Bitcoin Law: Compliance and Avoidance Strategies

Bitcoin lawyer Marco Santori takes an in-depth look at compliance and avoidance strategies for bitcoin businesses in the US.

AccessTimeIconDec 12, 2013 at 12:00 p.m. UTC
Updated Sep 10, 2021 at 12:03 p.m. UTC

Marco Santori is a blockchain and bitcoin specialist who leads the FinTech practice at law firm Cooley LLP.

In this multi-part series, Santori gives a basic primer on the state of US law as it applies to digital currency entrepreneurs.

money, dollars
money, dollars

In the first two parts of the series, we covered the law of money transmission on the federal and state-level in the United States. We learned that not all digital currency businesses need to register or obtain a license, but for those that do, the process can prove expensive and time-consuming.

So, how can a business effectively comply with the registration and licensing requirements? What alternatives exist? How can a business avoid them altogether?

You can seek licenses, but it’s expensive

The first and most obvious option for complying with state and federal requirements is to register with FinCEN and seek licenses from each of the states in which your customers reside.

Registration with FinCEN is a fairly simple exercise: 15 minutes and a few mouse clicks on FinCEN’s website will satisfy that obligation. The real burden here comes from the ongoing costs of compliance, like verifying customer information and filing Suspicious Activity Reports.

Likewise, compliance on the state level is expensive.

The up-front costs alone of obtaining 48 state money transmission licenses can exceed six-figures for some applicants. On top of that, satisfying the ongoing state requirements is a business unto itself.

For more information on federal compliance, see part one of this series. For compliance on the State level, see part two. If that process is not appetizing to you, you’re not alone. Many businesses have sought to avoid US customers altogether.

You can avoid US customers, but it takes work


Plenty of businesses, some of my own clients included, have decided that the US market just isn’t for them.

They’ve either soured on the idea of servicing US clients altogether, or have decided to launch and wait it out in jurisdictions like Canada until the US sees regulatory reform.

This can be both profitable and practical, but simply incorporating the overseas market isn’t going to cut it.

The smart business will develop a set of policies and procedures reasonably calculated to keep US residents out. A competent attorney can help guide you through this process, and I can give some very basic principles here.

Firstly, a pre-emptive response to a question I get asked weekly: geofiltering incoming IP addresses is only the beginning. The business itself should detect the jurisdiction of the customer’s IP address, display that address, and ask the customer to confirm that this is his or her jurisdiction.

Both customer and business can take affirmative steps: the customer can be required to click a button stating “I affirm that I am a resident of *country*,” and the business can require verifying documentation, like a passport or utility bill.

Several providers offer these kinds of onboarding services. Your business should develop a risk profile for each of its customers in real time setting forth the probability that the customer is a US resident.

The risk profile should take into account different factors like: (i) whether the customer registers a US bank account with your business, (ii) how many transfers to US bank accounts the customer requests (if you offer such a service), and (iii) how many times the customer accesses your service from within the US after setting up a new account.


A customer whose activities, over time, start to resemble those of a US resident, might be a US resident – and your business should consider closing that customer’s account.

Once these policies are in place, your business should implement them and record the results in case of future enforcement by a US regulatory body.

The record shouldn't just show that your business followed its own policies, but that those policies worked. If push comes to shove, a judge and jury would probably like to see that, every once in a while, your procedures actually caught a US resident trying to use your service, and that you closed his or her account.

Finally, it should go without saying that your business should not advertise to US customers. This all might seem excessive for, or inapplicable to, your business and indeed it might be. The proper set of procedures will depend heavily upon the details of your business model and your degree of risk tolerance.

For some, even crafting and implementing these policies may be just as unappetising as compliance. There is, in fact, a way to service US customers and avoid these burdens.

Namely, you can become the agent of a Bank or Credit Union, as existing MSB Certified agents of banks, credit unions and money services businesses are typically exempt from registration and licensure requirements.

