Five Minutes on Fintech

February 2023

In honor of Valentine’s Day, we reflect this month on a few of the gifts the Fintech community received recently from federal and state regulators and law enforcement. High on the list is new DOJ guidance informing calculations around voluntary self-disclosure that regulated Fintechs may have to make, as well as New York DFS guidance on expectations for providing custody services for digital assets. We also run down some key takeaways from the DOJ’s Bizlato prosecution, and throw in an update on current FinCEN penalty amounts. We’re glad there are no holidays in March . . .

  1. What Does the DOJ’s New Self-Disclosure Policy Mean for Regulated Fintechs?
  2. The Bizlato Case Sets Forth the DOJ’s Blueprint for Prosecuting Cryptocurrency Crimes
  3. Setting the Bar: NY DFS Crypto Custody Guidance
  4. Bank Secrecy Act Penalties Increase
  1. What Does the DOJ’s New Self-Disclosure Policy Mean for Regulated Fintechs?

The decision to self-disclose information to a government agency is never easy. When a company discovers a problem, there may be both a scramble to understand the nature and scope of the problem while also considering a voluntary self-disclosure. Absent a strict liability scenario (e.g., OFAC sanctions), there are often fundamental questions about whether the problem is the kind that even demands a self-disclosure, along with uncertainty about the benefit of self-disclosure in any resulting negotiations over regulatory enforcement action.

In January, the DOJ issued an update to its corporate enforcement policy, the “Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy,” seeking to clarify the potential credit a company can receive with respect to voluntary self-disclosures, cooperation, and remediation. The new policy encourages self-disclosures by specifying and increasing the “credit” a company can receive off the calculated resolution, and offering the possibility of no prosecution even where there are aggravating factors. The DOJ provides informative definitions of a “voluntary self-disclosure” and “cooperation,” requiring that the disclosure occurred promptly after discovery and included all relevant non-privileged facts, proactive and timely updates were made, and relevant records were collected and retained. An effective compliance program is a highly important factor under the policy.

Of course, the DOJ’s policy applies to potential corporate criminal misconduct, and not directly to the regulatory obligations of supervised financial services entities. So how relevant is it to a regulated Fintech company?

The DOJ’s guidance on self-disclosures is worth paying attention to because it reflects the thinking of government enforcers and regulators broadly, and provides a useful reference point in discussions or negotiations that may occur with regulators. OFAC’s voluntary self-disclosure rules, contained in its Economic Sanctions Enforcement Guidelines, are another relevant data point. Like the DOJ’s policy, OFAC requires proactive, prompt, and full disclosure of facts with robust details. Again, the effectiveness of an existing compliance program and the quality of affirmative cooperation will play a role in the outcome, which could range from no action to a civil monetary penalty to a criminal referral.

The broadest takeaway from the DOJ’s new policy is this: There is a whole-of-government approach to emphasizing strong compliance programs, and that focus is growing. A strong compliance program is the best complement to a voluntary self-disclosure. Beyond that, cooperation credit should be available to those who can demonstrate they disclosed before they had to, and were transparent in the details they provided. (Contact: Laurel Loomis Rimon)

  1. The Bizlato Case Sets Forth the DOJ’s Blueprint for Prosecuting Cryptocurrency Crimes

On January 18, 2023, the DOJ arrested Anatoly Legkodymov in Miami, Florida on charges that he operated an unlicensed money transmitting business. According to the complaint, Legkodymov was a co-founder and senior executive of Bizlato Limited, a Hong Kong registered cryptocurrency exchange that allowed its customers (including users in the United States) to open accounts and conduct transactions with little or no know-your-customer (KYC) checks. As a result, Bizlato is alleged to have allowed its customers to conduct hundreds of millions of dollars in illegal transactions and engage in money laundering. In particular, the DOJ alleged that Bizlato had a close reciprocal relationship with the Hydra Marketplace, which until it was shut down in April 2022, was a darknet market that facilitated the sale of illegal drugs, stolen financial information, and money laundering services. Moreover, the DOJ alleged that Legkodymov and other senior executives at Bizlato were aware of the lack of adequate KYC and illegal activities of its customers.

The DOJ’s arrest of Legkodymov is important because it reflects several parts of the DOJ’s blueprint for prosecuting cryptocurrency crimes:

1.  Targeting cryptocurrency platforms in addition to primary illegal actors. In October 2021, Deputy Attorney General (DAG) Lisa Monaco announced that the DOJ would be focused on prosecuting “cryptocurrency exchanges, infrastructure providers, and other entities that are enabling the misuse of cryptocurrency and related products to commit or facilitate criminal activity.” Given the difficulty of identifying, let along locating, criminals involved in using cryptocurrency to commit crimes, it is not surprising that the DOJ continues to focus on the platforms and associated individuals that facilitate those criminals by failing to have sufficient compliance programs under, for example, the Bank Secrecy Act (BSA) or economic sanctions laws.

2.  Section 1960 Remains a Favorite Tool of Prosecutors. The charging documents against Legkodymov alleged violations of 18 U.S.C. § 1960(b)(1)(A), which prohibits the unlicensed operation of a money transmitting business. While the facts alleged in the complaint appear to support criminal liability for more serious crimes, it is not surprising that prosecutors chose to initially rely upon 1960. The elements of this crime are simple, and as a general matter only require the government to prove that the defendant knowingly operated a money transmitting business without obtaining an appropriate state license (if it is a crime to do so in that state) or registering with FinCEN. Notably, the crime does not require the government to prove that the defendant knew that he was engaging in illegal conduct. Moreover, Section 1960 provides for serious penalties, including the potential forfeiture of any property “involved in” the violation. It is not surprising that Section 1960 has been a powerful tool for charging digital asset crimes, including the DOJ’s prosecution of e-gold over 17 years ago in 2006. We expect that once Legkodymov is formally indicted, additional charges will be included, but the fact that prosecutors chose Section 1960 as the initial charging tool shows the continued importance of this provision in their toolbox for cryptocurrency crimes.

