The Financial Action Task Force issued new standards for member countries that would require virtual asset service providers as well as traditional financial institutions to obtain, retain and transmit certain information related to the originator and beneficiary in connection with all virtual asset transfers. Separately, the UK Financial Conduct Authority fined a bank £45.5 million for not disclosing that it suspected fraudulent conduct had occurred in a branch office. However, FCA conceded that it had no jurisdiction to regulate the fraudulent conduct itself. Huh? As a result, the following matters are covered in this week’s edition of Bridging the Week:
Principal among FATF's new requirements is that VASPs and already regulated financial institutions (each an “obliged entity") initiating virtual asset transfers should obtain and retain certain information regarding each sender and intended recipient and forward that information to the recipient’s obliged entity. The required information covered by this “travel rule” should include the sender’s name; the sender’s account number where an account is used to process the transaction (e.g., a virtual asset wallet); the sender’s physical address, national identity number or customer identification number that links the customer to the sending institution, or date and place of birth; the recipient’s name; and the recipient’s account number where an account is used to process the transaction (e.g., a virtual asset wallet). This information does not need to be included in a virtual asset transfer; it could be transmitted separately as provided in the guidance.
Under FATF’s new guidance, a VASP includes any legal or natural person not otherwise covered by anti-money laundering or prohibitions against terrorism financing requirements that, as a business for or on behalf of other persons: (1) exchanges virtual assets for fiat currencies or other virtual assets; (2) transfers virtual assets; (3) safekeeps and/or administers virtual assets enabling control over such assets; or (4) participates in and provides financial services related to an offer and/or sale of a virtual asset. VASPs could include virtual asset exchanges and transfer services, and virtual asset wallet providers that host wallets or maintain custody or control over other persons' virtual assets, wallets or private keys, among other legal entities or natural persons.
FATF also recommended that countries require VASPs to develop risk-based programs to address the risks of their businesses and conduct due diligence of all their customers. This customer due diligence ("CDD") should include identifying a customer and, where applicable, the customer’s beneficial owner, and verifying the customer’s identify on a risk basis utilizing “reliable and independent information, data, or documentation as consistent with existing requirements for obliged entities.” VASPs should be required to identify and report suspicious transactions, freeze assets as required by law and prohibit transactions with designated persons and entities. Countries and national regulators should require registration of all VASPs in the county where formed, if a legal entity, or the country where located, if a natural person. National regulators may also require registration of legal entities that conduct business in their country even if formed elsewhere. VASPs should be required to retain all records of transactions and CDD for at least five years.
FATF additionally urged countries to put in place measures to cooperate with each other, including providing legal assistance, in connection with their oversight of VASPs, and to enact enforcement regimes to address AML/Combating the Financing of Terrorism ("CFT") violations.
Without explanation, FATF noted that “only competent authorities [e.g., government regulators] can act as VASP supervisory or monitoring bodies and not self-regulatory bodies.” Notwithstanding, FATF acknowledged that in Japan, the Japan Virtual Currency Exchange Association, a self-regulatory body, has a principal role in overseeing VASPs’ AML/CFT compliance in conjunction with Japan’s Financial Services Agency.
Although FATF's guidances are not binding on any national authority, FATF encouraged its member countries and regional organizations to take “prompt action” to implement its recommendations and will conduct a review of implementation in June 2020.
In praising adoption of FATF’s interpretive guidance, US Secretary of the Treasury Steven Mnuchin said, “[b]y adopting the [agreed] standards and guidelines …the FATF will make sure that virtual asset service providers do not operate in the dark shadows. This will enable the merging FinTech sector to stay one-step ahead of rogue regimes and sympathizers of illicit causes searching for avenues to raise and transfer funds without detection.” (Click here to access Mr. Mnuchin’s complete comments.)
Previously, in October 2018, FATF made clear that its core AML/CFT recommendations apply to financial activities involving virtual assets. (Click here to access "International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation – The FATF Recommendations.) Last week FATF also finalized an interpretation proposed in February 2019 that applied its core recommendations to VASPs (click here to access).
FATF is an intergovernmental body whose objective is to set standards and promote effective legal, regulatory and operational measures to combat money laundering, terrorist financing and related threats. FATF currently consists of 36 countries and two regional organizations. (Click here for further background regarding FATF.)
In other legal and regulatory matters related to cryptoassets:
Quadriga was a Canada-based virtual currency exchange run by Mr. Cotten. After he died in December 2018, none of Quadriga’s virtual currencies reserves purportedly held for customers in hot and cold wallets were able to be accessed because no private keys (e.g., passwords) could be located, and the firm filed for bankruptcy.
Following a preliminary investigation, the monitor also concluded that Quadriga’s operating structure “appears to have been significantly flawed.” Among other things, there were no accounting records and activities were mostly directed by one person – Mr. Cotten – without “typical segregation of duties and basic internal controls.” There also appears to have been no segregation of customer funds from Quadriga’s proprietary funds. According to the monitor, “[f]unds received from and held by Quadriga on behalf of Users appear to have been used by Quadriga for a number of purposes than to fund User withdrawals.”
