The Intersection of Cryptocurrencies and National Security
Chainalysis Links Conference
May 19, 2022
Hello and thank you for that kind introduction. I’m Alessio Evangelista, and I’m the Associate Director of the Enforcement and Compliance Division of the Financial Crimes Enforcement Network, or FinCEN. I’m excited to be here today, and I really appreciate the invitation to speak about the intersection of cryptocurrencies, compliance, and national security. It’s at the core of FinCEN’s mission.
Safeguarding the financial system from illicit use is fundamental to protecting U.S. national security. Keeping illicit activity out of the cryptocurrency sector also helps instill confidence in the financial system by ensuring that the public, including customers in the cryptocurrency space, can feel comfortable that their assets and their transactions will be secure. And that they won’t be taken advantage of by bad actors, including criminals, or malign state actors.
And, that’s a key focus for us at FinCEN. We work to combat money laundering and the financing of terrorism—and related crimes, like cybercrime, ransomware, drug trafficking, and human trafficking, just to name a few.
But we don’t do it alone at FinCEN. “Network” is in our name. We are only one part of the overall effort. We are part of a whole-of-government effort that includes others at Treasury, law enforcement, other regulators, Congress. And to be effective, we require intensive collaboration and engagement with you, the industry, the private sector, and civil society.
The President’s recent Executive Order on digital assets outlined the U.S. government’s approach to digital assets, including cryptocurrencies. The Executive Order said, “The United States has an interest in responsible financial innovation, expanding access to safe and affordable financial services, and reducing the cost of domestic and cross-border funds transfers and payments, including through the continued modernization of public payment systems.” The E.O. also made clear that achieving these goals can’t come at the cost of other priorities. Priorities like national security, the prevention of illicit finance, consumer protection, and financial stability.
Instilling confidence in the system is what will help the cryptocurrency sector grow and achieve its full potential. One of the roles that FinCEN plays in this space is that we are a regulator, with a focus on combating illicit finance. We draft rules and regulations to implement the Bank Secrecy Act, our basic law. And, we work to foster and ensure compliance.
Many of you probably remember FinCEN because in 2020 we issued notices of proposed rulemaking related to compliance with the so-called “Travel Rule” in the cryptocurrency industry and rules related to transactions with unhosted wallets. I know you’re familiar with those proposals, because collectively we received more than 10,000 comments from industry and other stakeholders. We really appreciated all of the feedback. It is important to us that we hear from you. We read every single comment and we are carefully considering them as we move forward.
Addressing the illicit finance and national security risks related to Travel Rule compliance and unhosted wallets remains top of mind for us. But, as we think through next steps, and in line with the broader U.S. Government approach, we try to approach rules and regulations in a way that recognizes not only the risks that innovations pose, but the opportunities that they present. And we do recognize that the cryptocurrency industry and its underlying technologies present opportunity.
I want to go back to the quote that I read from the Executive Order, to draw your attention to one phrase, beyond all others, that I think encapsulates FinCEN’s approach to this space. And that’s “responsible financial innovation.” We want to support responsible innovation. Innovation that has compliance embedded in its DNA. Innovation that is executed in a way that is mindful of and helps to protect our national security interests and to protect people from harm.
What does this mean? Responsible innovation means that financial institutions that operate in the cryptocurrency space have the same obligations as all other financial institutions to ensure that their new offerings can leverage innovations while still protecting consumers, reducing cybercrime, combating illicit financial activity, and ensuring their platforms are not used to harm our national security interests.
It means that financial institutions implement controls that are commensurate with the risks posed by the products and services they offer, such as services offered to customers that involve anonymity-enhanced cryptocurrencies.
It means ensuring that compliance is baked into new products at conceptualization and launch, is built into the fundamental architecture of your companies, and is given serious and ongoing consideration. It can’t just be an afterthought. Companies should not adopt the mentality of “build first, comply later.” VASPs that do not take this approach undermine trust in cryptocurrency-enabled finance and threaten national security.
