the public guidance “further cut[s] off avenues for potential sanctions evasion by Russia” and “continues to make clear that Treasury’s expansive sanctions actions against Russia require all U.S. persons to comply with OFAC regulations, regardless of whether a transaction is denominated in traditional fiat currency or virtual currency.
Additionally, OFAC announced sanctions against Russian and Kremlin elites, and Russia’s political and national security leaders who have supported Russia’s invasion of Ukraine. As a result of the sanctions, all property and interests in property belonging to the sanctioned individuals and entities that are in the U.S. or in the possession or control of U.S. persons, and “any entities that are owned, directly or indirectly, 50 percent or more” by the targeted individuals and/or entities are blocked and must be reported to OFAC. The sanctions complement an Executive Order (E.O) issued by President Biden that imposes new import and export restrictions on Russia, including the export of U.S. banknotes to Russia. Among other things, this E.O. prohibits the importation into the U.S. of certain products of Russian Federation origin. Additionally, the E.O. bans the exportation, reexportation, sale, or supply, directly or indirectly, from the U.S., or by a U.S. person, wherever located, of U.S. dollar-denominated banknotes to the Russian government or to any person located in the Russian Federation.
OFAC also issued Russia-related General License 17 to authorize the import of existing purchases of prohibited products that are under pre-existing contract until March 25, 2022, and General License 18 and General License 19 to authorize certain activities regarding U.S. dollar-denominated banknotes as they pertain to personal remittances and U.S. persons, respectively. OFAC also issued Ukraine-related General License 23, “Blocking Property of Certain Persons and Prohibiting Certain Transactions With Respect to Continued Russian Efforts to Undermine the Sovereignty and Territorial Integrity of Ukraine,” “to authorize certain transactions that are ordinarily incident and necessary to nongovernmental organizations’ activities in the so-called Donetsk People’s Republic (DNR) or Luhansk People’s Republic (LNR) regions of Ukraine, including activities related to humanitarian projects to meet basic human needs, democracy building, education, non-commercial developments projects, and environmental and natural resource protection,” and published new Frequently Asked Questions and amended one Frequently Asked Question regarding Russia sanctions.
Find continuing InfoBytes coverage on the U.S. sanctions response to Russia’s invasion of Ukraine here.
FinCEN warns financial institutions about Russian sanctions evasion
On March 7, FinCEN issued an alert advising financial institutions to be vigilant against potential attempts to evade sanctions levied against Russian individuals, banks, and other entities in response to the situation in Ukraine. FinCEN provided several examples of red flag indicators that could help identify attempted sanctions evasions, including actions by state actors and oligarchs, and reminded financial institutions of their Bank Secrecy Act (BSA) reporting obligations.
The alert stressed that all financial institutions, including those with visibility into convertible virtual currency (CVC) flows identify and promptly report associated suspicious activity, and conduct appropriate, risk-based customer due diligence or enhanced due diligence as required. This includes CVC exchangers and administrators within or outside of Russia (which are generally considered to be money services businesses under the BSA) that retain at least some access to the international financial system. FinCEN noted that “[w]hile large scale sanctions evasion using [CVC] by a government such as the Russian Federation is not necessarily practicable, CVC exchangers and administrators and other financial institutions may observe attempted or completed transactions tied to CVC wallets or other CVC activity associated with sanctioned Russian, Belarusian, and other affiliated persons.”
Financial institutions are instructed to specifically watch for (i) transactions initiated from IP addresses located in Russia, Belarus, FATF-identified jurisdictions with anti-money laundering/countering the financing of terrorism/counter-proliferation deficiencies, or other sanctioned jurisdictions; (ii) transactions connected to CVC addresses listed on OFAC’s Specially Designated Nationals and Blocked Persons List; and (iii) customers’ use of a CVC exchanger or foreign-located money service businesses in high-risk jurisdictions, including those with inadequate “know-your-customer” or customer due diligence measures. FinCEN also warned financial institutions of the dangers posed by Russian-related ransomware campaigns and encouraged financial institutions to refer to FinCEN and OFAC resources to help detect, prevent, and report potential suspicious activity.
Find continuing InfoBytes coverage on the U.S. sanctions response to Russia’s invasion of Ukraine here.
FATF updates virtual assets and service provider guidance
On October 28, the Financial Action Task Force (FATF) updated pre-existing guidance on its risk-based approach to virtual assets (VAs) and virtual asset service providers (VASPs). The updated guidance revises guidance originally released in 2019. According to FATF standards, countries are required to “assess and mitigate their risks associated with virtual asset financial activities and providers; license or register providers and subject them to supervision or monitoring by competent national authorities.” The guidance includes updates on certain key areas, such as: (i) expanding the definitions of VAs and VASPs; (ii) applying FAFT standards to stablecoins; (iii) adding guidance regarding the risks and the tools available to countries for the purpose of addressing money laundering and terrorist financing risks for peer-to-peer transactions; (iv) revising VASP licensing and registration guidance; (v) adding guidance for the public and private sectors on the implementation of the “travel rule”; and (vi) adding a section for principles of information-sharing and co-operation amongst VASP Supervisors. FATF also noted that the “guidance addresses the areas identified in the FATF’s 12-Month Review of the Revised FATF Standards on virtual assets and VASPs requiring further clarification and also reflects input from a public consultation in March - April 2021.”
