Bitcoin Law: Compliance and Avoidance Strategies
Bitcoin lawyer Marco Santori takes an in-depth look at compliance and avoidance strategies for bitcoin businesses in the US.
Marco Santori is a blockchain and bitcoin specialist who leads the FinTech practice at law firm Cooley LLP.
In this multi-part series, Santori gives a basic primer on the state of US law as it applies to digital currency entrepreneurs.
In the first two parts of the series, we covered the law of money transmission on the federal and state-level in the United States. We learned that not all digital currency businesses need to register or obtain a license, but for those that do, the process can prove expensive and time-consuming.
So, how can a business effectively comply with the registration and licensing requirements? What alternatives exist? How can a business avoid them altogether?
You can seek licenses, but it’s expensive
The first and most obvious option for complying with state and federal requirements is to register with FinCEN and seek licenses from each of the states in which your customers reside.
Registration with FinCEN is a fairly simple exercise: 15 minutes and a few mouse clicks on FinCEN’s website will satisfy that obligation. The real burden here comes from the ongoing costs of compliance, like verifying customer information and filing Suspicious Activity Reports.
Likewise, compliance on the state level is expensive.
For more information on federal compliance, see part one of this series. For compliance on the State level, see part two. If that process is not appetizing to you, you’re not alone. Many businesses have sought to avoid US customers altogether.
You can avoid US customers, but it takes work
Plenty of businesses, some of my own clients included, have decided that the US market just isn’t for them.
They’ve either soured on the idea of servicing US clients altogether, or have decided to launch and wait it out in jurisdictions like Canada until the US sees regulatory reform.
This can be both profitable and practical, but simply incorporating the overseas market isn’t going to cut it.
The smart business will develop a set of policies and procedures reasonably calculated to keep US residents out. A competent attorney can help guide you through this process, and I can give some very basic principles here.
Both customer and business can take affirmative steps: the customer can be required to click a button stating “I affirm that I am a resident of *country*,” and the business can require verifying documentation, like a passport or utility bill.
Several providers offer these kinds of onboarding services. Your business should develop a risk profile for each of its customers in real time setting forth the probability that the customer is a US resident.
The risk profile should take into account different factors like: (i) whether the customer registers a US bank account with your business, (ii) how many transfers to US bank accounts the customer requests (if you offer such a service), and (iii) how many times the customer accesses your service from within the US after setting up a new account.
A customer whose activities, over time, start to resemble those of a US resident, might be a US resident – and your business should consider closing that customer’s account.
Once these policies are in place, your business should implement them and record the results in case of future enforcement by a US regulatory body.
The record shouldn't just show that your business followed its own policies, but that those policies worked. If push comes to shove, a judge and jury would probably like to see that, every once in a while, your procedures actually caught a US resident trying to use your service, and that you closed his or her account.
Finally, it should go without saying that your business should not advertise to US customers. This all might seem excessive for, or inapplicable to, your business and indeed it might be. The proper set of procedures will depend heavily upon the details of your business model and your degree of risk tolerance.
For some, even crafting and implementing these policies may be just as unappetising as compliance. There is, in fact, a way to service US customers and avoid these burdens.
Namely, you can become the agent of a Bank or Credit Union, as existing MSB Certified agents of banks, credit unions and money services businesses are typically exempt from registration and licensure requirements.
Functionally, becoming an agent means hiring an attorney to negotiate and execute an agreement with the bank, credit union or MSB (called the “principal”) setting forth your relative rights and obligations.
Second, you will not avoid the compliance requirements altogether. To be sure, your business won’t need to seek out state licenses or to register with FinCEN, but it will still have to comply with any anti-money laundering and know your customer (KYC) requirements put in place by the principal.
Furthermore, your business will need to implement those requirements in the way the principal wants them implemented – which may or may not map onto your business plan.
For a digital currency business, an agency relationship might be difficult to find.
Existing money transmitter license holders are wary of alienating their current agents by signing on an untested and exotic digital currency business.
Worse, banks and credit unions have yet to develop a compliance program properly tailored to digital currency technology. If no existing licensee is interested, or the ongoing costs of compliance are still too high, not all is lost.
Your business model can fit into an exception, or avoid the MSB rules entirely
There are several exceptions to the MSB registration requirements. The most popular – at least in my experience – are the so-called “payment processor” exemptions.
Businesses that merely perform payment processing services for a merchant are exempt from registration with FinCEN, even though they otherwise fit the definition of a money transmitter. These businesses can thrive in the digital currency ecosystem without ever having to verify their customer’s identifying information or file a Suspicious Activity Report.
To the attorney’s lament, many clients would prefer to beg forgiveness rather than ask permission. For those who value peace of mind, though, the best way to find out is for your attorney to prepare a “request for ruling” to FinCEN and ask them directly.
I talked about this process in the context of state regulatory bodies in part two, but the same is true for the federal regulators at FinCEN.
The real-world permutations here are literally infinite, but two simplistic examples might be helpful.
Firstly, a business that would otherwise be a payment processor, but also offers hosted wallet functionality, might offload that responsibility to a third party, or require the customer to provide his own wallet address.
Secondly, an institutional bitcoin miner might, instead of selling his mined bitcoins for dollars, sell his hashing power in bulk to customers who can either hold their mined coins or sell them for dollars themselves.
Another very specific example of adjusting a business model to comply with regulation is a time-tested practice: pass the buck to someone else.
You can white label your product
You’ve probably heard of white labeling. It means developing your product to completion and bringing it to the cusp of launch, but instead of dealing with the regulation required to use it, selling it or licensing it to someone else.
This has the effect of passing the regulatory burden onto the customer and can be successful whether your product is hardware or software. For example, the manufacturer of a Bitcoin ATM machine need not operate it. The manufacturer can successfully sell machines to a third party who will plug it in, collect the cash and deal with the regulatory worries.
The same is true for developers of Bitcoin exchange software. Developers can always operate the exchange in-house under its own brand and manage the regulatory risk.
Alternatively, it can license the exchange Software As A Service (you’ve probably heard the expression “SAAS”) to a third party in a jurisdiction with less stringent regulatory requirements. A competent attorney can guide your business through this process, and prepare the contracts required to get the job done correctly.
This completes the Bitcoin money transmission trilogy.
In part one, we learned about the federal requirements for money transmitters. In part two, we discussed how state money transmission laws could make or break a digital currency business. In this article, part three, we canvassed some strategies for complying with and avoiding those requirements.
What would you like to see in Part 4?
Marco Santori is a business attorney in New York City with Pillsbury Winthrop Shaw Pittman LLP. He is a lawyer, but he is not your lawyer, and this is not legal advice. You can reach Marco at email@example.com.
Dollar Stack image via Shutterstock
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.