Functionally, becoming an agent means hiring an attorney to negotiate and execute an agreement with the bank, credit union or MSB (called the “principal”) setting forth your relative rights and obligations.

Becoming an agent implies two important consequences. First, you will lose some control over your business. As the agent, you will act at the principal’s direction. The principal will likely possess more leverage in the negotiation of the agreement and its performance.

Second, you will not avoid the compliance requirements altogether. To be sure, your business won’t need to seek out state licenses or to register with FinCEN, but it will still have to comply with any anti-money laundering and know your customer (KYC) requirements put in place by the principal.

Furthermore, your business will need to implement those requirements in the way the principal wants them implemented – which may or may not map onto your business plan.

For a digital currency business, an agency relationship might be difficult to find.

Existing money transmitter license holders are wary of alienating their current agents by signing on an untested and exotic digital currency business.

Worse, banks and credit unions have yet to develop a compliance program properly tailored to digital currency technology. If no existing licensee is interested, or the ongoing costs of compliance are still too high, not all is lost.

Your business model can fit into an exception, or avoid the MSB rules entirely

There are several exceptions to the MSB registration requirements. The most popular – at least in my experience – are the so-called “payment processor” exemptions.

Businesses that merely perform payment processing services for a merchant are exempt from registration with FinCEN, even though they otherwise fit the definition of a money transmitter. These businesses can thrive in the digital currency ecosystem without ever having to verify their customer’s identifying information or file a Suspicious Activity Report.

The answer to the question: “Am I a payment processor?” is not always obvious, and even then, not all business owners necessarily want to know the answer for sure. After all, the answer might be “no”.

To the attorney’s lament, many clients would prefer to beg forgiveness rather than ask permission. For those who value peace of mind, though, the best way to find out is for your attorney to prepare a “request for ruling” to FinCEN and ask them directly.

I talked about this process in the context of state regulatory bodies in part two, but the same is true for the federal regulators at FinCEN.

Sometimes better than fitting into an exception, some digital businesses have found success in avoiding the money transmission regime entirely. They accomplish this by carefully structuring their business model to avoid the common characteristics of money transmission.

The real-world permutations here are literally infinite, but two simplistic examples might be helpful.

Firstly, a business that would otherwise be a payment processor, but also offers hosted wallet functionality, might offload that responsibility to a third party, or require the customer to provide his own wallet address.

Secondly, an institutional bitcoin miner might, instead of selling his mined bitcoins for dollars, sell his hashing power in bulk to customers who can either hold their mined coins or sell them for dollars themselves.

Another very specific example of adjusting a business model to comply with regulation is a time-tested practice: pass the buck to someone else.

You can white label your product


You’ve probably heard of white labeling. It means developing your product to completion and bringing it to the cusp of launch, but instead of dealing with the regulation required to use it, selling it or licensing it to someone else.

This has the effect of passing the regulatory burden onto the customer and can be successful whether your product is hardware or software. For example, the manufacturer of a Bitcoin ATM machine need not operate it. The manufacturer can successfully sell machines to a third party who will plug it in, collect the cash and deal with the regulatory worries.

The same is true for developers of Bitcoin exchange software. Developers can always operate the exchange in-house under its own brand and manage the regulatory risk.

Alternatively, it can license the exchange Software As A Service (you’ve probably heard the expression “SAAS”) to a third party in a jurisdiction with less stringent regulatory requirements. A competent attorney can guide your business through this process, and prepare the contracts required to get the job done correctly.

This completes the Bitcoin money transmission trilogy.

In part one, we learned about the federal requirements for money transmitters. In part two, we discussed how state money transmission laws could make or break a digital currency business. In this article, part three, we canvassed some strategies for complying with and avoiding those requirements.

What would you like to see in Part 4?

Marco Santori is a business attorney in New York City with Pillsbury Winthrop Shaw Pittman LLP. He is a lawyer, but he is not your lawyer, and this is not legal advice. You can reach Marco at

Dollar Stack image via Shutterstock


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Read more about