John Reed Stark

Lost amidst all of the turmoil surrounding the dramatic swings in the value of digital currencies is that the original idea for these digital assets is that  they might actually be used as exchange media, in place of traditional currencies. Whether or not someone might use cryptocurrency to, say, buy a cup of coffee at Starbuck’s, Ohio residents, at least, may now use bitcoin to pay their state taxes. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at Ohio’s recent bitcoin move and reviews what it might mean – for Ohio, and in general. A version of this article previously was published on CybersecurityDocket.com. I would like to thank John for allowing me to publish his guest article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.

***************************************

In the celebrated John Wick thriller films, John Wick, played by Keanu Reeves, is an international assassin who frequents the Continental, a hotel that functions as neutral territory for hired cutthroats and murderers.

To serve its criminal clientele, the Continental Hotel uses its own uniquely branded gold coins as currency.  All services in the Continental are paid by the coins including weapons and munitions supply (from the Continental’s Sommelier) or body armor (from the Continental’s seamstress).  All the criminals Wick encounters seem to accept the coins – which can pay off expenses ranging from a bar tab to an invoice from the contractor Wick hires to dispose of the typically 20-30 bodies he leaves behind after a particularly deadly negotiation or dispute.

Only a few years ago, the Continental’s coin-based barter exchange may have seemed limited to the imaginary universe of Hollywood blockbusters — but the Continental’s in-house currency system and the John Wick economy are no longer fiction — and are now happening right in our midst.  But instead of the Continental’s exclusively minted gold coinages, there has emerged a broad range of so-called cryptocurrencies, mined on virtual servers, rather than forged in iron and fire.  And the biggest virtual currency of them all is bitcoin, which has become a household name despite its having been around for barely a decade.

Last week, bitcoin hit yet another milestone when Ohio began accepting bitcoin payments for taxes, the brainchild of its visionary State Treasurer, Josh Mandel, who apparently has ambitions to transform Ohio into a real-life version of John Wick’s Hotel Continental.

Ohio’s accepting of bitcoin is a first for any U.S. government agency, and while perhaps a boon for the John Wicks of the world, the rest of us, not so much. This article discusses why Ohio’s treasury, or any other state or federal government entity, should be the very last institutions to even consider accepting this dubious form of payment. But first, a little background.

The Birth of Bitcoin

Ten years ago, on October 31, 2008, bitcoin was born — and in the past 10 years bitcoin has evolved from an anti-establishment hobby among coders to a common discussion topic on Wall Street.

Supposedly invented by an anonymous cryptographer going by the pseudonym Satoshi Nakamoto, bitcoin’s founding white paper, issued on Halloween, kicked off the phenomenon.  Bitcoin’s original goal, according to its white paper, was straightforward: A “purely peer-to-peer version of electronic cash which would allow online payments to be sent directly from one party to another without going through a financial institution.”

Bitcoin is a virtual or digital currency that uses encryption techniques for governance and security and operates independent of any central bank. A token is a digital asset that can be used in many ways — for example, as a unit of value or as means of providing access to and transactional value inside a particular blockchain system (e.g., Siacoin allows access to electronic data storage space in Sia’s blockchain ecosystem). Tokens are built on top of blockchain technology, a form of distributive ledger technology, which is a digital database that is consensually shared and synchronized across networks spread across multiple sites, institutions or geographies.

Like the world of John Wick, bitcoin also traces its origins as the currency of choice for criminals within the dark web marketplace. In fact, four primary areas of criminal activity lend themselves nicely to cryptocurrency: tax evasion, money laundering, contraband transactions, and extortion – not to mention the theft of cryptocurrency itself, which is all too easy with bitcoin.

Indeed, cryptocurrency and criminal activity have remained inexorably linked ever since the 2011 launching of The Silk Road, who began using bitcoin as its main currency in their virtual marketplace for buying and selling drugs, weapons, and all things illicit on the dark web.  Until shut down by law enforcement in 2013 and then again in 2014 and finally going offline in 2017 due to loss of funding.

Silk Road served as a glaring example of the crimes so easily facilitated by cryptocurrency (in 2015 Silk Road’s creator, Ross Ulbricht, was sentenced to life in prison).  After Silk Road was shut down, bitcoin’s price plummeted, and many crypto-pundits expected demand to dry up. But in the following years, the opposite seemed to happen.

Tyler Winklevoss and Cameron Winklevoss, the twins who famously battled Mark Zuckerberg over the origins of Facebook, notably opted to invest in bitcoin in 2013 – and bitcoin’s value shot up to almost $1,000 that year.  Around that same time, cryptocurrency trading platform Coinbase, recently valued at $8 billion, was founded and several years later, bitcoin gained status as a retail investor darling during its 1,300 percent price rise and march to nearly $20,000 in 2017. Here is the gist of what the Winklevoss brothers had to say about bitcoin back in 2013.

