Originally published on November 28, 2019
The Internal Revenue Service (IRS) is auditing companies who registered with the Financial Crimes Enforcement Network (FinCEN) as a Money Service Business (MSB) involved in the Bitcoin space — it’s called a Title 31 Exam. These exams were typically reserved for Indian Casinos but they’re happening in the Bitcoin space now. I’ve seen a few companies get hit with these exams last week and from what I’ve heard, they’ve been issued on-mass, kind of like the SEC subpoenas of early 2018. It’s an unpleasant notice to receive. The far-reaching rules of the Bank Secrecy Act apply equally to companies with large resources and small-scale bitcoin ATM operators or exchangers.
The notice tells the MSB company that the IRS is coming in person to ensure the MSB complies with the Bank Secrecy Act. They are picking a 4-month range and examining all transactions that took place within the specified dates. If you’re a real player in the crypto-MSB space, you likely have a Title 31 Exam coming up. This is not an income tax audit, but the notice makes sure to point out the recipient may be liable for penalties if they failed to comply with the BSA.
It all feels like an attack on the fungibility of Bitcoin, but no matter a company’s views on privacy, the reality of the situation is if you exchange or issue cryptocurrency as a business in America, you are required to register as an MSB and comply with the Bank Secrecy Act by:
· Hiring a Compliance Officer, Registering as an MSB with FinCEN, Drafting a robust Compliance Program including an AML Policy, OFAC Policy, KYC Policy, Customer Identification Policy, Enhanced Due Diligence Policy, SAR Policy, CTR Policy, Record Retention Policy, Independent Testing Policy, & Staff-Training Policy, & Following the policy.
Based on the documents being requested, the IRS and FinCEN also wants to see that compliance is discussed and documented at board meetings as well — something I believe a lot of smaller operations in the space are falling short on.
Deborah Connor, the Principal Deputy Chief, Asset Forfeiture and Money Laundering for the Department of Justice (DOJ), addressed the casino industry with some insight to the Title 31 exams that have been prevalent in their industry. The most common findings in those Title 31 exams were that casinos were failing to know their customer properly. Ms. Connor outlined the four critical (and minimum) components of an AML program as:
1. Internal policies, procedures, and controls;
2. A designated compliance officer;
3. Ongoing AML training; and
4. Independent auditing to test the effectives of the program
In order for an AML program to be considered effective, it needs to be “risk based” and “tailored to the unique needs, risk profile, and structure of each institution.” I’m sure that was just what every casino owner in the room wanted to hear — it’s subjective based on the DOJ’s conclusion of the risk level.
The DOJ’s hallmarks for an effective compliance program:
· An institution must ensure that its senior business managers provide strong, explicit, and visible support for its corporate compliance policies.
· The people who are responsible for compliance should have stature within the company. Compliance teams need adequate funding and access to necessary resources…
· An institution’s compliance policies should be clear and in writing. They should be easily understood by rank-and-file employees beyond the compliance department. That means that the policies must be translated into languages spoken in the countries in which the companies operate…
· An institution should periodically review its policies and practices to keep them up to date with evolving risks and circumstances…
· There must be mechanisms to enforce compliance policies. Those include encouraging compliance and disciplining violations… The Department of Justice does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated, but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences.
· A financial institution should inform third parties like vendors, agents, or consultants about the company’s compliance policies and of the expectation that its partners will also take compliance seriously. This means more than including boilerplate language in a contract. It means taking action — including termination of a business relationship — if a partner demonstrates a lack of respect for laws and policies.
Practice > Paper
When AFMLS evaluates a company’s compliance policy during an investigation, they look at how the policy is implemented, not how it reads on paper.
Snitches do NOT get Stitches
It is strongly encouraged to reach out to law enforcement proactively, through SARS and the FinCEN hotline. They encourage financial institutions to address suspicious activity before they see it.
More Data = More Jobs.
BSA data includes nearly 190 million records and there are around 55,000 added each day. Domestically, FinCEN grants more than 10,000 agents, analysts, and investigative personnel from over 350 unique federal, state, and local agencies across the United States with direct access to the reporting.
FinCEN does not maintain a strict matrix for assessing penalties. Rather, FinCEN weighs a number of factors and considerations when determining CMPs.
1) The Nature and Seriousness of Violations
2) Knowledge and Intent
3) Remedial Measures
4) Financial Condition of the Financial Institution or Individual
5) Payments and Penalties Related to Other Enforcement Actions
These are the documents requested of the crypto-related MSB companies for their Title 31 exams. It seems, if you haven’t got your house in order, now is a good time to get busy with compliance.