The NYU Program on Corporate Compliance and Enforcement (PCCE) is following the recent federal enforcement actions against Binance, the world’s largest cryptocurrency exchange, and its founder Changpeng Zhao. In this post, crypto experts, former prosecutors, and the former Superintendent of the New York Department of Financial Services offer their expert insights on these developments.
Left to right: Maria Vullo, Eugene Ingoglia, Daniel Payne, Ijeoma Okoli, and Paul Krieger (Photos courtesy of authors)
Binance – The Importance of Financial Intermediation and Anti-Money Laundering Laws
The recent criminal guilty pleas and related actions involving Binance Holdings Limited (“Binance”)[1] and its Chief Executive Officer Changpeng Zhao demonstrate the importance of rigorous enforcement of Bank Secrecy Act (“BSA”) laws and regulations. In its consent order with Binance, the Financial Crimes Enforcement Network (FinCEN), the federal agency principally responsible for BSA anti-money laundering (AML) rulemaking and enforcement, sets forth in alarming detail how Binance, the world’s largest cryptocurrency exchange, engaged in transactions through a virtually non-existent compliance system in willful violation of the most basic requirements of BSA/AML and economic sanctions laws.[2] The Binance actions reinforce the necessity that financial transactions, whether in fiat or crypto currency, must be intermediated through regulated financial institutions that implement and maintain effective AML and sanctions compliance systems. With U.S. national security, foreign policy, terrorist financing, and illicit activities at stake, there is no place for an unregulated financial firm that allows users to be anonymous or for any user to engage in unmonitored financial transactions.
Binance will pay a total monetary penalty of $4.316 billion, with $3.4 billion of that penalty imposed by FinCEN along with additional undertakings.[3] The 92-page FinCEN Consent Order details egregious conduct over a six-year period in violation of each of the five pillars of a required AML program. Most strikingly, Binance failed to register as a money services business (MSB) and filed not a single suspicious activity report (SAR) with FinCEN, despite having over a million U.S. users.[4] FinCEN describes willful misrepresentations by Binance to U.S. authorities that it was not serving U.S. customers, and its instructions to users that they change their identification information in order to hide their U.S. connection. Further, Binance’s “paper only” AML program lacked an effective customer identification program (i.e., ”know-your-customer” requirements); employed an unqualified and complicit chief compliance officer; had no personnel training; and lacked independent review.[5]
The U.S. financial system is structured with regulated banks that “intermediate” U.S. dollar transactions. FinCEN MSB registration requirements, as well as state money transmitter licensing laws, also require nonbanks engaged in currency transactions for customers to comply with BSA/AML and sanctions laws.[6] This financial intermediation system protects the public from criminal activity, and SAR filing requirements provide law enforcement with necessary information to investigate and prosecute crime. Without access to the financial system, terrorists, money launderers, drug and human traffickers, and their financiers, are stymied in their capacity to commit crimes. Yet, the FinCEN consent order sets forth in alarming detail how Binance facilitated transactions involving international terrorist organizations such as Al-Qaeda, ISIS and Hamas, militant Iraqi groups, Iranian and other sanctioned counterparties, and child sexual exploitation wallet addresses.[7] The consent order further shows the complicity of Binance senior management in the violations and that the company was “recalcitrant” in responding to FinCEN information requests.[8]
The Binance investigation details wholly undermine the claim that crypto users should be permitted to conduct anonymous peer-to-peer transactions or that the crypto industry’s principal purpose is to “democratize finance.” Following on the heels of the FTX/Alamada Research criminal convictions, the Binance actions leave no doubt that cryptocurrency firms should be subject to the same regulatory requirements applicable to banks and money transmitters. Indeed, FinCEN has made clear for years that virtual currency firms are subject to AML laws, and the Anti-Money Laundering Act of 2020 explicitly provided that virtual currency firms are subject to the BSA.[9] The continued evasion of AML and sanctions laws by firms that find foreign safe havens is a wake-up call for Congress to act to establish a strong regulatory framework for this industry that mirrors bank regulatory requirements, beyond and apart from the current impasse on whether individual cryptocurrencies constitute securities or commodities.[10] The heart of the U.S. system of financial intermediation is industries’ longstanding role in national security and financial crime prevention.
