As anticipated, it has been an incredibly active year for regulation and financial crime related to virtual assets (see our previous alert from January 2022).
Despite the onset of the “crypto winter,” illicit use of virtual assets rose again to an all-time high of $20.1 billion. While the illicit share of the market remains less than 1% of overall volume, legitimate transaction volumes declined throughout 2022, while illicit volumes remained steady, growing slightly.
According to Chainalysis, 44% of the illicit activity in virtual assets was attributable to sanctioned persons – in large part representing attempts to evade new U.S., UK and EU sanctions on Russia. Another large source of illicit activity includes fraud, scams and hacking.
At the same time, there has been unprecedented regulatory enforcement including the U.S. sanctioning of individuals, entities, wallet addresses and crypto exchanges involved in hacking and illicit activity (e.g., Garantex, Hydra Marketplace, Blender.io) and of notorious mixer, Tornado Cash (see our update here), as well as efforts to regulate virtual assets (see link to our prior alert here).
In mid-January, reports began to emerge that the Central Bank of Iran is cooperating with Russia to issue a joint cryptocurrency “stablecoin” to enable cross-border trade. While commentators do not believe that such an arrangement could help either country evade sanctions on a massive scale, the move underscores the importance of efforts to regulate the sector, in particular exchanges and other access points to the global market.
Looking ahead for the year in the United States
The start of 2023 has already been active in terms of enforcement. On January 4, 2023, the New York Department of Financial Services entered into a consent order with Coinbase, its second with a cryptoasset service provider (the first was in August of last year with Robinhood).
On January 18, the U.S. Financial Crimes Enforcement Network (FinCEN) issued a notice of enforcement against cryptocurrency exchange, Bitzlato Limited, while the U.S. Department of Justice (DOJ) arrested Bitzlato’s founder, Anatoly Legkodymov, a Russian national. According to the DOJ, as a result of its deficient know-your-customer procedures – indeed marketing itself as requiring minimal customer identification – Bitzlato “became a haven for criminal proceeds and funds intended for use in criminal activity.”
On January 26, the DOJ also announced a successful campaign to disrupt the Hive ransomware group. According to FinCEN, cybercriminals often request payments in cryptocurrencies to seek to evade detection through the traditional financial system.
On January 31, New York authorities announced the indictment of an NYC-based woman for using cryptocurrency to provide support for terrorist groups operating in Syria.
On February 1, the Office of Foreign Assets Control ("OFAC") imposed blocking sanctions on individuals and wallet addresses associated with Russian sanctions evasion.
On February 9, OFAC imposed blocking sanctions on seven Russian nationals associated with ransomware attacks on the U.S. and UK.
Although the future of anti-money laundering/counterterrorist financing ("AML/CTF") regulation in the United States remains unclear, we continue to expect significant use of sanctions designations and federal and state enforcement powers.
Looking ahead for the year in the United Kingdom
The travel rule for cryptoassets will come into force in September 2023 (see our prior alert here). The Financial Conduct Authority (FCA) released feedback on good and poor quality applications for cryptoasset businesses registering under the Money Laundering Regulations (you may recall that cryptoasset firms have struggled to meet FCA registration requirements, see our alert here).
The FCA highlights that it will not approve an application where the firm “has an incorrect understanding of the risks associated with cryptoasset products [or…] with its ongoing business model” (including not only AML/CTF risks but also proliferation financing risks), nor will it approve an application where the firm has an “underdeveloped AML framework or a weak governance structure.”
This includes, “[f]or example, where the applicant has no clear methodology for risk-scoring its customers, does not consider all relevant factors or where it allows customer transactions before it has completed customer due diligence and does not understand the enhanced due diligence triggers.”
The UK HM Treasury also issued its consultation aimed to robustly regulate a broad range of cryptoasset activities and make the UK a safe jurisdiction for cryptoasset activity. The consultation will close on April 30.
On February 9, the United Kingdom Office of Foreign Sanctions Implementation joined OFAC in designating seven Russian nationals involved in ransomware attacks. The UK also issued Guidance on Ransomware and Sanctions, noting, like the U.S. FinCEN guidance, the connection between crypto and ransomware payments.
Looking ahead for the year in the European Union
The European Union continues to finalize the Markets in Crypto Assets (MiCA) proposal. It is reported the final vote has been delayed to April. Deadlines for cryptoasset firms to register and comply with the travel rule in the European Union are still to be set.
It may still be chilly in the crypto markets, but to ensure future survival, firms must also incorporate controls to protect consumers and guard against misuse by illicit actors.