Crime and crypto: Concrete steps to address money laundering

Mainstream media stories about crypto tend to focus on eye-catching allegations of illicit financial activity, particularly when cryptocurrency is used to launder the proceeds of a hack, ransomware attack, or other cybercrime activity. As former prosecutors who spent a substantial part of our careers putting away bad guys  — including money launderers —  our interest is not in making headlines, but rather in helping Congress and other policymakers figure out which measures will be most effective in catching bad actors and reigning in illicit financial activity in the emerging crypto industry. In brief, the U.S. government should address criminal acts by foreign bad actors who are the principal threat. Below are some suggestions for how it can do so.

To begin, let’s first discuss two critically important issues for addressing the use of crypto in money laundering.

First, combating money laundering is really hard. Money launderers mimic legitimate activity so that illicit financial flows hide in plain sight. Accomplishing this requires using a variety of financial techniques that take advantage of opaque corners in the financial system. There is no silver bullet to combating this activity in either the traditional financial world or the crypto ecosystem. It takes forensic skills and time to unravel any illicit financial scheme, including those involving cryptocurrencies.

Second, and perhaps more importantly, money laundering is never the cause of criminal activity. Money laundering facilitates the profitability of the underlying crimes. It’s used to “wash” the illicit proceeds: think of Walter White on the TV show Breaking Bad buying a car wash to hide his profits from dealing meth. As a result, it shouldn’t be surprising that money laundering is not a crypto-specific problem. Money laundering and illicit finance have long been significant problems in traditional finance — as evidenced by FinCEN and the Department of Justice’s recent actions against TD Bank, which showed three different money laundering networks moving $670 million through the bank over several years. 

But here’s the thing: We don’t ban automobiles just because bank robbers use them as getaway vehicles. And it’s widely acknowledged that we don’t and shouldn’t prosecute coders for developing software. Ransomware and other cybercrime existed well before the advent of crypto and used a variety of techniques including money mules and PIN cashing to launder their illicit proceeds. In the absence of crypto, the profitability of ransomware attacks will merely drive the few criminals who use crypto to other tools to move or conceal their ill-gotten gains. 

At its core, what we are talking about is a cyber problem arising from at least three factors: the vulnerability of our critical digital infrastructure; the use of bullet-proof hosting providers in jurisdictions beyond the reach of U.S. authorities; and ransomware-as-a-service. None of these factors is crypto-specific. Singling out crypto — whether through new restrictive legislation or through so-called lawfare tactics — is unfair to the millions of law-abiding U.S. citizens who use blockchain technologies and could cause more harm by driving crypto transactions underground or into shadowy corners of the traditional global financial system. 

Acknowledging these stubborn facts does not mean accepting defeat. But it does mean that we have to do the hard work of understanding how to staunch the flow of illicit crypto activity. The good news is that thanks to the transparency and auditability of most blockchain transactions, blockchain analytics firms and law enforcement agencies have already done much of this hard work. We know, for instance, that the bulk of illicit financial activity in the crypto ecosystem moves through just a handful of exchanges in jurisdictions with weak or non-existent anti-money laundering regimes. We also know that this activity is performed by foreign actors who typically cannot be reached through existing U.S. enforcement mechanisms. For this reason, introducing laws that would attempt to regulate peer-to-peer transactions between private individuals in the same way we regulate banks and other financial intermediaries would ultimately not address the core issues. 

So what should the U.S. government do instead? It should address criminal acts by continuing to fortify the resilience of our digital critical infrastructure, while expanding powers that the Treasury Department has to attack bad foreign actors. We support three such expansions — and, conveniently, so does Treasury. We’ll get into the details of these proposals, but to summarize they are:

1. Amend the International Emergency Economic Powers Act (IEEPA) and the Bank Secrecy Act (BSA) to clearly authorize extraterritorial jurisdiction under certain circumstances; 
2. Increase Treasury’s enforcement capabilities to address compliance failures; and
3. Expand information sharing between the government and private sector.

Stop allowing overseas bad actors from using their foreign domicile to escape the law. 

First, Congress should pass legislation clarifying that IEEPA applies to any entity’s conduct abroad if they have significant touchpoints with the U.S. IEEPA already authorizes Treasury to impose sanctions on bad foreign actors, and Treasury has already used it to effectively target money laundering and cyber crime. An explicit grant of extraterritorial jurisdiction would make it crystal clear that Treasury’s Office of Foreign Assets Control (OFAC) can regulate foreign transactions that impact U.S. markets. OFAC could then take action against entities that have established relationships with U.S. businesses that operate abroad, or those that provide services to U.S. residents. 

This change could prevent virtual asset service providers and covered digital asset platforms from locating abroad and engaging in jurisdictional arbitrage to avoid regulations. This proposal would not have a negative impact on legitimate crypto businesses or the lawful financial activity occurring through them, and would not undermine the decentralized architecture of blockchains, which is so important to maintaining their security and resilience.