Though bitcoin traversed from the digital to physical world with the first-ever bitcoin ATM at a Vancouver coffee shop in 2013, bitcoin’s use as a real currency has not truly caught on.  The U.S. government has never recognized bitcoin as a currency – rather, bitcoin and all other cryptocurrencies are simply property or, as lawyers would say, chattel.

Meanwhile, bitcoin and other cryptocurrencies have continued to serve as the payment mechanism of choice for unlawful transactions – from buying a fake I.D. or a bottle of opiates, to receiving a cache of credit card numbers or stolen identities, to collecting a ransomware payment demand or even for funding terrorist-related activities.

In its October/November 2017 issue, AARP’s magazine warned its senior citizen readers about bitcoin, in plain English, perhaps sarcastically (?) capturing the nuances of bitcoin quite well:

“A bunch of computer code that a bunch of criminals, idealists and speculators agree is worth “real” money. Sadly, its real-money value swings widely, making it impractical except for criminals, idealists and speculators.” 

Nonetheless, Overstock.com, Newegg, Expedia, Microsoft, Dish Network, OKCupid, CheapAir and Etsy are among the companies that have reportedly accepted bitcoin for certain kinds of transactions.

Ohio and Bitcoin

In late November, 2018, Ohio became the first U.S. state and one of the first governments in the world to allow businesses to pay taxes, including sales and public utility taxes, with bitcoin. Businesses that operate in Ohio can now use bitcoin to pay for 23 different types of taxes, with  a one percent fee will be levied on each transaction.

Companies can now go to OhioCrypto.com, enter their tax information, then third-party payment processor Bitpay verifies the transaction on blockchain. Bitpay then converts the cryptocurrency into U.S. dollars and transfers those dollars to the state of Ohio.  For now, taxpayers will be able to use only bitcoin, but the Ohio Treasurer’s office said it might allow other cryptocurrencies in the future.

The idea to accept bitcoin for taxes was the brainchild of state Treasurer Mandel, who has held the office since 2011 and started taking an interest in bitcoin several years ago. Mr. Mandel, 41 years old, views the new program both as a convenience for filers and an opportunity for “planting a flag” for Ohio in the currency’s adoption.

“I do see bitcoin as a legitimate form of currency,” Mr. Mandel told the Wall Street Journal, adding that he hopes other states will follow Ohio’s example.  Mr. Mandel, who is an elected official, also told the Wall Street Journal he can direct his office to accept bitcoin without approval from the legislature or governor. That seems like a lot of power for one person.

Ohio’s Crypto-Friendly Posture: Seems Like a Good Idea, Right?

What better way to attract the business of fintech than to create a financially friendly environment where a company’s cryptocurrency fanaticism is not only inventively crafted and philosophically championed — but also enthusiastically embraced as consideration for tax liabilities. You can watch a news interview with Ohio Treasurer Josh Mandel, touting his bitcoin foray here.  Per the Ohio Department of Treasury’s website, paying taxes in bitcoin enjoys a vast array of benefits:

 

 

In fact, crafting cryptocurrency fee arrangements for taxes might seem like a no-brainer, in line with the lessons of Basic Marketing 101, including:

  • The Medium Can Become the Message. By accepting cryptocurrency as payment, Ohio  is demonstrating its commitment to creativity, modernization and originality – traits that companies might appreciate and find compelling. States tend to compete for software engineers and new businesses, and by being open to bitcoin, the idea is that blockchain companies may follow and set up their headquarters in Ohio;
  • Cheaper Payment Solution.  While there is no fee to pay taxes with a check, or ACH deposit, paying by credit card incurs a 2.5 percent fee. Paying in bitcoin is a 1 percent fee, collected by Bitpay;
  • Payment Flexibility.  Payment flexibility can attract business in and of itself. Given that accepting debit and credit cards online can make a state more appealing to current and potential businesses, so too can accepting other forms of payment, including cryptocurrencies; and
  • Winning the Blockchain Arms Race. With an “arms race” of sorts occurring among states angling to be the center of blockchain and fintech, there will undoubtedly sprout more state laws in the future encouraging development of such technologies, and Ohio wants to be out in front.  By allowing bitcoin tax payment collections, Ohio can demonstrate tangible support for the technological enterprise of its citizenry and the future of digital currency.  Moreover, Ohio can set themselves apart from other states who remain content to observe the crypto-revolution from the safety and shelter of the sidelines.

Unfortunately, while the above marketing claims might have some populist appeal, they are not at all compelling.  Simply stated, accepting bitcoin or any other cryptocurrency runs a perilous gamut of legal, regulatory, financial, ethical and reputational dangers. And Ohio’s accepting of cryptocurrency as a tax payment in today’s crypto-manic environment is, despite all of the bus dev allure, just not worth it.