Footnotes
[1] Binance, a Cayman Islands registered company, was founded by Zhao in 2017 and controls, among other entities, the Binance.com virtual currency exchange. According to the DOJ information, through Binance.com, millions of users in more than 180 countries have conducted transactions involving hundreds of types of virtual assets in volumes equivalent to trillions of U.S. dollars. See Binance Information, par. 3.
[2] FinCEN Consent Order 2023-04, FinCEN Consent Order Number 2023-04. Although the Office of Foreign Assets Control (OFAC) is responsible for U.S. economic sanctions laws, in addition to terrorist and militant groups, FinCEN’s consent order provides troubling information regarding Binance’s facilitation of the evasion of such laws involving Iran, Iraq, and Syria. (Consent Order, pp. 45-52) The DOJ adds Cuba and Ukrainian regions, with all sanctions offenses violating the International Emergency Economic Powers Act (IEEPA). See Binance Information par. 59-79.
[3] FinCEN credits against its $3.4 billion penalty the $2.47 billion paid to the U.S. Department of Justice and the Commodity Futures Trading Commission and has suspended $150 million of the remaining amount pending Binance’s satisfaction of the undertakings set forth in the consent order. Those undertakings include three independent reviews: a five-year independent compliance monitor, an independent consultant to conduct a SAR lookback, and an independent AML program consultant to conduct a full AML program review. The DOJ Plea Agreements also require certain compliance undertakings, as well as the resignation of Zhao as CEO.
[4] Binance.US registered as an MSB in 2019, though the consent order details how this action was intended to distract U.S. regulators from Binance’s U.S. presence. (Consent Order, p. 27)
[5] Consent Order, pp. 32-43. Binance admits that it willfully violated the BSA. Consent Order, p. 71.
[6] MSB registration is required for any business that provides money transmission services for its customers. Binance, like most cryptocurrency firms, provides currency exchange services for its customers, involving the exchange of fiat and crypto currency. This jurisdictional basis for AML laws is entirely separate from the question as to whether a specific type of digital asset is a commodity or a security.
[7] Consent Order, pp. 50-51.
[8] Consent Order, pp. 55-58.
[9] See also, e.g., FIN-2019-G001 (May 9, 2019), https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf.
[10] A bipartisan bill has been introduced in the U.S. Senate to strengthen AML laws applicable to crypto businesses, see https://www.warren.senate.gov/imo/media/doc/Digital%20Asset%20Anti-Money%20Laundering%20Act%20of%202023.pdf, but a statutory framework that would subject crypto firms more broadly to bank regulatory standards (as opposed to securities and/or commodities standards) has not been proposed.
Maria T. Vullo is a Senior Fellow with PCCE. She is the former Superintendent of Financial Services of the State of New York and currently is CEO of Vullo Advisory Services, PLLC, and an Adjunct Professor of Law at Fordham Law School.
The U.S. Seeks to Keep Enforcement Hooks in Binance to Ensure Ongoing Compliance with AML Laws
Apart from the landmark nature of the charges and pleas, there are two other aspects that strike me as most interesting: (1) the requirement that the company be subject to an outside independent monitor; and (2) that no settlement was announced between the company and the SEC.
An outside monitor
The DOJ agreement
The agreement between the company and DOJ requires the imposition of an independent outside monitor for a period of three years. The monitor is to “assess and monitor the Company’s compliance with the terms of the Agreement, including the Company’s compliance programs, policies, procedures, codes of conduct, systems, and internal controls, including its anti-money laundering and U.S. sanction compliance programs … to specifically address and reduce the risk of any recurrence of the Company’s misconduct.”
In addition, “the monitor will evaluate . . . the effectiveness of the Company’s Compliance Programs as they relate to its current and ongoing compliance with the law prohibiting money laundering, laws requiring anti-money laundering programs, and laws prohibiting violations of U.S. sanctions.”