To give a more specific example at the intersection of innovation and national security, it means making sure that platforms have appropriate protocols and controls in place to protect consumers from having their assets stolen by hackers looking to fund North Korea’s nuclear missile program.
Just recently, Treasury’s Office of Foreign Assets Control designated a mixer for the first time. The reason for the designation is that the mixer, Blender.io, was involved in processing a portion of the proceeds of a $620 million hack—the largest cryptocurrency heist to date. And the group behind the hack? The North Korean state-sponsored Lazarus Group. These funds were stolen to support a totalitarian regime that spends its money on developing weapons at the expense of feeding its citizens.
Other state actors whose malign activities pose a threat to our national security—Iran, Russia, and Venezuela—have publicly stated their intentions to use or develop digital currencies and/or cryptocurrencies for illicit activity, including sanctions evasion. The same goes for terrorist organizations. The connection between responsible innovation and national security is clear.
There’s been a lot of discussion recently about Russia turning to cryptocurrency to evade the growing net of U.S. and international sanctions. We’ve acknowledged that large-scale sanctions evasion using cryptocurrency by a state actor like Russia is not that practicable. As my Treasury colleagues have said before, “You can’t flip a switch overnight and run a G20 economy on cryptocurrency.”
Nonetheless, as we said in our FinCEN alert from early March, “individual sanctioned persons, illicit actors, and their related networks may attempt to use [cryptocurrency] and anonymizing tools to evade U.S. sanctions and protect their assets around the globe.” We need all of you to be vigilant.
That’s what “responsible innovation” means to us. And I want to recognize that we are already seeing examples of responsible innovation and compliance-focused product development across many facets of the industry, including mining, DeFi, stablecoins, sanctions screening, blockchain tracing, and more.
We’re seeing things like innovative Travel Rule solutions, geo-blocking capabilities, the development of protocols that embed Customer Due Diligence and sanctions screening. This is all great progress and an important signal that responsible innovation is a growing part of the compliance culture in this space.
Some of the innovations we’re seeing would have been almost inconceivable not so long ago, and they have proven that concepts like compliance and cybersecurity are not the enemy of innovation.
As Deputy Secretary Adeyemo said in November: “…there may be a misperception about the relationship between the blockchain industry and the government…There’s a belief, that we are at odds; But this is not how we see things. When we regulate, rather, it’s with an eye toward trying to foster innovation that creates economic opportunity and advances U.S. financial leadership while stamping out crime, abuse, and risks. We believe these goals go hand in hand with innovation.”
The industry can only achieve its full potential if VASPs proactively adopt and uphold high standards for compliance. What does this mean? That you implement a rigorous risk-based approach to compliance and to your customer relationships and transactional activity. To do so, one of the first steps is to develop a deep understanding of the risks that you face, the customers you serve, and the parties with which you transact.
One area that is unique to the cryptocurrency sector is the amount of information available to you, by virtue of the public nature of many blockchain ledgers. This means that you have a lot of information at your fingertips that can be used to inform your understanding of risk and shape your compliance programs. This information can provide companies in the cryptocurrency space with valuable insight into risk, fueling the more effective implementation of a risk-based approach to compliance.
It is obviously not the only source of information about risk, but this data can be an important factor in companies’ policies and procedures to, for example, review transactions and customer activity. You can do this at onboarding and on a periodic or event-triggered basis thereafter to ensure you don’t bring on or provide services to customers whose activities fall outside of your risk appetite. You can monitor this activity to ensure that you can recognize when a customer is acting in an unusual or potentially suspicious way.
It can empower you to identify and use new information and important red flags when they become available about a wallet address. New information and red flags like an address being added to OFAC’s SDN list, but not just that. I’m also talking about new information and red flags that, for example, link a wallet address to a cluster of wallet addresses that have been involved in illicit activity like ransomware.
Too often, we see VASPs that are willing to do business with problematic companies up until the day of an OFAC designation or criminal indictment, even when there were clearly observable red flags and indicators of wrongdoing that they could—and arguably should—have taken note of long ago.