Ohio’s Crypto-Gamble

By accepting cryptocurrency payments for taxes, beginning with bitcoin, Ohio is taking a serious risk not just for its reputation but the safety and security of the financial future of its citizens.

For starters, taking on all of the associated risk with cryptocurrency payment arrangements is not for the faint of heart. Federal and state law enforcement and regulatory efforts pertaining to all things crypto have increased dramatically in the past year, and some cryptocurrency institutions that seem to be thriving at the moment, might not even be doing business in the future. The risks are broad and myriad.

Liquidity, Fraud and Manipulation Risks

The logistics of accepting cryptocurrency are unique, complicated and problematic. It is not as if Ohio’s state controller can stroll across the street and convert cryptocurrency to U.S. dollars, record the data in Ohio’s accounting software, and be back in time for lunch.  First, Ohio must identify a reliable and trustworthy financial institution to safeguard the cryptocurrency and to convert the cryptocurrency upon demand.

Where can Ohio find this kind of honorable, respected and U.S. registered financial institution? Not among Wall Street’s traditional ranks for sure. The institutions servicing cryptocurrency clients are barely in their infancy. There is no central regulatory authority; no state or federal team of bank auditors, insurance examiners and compliance experts monitoring transactions and policing for manipulation; no existing federal licensure for any of the participants at the cryptocurrency institutions – it’s not just the Wild West, it’s global anarchy.

Ohio selected Bitpay for the job, a company founded in 2011, which will convert taxpayer bitcoin into dollars for the state of Ohio and, after taking a one percent fee, pay those dollars directly to the Ohio State Treasury. The only problem?  Bitpay is not registered to provide money-related services in in Ohio.

Bitpay Has Not Registered as an Ohio Money Transmitter 

Under Ohio statute, regardless of the location of a person, its facilities, or its agent, if a person receives, directly or indirectly and by any means, money or its equivalent for transmission from a person located in Ohio, a money transmitter license is required.  Ironically, Ohio is notorious amongst AML practitioners as having one of the most onerous money transmitter regulatory regimes in the U.S., with a vast and unforgiving jurisdictional reach.

Moreover, registration means that an Ohio money transmitter will be subject to significant state scrutiny of its operations, and a lengthy laundry list of very rigorous regulatory requirements enforced by FinCEN, including:

  • Providing CPA audited financial statements for the most recent fiscal year;
  • Maintaining robust Bank Secrecy Act, OFAC (see below) and Patriot Act compliance programs;
  • Hiring an independent compliance officer;
  • Having an independent AML audit; and
  • Posting a bond of as much as $2,000,000.

But Bitpay is not registered as an Ohio money transmitter, in possible violation of one of Ohio’s more exacting and cumbersome financial regulations. Bitpay told me in an email that while Bitpay has “numerous money transmitter licenses,” Bitpay’s money transmitter registration application with Ohio is “pending.”  Neither Ohio nor Bitpay could state for certain when, or if, the Bitpay money transmitter application would receive approval.

This means that the money transmitter hired by the State of Ohio to process tax payments is not licensed to conduct money transmitter business in Ohio. This is a bit like the Cleveland Clinic offering health insurance to its employees where the only preferred provider is an unlicensed hospital in the Caribbean.  The choice is unsettling and makes little sense.

Failure to register as a money transmitter in a state can, under certain conditions, even generate criminal prosecutorial interest. Pursuant to 18 US Code §1960, captioned Prohibition of Unlicensed Money Transmitting Businesses:

“Whoever knowingly conducts, controls, manages, supervises, directs, or owns all or part of an unlicensed money transmitting business, shall be fined in accordance with this title or imprisoned not more than 5 years, or both.” 

Section 1960 then goes on to list three categories of unlicensed money transmitting businesses, which are, in a summarized fashion:

  1. Those operating in a state that requires that business to be licensed and makes it a misdemeanor or felony not to do so;
  2. Those that fail to comply with Treasury Department regulations covering such a business (e.g., registering with FinCEN); and
  3. Those that transmit money known to the transmitter to come from or intended to finance criminal activity.

It is also critical to note that, in most cases, Section 1960 is not a specific intent statute. As part of the USA Patriot Act, Congress amended Section 1960(b)(1)(A) to provide that a defendant can be convicted of operating an unlicensed money transmitting business “whether or not the defendant knew that the operation was required to be licensed or that the operation was so punishable.” This is a useful and potentially devastating federal “hook” for DOJ prosecutors seeking a slam dunk trial victory.

Price Volatility Risks  

Because the cryptocurrency’s value can vary drastically in a single day, its unprecedented volatility creates serious challenges to using bitcoin as a method of payment.

Bitcoin’s volatility has even entered the realm of pop culture. Season five of HBO’s Silicon Valley, started its cryptocurrency saga with a creepy alert set up for the price of bitcoin — whenever the volatile virtual currency’s price fluctuated, a network engineer’s computer would blast out Napalm Death’s two-second long song, You Suffer.