Finally, the monitor’s review “shall include an assessment of the Company governing authority’s and senior management’s commitment to, and effective implementation of, the compliance commitments described in . . . the Agreement.”
The FinCEN agreement
The agreement between the company and FinCEN requires an outside independent monitor for a period of five years. The monitor’s mandate is broad, and its primary responsibility is described as “to: (i) assess and monitor Binance’s compliance with the terms of the Consent Order . . . so as to specifically address and reduce the risk of any recurrence of Binance’s misconduct; (ii) evaluate the effectiveness of Binance’s compliance with Relevant BSA Provisions and related implementing regulations applicable to MSBs … ; (iii) assess and monitor senior management’s commitment to, and effective implementation of, Binance’s AML and sanctions compliance programs; and (iv) assess and monitor Binance’s compliance with the applicable terms of the settlement agreement between Binance and OFAC, the consent order between Binance and the CFTC, as well as the applicable terms of Binance’s plea agreement with the Department of Justice (collectively, the Mandate).”
This is no small thing. It signals that the U.S. government wants to keep compliance hooks in the company to ensure that the government’s anti-money laundering and sanctions compliance regimes continue to be honored into the future. It also suggests that the U.S. expects that the company will survive these resolutions; and that the U.S. hopes to impact the industry, and Binance’s counterparties, by enforcing these changes within the company.
The SEC action
Conspicuously missing from last week’s announcement was any settlement with the Securities and Exchange Commission, which previously had brought charges against the company and its then CEO. In a perfect world, a company would want to resolve its exposures across all the agencies, but in the real world there can be an unbridgeable gap between the wanting and the having. It makes me wonder what was happening behind the curtain.
Was a settlement involving the SEC in the works, but bogged down over some critical disagreement? If so, could it be revived? Or, are the parties hellbent on prevailing on key issues that have divided them, such as the SEC’s views on certain digital assets as securities, or the SEC’s contention that the company’s risk controls are deficient and their suggestion that customer funds could be at risk — contentions that the company has vigorously rejected.
This is an aspect I will be watching going forward.
Eugene Ingoglia is a Partner at Allen & Overy LLP and a former Assistant United States Attorney at the U.S. Attorney’s Office for the Southern District of New York (SDNY).
The Calculus of Operating a Cryptocurrency Exchange in the United States
by Daniel Payne
On November 21, 2023, Binance Holdings Limited (“Binance”) and its Chief Executive Officer, Changpeng Zhao (“CZ”) pleaded guilty to criminal charges in U.S. federal court. The plea agreement is a new, instructive data point in the ongoing calculus that cryptocurrency exchanges must master to operate in the U.S. The company’s statement on the plea deal acknowledges that it moved fast – “grew at an extremely fast pace” – and broke things – “made misguided decisions.” Was following Silicon Valley’s famous mantra the right move?
The settlement includes guilty pleas to charges relating to anti-money laundering, sanctions, and money transmission; a $4.3 billion penalty; and CZ’s agreement to step down from the company. CZ’s sentencing is set for February 2024 and the New York Times has reported prosecutors will seek an 18-month sentence. On the other hand, Binance was able to grow into the world’s largest cryptocurrency exchange prior to the settlement, and it will continue to operate even as CZ keeps his ownership interest in the company. Some prognosticators think CZ will get probation like BitMEX’s founder in an analogous case in 2022.
“Move fast and break things” has been the default strategy for most cryptocurrency exchanges in the U.S. The outcomes of this strategy have been widely divergent. FTX famously imploded into bankruptcy in November 2022 and its CEO, Sam Bankman-Fried, is now looking at decades in prison. BitMEX entered a settlement similar to Binance’s: guilty pleas for similar charges; $100 million penalty; and probation for its founder. BitMEX no longer does business in the U.S. Coinbase has fared much better: it is engaged in high-stakes litigation with the SEC, but it has not faced any criminal investigations.
