Lately, I’ve seen a lot of people say “Bank Grade AML” in their marketing and promotions… But, what does that mean?
Well, actually there is no defined standard for that– it’s not a real term.
People use it to mean “like a bank.” As a bank is a BSA-subject firm and has enhanced responsibilities – especially when receiving cash deposits or conducting international business – and is under constant scrutiny from the various regulators (OCC, FDIC, Treasury, state banking commissioner, etc.), each of whom have guidelines for banks, as well as annual examination guidelines. All banks and trust companies are subject to these standards and perform numerous anti-money laundering checks on customers, as well as detailed know-your-customer (KYC) onboarding. Money Services Businesses (MSB’s) and other types of BSA-subject firms, while not banks or trust companies, are still generally held to these standards.
How does this apply to cryptocurrency and the digital economy, and ICO’s in particular?
ICO issuers, as you likely know, must register with FinCEN as a Money Services Business (MSB) if they are touching cash or cryptocurrency and if they are minting tokens. And if they are touching money or cryptocurrency then they must also register with each state as a Money Transmitter (no reciprocity or preemption like there is for banks and trust companies). They are required to develop their own in-house BSA program and administer it directly. They can NOT rely on any firm to do this for them except for banks or clearing firms who are performing and taking liability for the AML, and who are “minting” the tokens.
Disturbingly, I see a lot of people either ignoring this or doing it wrong and setting themselves up for serious problems. Technology entrepreneurs chafe at regulation, I understand that. It’s a burden, it’s a hassle, it’s expensive, and at times it just doesn’t make sense. But it is what it is. Violations of regulations can lead to fines, offering rescissions, civil lawsuits, sanctions and even jail time for officers, directors and even outside lawyers and broker-dealers advising an ICO.
Often, I hear people say “Oh, we are using such-and-such AML firm to do this for us.” Huh? You can’t do that. The issuer can certainly rely on non-bank AML providers for data feeds. That’s fine, banks and trust companies all do that (e.g. LexisNexis, Trulioo, Identity Mind, etc., etc.). But, the responsibility is for the issuer to develop, staff and run an in-house BSA program, file CTRs and SARs, and make accept/deny decisions—not the outsourced firm, unless they are a bank or clearing firm.
Developing an in-house BSA program will cost an issuer quite a bit of money, and require time to put together (heck, finding and hiring a CAMS credentialed chief compliance officer doesn’t happen overnight). Furthermore, there are numerous ongoing expenses as the issuer will without a doubt be spending time and money responding to:
- Grand Jury subpoenas,
- SEC investigations,
- FBI investigations,
- IRS Criminal Division investigations; and,
- State Attorney General investigations.
Yes, really. Take it from me, as we are one of the firms on the front line doing this for issuers and others in the market. As the saying goes, this is real. So, to run their own AML program, the issuer will need lawyers to deal with these things as they will happen.
Can it be avoided? Maybe. The only way around it that I know of is to rely on a bank, trust company or clearing firm (note that the list does not include MSBs) to:
- Touch and handle all the money and cryptocurrency.
- Perform KYC and AML on all customers and investors, and (important) take responsibility AND liability for those.
- Perform directly, or require a law firm to perform, Bad Actor checks pursuant to Dodd-Frank on issuers and all associated persons.
- Trigger the smart contract to distribute tokens to cleared persons wallets (what regulators see as the “minting”).
- OFAC every receipt of cash or crypto, every disbursement of cash or crypto, and every customer every 90 days.
In conversations about this, some issuers have said “my lawyers say I don’t have to do this, and that FinCEN’s letter/guidance was an internal memo and they aren’t really serious about it.” Really? Make sure your lawyers have actually picked up the phone and spoken to the staff at FinCEN, as my attorneys have repeatedly, as I believe they will get a different response. Ignorance is not a get out of jail free card, it’ll get you in trouble.
If you are involved in the digital economy, you are required to perform AML and KYC. To regulators, cryptocurrency and tokens are no different than someone walking into the bank with a bag of cash—you have no idea where it really came from, but that doesn’t mean you can’t accept it, provided you undertake heightened AML and KYC procedures. ICO issuers are required to do this themselves, unless they outsource it to a bank, trust company or clearing firm (but not to an MSB).
When people complain about the cost of our ICO escrow services, I point out that it’s far cheaper than doing it themselves. And, not many other financial institutions are stepping up to take liability and to mint tokens, as required. At the end of the day, I think that issuers need to spend their time and resources on their core business, not on trying to be a BSA-compliant firm.