Bitcoin’s volatility is remarkably extreme, since January, bitcoin has fallen roughly 70 percent and recently fell below $3,500 for the first time in 14 months, losing 30 percent in over seven days. Bitcoin recovered slightly afterwards but continues to experience dramatic, unpredictable and startling price swings.

To combat price volatility challenges, Bitpay asserts that it will assume all  of the risks – but the volatility is so extreme — Ohio’s website explains:

“Bitpay sets the exchange rate for a 15 minute allotted time window for each transaction once a business taxpayer begins to make their payment at  OhioCrypto.com . . . Bitpay assumes the risk of any market fluctuations during the allotted time window.”   

However, what about the Ohio taxpayer’s risk?  By rolling out the red carpet for bitcoin, Ohio has proclaimed a not-so-subtle endorsement of investing in bitcoin – which is replete with too many risks to mention.  This seems irresponsible and reckless — and also dangerous.

Bitpay and the NYDFS

To its credit, in July of 2018, Bitpay became only the eighth company to receive a BitLicense from the New York State Department of Financial Services (NYDFS).

New York’s Bitlicense application, which is thirty pages long and includes a five-thousand-dollar application fee, asks numerous questions about the history of the business, as well as information about its owners and operators, financials, and the company’s anti-money laundering and compliance procedures.  Compliance with the BitLicense also requires the appointment of a dedicated compliance officer, written compliance and anti-fraud procedures, and the maintenance of minimum capital reserves. Additionally, any company which plans to introduce a “material change” to their business model, such as a new product or service, must notify and obtain consent from the superintendent of the NYSDFS.

Permission from the NY Superintendent is also required for any merger or acquisition of any company holding a BitLicense.  The BitLicense requires that records be kept for up to seven years of every cryptocurrency transaction carried out by a company.  Sensitive information, such as the physical addresses, bank statements, and names of customers who are parties to that transaction, must also be recorded and be made available to the NYSDFS upon request.

Bitpay may well be an honest and trustworthy institution – but who can say that for sure?  A large part of the ethos surrounding cryptocurrencies is a desire for privacy and freedom from intrusive government regulation, and bitcoin devotees loathe subjecting themselves to any sort of regulations.  Compliance systems, reporting mechanisms and the like represent a betrayal of the fundamental values of cryptocurrency enthusiasts – and has actually led to a cryptocurrency exodus from the State of New York.

It is not surprising that the image on the front side of the gold coins in the John Wick films has the phrase Ens Causa Sui, or “Something Generated Within Itself and on the reverse side is the phrase Ex Unitae Vires, or “Out of Unity Comes Strength.” These notions represent some of the sentiments behind bitcoin fanaticism.

Overall, despite Bitpay’s NY Bitlicense (which is to be commended but only applies to activities in NY), the list of federal and global regulatory safeguards concerning Bitpay remains physically and virtually vacant:

  • Unlike banks, financial firms, insurance companies and the like, Bitpay has no federal liquidity, net capital or other depository or financial requirements of any kind;
  • Bitpay is not examined or audited by any federal agency such as the Federal Reserve or the U.S. Securities and Exchange Commission (SEC);
  • Bitpay’s operations and employees are not registered and licensed with any federal government agency or quasi-government agency such as the Financial Industry Regulatory Authority (FINRA).
  • Bitpay’s property such as bitcoin (bitcoin is not recognized as an official currency) is not insured by any federal agency, such as the Federal Deposit Insurance Corporation;
  • Bitpay does not have any federal accounting requirements with respect to its assets;
  • Unlike banks, brokerages and other financial firms, Bitpay does not report its financial condition to the federal government in any form of official government filing, such as an annual report or SEC Form 10-K;
  • Bitpay does not have any SEC record-keeping requirements with respect to its operations, communications or any other aspect of its business;
  • Bitpay has no federal requirements regarding the pricing of any cryptocurrency trading transaction, the use of employees of its payment systems or any federal anti-manipulation requirements (though Bitpay could be sued for fraud and other crimes by any federal agency with appropriate jurisdiction); and
  • Bitpay does not have any sort of SEC compliance requirements or other code of conduct requirements like investment companies, brokerages and other financial firms, most of whom spend millions (or tens of millions) of dollars every year on compliance and customer-protection-related infrastructure.

This lack of a formal bank, insurance or securities firm structure creates enormous challenges for law enforcement to monitor and apprehend any individuals who use cryptocurrencies for illegal activities. Indeed, the range of safeguards relating to U.S. financial institutions have taken shape after decades of scrutiny, analysis and testing and are historically rooted in the U.S. marketplace, the safest and most admired in the world.

But all is not as free-reigning as many crypto promoters believe. Despite the lack of a formal federal regulatory scheme for all things crypto, there remain several critical federal financial rules and regulations that likely apply to crypto-related activities, beginning with anti-money laundering responsibilities.

