Two U.S. authorities recently announced actions against four individuals and numerous entities associated with BitMEX, an online trading platform for futures contracts and other derivative products tied to the value of cryptocurrencies.  Both actions allege that BitMEX failed to put in place required anti-money laundering programs and procedures, and serve as a reminder that institutions offering new and innovative financial products should assess the potential applicability of and compliance with U.S. anti-money laundering laws and regulations.

BitMEX’s Background

According to the court filings, BitMEX has described itself as the world’s largest cryptocurrency derivatives platform in the world.  Among other offerings, BitMEX offered commodity futures, options, and swaps on digital assets, including Bitcoin, Ether, and Litecoin.

Department of Justice Criminal Case

The U.S. Attorney’s Office for the Southern District of New York (“SDNY”) charged four individuals with causing a financial institution to violate the Bank Secrecy Act (“BSA”).  The indictment asserts that BitMEX served customers located in the United States, and therefore was a futures commission merchant (“FCM”) that had to comply with the BSA.  The defendants, all executives of BitMEX, allegedly failed to establish, implement, and maintain an adequate AML program, including adequate customer identification and “Know Your Customer” (“KYC”) programs.  The BSA and its implementing regulations require FCMs to establish AML programs that include, at a minimum, the following:

(1) policies, procedures, and internal controls to prevent the FCM from being used for money laundering or terrorist financing;

(2) independent testing;

(3) designation of an individual or individuals responsible for implementing and monitoring the internal controls;

(4) ongoing training for appropriate persons; and

(5) appropriate risk based procedures for conducting ongoing customer due diligence.[1]

Other relevant requirements for FCMs under the BSA’s implementing regulations include, but are not limited to, filing suspicious activity reports (“SARs”) and implementing a written KYC program that includes procedures for verifying the identify of each customer to the extent reasonable and practicable.

The indictment asserts that the individual defendants knew that BitMEX had to comply with AML and KYC requirements if it served U.S. customers or operated within the United States.  The defendants allegedly took steps to exempt the company from the application of U.S. laws and regulations; for example, the indictment claims that the defendants incorporated BitMEX in the Seychelles, believing they could still serve U.S. customers but avoid having to adopt BSA-compliant AML and KYC programs.  According to the indictment, BitMEX did not adopt a formal compliance program, processes, or internal controls; “could not and did not monitor its customer transactions for money laundering and sanctions violations”; and did not file any SARs between its launch in November 2014 and September 2020.

The indictment also focuses on BitMEX’s alleged failure to know the true identities of its customers.  Customers could register to trade anonymously without providing any identifying information or documentation, and BitMEX’s initial marketing advertised that it did not require advanced verification.  Moreover, the government alleged that the steps that BitMEX did take, such as implementing an internet protocol (“IP”) address check in response to CFTC public enforcement orders, were intentionally designed to be ineffective.  The IP address check only prevented using a U.S. IP address to register with BitMEX.  After successfully registering, a customer could freely access BitMEX’s platform from U.S. IP addresses or by using a virtual private network (“VPN”), which permitted the customer to circumvent the IP address check and which BitMEX took no steps to preclude.

Customers could register to trade anonymously without providing any identifying information or documentation, and BitMEX’s initial marketing advertised that it did not require advanced verification.

The indictment asserts that, because of its failure to implement AML and KYC programs, BitMEX made itself available as a vehicle for money laundering and sanctions violations, and that some of the individual defendants knew that money laundering and sanctions violations occurred on the platform, including servicing sanctioned customers located in Iran.

CFTC Action

Similarly, the Commodity Futures Trading Commission (“CFTC”) brought a civil enforcement action charging three individuals and five entities doing business as BitMEX with operating an unregistered trading platform and violating multiple CFTC regulations, including failing to implement required AML or KYC procedures or a customer information program (“CIP”).  The CFTC complaint alleges that BitMEX did not collect any documents to verify the identity or location of the vast majority of its users, and advertised that customers could register to trade in minutes.  The complaint continues that BitMEX deleted records for numerous accounts in cases where a user was found to be in the U.S. or another restricted jurisdiction. A 2015 investor presentation asserted that “bitcoin derivatives are completely unregulated worldwide,” despite receiving guidance from a compliance consultant that informed BitMEX’s founders of the need to know the identity of BitMEX’s customers.

The complaint states that in August 2020, BitMEX announced plans to begin conducting KYC on customer accounts, but that, until that point, executives had made deliberate decisions to refrain from implementing KYC and AML procedures.  For example, in 2016, in responding to a U.S.-based exchange’s query about BitMEX’s policies, BitMEX asserted that it blocked U.S. residents from using the platform, but performed “no other KYC as we are not required to under Seychelles law for the products that we offer.” However, according to the complaint, “thousands of U.S. persons were in fact trading on BitMEX’s platforms.”  The CFTC’s release announcing the complaint emphasized BitMEX’s “operation of the platform from the U.S. and its extensive solicitation of and access to U.S. customers.”

                                                           *          *          *

These actions contain at least two key takeaways for cryptocurrency companies.  First, companies incorporated in jurisdictions outside the U.S. may be subject to U.S. laws and regulations based on, among other factors, marketing to U.S. persons, where their customers are located, and whether any of their business is conducted from the U.S., as was the case with BitMEX.  The SDNY and FBI, when announcing the indictment of the four executives, derided BitMEX’s efforts to establish itself as an “off-shore” exchange.  On this point, the indictment is in keeping with prior enforcement actions, such as the 2013 action against Costa Rican digital currency company Liberty Reserve.[2]  Second, cryptocurrency companies should examine their obligations under the BSA and its implementing regulations, which require that certain financial institutions have AML and KYC programs in place.  Cryptocurrency companies should carefully balance the desire to provide relatively easy and quick access to their platforms with the need to meet applicable regulatory standards so as not to risk enforcement action by criminal authorities, the CFTC, the Financial Crimes Enforcement Network (“FinCEN”), or the Office of Foreign Assets Control (“OFAC’), among others.

[1] 31 C.F.R. § 1026.210.

[2] Although incorporated in Costa Rica, Liberty Reserve had more than 200,000 users in the United States.  Liberty Reserve and multiple individuals were charged with money laundering and operating an unlicensed money transmitting business. The investigation was described at the time as possibly the largest international money laundering prosecution in history.