CFTC and FinCEN Impose $100 Million Penalty on BitMEX

by H. Christopher BoehningWalter BrownJessica S. CareyManuel S. FreyMichael E. GertzmanMark F. MendelsohnRachel FiorillJacobus J. Schutte, and Bailey K. Williams

On August 10, 2021 the Commodity Futures Trading Commission (CFTC) and the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) announced $100 million in civil money penalties against BitMEX, a convertible virtual currency (CVC) derivatives exchange, for violations of the Currency Exchange Act (CEA) and the Bank Secrecy Act (BSA).[i]  This was FinCEN’s first enforcement action against a futures commission merchant (FCM), and the latest in a series of regulatory enforcement actions in the cryptocurrency space. 

Key Takeaways

  • U.S. regulators have made clear that they expect digital asset market participants to abide by the same standards of conduct that have long-applied to more traditional financial market participants. Underscoring this, CFTC Director of Enforcement Vincent McGonagle noted that the regulations established for the traditional derivatives market “apply equally in the growing digital assets market” and that cryptocurrency trading platforms must obtain appropriate registration and implement robust Know Your Customer (KYC) and anti-money laundering (AML) programs.[ii]  FinCEN’s Deputy Director AnnaLou Tirol also stressed that it was important for cryptocurrency platforms to “build in financial integrity from the start, so that financial innovation and opportunity are protected from vulnerabilities and exploitation.” [iii] 
  • FinCEN emphasized BitMEX’s lack of timely communication and full cooperation, as well as its failure to voluntarily disclose BSA violations to FinCEN—even after it learned it was being investigated by other government entities—as factors weighing in favor of the significant penalty. As regulatory attention increases, cryptocurrency companies operating in the U.S. should consider proactive engagement with U.S. regulators to ensure that they are meeting regulatory expectations.

The CFTC Resolution

BitMEX operates as a peer-to-peer “cryto-products trading platform” domiciled in the Seychelles that allows users to trade in cryptocurrency derivatives, including derivatives on bitcoin, ether and litecoin.  The CFTC had previously filed a civil enforcement action, in October 2020, charging five entities that operated BitMEX and their three founders for operating an unregistered trading platform and violating multiple CFTC regulations by illegally offering leveraged retail commodity transactions, futures, options and swaps on cryptocurrencies while “fail[ing] to implement the most basic compliance procedures required of financial institutions that impact U.S. markets.”[iv] 

The CFTC complaint charged the BitMEX entities and their founders with operating a significant portion of the business from the United States while unlawfully soliciting U.S-based retail and institutional customers and accepting orders and funds from U.S. customers to trade cryptocurrency derivatives.[v]  BitMEX also acted as a counterparty to certain transactions on its platform, including through its internal “market-making” desk, that could assume a customer’s position under certain circumstances.  BitMEX failed to conduct these transactions on a registered board of trade, and it was not registered as a foreign board of trade.[vi]  The CFTC noted that BitMEX collected over $1 billion in fees from trillions of dollars in digital asset derivatives transactions without registering with the CFTC, offering leveraged retail commodity transactions, futures, options and swaps, operating as an unregistered FCM, and operating a facility for trading swaps without being registered as a swap execution facility (SEF) or designated contract market (DCM) in violation of the CEA.  Additionally, BitMEX failed to maintain required records, establish rules to minimize conflicts of interest, or implement any rules or procedures to achieve compliance with the “core principles” required of DCMs or SEFs under the CEA, including (i) ensuring that contracts are not readily susceptible to manipulation; (ii) preventing market participants from engaging in manipulation or disruptive trading; and (iii) disciplining market participants who engage in misconduct.[vii] 

The CFTC complaint also noted that in addition to possessing internal reports indicating that U.S.-based traders were using the BitMEX platform, BitMEX also had knowledge that U.S. customers were using VPNs to mask their U.S. IP addresses in order to access the BitMEX platform and that U.S.-based individuals openly utilized its “affiliate” program to solicit other customers to trade on the BitMEX platform in exchange for compensation from BitMEX.[viii]  According to the CFTC, BitMEX took deliberate steps to evade, rather than comply with, U.S. regulations, including by coaching U.S.-based trading firms to incorporate offshore entities to open BitMEX trading accounts while at the same time representing that it did not service U.S.-based customers.[ix] 