Money Laundering Risks

FinCEN’s anti-money laundering (AML) requirements combined with state law money services business (MSB) licensing and bonding requirements (such as Ohio’s money transmitter licensure requirement) not only create a hefty, burdensome and onerous federal and state regulatory burden and concern – they also enhance the risk significantly for the state of Ohio and for crypto-intermediaries like Bitpay

Theoretically, anyone with an Internet connection and a digital wallet can own bitcoin – which, of course, opens the door for those with criminal motives. Given that cryptocurrency transactions are pseudonymous, encrypted and decentralized by nature, virtual currencies offer a convenient method of transferring funds obtained from illegal activities without an audit trail, thereby making it harder for any central authority or law enforcement agency to track each of the transactions made, and to identify the individuals behind any of them.

On the other hand, transactions involving traditional financial firms, such as banks, brokers and dealers, and money service businesses, are subject to strict U.S. anti-money laundering laws and regulations aimed at detecting and reporting suspicious activity, including money laundering and terrorist financing, as well as securities fraud and market manipulation.

Along these lines, the New York State Attorney General’s office (NYAG) asked 14 popular crypto trading platforms to respond to answer a detailed questionnaire covering a wide range of topics, from trading fees to anti-money-laundering policies to methods for keeping customer assets secure.

Ten chose to comply, and the September, 2018 report of their responses illuminates the shadowy inner workings of cryptocurrency trading platforms, raising serious questions regarding the growing connection between cryptocurrency and money laundering — as well as a range of market manipulation concerns.

Not surprisingly, the notion of terrorists and criminals being able to launder money anonymously has not escaped the attention of U.S. law enforcement agencies, who have vowed to crack down on the cryptocurrency warehousing and conversion firms who serve criminals, even those operating outside the United States. DOJ, acting in cooperation with the Financial Crimes Enforcement Network (FinCEN), has become increasingly active in policing criminals exploiting cryptocurrencies, leveraging AML statutes and regulations as the preferred statutory prosecutorial weapon.

For instance, as far back as 2015, in addition to being charged for conspiracy to commit bank fraud and conspiracy to obstruct an examination of a financial institution, Anthony Murgio, the son of a Palm Beach County School Board member, Bitcoin exchange operator, also pled guilty to operating as a money transmitter without a license, and was sentenced to 5 ½ years in prison. Federal prosecutors alleged Murgio and his co-conspirators benefitted from transactions providing victims with Bitcoin to pay off ransomware demands. The indictment states:

“As part of the unlawful Coin.mx scheme, Anthony P. Murgio, the defendant, and his co-conspirators knowingly processed and profited from numerous Bitcoin transactions conducted on behalf of victims of ransomware schemes . . . By knowingly permitting ransomware victims to exchange currency for Bitcoins through Coin.mx, Murgio and his co-conspirators facilitated the transfer of ransom proceeds to the malware operators while generating revenue for Coin.mx.”   

Not just a part of the ransomware payment process, Murgio allegedly facilitated the ransomware transactions with unclean hands – possessing the kind of nefarious intent required for money laundering criminal liability, which is probably why the Murgio prosecution also addresses AML liability. Specifically, the issues relate to the failure of Murgio and his cohorts to:

  • Register with the Financial Crimes Enforcement Network (FinCEN);
  • Maintain an effective AML program;
  • Comply with AML record-keeping requirements; and
  • File with FinCEN Suspicious Activity Reports(SARs) regarding customers who use cryptocurrencies for nefarious purposes.

The Murgio indictment also alleges that Murgio and another defendant had undue influence on a federally insured credit union that handled the trading platform’s banking operations for a period of time, and that they tried to “trick” major financial institutions about the nature of their business. The Murgio defendants allegedly exchanged at least $1.8 million bitcoins for cash for certain customers who claimed they were ransomware attack victims needing bitcoins to “pay off” ransomware attackers.

FinCEN, MSBs and Cryptocurrency

MSBs have been required to register with FinCEN since 1999, when the MSB regulations first went into effect. An entity acting as an MSB that fails to register (by filing a Registration of Money Services Business (“RMSB”), and renewing the registration every two years per 31 U.S.C. § 5330 and 31 C.F.R. § 1022.380), is subject to civil money penalties and possible criminal prosecution.

MSBs have historically been recognized by FinCEN to include: (1) currency dealers or exchangers; (2) check cashers; (3) issuers of traveler’s checks, money orders, or stored value; (4) sellers or redeemers of traveler’s checks, money orders, or stored value; and (5) money transmitters.