As of April 29, 2019, Quadriga appears to have liabilities of Can $215.7 million (mostly obligations to customers) and assets of Can $28.4 million. (Click here to access Trustee’s Preliminary Report.)
According to Facebook, the goal of Libra is to create a secure, scalable blockchain and global virtual currency to help individuals currently outside the financial system benefit from an efficient payment system and to help reduce payment transaction costs for others.
Libra is intended to function as global money in the form of a non-government-issued stablecoin backed by a reserve basket of “low volatility assets” including bank deposits and short-term government securities representing multiple international currencies “from stable and reputable central banks.” No Libra can be issued without a purchase of Libra for fiat currency and a transfer of the fiat currency to the reserve. Initially, all aspects of the reserve, as well as Libra generally, will be controlled by a not-for-profit membership association based in Switzerland – the Libra Association. However, the reserve is not intended to be “actively managed” and the reserve will be “structured with capital preservation and liquidity in mind.” Users of Libra will not be entitled to any return from the reserve; interest earned from the reserve will be used to support operations of the Association.
Initially, there are 28 founding members of the Association, including Facebook, as well other diverse, geographically dispersed entities, including for profit and not-for-profit corporations and venture capitalists. Facebook hopes to attract 100 members to the Libra Association by the virtual currency’s intended launch in the first half of 2020.
The Libra virtual currency will reside on the Libra blockchain, which initially will be a permissioned ledger but is intended at some point to become permissionless. The software that will power the Libra blockchain will be open source, and consensus of transactions (e.g., to avoid double spending) will be achieved through a protocol that appears to be based on proof of stake (e.g., committing owned virtual currencies to help validate transactions) and not proof work (e.g., obtaining mining rewards as in bitcoin). “Move” will be the new programming language designed for Libra that will be used to design customer transactions and smart contracts.
Whatever the purpose, Facebook will face multiple challenges to launch Libra globally – from government concerns about the protection of user information to issues regarding the appropriate regulation of the Libra virtual currency itself, as well as intermediaries who will help facilitate the issuance and trading of Libra digital coins.
Unlike stablecoins that might be backed by a single currency or asset, Libra will be backed by a basket of bank deposits and government securities managed by an active participant, the Libra Association. Whether Libra might be deemed a payment instrument, a derivative, a security, something else, or a combination of financial instrument types will likely be determined differently by disparate regulators. At a minimum, the path to answers will be full of speed bumps and detours because of unclarity in relevant laws in many countries (let alone US states), and the rollout of Libra will more likely be incremental rather than in one big bang.
However, if there is public clamoring for a non-government-issued global currency, solutions will be found in most jurisdictions. The question is – at what cost and speed? (Click here to access the Libra white paper.)
Legal Weeds: Recently the Financial Crimes Enforcement Network of the US Department of Treasury published a comprehensive overview of its regulations and previously published guidance related to how individuals and firms may have to comply with obligations of money transmitters to the extent they engage in businesses involving so-called “convertible virtual currencies" ("CVC").
Generally FinCEN requires any person engaging in the business of money transmission or the transfer of funds, including CVC, to (1) maintain an “effective” written anti-money laundering program reasonably designed to prevent the business from being employed to help the financing of terrorist activities and money laundering and (2) register as a money service business. A firm or individual engages in money transmission, says FinCEN, when it receives one form of value (including CVC) from a person and transmits it in the same or different form to another person or location by any means. FinCEN concludes, for example, that, applying this definition, a business operates as a money transmitter when it accepts fiat currency from a person and transfers the CVC to the person’s CVC account with the business or to a third party. (Click here for details in the article "FinCEN Publishes Guidance for Businesses Transacting in Virtual Currencies and Indicia of Illicit Cryptocurrency Activity" in the May 12, 2019 edition of Bridging the Week.)
According to FCA, from approximately 2003 through 2007, BOS’s branch lent large amount of funds to distressed businesses, based on the instructions mostly by one former bank director – Lynden Scourfield – who, in some cases, approved loans beyond his authority and beyond customers’ ability to pay. In return, Mr. Scourfield received money, gifts and other benefits from a third-party turnaround consultant – Quayside Corporate Services Limited – that he often required many of the customers to utilize. QCS often implemented “inappropriate or overly optimistic turnaround plans” for the companies that exacerbated their and the BOS’s losses, claimed FCA. Mr. Scourfield pleaded guilty and was convicted of conspiracy to corrupt and fraudulent trading in 2016 and was sentenced to over 11 years of imprisonment in 2017. BOS estimated that its total losses as a result of the fraudulent lending was £245 million and it has committed to pay to customers impacted by the scheme, £115 million.
FCA said that, in 2007, after issues in the branch were reported in the press, BOS advised FSA that these matters were “a failure of controls.” In response, FSA asked that the bank keep it updated about these failures and advise it should any “suggestion” of fraud be identified. Afterwards, claimed FCA, the bank advised FSA on three occasions in 2007 that it had found no evidence of fraud despite its identification in an internal investigation in 2007 of information suggesting otherwise. Specifically, charged FCA, prior to its first contact with FSA on the matter, BOS was aware that the impact of Mr. Scourfield’s misconduct was “significant” and likely would result in bank losses of approximately £50 million. The bank did not provide FSA full disclosure regarding its suspicions, including the full report of its 2007 investigation, until July 2009.
