Marco Santori is a blockchain and bitcoin specialist who leads the FinTech practice at law firm Cooley LLP.
In this multi-part series, Santori gives a basic primer on the state of US law as it applies to digital currency entrepreneurs.
Bitcoin businesses are in a tough spot. Payment startups that once coasted quietly under the regulatory radar are becoming bright, interesting new blips on government monitors. 22 companies involved in bitcoin were subpoenaed by the state of New York earlier this week; a US judge ruled that bitcoin is a form of money; and the Bitcoin Foundation received a cease and desist letter from the state of California.
If the last few months have taught us anything, it is that there will soon exist a new and evolving body of law: The Law of Digital Currency, or, as some would prefer it: Bitcoin Law.
I will explain, using examples from my own practice and the industry at large, how businesses have been affected by recent US regulation on a granular level. Perhaps most importantly, I'll set forth some strategies for efficiently complying with those regulations, and for avoiding them altogether.
I will use "digital currency", "virtual currency" and "bitcoin" interchangeably here, though I acknowledge that bitcoin is only one type of digital currency, that "virtual currency" is something of a loaded term, and that bitcoin may not even be best described as a currency at all.
What regulation is involved?
What digital businesses are affected by US regulation? At minimum, businesses either physically located in the United States, servicing US customers, or sometimes merely soliciting US customers, are governed principally by two regimes: money transmitter regulation (enforced by the Department of the Treasury) and securities regulation (enforced by the Securities and Exchange Commission).
The consensus among legal professionals is that two more government agencies might soon have a hand in the market as well: the Commodity Futures Trading Commission and the Consumer Financial Protection Bureau. This primer will address each of the realities as they stand today, and some possibilities of what the regulation might be tomorrow.
The first regime, and the regime that has received the most press over the past few months, is the law of money transmission. The classic description of a money transmitter is a business, Business A, that accepts money from Person B and transmits that money to Person C, either at a later time or a different place.
Western Union's services are well-known examples. In the United States, compliance with money transmission law means compliance with both federal government and state government regulations. In this part of the primer, I'll address the federal level.
Money transmission on the federal level
The Financial Crimes Enforcement Network ("FinCEN") is the bureau of the US Department of the Treasury that enforces federal regulation of money services businesses in the United States.
On March 18, 2013, FinCEN published guidance announcing that it would make no distinction between transmitters of government (or "fiat") currency and transmitters of bitcoin, which it now famously referred to as a "decentralized convertible virtual currency", rather than by name itself.
Thus, businesses that transmitted, sold or exchanged bitcoin were now Money Services Businesses, specifically "money transmitters", required to register with FinCEN and satisfy ongoing record-keeping and reporting requirements. From the perspective of the federal government, an entire industry of visionary startups that had not already registered, and had no intention of registering, became potential criminal enterprises overnight.
As you might imagine, this announcement was an earth-shattering development for the digital currency space. Some have called it bitcoin's "watershed moment" because of its clear, unequivocal positive message: bitcoin is not illegal. The negative consequence, though, was just as obvious: Many bitcoin businesses models are illegal.
Some aspects of the FinCEN guidance were comforting. Some were troubling. Some were death knells for otherwise successful businesses. Some could only be described as confusing. Here are the highlights:
- Individuals who merely exchange bitcoin for goods and services (and vice versa) are merely "users" of a virtual currency, not money transmitters.
- Businesses that accept bitcoin from one person and send it to another are money transmitters, and are not exempt from money transmission regulation simply because they do not deal in fiat currency.
- Individual bitcoin miners who convert their "created" coins to fiat are money transmitters, even though they never act "as a business," nor accept value from one person to transfer it to a third person.
- Any business that exchanges fiat currency for virtual currency – or even one virtual currency for another – is a money transmitter.
Struggling with this guidance, many bitcoin entrepreneurs have understandably felt like modern square pegs being jammed into round regulatory holes meant for ancient business models. Take mining for example.
The guidance did not specifically use the term "miners", and, as we all know, miners don't actually "create" bitcoins. The coins are awarded by the network itself.
Nonetheless, the guidance seems to be referring to miners, and miners – especially those large miners pushing multiple terahashes through the network – are right to worry that they could be classified as money transmitters. The (albeit anecdotal) consensus among legal professionals is that despite the terminological confusion, FinCEN did, in fact, mean to specifically call out miners.
There is another level of confusion: miners don't actually transmit anything, except presumably when they exchange their mined coins for fiat. But how does having mined the coins make miners any more of a "transmitter" than anyone else who exchanges coins for fiat? The guidance does not defend this point in any detail.
As if that wasn't enough, the FinCEN guidance states that all "persons", not just businesses, who exchange their mined coins for fiat are money transmitters. This is contrary to the basic premise that operating "as a business" is the fundamental predicate for the definition of a Money Services Business. The guidance's treatment of individual miners is only one example of the round peg, square hole problem endemic to the federal treatment of the industry.