DFPI addresses MTA licensure requirements in new letters
Recently, the California Department of Financial Protection and Innovation (DFPI) released two new opinion letters covering aspects of the California Money Transmission Act (MTA) related to bitcoin automated teller machines (ATMs) and kiosks and the Agent of Payee exemption.
- Bitcoin ATM Kiosk. The redacted opinion letter explains that the sale and purchase of bitcoin through ATMs/kiosks described by the inquiring company is not activity that is subject to licensure under the MTA. DFPI states that the customer’s purchase of bitcoin directly from the company “does not involve the sale or issuance of a payment instrument, the sale or issuance of stored value, or receiving money for transmission.” In each instance, the transaction would only be between the customer using the ATM/kiosk and the company, the bitcoin would be sent directly to the customer’s virtual currency wallet, no third parties are involved in the transmission, and the company does not hold digital wallets on behalf of customers. DFPI reminds the company that its determination is limited to the presented facts and circumstances and that any change could lead to a different conclusion. Moreover, the letter does not relieve the company from any FinCEN or federal regulatory obligations.
- Agent of Payee Exemption. The redacted opinion letter analyzes a proposed future service to be provided by the inquiring company and determines whether the service meets the agent of payee exemption from the MTA. The company and its global affiliates “provide a global, fully integrated suite of back-end service, including sales compliance management, fraud prevention, risk management, tax and regulatory fee calculation, billing optimization, and remittance services to manufacturers, merchants, and retailers” (collectively, “brands”) that want to sell or license products and services to shoppers. The company proposes a future service, which will allow brands to sell products directly to shoppers and transfer the products to the shoppers. The company will not take title to or purchase the products and will continue to provide its suite of back-end services including payment processing, tax and regulatory fees calculations, and refund processing. The company’s contracts with the brands appoint the company as the agent of the brands for facilitating product sales and receiving payments and funds from shoppers. Agreements will also be entered between the company and the shoppers with terms that state a shopper’s payment to the company is considered payment to the brand, which extinguishes the shopper’s payment liability. The company will accept funds for the sale of products on behalf of the brands, and at the conclusion of the sale, will settle the funds paid by the shoppers and remit sales taxes to the appropriate authorities. The company will be the entity responsible for paying and reporting taxes accrued by the sales to shoppers.
DFPI states that the company will “receive[] money for transmission,” thus triggering the license requirement in the MTA, by receiving funds from the shoppers in the sales transactions. However, the company qualifies for the Agent of Payee exemption because the company will be the recipient of money from the shoppers as an agent of the brands pursuant to a written contract, and payments from the shoppers to the company as the agent will satisfy the shoppers’ payment obligation to the brands. DFPI further notes that refunds facilitated by the company on behalf of the brands will be a reversal of the original transactions with the shoppers, and therefore will not require licensure. Finally, DFPI notes that by contract, the company will be legally responsible for paying local sales taxes on transactions. According to the agreement, because the company will pay taxes on its own behalf, and will not be paying taxes owed by the shoppers, its tax payments will not constitute money transmission. DFPI reminds the company that its determination is limited to the presented facts and circumstances and that any change could lead to a different conclusion.
FATF advances work on virtual assets, beneficial ownership transparency, and illicit finance risks
On October 22, the Financial Action Task Force (FATF) announced that it concluded its October plenary, which is the sixth session since the beginning of the Covid-19 pandemic. According to the announcement, utilizing a hybrid approach of both virtually and in-person participation, FATF “advanced its core work on virtual assets, beneficial ownership transparency, and illicit finance risks.” Among other things, the FATF: (i) approved an updated version of its Guidance on a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers for publication; (ii) proposed changes to beneficial ownership standards; (iii) approved the commencement of a study on Illicit Proceeds Generated from the Fentanyl and Related Synthetic Opioids Supply Chain; (iv) adopted an update to its 2016 confidential report on terrorist financing risk indicators; and (v) issued a statement regarding Afghanistan that reaffirmed the “United Nations Security Council Resolutions that Afghanistan should not be used to plan or finance terrorist acts, emphasiz[ing] the importance of supporting the work of non-governmental organizations in the country and maintaining the flow of humanitarian assistance to the Afghan people, and for governments to facilitate information sharing with their financial institutions on any emerging illicit finance risks related to Afghanistan.”
Agencies announce new measures to combat ransomware
On October 15, the U.S. Treasury Department announced additional steps to help the virtual currency industry combat ransomware and prevent exploitation by illicit actors. The guidance builds upon recent “whole-of-government” actions focused on confronting “criminal networks and virtual currency exchanges responsible for laundering ransoms, encouraging improved cyber security across the private sector, and increasing incident and ransomware payment reporting to U.S. government agencies, including both Treasury and law enforcement.” (Covered by InfoBytes here.) The newest industry-specific guidance—part of the Biden administration’s efforts to counter ransomware threats—outlines sanctions compliance best practices tailored to the unique risks associated with this space. According to Treasury, there is a “need for a collaborative approach to counter ransomware attacks, including public-private partnerships and close relationships with international partners.”