There is no cost for FinCEN registration, which is a simple procedure explained in detail on FinCEN’s website – and Bitpay has filed this simple form.  However, acceptance of a FinCEN MSB filing is not a recommendation, certification of legitimacy or endorsement of the MSB registrant by FinCEN or any other government agency.  The registration of the MSB merely serves as a first step in establishing the compliance framework for applicable FinCEN regulations designed to help mitigate the risks of criminal abuse of MSBs for money laundering and terrorist financing as the MSB seeks to provide financial services to customers for legitimate purposes.

The Bank Secrecy Act (BSA) and its implementing regulations require an MSB to develop, implement and maintain an effective written AML program that is reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities. For entities like Bitpay, this would require, among other things, meticulously recording transactions; definitively knowing who customers are; and reporting suspicious activity to law enforcement. Is Bitpay conforming to these requirements – tough to tell because MSB regulation is state-based — with each state promulgating its own priorities and requirements ranging from record-keeping and bonding to audits and reporting.

For instance, a cryptocurrency firm could be subject to on-site audit and scrutiny of individual transaction activity for AML compliance, which in turn could lead to institutional and management civil liability, penalties, fines, license revocation — even potential criminal exposure for individuals caught intentionally circumventing AML obligations.

Indeed, in January, 2018, New York State Financial Services (DFS) Superintendent Maria T. Vullo announced that Western Union agreed to pay a $60 million fine as part of a consent order with the DFS for violations of New York Bank Secrecy Act (BSA) and AML regulations. An investigation by DFS found that Western Union failed to implement and maintain an anti-money laundering compliance program to deter, detect and report on criminals’ use of its electronic network to facilitate fraud, money laundering and the illegal structuring of transactions below amounts that would trigger regulatory reporting requirements.

Superintendent Vullo stated at the time:

“Western Union executives put profits ahead of the company’s responsibilities to detect and prevent money laundering and fraud, by choosing to maintain relationships with and failing to discipline obviously suspect, but highly profitable, agents. DFS will not tolerate unlawful activity that undermines anti-money laundering laws and endangers the integrity of our financial system.”  

Watch this video to hear Vullo’s take on bitcoin, it becomes clear that New York State, by taking on the mammoth regulatory responsibility of overseeing all things crypto in its territory, may have bitten off way more than it can chew.

FinCEN’s MSB Expansion

Recently, FinCEN has begun to expand its definition of an MSB even further, to include not only virtual currency trading platforms but also cryptocurrency platforms which act as enablers or financial intermediaries for criminal schemes.

For instance, in a July 2017 AML enforcement action, FinCEN, in a joint prosecution by the U.S. Attorney’s Office for the Northern District of California, assessed a $110 million civil money penalty against BTC-e a/k/a Canton Business Corporation (BTC-e) for willfully violating U.S. AML laws. Russian national Alexander Vinnik, one of the operators of BTC-e, was also arrested in Greece, and FinCEN assessed a $12 million penalty against him for his role in the violations.

BTC-e is an Internet-based, foreign-located money transmitter that exchanges fiat currency as well as the convertible virtual currencies bitcoin, Litecoin, Namecoin, Novacoin, Peercoin, Ethereum, and Dash. By volume, BTC-e is one of the largest virtual currency trading platforms in the world. In so doing, the trading platform facilitated numerous transactions connected to a variety of criminal activities ranging from illegal drug sales on dark web markets like Alpha Bay to public corruption.

FinCEN asserted jurisdiction because BTC-e conducts business as an MSB in substantial part within the United States (including $296 million of U.S. customer transactions through U.S servers.) The BTC-e FinCEN action marks just the second case by FinCEN involving a cryptocurrency trading platform and the first FinCEN action against a foreign-based trading platform that did substantial business in the United States.

In announcing the AML fines and prosecutions, Jamal El-Hindi, then Acting Director for FinCEN, stated:

“We will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. anti-money laundering law. This action should be a strong deterrent to anyone who thinks that they can facilitate ransomware, dark net drug sales, or conduct other illicit activity using encrypted virtual currency. Treasury’s FinCEN team and our law enforcement partners will work with foreign counterparts across the globe to appropriately oversee virtual currency exchangers and administrators who attempt to subvert U.S. law and avoid complying with U.S. AML safeguards.”  

Ohio officials should carefully review FinCEN’s guidance on the Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies and obtain compliance advice and counsel when necessary. If Bitpay conducts business with shady characters, their actions could nonetheless raise AML red flags by facilitating such transactions.

Clearly, the noxious mix of AML and MSB federal and state regulatory requirements not only creates a foggy, deadly compliance labyrinth for any cryptocurrency firm – but is also replete with risk for anyone (or any U.S. state) doing business with them.

Cryptocurrency OFAC Concerns: A Matter of Life and Death

Aside from a deep due diligence process of a crypto-paying taxpayer, Ohio and Bitpay might also have to conduct other verification processes for offshore taxpayers such as those required by the U.S. Treasury’s Office of Foreign Assets Control (OFAC).  Ohio published a list of the 23 types of taxes for which Ohio will accept bitcoin, ranging from petroleum activity taxes to international fuel agreement taxes – surely some offshore entity will fall into one or more of these categories.