During the relevant time, claimed FCA, BOS also received complaints from numerous branch customers regarding Mr. Scourfield’s problematic conduct. However, in responding to the customers, BOS failed to consider that its own investigation addressed similar concerns regarding Mr. Scourfield, said FCA.
In settling with BOS, FCA acknowledged that the bank never “intended” to breach its disclosure obligation. Instead, concluded the regulator, “there was insufficient challenge, scrutiny or inquiry across the organization which meant that an assessment of the information as a whole, which ought to have revealed its importance, was never performed.”
Prior to January 2009, BOS was part of the HBOS Group owned by Halifax Bank of Scotland plc. HBOS was acquired by Lloyds TSB Group PLC on January 16, 2009, and BOS became part of the Lloyds Banking Group at that time. FCA acknowledged that BOS and LBG have cooperated with the FCA’s investigation.
Compliance Weeds: The National Futures Association recently proposed an overhaul to its existing guidance related to the supervision of branch offices by all members and relationships with guaranteed introducing brokers. (Click here for background in the article “NFA Proposes Overhaul of Requirements for Supervision of Branch Offices and Guaranteed IBs” in the June 9, 2019 edition of Bridging the Week.) Among the requirements of this new guidance is an obligation that members implement both routine supervision and surveillance to identify and deal with potential issues as they arise and annual inspections that are meant to be more comprehensive and detailed. A firm’s policies and procedures must expressly note when it will notify NFA and/or other “appropriate regulators” of “significant findings,” including, but not limited to, fraud or customer harm, in connection with its supervision and surveillance activities.
NFA’s proposed obligations for members are distinct from certain mandatory reporting obligations for futures commission merchants and other registrants by the Commodity Futures Trading Commission. CFTC Regulation 1.12, for example, requires FCMs to provide notice to the CFTC on a heightened schedule from “immediately” to within two business days, depending on the specific subsection, of certain specified violations of CFTC rules. (Click here for details regarding all mandatory reporting obligations for FCMs and other registrants in the Compliance Weeds to the article “Controller of FCM Named in CFTC Complaint, Along with Firm, for Failure to Timely Notify Commission of Segregation Breach” in the May 15, 2016 edition of Bridging the Week.)
Moreover, in 2017, the CFTC adopted an express policy encouraging potential wrong-doers to voluntary self-report their violations, fully cooperate in any subsequent CFTC investigation, and fix the cause of their wrongdoing to prevent a reoccurrence to receive “substantial benefits” in the form of significantly lesser sanctions in any enforcement proceeding and “in truly extraordinary circumstances,” no prosecution at all. (Click here for background in the article “New Math: Come Forward + Come Clean + Remediate = Substantial Settlement Benefits Says CFTC Enforcement Chief” in the October 1, 2017 edition of Bridging the Week.)
As a result of these and similar obligations by securities regulators, it is important for firms in financial services to rapidly assess the potential materiality of all discovered, potential law and rule violations and formally consider which regulators, if any, to advise of any potential material breach. Some reporting may be mandatory while some may solely be a function of the firm’s compliance culture. However, reporting of any kind should be truthful and not deceptive – either purposely or accidentally. A full internal review of all material legal and regulatory breaches should occur promptly, capturing information from the widest spectrum of relevant sources. Credibility with regulators is potentially lost if initial recounts of incidents are constantly amended.
For further information:
Allison Lee Confirmed as SEC Commissioner:
Better Late Than Never: Global Banking Standards Setter Agrees to Support Central Clearing of Derivatives by Allowing Offset of Client Margin Against Exposure:
Broker-Dealer Pays FINRA Fine for Allegedly Underreporting Amounts of Customer Complaints:
CFTC Charges Company and Principal in Purported US $147 Million Bitcoin Fraud:
Global AML Standards Setter Says Countries Should Require Virtual Asset Service Providers to Obtain and Transmit Certain Information Regarding Senders and Recipients for All Virtual Asset Transfers:
SEC Adopts Capital, Margin and Segregation Rules for Security-Based Swap Dealers
SEC Seeks Comments on Private Offering Harmonization Initiative:
UK Regulator Fines UK Bank £45.5 Million for Failing to Disclose Suspicions of Fraud:
Where’s the Cryptos? – Defunct Exchange’s Missing Cryptoassets Transferred to Principal’s Personal Accounts at Competitors:
The information in this article is for informational purposes only and is derived from sources believed to be reliable as of June 22, 2019. No representation or warranty is made regarding the accuracy of any statement or information in this article. Also, the information in this article is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The impact of the law for any particular situation depends on a variety of factors; therefore, readers of this article should not act upon any information in the article without seeking professional legal counsel. Katten Muchin Rosenman LLP may represent one or more entities mentioned in this article. Quotations attributable to speeches are from published remarks and may not reflect statements actually made. Views of the author may not necessarily reflect views of Katten Muchin or any of its partners or employees.