Analyze This: The NYDFS Sets Clear Crypto Transaction Monitoring Expectations

The past year has seen a flurry of crypto-related activities by the federal financial regulators, including the issuance of reports, guidance, joint statements, and interpretive letters. For example, in November 2021, the President’s Working Group on Financial Markets, along with the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC), released a long-awaited Report on Stablecoins, recommending comprehensive federal legislation for stablecoins. In December 2021, the federal banking agencies released a statement announcing the establishment of “crypto-asset policy sprints,” to generate coordinated guidance from the agencies.[1] And in March 2022, President Biden signed an Executive Order calling on federal agencies to take a unified approach to regulating and overseeing digital assets. But while the industry still awaits comprehensive federal regulation, the New York Department of Financial Services (DFS) has moved forward with guidance for virtual currency business entities licensed under 23 NYCRR Part 200 or chartered as limited purpose trust companies under the New York Banking Law (VCEs).[2] This marks the first clear guidance from a U.S. regulator, state or federal, on expectations regarding transaction monitoring and the use of blockchain analytics for the virtual currency industry.

Blockchain Analytics

The guidance encourages VCEs to adopt blockchain analytics tools as a best practice to detect, prevent, and manage suspicious activities in the virtual currency industry. Virtual currency activities can involve different sources, destinations, and funds flow types than are found in more traditional, fiat-currency contexts. These characteristics trigger compliance challenges with regard to anti-money laundering (AML) and economic sanctions issues. Due to these challenges, the DFS emphasizes the importance of blockchain analytics to VCEs in addressing, among other issues, AML and sanctions requirements.

Superintendent Adrienne A. Harris noted that, “Blockchain analytics tools provide companies with an efficient, data-driven way to conduct customer due diligence, transaction monitoring, and sanctions screening, among other things, which are all critical elements of our virtual currency regulation . . . . We expect regulated entities to utilize best practices to uphold the safety and soundness of the virtual currency market and to protect consumers.”

While a VCE may outsource its compliance obligations to third-party service providers, the VCE ultimately remains responsible for compliance. A VCE must have clearly documented policies, processes, and procedures with regard to how blockchain analytics tools are integrated into its control framework, consistent with its risk profile.

The guidance emphasizes a risk-based approach to compliance. Specifically, a VCE’s risk mitigation strategy must take into account the VCE’s business profile, the types of virtual currencies involved, and their particular characteristics. While blockchain analytics tools may assist a VCE with compliance, the tools may have limited effectiveness depending on the virtual currencies used.

In particular, the guidance sets out the following expectations for VCEs:

• Augmented Know Your Customer (KYC) Controls: VCEs must obtain and maintain information regarding their customers and potential customers, and use this information to understand and effectively address risk. There are useful tools available that allow for obtaining identifying information that ties directly to pseudonymous on-chain data. While these products and services may help VCEs in certain ways, e.g., to identify wallet addresses associated with known high-risk wallet addresses, the DFS cautions that these tools have limitations.
• Transaction Monitoring of On-Chain Activity: VCEs must institute risk-based transaction monitoring control measures to monitor and identify unusual activity tailored to the VCE’s risk profile. This depends on comprehensive policies, processes, and procedures that allow the VCE to trace transaction activity, monitor for applicable typologies and red flags, and address other risk considerations. Common typologies for illicit virtual currency business activity include a virtual currency: (1) with substantial exposure to a high-risk jurisdiction; (2) that is processed through a mixer or tumbler; (3) which is sent to or from a darknet marketplace; or (4) which is associated with scams, ransomware, or other illicit activity. The VCE should have written case management and escalation processes and clearly delineate roles and responsibilities across the business and compliance functions.
• Sanctions Screening of On-Chain Activity: VCEs must conduct sanctions screening of on-chain activity and, in particular, establish and maintain policies, processes, and procedures to identify transaction activity involving virtual currency addresses or other identifying information associated with sanctioned individuals and entities listed on the Specially Designated Nationals List or located in sanctioned jurisdictions. Transaction monitoring and investigation software can assist with sanctions screening.

The Bigger Picture

The DFS noted that it aims to maintain a robust regulatory regime, while remaining a favorable jurisdiction for VCEs. The guidance was informed by conversations between the DFS and stakeholders, and the DFS stated its intent to continue engaging with industry, other regulators, and experts in the field. This echoes the language of recent government-wide issuances, which require a risk-based approach to compliance and increased virtual currency regulation, but in the context of a cautious welcome to industry players. In October 2021, the Office of Foreign Assets Control released sanctions compliance guidance for the virtual currency industry.[3] The Financial Crimes Enforcement Network has issued multiple releases on combating risks in the virtual currency space.[4] Issuing guidelines, advisories, and the like represents an implicit acceptance of the industry and its associated risks, while setting standards for best practices. A few weeks ago, the FDIC announced that FDIC-supervised institutions must notify the FDIC if engaging in crypto asset activities. The release emphasized that crypto activities pose risks, but also that the FDIC supports safe and sound innovation. Similarly, in January 2021, the OCC considered the permissibility of national banks and federal savings association acting as nodes on independent node verification networks and engaging in related stablecoin activities. The OCC concluded that these financial institutions could use new technologies to conduct bank-permissible functions.[5] However, shortly thereafter, under the Biden administration, the OCC issued a purported clarification that such activity was permissible only once a financial institution has demonstrated, to its supervisory office’s satisfaction, that the financial institution has adequate controls in place for such activity.[6]

More robust federal regulation of the virtual currency industry is undoubtedly forthcoming, and it is possible that other states may follow the DFS’s lead as well. VCEs should engage with the DFS, and other applicable regulators, to ensure a role in the development of future guidance and regulations. VCEs must also take steps to implement the guidance and should carefully review and update existing policies and procedures as needed.

[1] For more information, please see our Client Alert.

[2] The guidance is not intended to limit the scope or applicability of any law or regulation.

[3] For more information, please see our Client Alert.

[4] See, e.g., FIN-2019-A003 (May 9, 2019), and more recently, FIN-2022-Alert001 (Mar. 7, 2022).

[5] For more information, please see our Client Alert.

[6] For more information, please see our Client Alert.