Lessons Learned from Binance’s Criminal Settlement (III of III)
Matt Stankiewicz, Partner at The Volkov Law Group, finishes his series on Binance by providing key takeaways for AML compliance programs. Matt can be reached at [email protected].
Binance’s $4.3 billion fine is one of the largest penalties the DOJ has ever obtained from a corporate defendant. Furthermore, its founder and CEO Changpeng Zhao (“CZ”) was also personally subject to a fine, amounting to $150 million. And to top it all off, CZ still faces up to 18 months of jail time as prosecutors pursue the maximum sentence. This should be a clear wake-up call to the cryptocurrency industry that compliance is mandatory. Too many foreign exchanges wrongly believed (or, more likely, willfully ignored) that they could bury their heads in the sand and serve U.S. customers without worrying about U.S. laws and regulations.
At a high level, exchanges are considered money services businesses (“MSBs”), so they’re required to register with FinCEN and comply with the Bank Secrecy Act (“BSA”). The BSA requires filing suspicious activity reports (“SARs”) and implementing an anti-money laundering (“AML”) compliance program that is “reasonably designed to prevent the [MSB] from being used to facilitate money laundering and the financing of terrorist activities.”
Now that Binance and CZ have shown the industry what not to do, the resulting fallout will provide a great resource for others to learn from these mistakes. By digging into the allegations, we can identify plenty of lessons to be learned. Further, the compliance obligations of the settlement agreement will also be a great resource as to regulators’ expectations for what cryptocurrency exchanges must have in terms of their compliance programs.
It all starts at the top, and compliance is no different. Even DOJ’s compliance obligations for Binance begin with a clear requirement for a high-level commitment to compliance. Looking back at Binance’s misconduct, the exchange’s issues clearly revolved around a complete lack of high-level support for its compliance commitments. At various times, Binance’s legal and compliance staff raised concerns and recommended improvements and controls, which were ultimately ignored or suppressed by senior leadership. Selecting a new CEO with a strong commitment to and experience in compliance, supported by directors and senior management who give explicit and visible support for compliance, will help Binance begin its reformation.
Policies, Procedures, and Internal Controls
DOJ required Binance to develop policies, procedures, and controls that address the following:
- customer onboarding;
- know your customer and due diligence procedures, including for customers’ customers;
- periodic customer reviews for illicit activity, money laundering and sanctions risk;
- designation of high-risk customers;
- reviews of high-risk customers;
- closure of customer accounts;
- maintenance of customer files, including records of and about each customer’s access to and use of the customer’s accounts;
- prohibition of business with designated persons, entities, groups, industries, regions, and countries targeted by U.S. sanctions laws;
- real-time transaction monitoring for suspicious or unlawful activity;
- timely response to law enforcement requests and legal process;
- filing of suspicious activity reports;
- independent audit of anti-money laundering policies, procedures, and systems;
- conflicts of interest;
- provision of information to regulators and supervisors;
- provision of information to financial institutions;
- whistleblowing; and
- technological controls to prevent circumvention of the Compliance Programs.
This may help serve as a checklist of areas your respective programs also need to address.
AML Programs and KYC
For those that were unaware, it is clear now that cryptocurrency exchanges are considered MSBs and, as such, must implement an AML compliance program. Binance clearly knew that, but believed that a program would hinder its growth and profitability. This is typically misguided: reputation matters. We see that more than ever now, following the collapse of some crypto titans that threw the industry into a tailspin (FTX, Celsius, Terra, BlockFi, etc.). Customers are looking for reliable and trustworthy exchanges in order to avoid the disastrous impacts of these compliance failures. Customers also don’t want to be associated with hackers, cybercriminals, and other unsavory characters.
We also stress to our clients that compliance does not need to negatively impact the customer experience. In fact, proper compliance controls can sometimes even enhance the experience. We discovered this in working with one client who relied on manual spreadsheets for a complex KYC onboarding process, which many potential customers abandoned before ever completing. We were able to help that client streamline its onboarding process with automated tools to obtain the basic information needed to verify customer identity, which got those customers onboarded and using the exchange quickly and smoothly, and ultimately decreased the abandonment rate. Furthermore, these streamlined KYC processes were then buttressed with a robust transaction monitoring system that could identify issues in real time and escalate these users to compliance for more robust monitoring or enhanced due diligence as needed.
In some ways, cryptocurrency provides certain advantages that traditional finance does not have. This is especially true with transaction monitoring. The unique nature of the underlying blockchain (ultimately, a public ledger) provides for incredible transparency of the flow of funds. Since the ledger is public, anyone can view it and trace funds as they move between wallets. It is technically possible to trace the entire transaction history of every single Bitcoin ever created. Further, several tools have been created to quickly and easily review the ledger and identify links to any potential compliance issues. These tools can identify whether funds were recently washed through a mixer, are coming from a known darknet market, are linked to cybercriminals or sanctioned entities, or otherwise represent some sort of risk to the business. These tools are an incredibly powerful addition to any cryptocurrency compliance program.