This raises questions for us about the extent to which those institutions are taking a critical look at the information that is available to them. The extent to which they are applying a rigorous risk-based approach to their operations and their decisions. VASPs that provide a platform for problematic firms like these are allowing them to continue doing harm and putting their own reputations at risk.
As responsible members of the global financial system, VASPs need to help ensure that they are not allowing their businesses to be exploited by criminal elements and the non-compliant VASPs that facilitate criminal activity. Financial institutions—including VASPs—must not only have compliance policies and procedures in place. They also must implement their compliance programs effectively. They need to make risk-based decisions and to file suspicious activity reports appropriately. We know the existence of a compliance program on paper does not always result in compliance.
We know this because major themes that we see in our enforcement actions are the complete lack of meaningful compliance programs, the existence of what we call “paper programs,” and firms that transparently prioritize growth over compliance.
That’s where our enforcement efforts come in. There’s sometimes a misperception that FinCEN’s enforcement efforts are a “gotcha” enterprise. That a single misstep can put you on the wrong end of a sizable fine. In reality, though, and as I think the public enforcement actions on our website show, we continue to prioritize cases where we identify significant non-compliance and threats to the U.S. financial system. Where there is a willful disregard for regulatory requirements. I encourage you to review these actions—cases against both banks as well as cryptocurrency exchanges or administrators. The themes are the same.
These public enforcement actions take time because it is important that we get them right. Along with other public actions like the release of advisories and guidance, they are an important part of how we communicate our requirements and expectations to the financial industry. I think we’ve sent a clear message through these channels: AML/CFT requirements apply to financial institutions dealing in cryptocurrencies and other digital assets the same way they do to financial institutions dealing in fiat currency.
Before we start delving into the Q&A portion of this session, I just want to emphasize that we believe that the cryptocurrency and digital assets industry has an immense opportunity to raise the bar for the next generation of financial services.
We can collectively facilitate higher industry standards for transparency, accountability, and innovation. Governments cannot function without partners. We need all stakeholders, including VASPs, to prioritize transparency and accountability, and to share information. Together, we can ensure that we’re safeguarding our national security.
###
Chainalysis Links Conference
May 19, 2022
Hello and thank you for that kind introduction. I’m Alessio Evangelista, and I’m the Associate Director of the Enforcement and Compliance Division of the Financial Crimes Enforcement Network, or FinCEN. I’m excited to be here today, and I really appreciate the invitation to speak about the intersection of cryptocurrencies, compliance, and national security. It’s at the core of FinCEN’s mission.
Safeguarding the financial system from illicit use is fundamental to protecting U.S. national security. Keeping illicit activity out of the cryptocurrency sector also helps instill confidence in the financial system by ensuring that the public, including customers in the cryptocurrency space, can feel comfortable that their assets and their transactions will be secure. And that they won’t be taken advantage of by bad actors, including criminals, or malign state actors.
And, that’s a key focus for us at FinCEN. We work to combat money laundering and the financing of terrorism—and related crimes, like cybercrime, ransomware, drug trafficking, and human trafficking, just to name a few.
But we don’t do it alone at FinCEN. “Network” is in our name. We are only one part of the overall effort. We are part of a whole-of-government effort that includes others at Treasury, law enforcement, other regulators, Congress. And to be effective, we require intensive collaboration and engagement with you, the industry, the private sector, and civil society.
The President’s recent Executive Order on digital assets outlined the U.S. government’s approach to digital assets, including cryptocurrencies. The Executive Order said, “The United States has an interest in responsible financial innovation, expanding access to safe and affordable financial services, and reducing the cost of domestic and cross-border funds transfers and payments, including through the continued modernization of public payment systems.” The E.O. also made clear that achieving these goals can’t come at the cost of other priorities. Priorities like national security, the prevention of illicit finance, consumer protection, and financial stability.
Instilling confidence in the system is what will help the cryptocurrency sector grow and achieve its full potential. One of the roles that FinCEN plays in this space is that we are a regulator, with a focus on combating illicit finance. We draft rules and regulations to implement the Bank Secrecy Act, our basic law. And, we work to foster and ensure compliance.
