New guidance from the New York State Department of Financial Services mandates the use of blockchain analytics services for cryptocurrency businesses licensed in New York.
The New York State Department of Financial Services (NYDFS), the government body responsible for regulating banking and finance entities subject to New York’s laws, recently issued the “Guidance on Use of Blockchain Analytics,” clarifying some of the requirements for “all virtual currency business entities” licensed under the state’s “BitLicense” or chartered under New York Banking Law.
As the first guidance from a state regulatory body covering blockchain analytics, some legal commentators believe it will be the model for future regulations in different states. “Other regulators and law enforcement will likely start looking to this guidance to inform their own best practices for crypto monitoring going forward, and those in the industry would be well served by internalizing and implementing these guidelines, regardless of their jurisdiction,” an author at the National Law Review wrote.
The purpose of this guidance from the New York State Department of Financial Services (“Department”) is to emphasize to all virtual currency business entities that are either licensed under 23 NYCRR Part 200 or chartered as a limited purpose trust company under the New York Banking Law (collectively, “VC Entities”) the importance of blockchain analytics to effective policies, processes, and procedures, including, for example, those relating to customer due diligence, transaction monitoring, and sanctions screening.
Financial activity involving virtual currency can involve, among other things, different sources, destinations, and types of funds flows than are found in more traditional, fiat-currency contexts. For example, virtual currencies such as Bitcoin and Ether can be transferred peer-to-peer directly from one individual or entity to another pseudonymously, absent the use of a regulated third party (e.g., between non-custodial wallets, or self-hosted wallets that allow users to maintain control of their private keys). Thus, to effectively address compliance requirements under the New York Banking Law and the New York Financial Services Law, as well as federal Bank Secrecy Act/anti-money laundering (“BSA/AML”) and Office of Foreign Assets Control (“OFAC”) requirements, VC Entities must be sure that their compliance programs fully take into account the unique characteristics of virtual currencies.
While such characteristics present compliance challenges, they also present new possibilities for control measures that leverage these new technologies. For example, virtual currencies, by their nature, typically enable provenance tracing (i.e., review of previous transfers or “hops” along the public blockchain ledger, or “on-chain”). Put differently, the blockchain ledger’s immutability typically allows a historical view of a virtual currency transmission between wallet addresses, providing the opportunity for greater visibility into transaction lineage than is typically found with traditional, fiat funds transfers.
A VC Entity’s risk mitigation strategies must take account of the VC Entity’s business profile to assess risk across types of virtual currencies and effectively address the specific characteristics of any particular virtual currency involved. For most virtual currencies, information stored on-chain includes certain identifying information, such as sending and receiving wallet addresses, time and date, and value of the transaction. However, as suggested above, these wallet addresses are typically pseudonymous, with nothing on the face of the transfer tying back to the originator, beneficiary, or underlying beneficial owners. In addition, the effectiveness of existing blockchain analytics tools can vary depending on the particular virtual currency in question.
Given the above-noted characteristics of virtual currencies, the Department emphasizes the importance of blockchain analytics to VC Entities in addressing, for example, anti-money laundering requirements under 23 NYCRR § 200.15, and across a range of BSA/AML and OFAC-related compliance controls, including but not limited to:
- Augmenting Know Your Customer (or “KYC”)-related controls;
- Conducting transaction monitoring of on-chain activity; and
- Conducting sanctions screening of on-chain activity.
VC Entities can use third-party service providers or internally developed blockchain analytics products and services for additional control measures, whether separately or in combination. To the degree that VC Entities outsource such control functions, the VC Entities must have clearly documented policies, processes, and procedures with regard to how the blockchain analytics activity integrates into the VC Entity’s overall control framework consistent with the VC Entity’s risk profile.
As part of their KYC responsibilities, VC Entities must obtain and maintain information regarding, and understand and effectively address the risks presented by, their customers and potential customers.
Potentially useful in this regard are products and services that allow their users to obtain identifying information (e.g., location of a wallet address on a specific exchange for custodial transactions) that ties directly to the pseudonymous on-chain data, particularly in combination with customer-provided information. These products and services typically can identify wallet addresses associated with an institution (e.g., a VC Entity) as well as known high-risk wallet addresses such as darknet marketplaces, but such tools may not be able to identify underlying owners, including ultimate beneficial owners, and may have limited attribution capability, absent further “off-chain” verification methods integrating customer-provided data.
For example, VC Entities must have policies, processes, and procedures to assess counterparty exposure for virtual currency funds transfers (e.g., beneficiary institutions for outbound transfers). For example, certain vendor products or internally developed tools provide numerical scores or tiered rankings to represent the risk of the counterparty institution, typically based on on-chain transaction data supplemented with other factors such as strength of the institution’s BSA/AML Program.
VC Entities must also have in place appropriate control measures to monitor and identify unusual activity tailored to the VC Entity’s risk profile. Accordingly, it is important for VC Entities to have policies, processes, and procedures for the tracing of transaction activity for each type of virtual currency the entity supports and the flow of funds through the blockchain for any inbound or outgoing activity (often described as “provenance tracing” or “transaction tracing”). For example, FinCEN recently noted: “It is critical that all financial institutions, including those with visibility into CVC [convertible virtual currency] flows, … identify and quickly report suspicious activity associated with potential sanctions evasion, and conduct appropriate risk-based customer due diligence or, where required, enhanced due diligence.” For instance, it is important that VC Entities evidence appropriately tailored transaction monitoring coverage against applicable typologies and red flags, identify deviations from the profile of a customer’s intended purposes, and address other risk considerations as applicable. Relevant typologies related to virtual currency business activity include but are not limited to: assessing whether a virtual currency (1) has substantial exposure to a high-risk or sanctioned jurisdiction; (2) is processed through a mixer or tumbler; (3) is sent to or from darknet markets; (4) is associated with scams/ransomware; and (5) is associated with other illicit activity relevant to the VC Entity’s business model.
Documentation must describe case management and escalation processes, with clearly delineated roles and responsibilities across the business and compliance functions, including the VC Entity’s approach where there are any doubts (e.g., related to source of funds).
The Department also emphasizes the importance of risk-based policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the SDN List, or located in sanctioned jurisdictions. OFAC notes: “Transaction monitoring and investigation software can be used to identify transactions involving virtual currency addresses or other identifying information (e.g., originator, beneficiary, originating and beneficiary exchanges, and underlying transactional data) associated with sanctioned individuals and entities listed on the SDN List or other sanctions lists, or located in sanctioned jurisdictions.”
CipherTrace and Chainalysis must be making a killing.
The New York State Department of Financial Services alleges that the state’s regulations for cryptocurrency businesses “ensure that New Yorkers have a well-regulated way to access the virtual currency marketplace and that New York remains at the center of technological innovation and forward-looking regulation.” Of course, after the introduction of New York’s “BitLicense” in 2015, Kraken, BitFinex, ShapeShift, Paxful, and many others left the state.
The New York State Assembly just passed a bill that places a two-year ban on PoW mining operations that rely on “a carbon-based fuel” (Assembly Bill A7389C) as part of an “Earth Day” package (supporters allege that people are getting too sweaty in New York). The State Senate has not yet voted on the bill, though.
In March, the European Parliament’s Committee on Economic and Monetary Affairs voted against a draft of the Markets in Crypto Assets regulatory framework that would have banned PoW mining.
- FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts (PDF)
- Advisory on Illicit Activity Involving Convertible Virtual Currency (PDF)