The CFTC’s August 2021 Consent Order with BitMEX, which resolved the prior action, found that from at least November 2014 through October 2020, BitMEX violated the CEA by (i) operating a facility to trade or process swaps without regulatory approval and (ii) operating as a FCM without CFTC registration.  The CFTC also found that BitMEX violated CFTC regulations by failing to implement (i) procedures that would enable BitMEX to identify U.S. customers utilizing its platform, and (ii) an AML program.[x]

The CFTC Consent Order notes that BitMEX has engaged in remedial measures, including the development of an AML and user verification program, and has further certified that anyone located in the U.S. is prohibited from accessing the BitMEX platform and all U.S. users have been blocked from trading or utilizing the BitMEX platform.  BitMEX also confirmed that it no longer maintains significant business operations or functions in the U.S.[xi]

The FinCEN Resolution

The FinCEN Assessment[xii] against BitMEX covers roughly the same time period as the CFTC resolution, i.e., the period while BitMEX was operating as an FCM in the United States and accepting orders from U.S. customers.  FinCEN found that BitMEX willfully (i) failed to implement and maintain a compliant AML program; (ii) failed to implement and maintain a compliant customer identification program (CIP) and (iii) failed to report certain suspicious activity.  The significant $100 million fine assessed on BitMEX reflects the “extensive scope and grave seriousness of the violations,” including FinCEN’s assessment of the possible harm to the public and amounts involved[xiii] and will be satisfied by $80 million in payments to FinCEN and the CFTC now, with an additional $20 million penalty suspended pending completion of a SAR lookback and independent consultant reviews of BitMEX’s AML policies, procedures and controls.  

FinCEN considered the following factors in determining the amount of the civil money penalty and required undertakings:

  • BitMEX operated one of the largest bitcoin derivatives platforms in the world and collected over $1 billion in commissions and fees without establishing any AML program, CIP, or SAR reporting regime, openly advertised its lack of customer due diligence, and even operated a mirror site to assist customers in masking their IP addresses and identities while conducting transactions on the BitMEX platform.
  • BitMEX denied law enforcement critical information by failing to file a single SAR from 2014 to 2020.
  • The pervasiveness of wrongdoing at BitMEX included the complicity of senior management in the underlying violations. BitMEX owners and senior leadership knowingly and openly disregarded their regulatory obligations, maintaining that, even in instances of terrorist financing, BitMEX would not report suspicious activity unless it was first contacted by law enforcement.
  • The systematic nature and extended duration of the violations, which existed at BitMEX since its inception and continued until BitMEX was approached by the U.S. government in 2020. Although BitMEX began remedial actions in late 2020, FinCEN ultimately concluded that the lack of timely and complete cooperation and failure to voluntarily disclose BSA violations to FinCEN weighted in favor of a significant monetary penalty and robust undertakings.

Willful Failure to Maintain a Compliance AML Program

FinCEN found that BitMEX willfully failed to implement a written AML program that was approved by senior management and satisfied all AML program requirements under the BSA and implementing regulations.[xiv]  Specifically, FinCEN noted that internal communications between BitMEX’s founders and senior management concerning BitMEX’s licenses and legal obligations demonstrated senior management was “aware of their AML obligations at the beginning of [BitMEX’s] operations, including specifically how providing services to U.S. [c]ustomers could affect the company […],” but failed to implement any of the requirements of an AML program.[xv]  The FinCEN Assessment also cited inquiries from U.S.-based financial institutions about BitMEX’s AML policies, procedures and internal controls, noting that at least one U.S.-based institution refused to conduct business with BitMEX after BitMEX’s co-founder and CEO admitted that BitMEX did not conduct any Office of Foreign Assets Control (“OFAC”) screening, and did not perform any other KYC screening beyond verifying a customer’s email address.[xvi]  The FinCEN Assessment also identified widespread deficiencies at BitMEX, for example, from 2014 through 2020, BitMEX:

  • failed to hire a designated compliance officer or conduct any AML training or independent testing of its AML program;
  • failed to conduct required customer due diligence, allowing customers to create an account with only an email address and failing to collect, maintain, update or verify any additional customer information at all;
  • failed to implement any policies, procedures or internal controls to review bitcoin transactions and identify potentially suspicious transactions occurring through the BitMEX platform, which allowed thousands of transactions with suspicious counterparties that included darknet markets, high-risk jurisdictions and unregistered money service businesses (MSBs);
  • failed to implement additional policies, procedures and internal controls specifically related to jurisdiction screening, including or otherwise exclude U.S. customers from using the BitMEX platform despite BitMEX representing, at times, that it only did business outside of the U.S.; and
  • failed to collect metadata, including IP addresses of users utilizing IP anonymizers such as torrent web browsers, and even providing BitMEX customers with a mirror website to actively facilitate transactions without implementing any risk-based policies, procedures or internal controls until 2016.

