The Bank Secrecy Act and Crypto Compliance: Lessons Learned from Recent FinCEN and CFTC Settlement

On August 10, 2021, the Commodity Futures Trading Commission (CFTC) and the Financial Crimes Enforcement Network (FinCEN) announced a near-record settlement of $100 million with BitMEX, a cryptocurrency derivatives exchange. FinCEN and the CFTC alleged that BitMEX was operating as an unregistered “futures commission merchant” under the Bank Secrecy Act (BSA) and that it failed to comply with anti-money laundering (AML) and “know your customer” (KYC) obligations under the BSA. BitMEX primarily operates in off-shore locations outside of the United States, but provides services to customers located within the U.S.

FinCEN alleged that BitMEX was a financial institution, and was therefore required to maintain an adequate AML compliance program which satisfies the requirements under the BSA. The five key elements of AML compliance under the BSA are:

1. The establishment and implementation of policies, procedures, and internal controls reasonably designed to prevent the financial institution from being used for money laundering or the financing of terrorist activities and to achieve compliance with the applicable provisions of the Bank Secrecy Act and the implementing regulations thereunder;
2. Independent testing for compliance to be conducted by the futures commission merchant or introducing broker in commodities' personnel or by a qualified outside party;
3. Designation of an individual or individuals responsible for implementing and monitoring the operations and internal controls of the program;
4. Ongoing training for appropriate persons;
5. Appropriate risk-based procedures for conducting ongoing customer due diligence.

According to FinCEN, BitMEX did not have adequate AML policies, procedures, employee training, or other internal controls in place. The company also did not have a compliance program or a compliance officer, and did not conduct any customer due diligence, identification, verification, KYC, or transaction monitoring. In addition, FinCEN alleged that BitMEX failed to understand its customer relationships and did not monitor or report suspicious activity.

The BitMEX case highlights the importance of BSA compliance for exchanges and other digital asset companies moving forward. The case also demonstrates that U.S. regulators such as the CFTC, FinCEN, and the Securities and Exchange Commission (SEC) are likely to take action against digital asset providers where there is a pattern and practice of non-compliance and a flagrant disregard for U.S. laws and regulations. Criminal charges are currently pending against the founders of BitMEX for their “willful” disregard of the BSA and its requirements. Following the payment of fines to FinCEN and the CFTC, BitMEX will be allowed to continue its operations subject to the implementation of satisfactory compliance measures and continued monitoring by the agencies.

While the BitMEX case is a cautionary tale, it is not necessarily representative of crypto companies at large, many of which seek to push innovation forward while operating within the bounds of the law. In order to ensure compliance with the BSA, companies must observe its key requirements and should consult with legal counsel to identify and understand any other laws and regulations which may affect their business.