Leaders in Global Risk Management
Freeh Group International Solutions graphic

Tangible Risks of Virtual Currencies

Walter Donaldson, Steven Szaroleta, and Andrew Cooper Sept. 12, 2014

The advent of the Internet revolutionized the concept of worldwide commerce. It created an environment where currency could be traded or exchanged electronically, without regard to traditional physical, technological, legal, political or cultural barriers. Since this intersection of technology and commerce, we have seen significant advancements to Internet transactions in the form of stored-value cards, electronic banking, mobile payments, and most recently, virtual currencies (e.g., electronic, digital or crypto-currencies). In 2013, the U.S. Department of Treasury Financial Crimes Enforcement Network (FinCEN) defined virtual currency as a “medium of exchange that operates like a currency in some environments, but does not have all the attributes of real currency. In particular, virtual currency does not have legal tender status in any jurisdiction.” In other words, virtual currency is not issued or regulated by any state, government or central bank, nor is it backed by gold, silver or any other commodity — it is a mostly unregulated peer-to-peer digital representation of value that can be traded, exchanged, and accepted as payment for goods and services. However, despite its lack of legal tender status, virtual currency is increasingly popular in today’s global marketplace.

In the past few years, several virtual currencies have surfaced, including Litecoin, Dogecoin, Auroracoin, Spaincoin, Peercoin, Ripple, Mastercoin, Primecoin, Feathercoin and perhaps the most widely known — Bitcoin. Boasting efficiencies such as convenience and ease of use, lower transaction fees, increased protection and security, the ability to conduct transactions remotely across state, political, economic and cultural borders almost instantly with little regulatory oversight, and most of all — anonymity, it is no surprise that an increasing number of consumers, vendors and retailers have adopted and endorsed convertible virtual currencies as an acceptable form of payment as well. Dell, Dish, Expedia, Overstock and even Virgin Galactic, Sir Richard Branson’s suborbital commercial spaceflight venture, have all announced that they accept Bitcoin as payment.

However, as is the case with many emerging technologies, the same efficiencies that create new opportunities can present new risks. Understanding these risks, the potential impact on monetary policy, and the application of consumer protection and anti-money laundering laws is the best protection for virtual currency users, administrators and exchangers against serious exploitation.

FinCEN Guidance
To better comprehend the risks of virtual currency, it is critical to understand the current regulatory framework. The growing popularity of virtual currency (and the rise of its inherent risks) has prompted the attention of FinCEN. On March 18, 2013, and again on January 30, 2014, FinCEN issued interpretative guidance, to clarify the applicability of Bank Secrecy Act (BSA) regulations to persons dealing in virtual currencies. The guidance considers the use of virtual currencies from the perspective of three categories within FinCEN's designation of a money service business (MSB) — users, exchangers and administrators, and how they fall under the purview of the regulation. Importantly, FinCEN considers only “exchangers” and “administrators” as MSBs:

MSBs (i.e. money transmitters) must adhere to the following four basic pillars of anti-money laundering (AML) compliance, as mandated by the BSA:

Additionally, MSBs must adhere to a number of other BSA requirements, including, but not limited to, registering with FinCEN, establishing an AML compliance program, complying with recordkeeping requirements, and filing suspicious activity and currency transaction reports. FinCEN’s guidance notes that these regulations apply to MSBs “wherever located doing business…wholly or in substantial part within the United States.” Under the BSA, U.S.-based MSBs are subject to counter-terrorist financing (CTF) requirements, and are barred from completing transactions with a consumer that appears on the U.S. Treasury Department’s Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals (SDN) list. More specifically, exchangers must develop and implement effective OFAC SDN sanctions screening capabilities and appropriate mechanisms to respond to USA PATRIOT Act 314(a) queries.

As noted by our Pepper Hamilton LLP colleagues Timothy McTaggart and Matthew Silver, “As a result of the time and expense required in connection with ‘money transmitter’ regulations, only select parties will have the resources or desire to pursue a course of action that would require them to follow such requirements…complying with the attendant regulations is not necessarily a simple task.” The federal regulations defined above, plus newly proposed regulation in New York, aim to make dealing in virtual currencies safer. However, enforcement of these requirements could greatly reduce the allure of conducting business in this manner, especially for those looking to use virtual currencies in illegal transactions.