Notably, the FinCEN Assessment highlights BitMEX’s conflicting public statements regarding its U.S. customer base, citing conflicting public statements from BitMEX’s co-founder and CEO indicating that BitMEX explicitly served U.S. customers[xvii] and representations from BitMEX that it only conducted business outside of the U.S.[xviii]  The FinCEN Assessment describes how, in practice, BitMEX leadership was aware of internal reports indicating that BitMEX served U.S.-domiciled customers, actively ignored signs that U.S. customers traded on the platform, failed to screen for customers that used a VPN to circumvent IP monitoring and ignored a 2018 report that identified BitMEX customers registered in the U.S., Cuba, Iran, Syria, North Korea and Sudan.  FinCEN further noted that the BitMEX co-founders directly altered customer information to mask the location of BitMEX’s U.S. customers, and instructed other U.S. customers to establish shell companies in foreign jurisdictions in order to trade on the BitMEX platform.

Willful Failure to Maintain a Customer Identification Program

The FinCEN Assessment notes that by its own admission, BitMEX never established or implemented a written CIP as required by the BSA and did not collect or verify any information regarding the majority of its customers from November 2014 through December 2020.[xix]  In fact, BitMEX deliberately implemented policies and procedures that violated these requirements.  For example, BitMEX’s registration page stated that “[s]ign up takes less than 30 seconds and requires no personal information.”[xx]  The FinCEN Assessment cited internal communications between BitMEX’s senior management as evidence that BitMEX was aware of the requirement to collect and verify customer information, but refused to change its practice of collecting anything more than a customer’s email address unless they “come under significant government pressure.”[xxi]

Willful Failure to File Suspicious Activity Reports

FinCEN found that at least $209 million worth of transactions were conducted by, at or through BitMEX with counterparties linked to known darknet markets or unregistered MSBs, in addition to transactions involving high risk jurisdictions and alleged fraud schemes.  FinCEN determined that BitMEX failed to file SARs on at least 588 transactions totaling $15 million which included transactions between BitMEX customers and darknet markets, Iranian CVC exchanges, unregistered MSBs providing “mixing” services[xxii] as a method for anonymizing users and obfuscating bitcoin transactions, as well as transactions with counterparties engaged in publicly identified fraud operations, including large-scale pyramid and elder financial exploitation schemes.[xxiii]

SAR Lookback and U.S Controls Undertakings

The FinCEN Assessment requires BitMEX to hire a qualified independent consultant to conduct a lookback on all transactions or attempted transactions by, at or through the BitMEX platform from November 1, 2014 through December 12, 2020 to determine whether suspicious activity was properly identified and reported, and to file SARs on all transactions identified by the independent consultant.  The FinCEN Assessment notes that the additional SAR filing is a “one-time filing by [BitMEX] as part of the settlement and does not constitute acceptance by BitMEX that it is subject to SAR filing requirements pursuant to the BSA and its implementing regulations.”[xxiv]

Additionally, BitMEX is required to hire a qualified independent consultant to perform two reviews of BitMEX’s operations, policies, procedures and controls, including its User Verification Program, to confirm that they are effective and reasonably designed to ensure that BitMEX is not operating in the United States or conducting business directly or indirectly with U.S. customers.

Footnotes

[i]        In the Matter of HDR Global Trading Limited, et al., No. 2021-02, at 4, (hereinafter, “FinCEN Assessment”) available here (403 KB).

[ii]        Commodity Futures Trading Commission, CFTC Charges BitMEX Owners with Illegally Operating a Cryptocurrency Derivatives Trading Platform and Anti-Money Laundering Violations, CFTC Press Release 8270-20, (Oct. 1, 2020), (hereinafter “CFTC Press Release”) available here.