Many of you probably remember FinCEN because in 2020 we issued notices of proposed rulemaking related to compliance with the so-called “Travel Rule” in the cryptocurrency industry and rules related to transactions with unhosted wallets. I know you’re familiar with those proposals, because collectively we received more than 10,000 comments from industry and other stakeholders. We really appreciated all of the feedback. It is important to us that we hear from you. We read every single comment and we are carefully considering them as we move forward.
Addressing the illicit finance and national security risks related to Travel Rule compliance and unhosted wallets remains top of mind for us. But, as we think through next steps, and in line with the broader U.S. Government approach, we try to approach rules and regulations in a way that recognizes not only the risks that innovations pose, but the opportunities that they present. And we do recognize that the cryptocurrency industry and its underlying technologies present opportunity.
I want to go back to the quote that I read from the Executive Order, to draw your attention to one phrase, beyond all others, that I think encapsulates FinCEN’s approach to this space. And that’s “responsible financial innovation.” We want to support responsible innovation. Innovation that has compliance embedded in its DNA. Innovation that is executed in a way that is mindful of and helps to protect our national security interests and to protect people from harm.
What does this mean? Responsible innovation means that financial institutions that operate in the cryptocurrency space have the same obligations as all other financial institutions to ensure that their new offerings can leverage innovations while still protecting consumers, reducing cybercrime, combating illicit financial activity, and ensuring their platforms are not used to harm our national security interests.
It means that financial institutions implement controls that are commensurate with the risks posed by the products and services they offer, such as services offered to customers that involve anonymity-enhanced cryptocurrencies.
It means ensuring that compliance is baked into new products at conceptualization and launch, is built into the fundamental architecture of your companies, and is given serious and ongoing consideration. It can’t just be an afterthought. Companies should not adopt the mentality of “build first, comply later.” VASPs that do not take this approach undermine trust in cryptocurrency-enabled finance and threaten national security.
To give a more specific example at the intersection of innovation and national security, it means making sure that platforms have appropriate protocols and controls in place to protect consumers from having their assets stolen by hackers looking to fund North Korea’s nuclear missile program.
Just recently, Treasury’s Office of Foreign Assets Control designated a mixer for the first time. The reason for the designation is that the mixer, Blender.io, was involved in processing a portion of the proceeds of a $620 million hack—the largest cryptocurrency heist to date. And the group behind the hack? The North Korean state-sponsored Lazarus Group. These funds were stolen to support a totalitarian regime that spends its money on developing weapons at the expense of feeding its citizens.
Other state actors whose malign activities pose a threat to our national security—Iran, Russia, and Venezuela—have publicly stated their intentions to use or develop digital currencies and/or cryptocurrencies for illicit activity, including sanctions evasion. The same goes for terrorist organizations. The connection between responsible innovation and national security is clear.
There’s been a lot of discussion recently about Russia turning to cryptocurrency to evade the growing net of U.S. and international sanctions. We’ve acknowledged that large-scale sanctions evasion using cryptocurrency by a state actor like Russia is not that practicable. As my Treasury colleagues have said before, “You can’t flip a switch overnight and run a G20 economy on cryptocurrency.”
Nonetheless, as we said in our FinCEN alert from early March, “individual sanctioned persons, illicit actors, and their related networks may attempt to use [cryptocurrency] and anonymizing tools to evade U.S. sanctions and protect their assets around the globe.” We need all of you to be vigilant.
That’s what “responsible innovation” means to us. And I want to recognize that we are already seeing examples of responsible innovation and compliance-focused product development across many facets of the industry, including mining, DeFi, stablecoins, sanctions screening, blockchain tracing, and more.
We’re seeing things like innovative Travel Rule solutions, geo-blocking capabilities, the development of protocols that embed Customer Due Diligence and sanctions screening. This is all great progress and an important signal that responsible innovation is a growing part of the compliance culture in this space.
Some of the innovations we’re seeing would have been almost inconceivable not so long ago, and they have proven that concepts like compliance and cybersecurity are not the enemy of innovation.