Risks and Challenges of Virtual Currency
Virtual currencies are still considered a novel product, and their limited, albeit increasing, presence in the marketplace means that the majority of current activity is only speculative in nature. That being said, the above guidance from FinCEN and other testimony by U.S. Government officials indicates that virtual currencies present a substantial amount of AML, CTF and OFAC risk to administrators and exchangers, as well as to the financial institutions and financial services businesses that choose to do business with them. As a result, all participants should continually evaluate their level of involvement, and assess their exposure to the illicit finance risks of virtual currencies.

As a user, the idea of investing in an innovative and revolutionary technology such as virtual currency can be very attractive. Since virtual currencies do not exist in physical form, and can be stored in unlimited quantities on something as portable as a smartphone, they do not carry the traditional security risks of carrying equal sums of cash. Additionally, since virtual currencies are not tied to central banks, governments, or any type of security or commodity, they can act as a universal medium of exchange. However, the decentralized nature of some virtual currencies also means that nothing guarantees the safety of deposits (e.g., the standard $250,000 in insurance provided by the Federal Deposit Insurance Commission). This lack of consumer protection combined with the relative anonymity associated with virtual currencies exposes users to fraud and theft. However, since users do not qualify as MSBs, they have much less exposure under the existing regulatory framework than administrators and exchangers.

Administrators and exchangers face risks of fraud and theft, but in their capacity as MSBs, they also are subject to BSA and OFAC regulations. They must create appropriate and effective policies, procedures and controls, and their internal control environments and compliance programs should be based on accurate risk profiles. Risk assessments should be conducted periodically, as is done by financial institutions, in accordance with their regulatory and internal ethics obligations. These regulations can be difficult enough for long-standing banking and financial services companies. For newer technology companies that lack experience in compliance and regulatory related issues, and in working with regulators, they may prove complex and confusing, and an initial impediment to success.

However, the risk does not just apply to users, administrators and exchangers. While the ability to make international transfers with virtually no transaction limits and greater anonymity might appeal to these participants and their business partners, banks which choose to do business with administrators and exchangers, both foreign and domestic, are required to apply the BSA-mandated Customer Identification Programs, and perform risk assessments and due diligence to confirm their compliance with FinCEN and other applicable state registration requirements. This creates an enormous amount of liability for banks and other financial institutions which may not have fully considered their vulnerability to the illicit uses of virtual currency. Not only are these entities required to be in compliance themselves, but they are responsible for ensuring the compliance of their business partners as well — learning as much as possible about these administrators and exchangers and their merchants to protect against transacting with potentially illegitimate businesses.

In addition to the AML, CTF and OFAC risks discussed above, the IRS has also recently issued guidance on how to properly account for virtual currency for tax reporting purposes. According to Joe Salerno, a former supervisor in the IRS Criminal Investigation division and senior consultant with Freeh Group International Solutions, LLC, “On March 25, 2014, the IRS ruled that virtual currency is considered property, not currency, thus the fair market value of any receipt of virtual currency in the form of wages or for services must be reported as income. Likewise, the fair market value of virtual currency received for goods must be reported as gross receipts. Businesses need to make certain that their receipts as well as cost of goods sold accurately reflect the fair market value of the virtual currency so that they avoid any possible investigation related to tax evasion.”

Given the volatility of virtual currencies and the rapid pace of developments in this field, it will be critical for users, administrators and exchangers to continually assess their vulnerability to the illicit uses of virtual currency. As regulation continues to increase, law enforcement agencies will have more ammunition to go after individuals and businesses that fail to properly address their exposure.

Enforcement Actions
New technologies present new risks for consumers and businesses, and new challenges for regulatory, law enforcement and consumer protection agencies. Historically, criminals are among the earliest adopters of new technology — seeking ways to exploit it to make their actions more efficient and less traceable. In the case of virtual currency, criminals are taking advantage of the efficiencies and the lack of regulation to conceal and perpetrate their illicit activity. Fortunately, regulatory and consumer protection agencies have recently issued adequate guidance on the use, administration and exchange of virtual currencies, using existing regulatory frameworks to allow law enforcement agencies to take action.

In May 2013, the U.S. Department of Justice arrested several owners and operators of a digital money service allegedly responsible for processing an estimated 55 million illegal transactions, and facilitating the storing, distribution and laundering of more than $6 billion in criminal proceeds. At least two of those arrested have pleaded guilty, and under their plea agreements, face up to five years in prison; their sentencing is scheduled for January 20, 2015. Prosecutors used amendments to FinCEN’s BSA, which expanded on the definitions of what constitutes a MSB and a money transmitter to charge the principals of Liberty Reserve with conspiracy to commit money laundering, conspiracy to operate an unlicensed money transmitting business and operation of an unlicensed money transmitting business.

