Companies Involved in Cyber-Incident Response May Need to Register as Money Transmitters

Crypto-Ransom Payments May Require More than a Wallet Address: FinCEN Warns that Companies Involved in Cyber-Incident Response May Need to Register as Money Transmitters


In Depth


Regulatory Background

A “money service business,” including a “money transmitter,” must be registered with FinCEN. (See 31 USC § 5530; 31 CFR § 1010.100(ff)(7).) A “money transmitter” is a company that engages in “money transmission services,” the “acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.” (31 CFR § 1010.100(ff)(5); see also 31 USC § 5330(d)(1).) In addition, nearly every state has its own money transmitter licensing regime (commonly referred to as MTLs). Thus, a company that engages in money transmission needs to register with FinCEN as an MSB and register in each state in which it conducts money transmission, unless an exemption applies.

Importantly, FinCEN and certain federal courts have ruled that (at least certain types of) virtual currency constitutes “money” or “funds” for purposes of determining whether a company is required to register as an MSB with FinCEN or as a money transmitter in certain states.* The state regimes vary. Each state differs as to whether virtual currency constitutes “money” under the relevant statutory definition of “money” and whether companies that accept and transmit virtual currency must obtain an MTL. Companies transacting in virtual currency regularly rely on the statutory definitions, guidance issued by state regulators and “no action” responses by local regulators to determine whether they need to obtain an MTL in a particular state.

*See also United States v. Murgio, 209 F. Supp. 3d 698 (S.D.N.Y. 2016); United States v. Harmon, No. 19-cr-395, 2020 WL 4251347 (D.D.C. Jul. 24, 2020); but see United States v. Petix, No. 15-cr-227, 2016 WL 7017919 (W.D.N.Y. Dec. 1, 2016).

DFIRs Making Ransom Payments in Virtual Currency May Need to Register as Money Service Businesses and Obtain Money Transmitter License

On November 12, 2020, FinCEN held a virtual conference titled “Ransomware FinCEN Exchange.” This virtual conference focused on the recent uptick in cybercrimes and ransom payments—with a particular focus on ransom payments made in cryptocurrency. While FinCEN (and regulators from other federal agencies) spoke about a number of issues, one key issue industry participants need to be aware of is that digital forensics and incident response companies (DFIRs) may need to register as an MSB and obtain MTLs.

A representative from FinCEN discussed the fact that DFIRs, on behalf of their clients, may execute payments to cybercriminals in virtual currency. The representative indicated that because those DFIRs are sending virtual currency from one person to another, they may be engaged in money transmission.

FinCEN encouraged DFIRs to reach out to FinCEN for guidance or to request an administrative ruling to determine whether registration as an MSB is required. We anticipate that certain industry participants will be reaching out to FinCEN and seeking administrative rulings on this subject.

Issues Facing DFIRs/Effects of Statement

Many DFIRs currently execute virtual currency ransom payments. These DFIRs are usually in a better position than the cybervictim to make the ransom payments and to potentially track those payments to aid a law enforcement investigation. If DFIRs refuse to execute those payments, it places the burden and risk on the cybervictim to make the payments. These cybervictims may not have the technological capabilities or a process in place to make payments in virtual currency. These regulatory hurdles could result in fewer ransom payments to criminals. However, ransom payments are often made where critical information about the cybervictim’s own customers is at risk, the data may be vital to the cybervictim’s operations, or the ransom payment is ultimately the less expensive option. Eliminating avenues of ransom payments could have the perverse effect of harming the cybervictim.

Once a DFIR registers as an MSB, the company then has multiple anti-money laundering and know your customer (referred to collectively as AML/KYC) obligations. An MSB must maintain a risk-based AML/KYC program. (See 31 CFR § 1022.210.) An AML/KYC program must be “effective” and be “reasonably designed to prevent the money service business from being used to facilitate money laundering and the financing of terrorist activities.” (See 31 CFR § 1011.210(a).) This could pose a problem because, if payments are made to cybercriminals, it would be nearly impossible for a DFIR to obtain typical AML/KYC information and to know who the payment is being made to. (See 31 CFR § 1022.210(d)(i)(A) (an AML/KYC policy must “at a minimum” include “policies, procedures, and internal controls” for “verifying customer identification”).) How is a DFIR to know whether it is making a payment that would facilitate money laundering or finance terrorist activities, if it does not know who it is making the payment to? As stated in our article, the US Treasury Office of Foreign Assets Control (OFAC) made clear on October 1, 2020, that facilitating ransomware payments could potentially violate US sanctions programs.

Deciding whether to register as an MSB on the federal level or to obtain MTLs from relevant local jurisdictions is a critical decision. Operating a money transmitting business without an MSB registration or the appropriate state MTL is a federal felony. (See 18 USC § 1960.) This is not merely a theoretical risk for companies making payments in virtual currency. There have been successful prosecutions for operating an unlicensed money transmitting business transacting in virtual currency without the appropriate licenses.* On October 1, 2020, the DOJ issued a policy statement that it would continue to prosecute virtual currency-related crimes and prominently cited the cases that it has brought against companies and individuals for failing to register as a money transmitter. While the majority of these prosecutions contained allegations of other underlying crimes or fraudulent conduct, we would not be surprised if the government started prosecuting companies and individuals for the mere failure to register.

*See, e.g., United States v. Murgio, 209 F. Supp. 3d 698 (S.D.N.Y. 2016) (failing to register as a money transmitter under Florida law); United States v. Faiella, 39 F. Supp. 3d 544 (S.D.N.Y. 2014) (failing to register with FinCEN as an MSB); United States v. Budovsky, No. 13-cr-368, 2015 WL 5602853 (S.D.N.Y. Sep. 23, 2015) (failing to register with FinCEN as an MSB); see also United States v. BTC-E, No. 16-cr-2227 (N.D. Cal. 2017) (indictment of principal and virtual currency company for operating an unlicensed money transmitting business and other crimes).

Conclusions

DFIRs are now in the unenviable position of deciding whether to facilitate virtual currency payments for their clients. Clients will clearly desire (and perhaps expect) that DFIRs facilitate such payments. However, FinCEN’s and OFAC’s recent statements on the subject make these ransom payments in virtual currency an increasingly risky and more complicated proposition.

FinCEN’s and OFAC’s recent guidance places a significant regulatory burden on cybervictims and the DFIRs in deciding whether and how to make ransomware payments in virtual currency. We anticipate that industry participants will contact FinCEN for further guidance and administrative rulings on this subject. Until further clarifications are issued, DFIRs should consider examining their AML/KYC policies and licensing obligations before facilitating ransom payments in virtual currency.

* * *

McDermott Will & Emery has been a leader in virtual currency and cybersecurity law for years. McDermott lawyers have been advising virtual currency companies on MSB and MTL issues since the inception of virtual currency. McDermott lawyers also have deep experience advising clients on cyber incident response, AML/KYC and OFAC sanctions compliance requirements. McDermott lawyers also have hands-on experience defending government investigations concerning virtual currency, including inquiries concerning compliance with US sanctions programs and other AML/KYC compliance issues.