Where does the calculus point today?[1] Avoiding government investigations and litigation appears highly difficult across the board, so waiting for the “all clear” does not appear to be a viable business strategy. Exchanges are generally moving faster than the regulators, which is leading to enforcement and criminal cases sooner or later. Solving the calculus involves at least one non-negotiable approach: safeguarding customer funds. Almost any other transgression is survivable. Now, exchanges in the U.S. can start figuring out this problem: if you want to be the biggest exchange in the world, you may be able to get away with some lax and highly risky practices if you’re willing to pay a ten-figure penalty and face down time in prison. Is it worth it?
Footnotes
[1] Remember, this calculus is optional. Bittrex looked around at the state of play and decided to leave the U.S. in early 2023. (It got an SEC enforcement action on its way out the door for good measure).
Daniel Payne is a Senior Fellow at the International Congress of Blockchain Advisors and serves as in-house counsel to blockchain brands.
FinTech Meets the Long Arm of US Law
by Ijeoma Okoli
The oft-cited approach to technological innovation, ‘moving fast and breaking things’, while ignoring regulation certainly doesn’t work when such innovation involves financial services. Financial services in the U.S. are heavily regulated and there is no hiding anywhere in the world from the long arm of U.S. law, as Binance Holdings, Limited and its CEO, Changpeng Zhao (who hopped around the world and famously claimed that Binance had no physical headquarters[1]), learned the hard way with a record-breaking $4.3 billion fine[2] (the “Binance Settlement”) imposed by a combination of the Department of Justice, the Department of Treasury, and the Commodity Futures Trading Commission.
Participants in the traditional financial services sector know all too well the seemingly global reach of U.S. law which essentially means that, as Treasury Secretary Janet Yellen reminded the crypto sector in connection with the Binance Settlement, “[a]ny institution, wherever located, that wants to reap the benefits of the U.S. financial system must also play by its rules.”[3] This requirement to comply with US law does not go away because new technology is used in connection with operating in the financial system.
Given Binance’s record-breaking fine (the largest enforcement action in Treasury Department history according to Secretary Yellen), requirements for external monitors to review and assess Binance’s activities to ensure compliance with U.S. law (including in connection with the operation of binance.com, even though Binance is removing the ability of U.S. customers to access binance.com), as well as other requirements imposed on Binance under threat of additional enforcement action if Binance does not comply with its obligations under the Binance Settlement, a key lesson that the crypto sector must heed is that regardless of where firms incorporate in the world, if they have U.S. persons accessing their services, they must comply with U.S. law.
Some questions remain, though, in connection with the Binance settlement, including:
- As noted by Acting U.S. Attorney Tessa M. Gorman for the Western District of Washington “[Mr. Zhao] knowingly operated a financial platform without basic anti-money laundering safeguards, …. caus[ing] illegal transactions between U.S. users and users in sanctioned jurisdictions”[4] including between January 2018 and May 2022, [when] Binance willfully caused over $898 million in trades between U.S. users and users ordinarily resident in Iran.”[5] Pursuant to the Binance Settlement, Binance will be required to report all suspicious activity that it has not reported to the Office of Foreign Assets Control of the Department of Treasury (“OFAC”) to date. So, do the revelations thus far, and any additional revelations that may come to light as a result of the suspicious activity reports to be filed, mean that the Justice Department and/or OFAC may also target Binance’s U.S. customers/persons for violating U.S. sanctions in connection with the over 1.5 million[6] virtual currency trades that Treasury estimates violated U.S. sanctions? The settlement agreement between OFAC and Binance included an agreement by Binance to cooperate with OFAC in relation to “any and all matters under investigation by OFAC including any investigation of Respondent…, or any other party,”[7] so enforcement action against other currently unknown parties is a possibility.
- Lastly, as one of the market regulators with jurisdiction over swaths of the crypto sector and with charges filed against Binance and Mr. Zhao in June 2023[8], why was the SEC conspicuously missing from the Binance Settlement?