The same day, the Financial Crimes Enforcement Network (FinCEN) released new data analyzing ransomware trends in Bank Secrecy Act reporting filed between January 2021 and June 2021. The report follows FinCEN’s government-wide priorities for anti-money laundering and countering the financing of terrorism priorities released in July (covered by InfoBytes here). Issued pursuant to the Anti-Money Laundering Act of 2020, the report flags “ransomware as a particularly acute cybercrime concern,” and states that in the first half of 2021, FinCEN identified $590 million in ransomware-related suspicious activity reports (SARs)—an amount exceeding the entirety of the value report in 2020 ($416 million). If this trends continues, FinCEN warns that ransomware-related SARs submitted in 2021 will have a higher transaction value than similar SARs filed in the previous 10 years combined. FinCEN attributes this uptick in activity to several factors, including an increasing overall prevalence of ransomware-related incidents, improved detection and incident reporting, and an increased awareness of reporting obligations and willingness to report by financial institutions.
In conjunction with the “growing prevalence of virtual currency as a payment method,” Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions compliance guidance for companies in the virtual currency industry, including technology companies, exchangers, administrators, miners, wallet providers, and financial institutions. OFAC warned that “sanctions compliance obligations apply equally to transactions involving virtual currencies and those involving traditional fiat currencies,” and that participants “are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade- or investment-related transactions.” Among other things, the guidance will assist participants on ways to evaluate risks and build a risk-based sanctions compliance program. OFAC also updated related FAQs 559 and 646.
DOJ team to address cryptocurrency
On October 6, the DOJ announced the launch of the National Cryptocurrency Enforcement Team (NCET), which will focus on addressing “complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors.” According to the DOJ, the NCET will combine “the expertise of the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section (MLARS), Computer Crime and Intellectual Property Section (CCIPS) and other sections in the division, with experts detailed from U.S. Attorneys’ Offices.” Among other things, the NCET will: (i) develop strategic priorities for investigations and prosecutions involving cryptocurrency; (ii) identify areas for increased investigative and prosecutorial focus; (iii) develop and maintain relationships with federal, state, local, and international law enforcement agencies involved in cryptocurrency cases; (iv) train federal prosecutors and law enforcement agencies in investigative and prosecutorial strategies; and (v) coordinate with private sector actors in cryptocurrency matters. In announcing the program, Deputy Attorney General Lisa Monaco stated that “[a]s the technology advances, so too must the Department evolve with it so that we’re poised to root out abuse on these platforms and ensure user confidence in these systems.”
DFPI addresses MTA licensing exemptions
Recently, the California Department of Financial Protection and Innovation (DFPI) released several new opinion letters covering aspects of the California Money Transmission Act (MTA) related to virtual currency and agent of payee rules. Highlights from the redacted letters include:
- Agent of Payee – Fund Transfers in Connection with Real Estate Closing Transactions. The redacted opinion letter reviewed whether a company—licensed as a money transmitter in several states, including California, and registered with FinCEN as a money services business—is eligible for the agent-of-payee exemption under the MTA. The company proposes to “facilitate fund transfers in connection with real estate closing transactions” during which it “will be authorized to receive real estate closing funds on behalf of its customer (the seller of real estate).” The payment funds will first flow from the buyer of real estate to the company via the buyer’s lawyer or title company, and then from the company to the seller after the company converts the funds from U.S. dollars to another currency. By providing these services, the company, as the seller’s agent, will receive money from the buyer pursuant to a preexisting written contract between the company and the seller. DFPI concluded that “[t]o the extent these fund transfers take place in California or are with, to, or from persons located in California, [the company’s] services constitute “receiving money for transmission” because [the company] receives money from the buyer for transfer to the seller.” However, DFPI noted that a provision in the written contract, which appoints the company as the agent of the seller when the seller is located in California, allows the company’s services to satisfy the requirements of the agent-of-payee exemption in Financial Code section 2010, subdivision (l). The agent-of-payee exemption, DFPI stressed though, does not apply to sellers outside of California.
- Bitcoin ATM Kiosk. Two redacted opinion letters (see here and here) examined whether the sale and purchase of bitcoin through ATMs/kiosks described by the companies is subject to licensure under the MTA. In each instance, the transaction will only be between the consumer using the ATM/kiosk and the company, the transaction will be completed instantly without involving third parties, and any bitcoin sold will be provided from the company’s own inventory. Moreover, the letters state that the companies do not hold virtual currency on behalf of customers nor do they act in a fiduciary capacity. Because the companies’ activities are limited to selling bitcoin, DFPI determined that an MTA license is not required because the activities “do[] not involve the sale or issuance of a payment instrument, the sale or issuance of stored value, or receiving money for transmission.” DFPI reminded the companies that its determination is limited to the activities specified in the letters and does not relieve them from any FinCEN, federal, or state regulatory obligations.