In October 2013, the Federal Bureau of Investigation arrested the alleged owner and operator of Silk Road, an online marketplace for illegal goods and services, and charged him with several acts of conspiracy, including money laundering conspiracy. The website was the most extensive and sophisticated market of its kind, facilitating the distribution of products to more than 100,000 buyers, and generating revenue of more than 9.5 million Bitcoin — approximately $1.2 billion. Its popularity was due in large part to its efforts to preserve the anonymity of its users through its lack of identity verification, use of the Tor Network, and reliance on Bitcoin as the sole form of payment. As such, any assets or property involved in, or used to facilitate money laundering were seized — over $33.6 million worth of Bitcoin — the largest seizure of Bitcoin up to that time.

Billions of dollars have already been exchanged using virtual currencies in the global marketplace. As this technology continues to evolve, participants who want to engage in the use, administration or exchange of virtual currencies on a more commercial scale need to consider the impact of monetary policy changes and consumer protection regulation, and implement appropriate tools and strategies to mitigate the risk.

How to Protect Your Company
As evidenced by the enforcement actions referenced above, it is clear that regulators perceive virtual currencies to be a high-risk medium for exchange, and are taking measures to ensure that companies and individuals are not afforded the opportunity to use virtual currencies for nefarious purposes. After understanding the risks, regulations, and prior enforcement actions, the question then becomes how to effectively protect your company against the risks related to virtual currencies, and how to remain in compliance with applicable regulations.

A company can attain some level of protection in many ways. However, to ensure the highest levels of protection, a company should undertake all of the efforts mentioned below. Note that the efforts described below are relevant to MSBs dealing in virtual currencies as well as to financial institutions that interact with MSBs dealing in virtual currencies.

Relative to the risks related to virtual currencies, a company should:

Perform a risk assessment of the company
The risk assessment should examine, at a minimum, the company’s products and services, amount and number of transactions, customers, and geographic locations to identify its exposure as it relates to dealing in virtual currencies. In performing a risk assessment, all levels of employees of the organization should be interviewed; and relevant policies, procedures and control documentation should be reviewed. Once the risk assessment is complete, the results should be used to design and test the controls to be implemented as part of the AML/BSA compliance program.

Implement an effective AML/BSA compliance program
An effective AML/BSA compliance program should address virtual currencies as they relate to the company and its operations. Specifically, areas to be considered in the program include, but are not limited to, internal accounting and financial controls, testing, verification procedures (customer identification program/know your customer / customer due diligence), suspicious activity reporting, and currency transaction reporting. Importantly, having an AML/BSA compliance program itself is not enough; the operation and execution of the program is critically important.

Ensure compliance officer oversight
There should be a dedicated resource with the knowledge and authority to effectively identify and communicate new trends and risks as they relate to virtual currencies. The compliance officer must have the support of the company executives and all employees should recognize and respect his or her authority.

Administer effective staff training
Institute regular, interactive and role-specific training for those employees who deal with virtual currencies in any capacity. The training should be administered by either the compliance officer or an outside expert. Attendance at the trainings should be well documented, and an evaluation system should be used to identify the level of understanding of the employees of the issues that were presented.

Engage an independent review of the AML/BSA compliance program
Engage an external expert to review the AML/BSA compliance program and determine its effectiveness, especially as it relates to virtual currencies. An external expert can complement the resources that a company has in-house, and fill specific gaps to ensure that the program is operating at maximum efficiency.

Ensure that cyber security concerns have been addressed
A company should consider the implications of dealing in virtual currencies on the company’s IT environment, especially in light of the heavily reported instances of computer hacking that have recently occurred involving Bitcoin. This can be achieved through performing an assessment of the current state of the IT system security and privacy protection at the company.

Based upon the risk assessment that is performed on the company, additional steps may be needed to ensure that the company is protected from virtual currency risks and is in compliance with governmental regulations.

The evolution of currency is real, and virtual currencies could become the next globally accepted means of commerce. Virtual currency may well revolutionize the global payments industry, but the future is uncertain. In 1995, during a meeting of the House of Representatives Subcommittee on Domestic and International Monetary Policy, several legislators gathered to discuss the future of money. Subcommittee Chairman Mike Castle stated that, “This intersection of technology and commerce has been predicted to fall on almost every point along a continuum ranging from over-hyped fad to change with implications as profound as the industrial revolution...whether it occurs over computers linked to the networks or via computer chips embedded in cards or other devices, the potential exists both for great commercial promise and for considerable risk of undermining currencies, systems of exchange, and the administration of justice.”