Footnotes
[1] Binance CEO CZ Still Says His Company Has No Headquarters – Decrypt; Binance Doesn’t Have a Headquarters Because Bitcoin Doesn’t, Says CEO (yahoo.com).
[2] Office of Public Affairs | Attorney General Merrick B. Garland Delivers Remarks Announcing Binance and CEO Guilty Pleas to Federal Charges in $4B Resolution | United States Department of Justice.
[3] Office of Public Affairs | Binance and CEO Plead Guilty to Federal Charges in $4B Resolution | United States Department of Justice.
[6] Remarks by Secretary of the Treasury Janet L. Yellen at Press Conference Announcing New Treasury Action Against Illicit Finance | U.S. Department of the Treasury.
[7] Settlement Agreement dated November 21, 2023 between the U.S. Department of Treasury’s Office of Foreign Assets Control and Binance Holdings, Ltd. (20231121_binance_settlement.pdf (treasury.gov)).
[8] SEC.gov | SEC Files 13 Charges Against Binance Entities and Founder Changpeng Zhao.
Ijeoma Okoli is a finance and regulatory lawyer and strategic adviser on digital assets; a co-Director of the Digital Economy Initiative and a founding member and limited partner of Impact X Capital Partners. She previously was an Executive Director and Digital Currency Risk Management Lead at JPMorgan.
Contrasting Charges Against Binance and Zhao
by Paul Krieger
At first glance, headline-grabbing fines and DOJ rhetoric seem to paint both Binance and its CEO, Changpeng Zhao, with the same broad brush. Acting Assistant Attorney General Nicole Argentieri, for instance, highlighted “Binance’s and Zhao’s willful violations of anti-money laundering and sanctions laws” alike. Indeed, settlement documents reflect various conversations among the CEO and other senior executives that lay out a facially strong case for criminal IEEPA charges against these individuals. But, unlike the company, Zhao pleaded guilty only to a single BSA charge of failure to maintain an effective AML program and other senior Binance executives have, so far, avoided criminal charges altogether.
Settlement documents from DOJ and OFAC suggest that standalone IEEPA charges against individuals were not out of the question. Zhao’s plea agreement, for example, details how he was “specifically warned” about legal risks — such as “arrest[] for sanctions violations” — that stemmed from the fact that “both U.S. users and users in comprehensively sanctioned jurisdictions” transacted through Binance. ¶9(k). “[A]t least $890 million in transactions” involving Iran did in fact occur, as well as those involving “Cuba, Syria, and the Ukrainian regions of Crimea, Donetsk, and Luhansk.” ¶9(o). Binance’s plea agreement, moreover, suggests that Zhao and at least three unnamed senior executives understood that the company’s lack of sanctions controls violated U.S. law while feigning remediation. See Statement of Facts at ¶¶63–80. And OFAC’s Enforcement Release asserts that “senior Binance management” knowingly permitted sanctions violations not only by “disregarding known sanctions risks” but also by actively “undermin[ing the company’s] own compliance function.”
Granted, we do not know whether the totality of nonpublic evidence against Zhao met IEEPA’s “willful[]” mens rea requirement, 50 U.S.C. § 1705(c), or what other factors contributed to the decision not to bring IEEPA charges against individuals so far. IEEPA carries a 20-year statutory maximum, in contrast with 31 U.S.C. § 5322(b)’s 10-year and § 5322(a)’s 5-year maximums. Clearly, obtaining any criminal conviction against Zhao was a significant accomplishment for the DOJ. Nevertheless, the fact that Zhao and potentially other executives avoided more serious charges — despite the evidence detailed throughout the abovementioned documents — reinforces the lesson that in resolving high profile matters, the DOJ is prepared to treat companies more harshly than their executives for whom a criminal resolution has, almost by definition, a more direct, personal, and immediate impact.
Paul Krieger is a Co-Founder and Partner at Krieger Kim & Lewin LLP. Previously, he was Chief of the Complex Frauds and Cybercrime Unit of the SDNY.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).