Every U.S. person and business is required to avoid engaging in financial transactions with certain individuals, entities and countries that are subject to U.S. economic sanctions. Accordingly, if Ohio’s collection of bitcoin triggers OFAC compliance, it is Ohio and Bitpay’s obligation to ensure that none of its business taxpayers are on the list of prohibited individuals or entities maintained by OFAC. Ohio and Bitpay might also need to be sure that Ohio taxpayers are not based in countries subject to broader economic sanctions.

For its part, OFAC recently released guidance, issued in the form of Frequently Asked Questions (FAQs).  The FAQs explain that transactions involving cryptocurrencies will be treated the same as other transactions—a position that multiple Treasury Department officials have signaled for several months.

In addition, in late November, OFAC took the significant step of adding digital currency addresses to its list of identifiers for certain designated individuals, stating that similar to traditional identifiers, “these digital currency addresses should assist those in the compliance and digital currency communities in identifying transactions and funds that must be blocked and investigating any connections to these addresses.”  Over 7,000 transactions in bitcoin, worth millions of U.S. dollars, have processed through these two addresses – some of which involved SamSam ransomware derived bitcoin.

Announced as part of the Treasury Department’s joint action with DOJ, in which charges were filed against an alleged Iranian hacking enterprise involved in a ransomware scheme, where two Iran-based individuals “helped exchange digital currency (bitcoin) ransom payments into Iranian rial on behalf of Iranian malicious cyber actors involved with the SamSam ransomware scheme that targeted over 200 known victims.

The Treasury Department identified the two alphanumerical wallet addresses utilized by the defendants and included them on the list of identifiers for designated individuals. By listing them, any person or business that engages in transactions with these two addresses “could be subject to secondary sanctions.”  The decision to include digital currency wallet addresses on the OFAC’s Specially Designated Nationals And Blocked Persons List (SDN) not only alerts those entities that transact in digital assets and incentivize them to take appropriate action but also sounds the alarm about the dangers of these kinds of transactions.

Compliance with the economic sanctions programs administered by OFAC and compliance with the AML laws established under the BSA are often considered in the same breath. However, while effective OFAC screening and AML programs will certainly have areas of overlap, namely a robust customer identification procedure, they are two separate and distinct programs and responsibilities, requiring separate and distinct procedures for each.

With respect to OFAC and AML considerations, it is also important to recognize and appreciate that cryptocurrency is a global phenomenon. This makes identifying the source of cryptocurrency, or in the least, confirming that the cryptocurrency is not somehow tainted by unlawful conduct, especially challenging if not impossible.

Like accepting a $50,000 roll of $100 bills – the cash’s very existence raises questions pertaining to its purity.  Moreover, merely because a $50,000 roll of $100 bills does not have blood stains on it, does not alleviate the obvious suspicion about its origin.

Tax Liability Implications

Ironically, Ohio’s tax payment plans could also trigger additional tax liability aggravation for its participants. Payment of taxes in cryptocurrency creates an interesting problem: If a taxpayer has purchased bitcoin some time ago and has an unrealized gain, discharging a liability such as an Ohio tax obligation, with such an appreciated asset will lead to a taxation of the gain. In other words, payment of taxes in bitcoin may trigger more taxes – or perhaps even an IRS inquiry into the origin of that bitcoin payment.

An Ohio tax payment in bitcoin could also provide a useful roadmap for the U.S. Internal Revenue Service, who could investigate the bitcoin payment and audit the taxpayer on the tax liability. The IRS engaged in a similar investigation in late 2017 involving Coinbase about the transactions of over 14,000 users.  Coinbase was America’s largest platform exchanging bitcoin into U.S. dollars by the end of 2015, claiming to have served 5.9 million customers and exchanged $6 billion in bitcoin through its buy/sell trading functionality. The IRS served a “John Doe” summons on Coinbase seeking information from a wide range of records and documents regarding U.S. persons conducting convertible virtual currency transactions at any time from 2013 through 2015.

Coinbase refused to comply, resulting in an IRS enforcement action, and a U.S. federal magistrate judge ordered Coinbase to turn over the relevant records, ruling that virtual currency holders were clearly not outside the IRS’s reach. To read the judge’s order, click here.

Ohio’s taxpayers will need to insure proper accounting for any bitcoin capital gains while the State of Ohio should warn its taxpayers that they cannot avoid any state or federal taxation of any bitcoin gain merely because the taxpayer made the bitcoin payment to satisfy a tax bill.

