Security Implications of Extraterritorial Application of U.S. Law on Cryptocurrency Markets

Privacy and Data Security

Recent action by the U.S. government reminds us that engaging in the cryptocurrency markets continues to present counterparty risk: it matters with whom you are doing business. Whether a company is buying cryptocurrency to respond to ransomware demands, to hedge markets or chase yield, to convert legitimate payments it received in cryptocurrency (for an online product it offers) into a hard currency, or for any other legitimate reason, the company needs to be mindful of the counterparties through which it enters the crypto markets. Recent action from the U.S. Department of Justice and the Commodity Futures Trading Commission (CFTC) serves as a reminder that the U.S. government expects cryptocurrency wallets (and others involved in cryptocurrencies who meet FinCEN’s definition of a money services business) to comply with the Bank Secrecy Act and to conduct anti-money laundering/know-your-customer (AML/KYC) procedures on their customers.

For many individuals, a primary appeal of cryptocurrencies is that they could be fully anonymous, self-regulated and decentralized: Because of the nature of the underlying blockchain, the promise goes, no one controls the ledgers that prove ownership, and the currency itself is limited to a finite supply (thus, in their estimation, carrying the intrinsic value of gold). And because of this, these currencies are often the choice of criminal and threat actors pursuing ransom payments—a currency that functions like fiat money, in other words, except that its supply is fixed.

Even so, cryptocurrencies are connected to the financial system. Like other entry points or intermediaries in the financial system, the exchanges that handle cryptocurrency transactions are required to comply with the AML/KYC laws in the Bank Secrecy Act or a local equivalent in other countries. That makes sense. If the participants are not known, the relative anonymity of a cryptocurrency wallet and the purely digital nature of the underlying blockchain ledger make it appealing for money laundering and other transactions involving illicit or criminal activities.

Earlier this month, founders and executives of an offshore cryptocurrency derivative exchange, BitMEX, were indicted on federal charges for allegedly violating AML laws, and the platform itself was sued by the CFTC on similar grounds. Briefly stated, the allegations are that, even though the exchange knowingly served U.S. customers, the exchange was set up in a jurisdiction thought to impose lower AML and KYC requirements, without appropriate registration with the U.S. derivatives regulator, the CFTC. According to the CFTC’s complaint, the exchange had U.S. operations, it had half of its employees in the United States and it solicited a large U.S. customer base—but the exchange also directed customers to connect to the exchange through a virtual private network (VPN) in an attempt to evade BitMEX’s own block of U.S. IP addresses. A company could block U.S. IP addresses for a variety of potential reasons, including so that, the company could argue, it was not purposefully targeting its products to U.S. customers because it had created technical hurdles to prevent U.S. customers from connecting to its systems through U.S. IP addresses—much like some U.S. companies reroute European IP addresses to special websites in order to address GDPR concerns. Using a VPN, however, would typically mask the customer’s true IP address, defeating that block.

The BitMEX charges illuminate several important points about the intersection of cryptocurrencies, cybersecurity and the reach of national laws:

First, if a company is seeking to avoid application of the laws of specific foreign countries for any reason—it could be as simple as avoiding a trademark dispute arising from conflicting trademarks or some other truly legitimate reason—it should consider blocking both IP addresses originating in that country and connections from known VPN endpoints, as some do already. In making that determination, companies have to balance multiple, competing considerations: They should consider the security risk of malicious attackers using VPNs to access their systems and hide their tracks. They should consider, as the cases against BitMEX indicate, the legal risk that VPN access by customers creates a nexus to a country whose laws they wish to avoid being subject to. And they should consider their business model and the inconvenience to customers who may be using VPNs for non-nefarious purposes, such as browsing the Internet without being tracked by their ISP.

Facing that choice, a company could reasonably decide against blocking connections from known VPN endpoints, but the company could still block access for IP addresses located in a specific country. If so, the company should not encourage use of VPNs from individuals in that country, as the CFTC’s complaint alleges BitMEX did. And it will bear residual risks if a government can develop facts (again, as the CFTC alleges against BitMEX) that the company had regular awareness of the use of VPN connections by individuals in a country whose IP addresses the company blocks.
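The two policies described above (block a country's address ranges, and either block or merely record connections from known VPN endpoints) can be expressed as a small connection gate. This is an added illustration, not code from the article or from any exchange; the prefix lists are constructed sample ranges from the RFC 5737 documentation blocks, standing in for a real geolocation feed and a real VPN-endpoint feed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data (RFC 5737 documentation prefixes), not real geolocation or VPN feeds.
BLOCKED_COUNTRY_PREFIXES = {"US": ["192.0.2.0/24", "198.51.100.0/25"]}
KNOWN_VPN_EGRESS_PREFIXES = ["203.0.113.0/26"]


@dataclass
class Policy:
    blocked_countries: set
    block_vpn_egress: bool  # True: deny VPN endpoints; False: allow but keep a record


@dataclass
class Decision:
    allow: bool
    reason: str


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def _match(ip, nets):
    return any(ip in n for n in nets)


class ConnectionGate:
    def __init__(self, policy, country_prefixes, vpn_prefixes):
        self.policy = policy
        self.country_nets = {c: _nets(p) for c, p in country_prefixes.items()}
        self.vpn_nets = _nets(vpn_prefixes)
        # Every VPN-egress hit is recorded so the company can review how often
        # its geo-block is being bypassed rather than remain unaware of it.
        self.audit = []

    def evaluate(self, src_ip: str) -> Decision:
        ip = ipaddress.ip_address(src_ip)
        # Geo-block first: the country policy applies regardless of VPN use.
        for country in self.policy.blocked_countries:
            if _match(ip, self.country_nets.get(country, [])):
                return Decision(False, f"geo-block:{country}")
        if _match(ip, self.vpn_nets):
            self.audit.append({"ip": src_ip, "event": "vpn-egress"})
            if self.policy.block_vpn_egress:
                return Decision(False, "vpn-egress-block")
            return Decision(True, "vpn-egress-allowed-and-recorded")
        return Decision(True, "ok")
```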

Second, a company engaging in cryptocurrency transactions needs to understand whether any such transaction is likely to fail for reasons of fraud or other cybersecurity concerns. To address that, the company may want to consider the nature of the cryptocurrency market and its ability to trust that the transaction isn’t fraudulent. The first consideration is the type of market: centralized or decentralized. A cryptocurrency market can be truly decentralized, with no organization providing a matchmaking function and each participant relying upon the honesty of the others that the transaction will actually occur as negotiated. Or it can be centralized: The market is run by an organization that provides custodial or similar services to prevent transaction failures. BitMEX was a centralized exchange, which required (according to the indictment) “only a verified email address” to open an account.

A centralized market can prevent transaction failures but may also have fewer participants because of AML compliance obligations and the removal of the possibility of anonymous participation by counterparties. The recent case against BitMEX makes clear that governments expect market organizers (think the NYSE and its market makers) to comply with AML laws in their countries. As governments continue to push extraterritorial application of their laws (in the privacy and security context and otherwise), centralized cryptocurrency markets, like financial institutions in tax havens, will need to consider how to balance local privacy laws against AML laws of foreign countries whose citizens or residents participate in the market. Of course, this runs contrary to the very idea of cryptocurrency held by many of its advocates: currency free of government control and intervention. More important, as extraterritorial application continues, under the cover of preventing money laundering, a government could demand offshore exchanges apply its KYC requirements to all the exchange’s customers and in turn comply with that country’s cybersecurity laws, to prevent (as the indictment alleges) trading by criminals based in a sanctioned country in order to launder funds acquired through hacking activity. In this way, a country with strict cybersecurity and data onshoring laws could effectively capture offshore markets.

Consequently, individuals and entities interested in trading cryptocurrencies are faced with the choice of either using a centralized market—which, as the BitMEX charges and claims lay bare, needs to engage in meaningful AML/KYC procedures—or finding a decentralized exchange where they can trade in cryptocurrencies in relative anonymity.

Think of a decentralized market as similar to a giant swap meet: a thing that permits buyers and sellers to come together but that isn’t involved in facilitating the transaction itself. At a swap meet, buyers can show sellers their ability to pay and sellers can show that they have items for sale; on a virtual decentralized market, buyers and sellers need to demonstrate the same to each other. Otherwise, exchange participants bear significant risk of transaction failure—by fraud or for some other reason. Offsetting that risk requires careful thought and design of privacy and data security issues by the creator of the decentralized market or by its participants: How do participants exchange information conveying trustworthiness in a manner that protects their privacy, and how is the exchange structured to ensure that transaction information is protected and that participants can be confident that their trustworthiness information will not be stolen or misused? Here, then, if a company engages in transactions on a decentralized market, the company will need to tread carefully to ensure that it won’t be defrauded and to otherwise minimize the risk of transaction failure.

Ultimately, extraterritorial application of AML laws serves as a reminder of the complexities around use of cryptocurrency. Remember that the blockchain ledger underlying any cryptocurrency is immutable—and because it’s immutable, the transactions involving a specific unit of any cryptocurrency can be traced easily. Put differently, if the participants in a transaction are known, money laundering with cryptocurrencies doesn’t work.


© 2024 Manatt, Phelps & Phillips, LLP.