As Deputy Secretary Adeyemo said in November: “…there may be a misperception about the relationship between the blockchain industry and the government…There’s a belief, that we are at odds; But this is not how we see things. When we regulate, rather, it’s with an eye toward trying to foster innovation that creates economic opportunity and advances U.S. financial leadership while stamping out crime, abuse, and risks. We believe these goals go hand in hand with innovation.”
The industry can only achieve its full potential if VASPs proactively adopt and uphold high standards for compliance. What does this mean? That you implement a rigorous risk-based approach to compliance and to your customer relationships and transactional activity. To do so, one of the first steps is to develop a deep understanding of the risks that you face, the customers you serve, and the parties with which you transact.
One area that is unique to the cryptocurrency sector is the amount of information available to you, by virtue of the public nature of many blockchain ledgers. This means that you have a lot of information at your fingertips that can be used to inform your understanding of risk and shape your compliance programs. This information can provide companies in the cryptocurrency space with valuable insight into risk, fueling the more effective implementation of a risk-based approach to compliance.
It is obviously not the only source of information about risk, but this data can be an important factor in companies’ policies and procedures to, for example, review transactions and customer activity. You can do this at onboarding and on a periodic or event-triggered basis thereafter to ensure you don’t bring on or provide services to customers whose activities fall outside of your risk appetite. You can monitor this activity to ensure that you can recognize when a customer is acting in an unusual or potentially suspicious way.
It can empower you to identify and use new information and important red flags when they become available about a wallet address. New information and red flags like an address being added to OFAC’s SDN list, but not just that. I’m also talking about new information and red flags that, for example, link a wallet address to a cluster of wallet addresses that have been involved in illicit activity like ransomware.
Too often, we see VASPs that are willing to do business with problematic companies up until the day of an OFAC designation or criminal indictment, even when there were clearly observable red flags and indicators of wrongdoing that they could—and arguably should—have taken note of long ago.
This raises questions for us about the extent to which those institutions are taking a critical look at the information that is available to them. The extent to which they are applying a rigorous risk-based approach to their operations and their decisions. VASPs that provide a platform for problematic firms like these are allowing them to continue doing harm and putting their own reputations at risk.
As responsible members of the global financial system, VASPs need to help ensure that they are not allowing their businesses to be exploited by criminal elements and the non-compliant VASPs that facilitate criminal activity. Financial institutions—including VASPs—must not only have compliance policies and procedures in place. They also must implement their compliance programs effectively. They need to make risk-based decisions and to file suspicious activity reports appropriately. We know the existence of a compliance program on paper does not always result in compliance.
We know this because major themes that we see in our enforcement actions are the complete lack of meaningful compliance programs, the existence of what we call “paper programs,” and firms that transparently prioritize growth over compliance.
That’s where our enforcement efforts come in. There’s sometimes a misperception that FinCEN’s enforcement efforts are a “gotcha” enterprise. That a single misstep can put you on the wrong end of a sizable fine. In reality, though, and as I think the public enforcement actions on our website show, we continue to prioritize cases where we identify significant non-compliance and threats to the U.S. financial system. Where there is a willful disregard for regulatory requirements. I encourage you to review these actions—cases against both banks as well as cryptocurrency exchanges or administrators. The themes are the same.
These public enforcement actions take time because it is important that we get them right. Along with other public actions like the release of advisories and guidance, they are an important part of how we communicate our requirements and expectations to the financial industry. I think we’ve sent a clear message through these channels: AML/CFT requirements apply to financial institutions dealing in cryptocurrencies and other digital assets the same way they do to financial institutions dealing in fiat currency.
Before we start delving into the Q&A portion of this session, I just want to emphasize that we believe that the cryptocurrency and digital assets industry has an immense opportunity to raise the bar for the next generation of financial services.
We can collectively facilitate higher industry standards for transparency, accountability, and innovation. Governments cannot function without partners. We need all stakeholders, including VASPs, to prioritize transparency and accountability, and to share information. Together, we can ensure that we’re safeguarding our national security.
###