3. Aggressive targeting of international companies and international defendants. In announcing the charges against Legkodymov, DAG Monaco stated that “whether you break our laws from China or Europe—or abuse our financial system from a tropical island—you can expect to answer for your crimes inside a United States courtroom.” Her message was that the DOJ would actively pursue cryptocurrency defendants doing business in substantial part in the U.S., even if their operations are located outside of the country. Similarly, the fact that Legkodymov was a Russian national living in China also did not stop the DOJ from charging him. As Monaco recently stated in a speech last September, “prosecutors should not be deterred from pursuing appropriate charges just because an individual liable for corporate crime is located outside the United States.” It is apparent that the investigation had been ongoing long before Legkodymov stepped foot into the U.S.

4.  International Coordination on the Investigation. One of the great challenges for law enforcement in pursuing cryptocurrency crimes is that such crimes ignore jurisdictional boundaries. Prior cryptocurrency cases have highlighted the need to address this issue through close coordination between the DOJ and its international partners. The Bizlato case is no different. In the press release announcing the charges, the DOJ stated that the investigation was conducted “in close coordination” with French law enforcement authorities, and also recognized the assistance of EUROPOL and Belgian authorities for offering operational expertise, coordination, and information sharing. As countries continue to expand and solidify their relationships in working cryptocurrency investigations, we should assume that the DOJ (and other U.S. agencies) are working closely and sharing information with their international partners. (Contact: Leo Tsao)

  1. Setting the Bar: NY DFS Crypto Custody Guidance

On January 23, NY DFS released updated guidance that lays out standards and expectations for virtual currency businesses providing services to New York customers. In particular, these guidelines establish standards to ensure that consumer funds held by virtual currency businesses are protected from misappropriation and over-leveraging.

Under the guidance, custodians must:

  • Separate the accounts of each customer’s virtual currency from their own corporate assets and those of affiliated entities as a part of maintaining their books and records;
  • Receive virtual currency from customers only for purposes of custody and safekeeping services (not to establish a debtor-creditor relationship);
  • Implement sub-custody arrangements when third parties are involved, so long as it is consistent with DFS guidance; and
  • Scrutinize and ensure the adequacy of their disclosures, including clear terms specifying that the services establish a custodial relationship and not a debtor-creditor relationship. These terms should also specify processes for segregation of accounts in custody, and retained property interests.

In issuing guidance, the DFS is clearly establishing its expectations for regulated virtual currency businesses and setting a bar with which it can take enforcement actions against non-complying institutions. New York’s bitlicense laws have regulations imposing these requirements on its licensed businesses, including the custody requirements contained in 23 NYCRR part 200.9, the advertising and marketing requirements in 23 NYCRR part 200.18, and the consumer disclosure requirements in 23 NYCRR part 200.19. By issuing this guidance, DFS is emphasizing its expectations in light of these regulations and recent public events undermining confidence in cryptocurrency platforms.

The fast pace of innovation in cryptocurrency, as well as traditional financial services, can often result in operations practices unintentionally shifting outside of regulatory requirements. While this is a constant risk, regulatory guidance such as this clarifies the risk of regulatory action. (Contact: Braddock Stevenson)

  1. Bank Secrecy Act Penalties Increase

Inflation is a popular topic of conversation these days. While the price of a dozen eggs at your local supermarket is more likely to capture your attention, companies governed by the BSA should take note that civil monetary penalty amounts are also increasing.

On January 19, FinCEN published the final rule for its annual adjustments to the statutory maximum and penalty range for violations of FinCEN’s anti-money laundering rules in the Federal Register. FinCEN’s penalty adjustments are a statutory requirement under the Federal Civil Penalties Inflation Adjustment Act of 1990 (as further amended by the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015) and based on federal Office of Management and Budget guidance that ties changes to the penalty amounts to the Consumer Price Index. The new Penalty Adjustment and Table is codified in 31 CFR § 1010.821.

The new penalty amounts apply to all civil monetary penalties assessed after January 19, so long as the underlying violations occurred after November 2, 2015. Importantly, the penalty amounts are based on when the fine is handed down by FinCEN, even if the alleged violative conduct occurred several years earlier.

The increases can make a substantial difference when aggregated across multiple violations. For example, the penalty range for willful violations of the BSA increased from $62,689-$250,759 to $67,544-$270,180. A violation is deemed to have occurred each day the conduct occurs or continues, as defined by 31 U.S.C. 5321(a)(1). Nonetheless, it remains to be seen if the new fines will reflect a greater bump from inflation, since the actual penalty amounts assessed as part of an enforcement action are usually a product of negotiation between the agency and the target. (Contacts: Braddock Stevenson and Ben Seelig)

To continue to receive the latest Five Minutes on Fintech, please click here to subscribe.

Five minutes on Fintech professionals

Image: Leo Tsao
Leo Tsao

Partner, Litigation Department


Image: Braddock J. Stevenson
Braddock J. Stevenson

Of Counsel, Corporate Department


Get In Touch With Us

Contact Us