On August 10, 2021, the Commodities Futures Trading Commission (“CFTC”) and the Financial Crimes Enforcement Network (“FinCEN”) announced a $100 Million settlement with BitMEX, a company claiming to be the largest cryptocurrency derivatives platform in the world. BitMEX offered derivatives trading in bitcoin, ether and litecoin.
As part of the settlement, BitMEX agreed to: (i) pay a fine of $100 Million, (ii) block U.S. persons’ access to its platform, (iii) provide user-verification of all active users, (iii) prevent unverified users from accessing its site, and (iv) limit its U.S. presence.
While it is difficult to provide hard and fast rules given the uncertainty around cryptocurrency regulations, the following are some of the takeaways from the case and its settlement.
If You Offer Crypto Derivatives to U.S. Persons You Need to Register with the CFTC
If you offer futures, options, bids, puts, calls, guarantees, swaps or contracts of sale (collectively “derivatives”) for cryptocurrencies to U.S. persons, then you need to register with the CFTC.
In BitMEX’s case, the CFTC stated that BitMEX should have registered: (i) either as a designated contract market or a swap execution facility, (ii) as a futures commission merchant, and (iii) as a board of trade.
If you do not want to register with the CFTC, then do not offer derivatives to U.S. persons.
If You Offer Crypto Derivatives to U.S. Persons You Need to Have KYC Procedures
Based on the BitMEX complaint and settlement, it is critical for derivatives platforms to implement know your customer (“KYC”) procedures commonly found in the financial services industry.
Taking the position that crypto industry is somehow exempt from the Commodity Exchange Act is not a tenable position in the current environment.
The CFTC expects derivatives trading platforms to be able to determine the true identity of their customers through a customer identification program that consists of KYC procedures and user verification.
FinCEN was more specific in its criticism stating that BitMEX should have had a customer identification program that consisted of, at a minimum: (i) collection and verification of specific customer information, and (ii) detailed record-keeping.
If You Offer Crypto Derivatives to U.S. Persons You Need to Have User Verification
The CFTA mentioned the fact that BitMEX failed to implement a user verification program several times.
The settlement agreement required BitMEX to have a system for user verification and to ban unverified users from its site.
If You Offer Crypto Derivatives to U.S. Persons You Need to Have an AML Program
The final piece of the puzzle for derivatives platforms is implementing an Anti-Money Laundering (“AML”) program that satisfies the Bank Secrecy Act (“BSA”). An AML program is intended to detect and prevent terrorists and bad actors, including the Office of Foreign Assets Control watchlist persons, from using the platform.
FinCEN noted that for an AML program to satisfy the BSA it must include the following: (i) the establishment and implementation of policies and procedures designed to prevent the financial institution from being used for money laundering or financing of terrorist activities and to achieve compliance with the BSA, (ii) independent testing for compliance, (iii) designation of an individual or individuals responsible for monitoring operations and internal controls, (iv) ongoing training of relevant personnel, and (v) risk-based procedures for conducting ongoing customer due diligence.
U.S. regulators in particular are very focused on national security and criminal activity on crypto platforms so adopting a robust AML program is crucial to avoid the appearance of involvement in illegal activity.
If You Offer Crypto Derivatives to U.S. Persons You Need to Comply with the Bank Secrecy Act
FinCEN determined that BitMEX was a financial institution under the BSA and was therefore required to meet certain obligations under the BSA.
Specifically, FinCEN stated that BitMEX: (i) failed to implement an AML program, (ii) failed to implement and maintain a customer identification program, and (iii) failed to report suspicious activity.
While implementing these changes may be costly, it is a smart use of funds for companies operating in the U.S. and can provide some protection for platforms in non- U.S. jurisdictions that are seeking to regulate cryptocurrency platforms.