[iii]       Financial Crimes Enforcement Network, FinCEN Announces $100 Million Enforcement Action Against Unregistered Futures Commission Merchant BitMEX for Willful Violations of the Bank Secrecy Act, (Aug. 10, 2021), (hereinafter “FinCEN Press Release”) available here.

[iv]       CFTC Press Release at 1.  The U.S. Attorney’s Office for the Southern District of New York also indicted Hayes, Delo, Reed and another individual named Gregory Dwyer on federal charges of violating the BSA and conspiracy to violate the BSA.  They have pleaded not guilty to criminal charges and the August 10, 2021 settlement does not resolve their cases.  See United States v. Hayes, No. 20 CR. 500 (S.D.N.Y. Oct. 13, 2020).  

[v]        See Commodity Futures Trading Commission v. HDR Global Trading Ltd. et al., No. 20-cv-8132 (S.D.N.Y. Oct. 1, 2020) (hereinafter “CFTC Complaint”), available here (PDF 403 KB).

[vi]       Id. at 15-16.  

[vii]      Id. at 9-10.

[viii]      Id. at 21-22.

[ix]       Id. at 27.

[x]        This client alert describes the allegations contained in the consent order, which BitMEX did not admit or deny.  See Commodity Futures Trading Commission v. HDR Global Trading Ltd. et al., No. 20-cv-8132 (S.D.N.Y. Oct. 1, 2020), available here (PDF 403 KB).

[xi]       Id. at 9.

[xii]      In the Matter of HDR Global Trading Limited, et al., No. 2021-02, at 4, available here (PDF 403 KB).

[xiii]      FinCEN Assessment at 27.

[xiv]      These requirements include, (i) establishment and implementation of policies, procedures and internal controls reasonably designed to prevent the financial institution from being used for money laundering or the financing of terrorist activities and to achieve compliance with the BSA and implementing regulations; (ii) independent testing for compliance; (iii) designation of an individual or individuals responsible for implementing and monitoring the operations and internal controls of the program; (iv) ongoing training of appropriate personnel; and (v) appropriate risk-based procedures for conducting ongoing customer due diligence, including, but not limited to understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile and conducting ongoing monitoring to identify and report suspicious transactions.  See FinCEN Assessment at 5; see also 31 U.S.C. §§ 5318(h)(1), (2); 31 C.F.R. § 1026.210(b).

[xv]       Id. at 6.

[xvi]      Id. at 8.

[xvii]     FinCEN Assessment at 11-12 (citing statements from BitMEX’s co-founder and CEO in 2015 indicating that BitMEX would only stop doing business in New York State effective August 16, 2015 and stating that BitMEX “accept[ed] customers globally except for [New York] State.”).

[xviii]    FinCEN Assessment at 12 ( “While BitMEX continued to represent that it only did business outside the U.S. – at times, representing that the U.S. was the only jurisdiction where transactions were prohibited – in practice BitMEX actively ignored signs that U.S. Customers traded on the platform and chose to overlook or alter data indicating that customers were located in the U.S.”).

[xix]      Id. at 14.

[xx]       Id.

[xxi]      Id. at 15.

[xxii]     FinCEN guidance issued in 2019 states that “mixers” who provide CVC  anonymizing services are considered money transmitters under FinCEN regulations and must comply with BSA obligations, including by tracking the CVC through different transactions and implement procedures to obtain the identity of transmitter or recipient of the value.  See U.S. Dep’t of Treas., Fin. Crimes Enf’t Network, FIN-2019-G001, Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies, (2019), available here (PDF 477 KB).  In October 2020, FinCEN assessed a $60 million civil money penalty against the founder of two CVC “mixers” Helix and Coin Ninja, the first bitcoin “mixer” penalized by FinCEN for violating AML laws.  See Financial Crimes Enforcement Network, First Bitcoin “Mixer” Penalized by FinCEN for Violating Anti-Money Laundering Laws (Oct. 19, 2020), available here.

[xxiii]    FinCEN Assessment at 15-18.

[xxiv]     Id. at 23.

H. Christopher BoehningWalter BrownJessica S. CareyManuel S. FreyMichael E. Gertzman, and Mark F. Mendelsohn are partners, Rachel FiorillJacobus J. Schutte are of counsel, and Bailey K. Williams is an associate at Paul, Weiss, Rifkind, Wharton & Garrison LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.