Establishing clear rules of the road by codifying current practice and guidance by Treasury’s Financial Crimes Enforcement Network (FinCEN) into statute or regulation would also help deter bad actors. For example, while FinCEN’s 2019 virtual asset guidance has been the clearest roadmap provided by regulators to the industry, codification would remove uncertainty that has arisen from intervening litigation in the years since its publication. 

In addition, FinCEN has already taken the position that the BSA applies to money transmitters outside the United States, including centralized cryptocurrency exchanges, when they do business wholly or in substantial part in the U.S. Codifying this extraterritorial standard in legislation would remove any litigation risk on an issue that has not yet been tested in court. It would allow authorities to pursue bad foreign actors more aggressively. An amendment could also be designed to allow covered foreign entities to comply with their home jurisdiction’s requirements provided those requirements meet certain minimum standards, such as those established by the Financial Action Task Force.

Step up Treasury’s enforcement capabilities to address compliance failures, particularly by entities that operate in countries without established regulations.

Noncompliance by exchanges, kiosks, and other money transmitters is the greatest illicit finance risk in the blockchain industry. Serious punitive consequences for regulatory failures and criminal violations will help deter money services businesses that offer fiat on- and off-ramps for the blockchain ecosystem from facilitating money laundering and sanctions evasion. 

And, of course, even though the government is well positioned to use its existing authorities to address such failures, agencies need sufficient resources to enforce the law. Put simply, we can’t fight illicit behavior without the right people and tools. In addition to enforcement actions, we recommend increasing criminal penalties and giving additional funding to Treasury and related law enforcement agencies to attract and retain personnel and to increase government access to blockchain and data analytics tools.  

The number of employees at FinCEN tasked with policing the entire industry for noncompliance is, frankly, too low. There’s a parallel here with earlier cybercrime efforts: The first attempts to fight cybercrime included specialized units with the expertise to investigate those violations, but these units were soon overwhelmed by cases. Law enforcement became more effective once specialized cyber forensic tools became broadly available, and when their employees were trained to use them. Similarly, blockchain analytics should cease to be a forensic specialty within law enforcement agencies; they should  become a basic tool used by all investigators.

Expand information sharing among the relevant agencies and private sector participants. 

Cybersecurity-related hacks and thefts of digital assets provide a known source of funding for sanctioned state actors like the DPRK. Rapid information sharing between the private and public sector is crucial to addressing this problem. Federal agencies should establish real-time information-sharing mechanisms and task forces with participation from both the private and public sectors to address cybersecurity incidents — including events like the DPRK hacks of digital asset platforms, bridges, and applications. FinCEN could host a 24/7 line similar to what it has done with Business Email Compromise incidents, particularly for ransomware attacks. Information gleaned from these mechanisms could be shared with investigative agencies so that they can take immediate action to freeze assets where possible. 

***

In addition to addressing the reality of cybercrime, these three proposals have the further advantage of being “tech neutral.” They would also help the government root out money laundering in traditional financial systems. 

No one is more interested in addressing bad behavior that involves cryptocurrency than responsible industry players. But imposing wholesale regulatory restrictions that are neither technically feasible nor practically suited risks driving innovation offshore, leading to an increase in crypto money laundering, not a decrease. 

And crypto — a technology that has the potential to give us a cheaper, faster, and more global financial system, and a fairer internet — should have a home in the United States. Crypto is a new technology that, like all technologies, can be used for good and ill. Crypto is not inherently criminal — just ask the millions of law-abiding Americans who use it and the many entrepreneurs who are building with it. So let’s stop acting like it is and instead start working together to find solutions that actually address the underlying threats. 

***

Michele Korver is the Head of Regulatory at a16z crypto where she helps our web3 portfolio companies to navigate the regulatory landscape.  Prior to joining the firm, she spent more than 25 years in government and law enforcement, including as a federal prosecutor and as the  Justice Department’s first dedicated subject matter expert in cryptocurrency-related prosecutions and forfeitures. She also served as Chief Digital Currency Advisor at the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). 

Jai Ramaswamy oversees the legal, compliance, and government affairs functions at Andreessen Horowitz as Chief Legal Officer. He was previously the Chief Risk & Compliance Officer at Celo, a layer one blockchain project. Jai also spent several years in the financial services industry as the Head of Enterprise Risk Management at Capital One and the Global Head of AML Compliance Risk Management at Bank of America/Merrill Lynch. Before joining the private sector, he served for over a decade at the Justice Department, as Chief of the Asset Forfeiture Section and as a white collar crime prosecutor in  the computer crimes section and in the Southern District of New York.

***

The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. In addition, this content may include third-party advertisements; a16z has not reviewed such advertisements and does not endorse any advertising content contained therein.

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://a16z.com/investments/.

Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.