The consequences of money transmitter classification
Because money transmission is such a heavily regulated business, classification as a money transmitter – especially unwitting classification – comes with real legal and practical consequences.
FinCEN regulates money transmitters pursuant to a legislative framework commonly referred to as the Bank Secrecy Act ("BSA"), which includes elements of the Patriot Act and other pieces of legislation. The primary consequence of this regulation is that money transmitters must put in place and enforce Anti Money Laundering ("AML") and Know Your Customer ("KYC") policies designed to aid FinCEN's investigation of potential criminal activity.
The specific AML and KYC requirements of the BSA could (and do!) fill pages. But in short strokes, businesses must collect personally identifying information about their customers, in some circumstances report that information to FinCEN, and sometimes even outright deny service.
Suspicious transactions - or even ministerial transactions over a certain dollar amount - must be reported to FinCEN. In effect, the BSA deputizes financial institutions, requiring them to act as the government's foot soldiers in its war on money laundering.
It's clear why this is a problem for a bitcoin business: privacy (if not anonymity) is one of bitcoin's most popular features. A business that identifies its customers and then reports that identity to the government simply can't cater to the significant swathe of customers who want to keep that identity a secret.
Moreover, the reporting requirements add a level of cost and complexity to many business models. For example, imagine an ATM-type vending machine that dispenses bitcoins or other digital currency. Before the FinCEN guidance, a company looking to roll out a network of such machines in the US could have reasonably catered to customers who were strangers: anyone walking up to the machine could see the machine, purchase bitcoin, and walk away with their coin in a matter of seconds.
After the FinCEN guidance, though, we now know that this wouldn't be so simple. Regulators have dismissively referred to this product as a "laundry machine" – as in money "laundering".
The guidance made clear that a business exchanging fiat for digital currency is a kind of money transmitter. Thus, the business must collect personally identifying information from the customer before entering into the transaction.
At minimum, the business must collect, record, and sometimes verify the customer's name, address and telephone number. In the cases of international or otherwise "high-risk" clients, the business must take even more stringent identification measures.
Instead of catering to a broad customer base (anyone walking up to the machine), the company can only service customers who are pre-authorized and pre-cleared against multiple government watch lists – a significant hurdle for a fledgling product. Accordingly, some businesses simply chose not to register with FinCEN.
Those that didn't register
So it went with Mutum Sigillum. Mutum Sigillum was a US subsidiary of Mt. Gox, the popular digital currency exchange based in Japan that exchanges bitcoins for dollars and other currencies.
Mutum Sigillum allegedly used a US bank account to accept dollars from US customers and send them to Mt. Gox to fund trades on its exchange. Customers could then use Mutum Sigillum's service to transfer dollars from Mt. Gox back to themselves in the US. In its most simplified form, its business was accepting funds from Person A, a customer, holding them temporarily, transmitting them to Person B, Mt. Gox, and back again
As I mentioned above, this is classic money transmission. Yet Mutum Sigillum allegedly did not register with FinCEN (although Mt. Gox since has), nor did it collect or report the required AML/KYC information. In fact, it allegedly lied on its bank account application, failing to disclose that it was engaged in such a business.
On May 14, 2013 the Department of Homeland Security, acting in concert with FinCEN, seized the US assets of Mutum Sigillum and shuttered its business.
Liberty Reserve didn't register either. Liberty Reserve was a Costa Rican payment processor that did not use bitcoin, but did use its own form of centralized digital currency called "Liberty Reserve Dollars". One of its services was accepting funds from Customer A, holding those funds, and then distributing them to Customer B at Customer A's direction using Liberty Reserve Dollars.
Like Mutum Sigillum's business, this was also a classic example of money transmission. It serviced customers across the globe, including the United States, without collecting any of the information or making any of the reports required under the BSA.
In May, 2013, the US federal government seized the Liberty Reserve website and shut down its business, citing, among other things, its operation as an unlicensed money transmitter. The seizure notice is still on its website.
Liberty Reserve and Mutum Sigillum teach us that the penalties for failing to register with FinCEN are real. Yet comparatively speaking, the upfront costs of registration are nil. Registration primarily consists of filling out forms and clicking some buttons on FinCEN's website. The entire affair is over in a matter of minutes. The catch? In addition to requiring registration and the implementation of its own AML and KYC policies, federal law also punishes bitcoin businesses that violate the money transmitter licensing laws of any of the United States.
In Part II, money transmission on the state level, I'll explain whether a digital currency business must obtain a state license, the cost of state licensing, and the odds of actually being awarded a state license.
Marco Santori is a business attorney in New York City with Pillsbury Winthrop Shaw Pittman LLP. He is a lawyer, but he is not your lawyer, and this is not legal advice. You can reach Marco at firstname.lastname@example.org.