The relatively new phenomenon of virtual currency offers a vision of financial freedom — a vision that is vulnerable, however, to the risks that threaten its users. These risks will likely lead to additional regulatory developments as virtual currencies become more widely accepted. Having in place the programs described above are a company’s best protection against the various risks of dealing in virtual currency. Even more importantly, by having exceptional AML / BSA compliance programs in place, a company will position itself as a front-runner in the eyes of its competitors, business partners, customers and regulators.

  1. FIN-2013-G001: Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies, p. 1. March 18, 2013.
  2. Some virtual currencies claim to record all transaction history in a public ledger viewable to everyone. However, this alone does not make them completely traceable. While transactions can be linked to individuals and companies, those who use it are not identified by name, allowing participants to conduct transactions with some degree of anonymity.
  3. Convertible virtual currency is defined as having equivalent value in real currency, or acting as a substitute for real currency. FIN-2013-G001: Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies, p. 1. March 18, 2013.
  4. http://www.pcworld.com/article/2465743/ebay-may-begin-accepting-bitcoin-payments-via-its-braintree-platform.html; http://www.virgin.com/richard-branson/bitcoins-in-space.
  5. FIN-2013-G001: Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies.
  6. FIN-2014-R001: Application of FinCEN’s Regulations to Virtual Currency Mining Operations; and FIN-2014-R002: Application of FinCEN’s Regulations to Virtual Currency Software Development and Certain Investment Activity.
  7. FIN-2013-G001: Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies, p. 1. March 18, 2013.
  8. Id. at 1.
  9. Id. at 2.
  10. See 31 C.F.R. § 1010.100(ff)(1)-(8).
  11. https://www.ffiec.gov/bsa_aml_infobase/pages_manual/OLM_008.htm.
  12. Bank Secrecy Act Regulations; Definitions and Other Regulations Relating to Money Services Businesses, Vol. 76, No. 140 Fed. Reg. 43,585 (Jul. 21, 2011). See also 31 C.F.R. § 1022.380 (2012) (creating registration requirements); Id. at § 1022.210 (creating requirement to establish and maintain an anti-money laundering program); Id. at § 1010.311 (creating requirement to file currency transaction reports); Id. at § 1022.320 (creating requirement to file suspicious activity reports).
  13. See 31 C.F.R. § 1010.100(ff).
  14. http://www.pepperlaw.com/publications_update.aspx?ArticleKey=2628.
  15. http://time.com/money/3004751/new-york-bitcoin-regulations-benjamin-lawsky/.
  16. Beyond Silk Road: Potential Risks, Threats, and Promises of Virtual Currencies Before the S. Comm. on Homeland Sec. & Governmental Affairs, 113th Cong. (2013).
  17. Some private entities have manufactured physical forms of virtual currency for collectible purposes.
  18. Carrying virtual currency on a smartphone requires appropriate e-wallet software.
  19. On Friday, February 28, 2014, Mt. Gox filed for bankruptcy protection in Japan. What was once the world’s largest Bitcoin exchange stated that hackers exploited weaknesses in their company’s computer systems, and stole roughly $480 million worth of the virtual currency.
  20. MSBs that are located outside the United States but engage in money transmission services within the country are subject to BSA regulations. See 31 C.F.R. § 1010.100(ff).
  21. FFIEC, Bank Secrecy Act / Anti-Money Laundering Examination Manual 308 (2010), p. 52-97.
  22. http://justice.gov/usao/nys/pressreleases/May13/LibertyReserveetalDocuments/Liberty Reserve, et al. Indictment - Redacted.pdf
  23. http://nypost.com/2014/09/04/bitcoin-operator-admits-to-aiding-drug-dealers-launder-1m/
  24. The Currency and Foreign Transactions Reporting Act, its amendments, and the other statutes relating to the subject matter of that Act, have come to be referred to as the Bank Secrecy Act. These statutes are codified at 12 U.S.C. 1829b, 12 U.S.C. 1951-1959, 18 U.S.C. 1956, 18 U.S.C. 1957, 18 U.S.C. 1960, and 31 U.S.C. 5311-5314 and 5316-5332 and notes thereto.
  25. The United States Attorney’s Office of the Southern District of New York Press Release: “Manhattan U.S. Attorney Announces Seizure Of Additional $28 Million Worth Of Bitcoins Belonging To Ross William Ulbricht, Alleged Owner And Operator Of “Silk Road” Website.” October 25, 2013.
  26. Id.
  27. http://archive.org/stream/futureofmoneyhea02unit/futureofmoneyhea02unit_djvu.txt.