Cybersecurity Risks

By registering and interacting with any cryptocurrency institution, Ohio is inviting not just possible identity theft but also exposing its operations to a potential cyber-attack. Unlike Fed-insured banks and SEC registered broker-dealers and investment advisors, cryptocurrency platforms and operators like Bitpay might not abide by a rigorous regime of cybersecurity rules and requirements, and may lack not only appropriate cybersecurity practices, policies and procedures, but also skilled data security personnel and hardened cyber-infrastructure. This creates vulnerabilities not just to external threats but threats from their own internal employees, customers, contractors and operators.

Looking Ahead

The odd popularity of bitcoin, with its anti-establishment and libertarian appeal, has grown almost exponentially over the past few years, achieving cultural icon status, even appearing within the plots of a range of popular television shows.

For instance, Showtime’s Billions explored virtual currencies in their most recent season, with its central character using an unnamed cryptocurrency to hide his ill-gotten trading profits, bribes and other criminal payoffs. The show featured a hardware wallet Ledger Nano S, which is used to physically store virtual currencies, and Nano S remains thrilled about the “endorsement.”

Bitcoin has also enjoyed references in The Big Bang TheoryThe Good Wife, and honorary mentions on The Simpsons, Jeopardy, Silicon Valley, House of Cards, Supernatural, Family Guy – and the list goes on.

But cryptocurrency visionaries and financiers leaping aboard the cryptocurrency bandwagon are in trouble. A recent bulletin from the eminent law firm Arnold & Porter sums this notion up perfectly:

“If there was ever a regulatory grace period for virtual currencies and blockchain technology, it is officially over. Five federal regulators—The Financial Crimes Enforcement Network of the US Treasury Department (FinCEN), the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Internal Revenue Service (IRS) and the Office of Foreign Assets Control (OFAC)—all recently issued statements or took actions in which they clarified their positions on the scope of their jurisdiction over multiple aspects of virtual currency and certain types of blockchain enterprises. State, foreign and multilateral regulators have also taken actions to reign in virtual currencies. Companies and investors that are now working with these technologies, or that are exploring how they might fit into their existing business strategies, must be ready to justify their activities on a comprehensive basis from regulatory, compliance, tax and business perspectives.” 

Not to mention that for the most part, the entire cryptocurrency system resides amid an unregulated, mysterious and arguably sinister environment — certainly unnecessary risks for a State like Ohio, whose investment strategy should be reliable, conservative and stable.

This is probably why the club of commercial enterprises most interested in accepting cryptocurrency is of an ilk not typically including state governments. For instance, at present, there is a notable (or perhaps better described as “notorious”) group of merchants and customers, who are willing to put up with cryptocurrency’s many logistical and regulatory inconveniences, including:

What also bothers me about Ohio’s entrance into the seedy and unregulated world of bitcoin is that it seems more of a political ploy and publicity grab, rather than an earnest attempt at benefiting Ohio taxpayers and businesses.

Ohio State Treasurer Josh Mandel is a decorated Iraqi war veteran who  served two tours, and based on public reports seems to be doing a terrific job in Ohio, ushering in an era of transparency and accountability that has garnered tangible results.  However, Mandel has also unfortunately made the Ohio bitcoin effort more about himself than about Ohio.  He seems to have acted almost unilaterally (!) and his name appears everywhere throughout the crypto-process – even in the self-serving Ohiocrypto.com FAQs which reads more like a campaign stump speech than objective taxpayer guidance:

“Why did the Treasurer’s office create OhioCrypto.com?

Treasurer Mandel believes in leveraging cutting-edge technology to provide Ohioans more options and ease while interfacing with state government. The Treasurer’s office is also working to help make Ohio a national leader in blockchain technology. 

Treasurer Mandel has a proven record of leveraging technology to change how citizens interact with government. In 2014, Treasurer Mandel launched OhioCheckbook.com which set a new national standard for government transparency and, for the first time in Ohio history, put all state spending information on the internet. OhioCheckbook.com has earned Ohio the #1 ranking in the country for government transparency as evaluated by the U.S. Public Interest Research Group.” 

Being the first U.S. state to accept bitcoin for tax payments may have gotten Mandel the national headlines every politician craves, but at what cost for the safety and security of the finances of Ohio?

Ohio Treasurer Josh Mandel seems like an earnest public servant who served his country bravely and honorably. But my take is that Mandel is not a pioneer or some kind of crypto-superhero. Instead, Mandel will at best go down in history as a good-hearted hypebeast who let down his guard and allowed the allure of Blockchain to cloud his better judgment. In the end, only time will tell.

For now, before betting the farm on crypto-digital fiscal and financial scatterings like bitcoin (yes, scatterlings), Ohio’s governor, state legislature or even federal authorities need to find a way to push back on their crypto-loving state treasurer. It’s the right thing to do — before it’s too late.

______________________________

John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He has taught most recently as Senior Lecturing Fellow at Duke University Law School Winter Sessions and will be teaching a cyber-law course at Duke Law in the Spring of 2019. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook.”