Submitting various reports to FIUs is a key aspect of crypto compliance across numerous jurisdictions.
The two main types of reports COs need to be acquainted with are those for 1) suspicious behavior and 2) large transactions. For suspicious behavior, these include (but are not limited to); the Suspicious Activity Report (SAR) and the Suspicious Transaction Report (STR). For large transactions those include; the Currency Transaction Report (CTR) and the Large Virtual Currency Transaction Report (LVCTR).
The use of SARs and STRs for compliance requirements are particularly ubiquitous. SARs in the U.S. must be filed to FinCEN by exchanges for client or counterparty suspicious activity that could potentially be crime-related. For the same reason, in Hong Kong, SARs must be sent to the Joint Financial Intelligence Unit under the jurisdiction’s Anti-Money Laundering and Countering-Terrorism Financing Ordinance. STRs must be submitted to Singapore’s MAS under the Notice PSN02 Prevention of Money Laundering and Countering the Financing of Terrorism.
The U.S.’ BSA also requires exchanges to file an IRS/FinCEN Form 8300 (CTR) to FinCEN for amounts transacted of 10,000 USD or over in a single transaction or in a string of multiple transactions (within a given 24 hour period). LVCTRs submitted to Canada’s FINTRAC have similar thresholds as those of CTRs in the U.S., at a value of 10,000 CAD or more for two or more transactions received in the form of crypto within a 24-hour window.
Another U.S. NPRM – the Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets or ‘FinCEN’s Self-Hosted Wallet Rule’ – proposed rule published in December 2020, would require Virtual Asset Service Providers (VASPs) to conduct KYC, maintain records of crypto asset transactions larger than 3,000 USD, and submit CTR-like reports for transactions over 10,000 USD, if a transaction counterparty utilizes an unhosted (noncustodial) or “otherwise covered” wallet. It defines “otherwise covered” wallets as those held at an exchange not subject to the Bank Secrecy Act and is located in a foreign jurisdiction identified by FinCEN as being of serious money laundering concern, (e.g. North Korea and Iran).
SARs must be submitted to an FIU in cases of suspicion of a range of illicit activities such as;
Under the EU’s AMLD5 – which a majority of member states have now transposed into law – crypto-asset involved businesses became ‘obliged entities’, and as such must maintain the same standard of compliance as other obliged entities. However, as of the current date of publication of this guide, not all suspicious activity must be reported to FIUs by crypto-asset exchanges.
For example, it is only in the European Union’s 6th Anti-Money Laundering Directive (AMLD6), that cybercrime (i.e. ransomware attacks) is a predicate offense, and as such, must be reported to the relevant authority once it has been transposed into EU member states’ respective legislations. Almost all other instances of suspected illicit activity such as money laundering, terrorism financing, fraud, etc, are covered by AMLD5 as predicate offenses necessary to be reported to an EU member’s FIU. In the U.S., all states require any entity that has suffered a breach with a serious economic impact to its operations to submit a SAR to the relevant authority.
Insider trading of financial securities is another crime that is heavily regulated in traditional capital markets with severe financial and criminal penalties imposed upon guilty parties but not yet in crypto-asset markets as many ‘coins’ in the asset class fall outside of derivatives, securities or commodities laws and are deemed by various regulators to be assets of which few legal rulings have been made. However, the EU’s proposed law, Markets in Crypto-assets or ‘MiCA’ – widely regarded as one of the most comprehensive pieces of legislation in the blockchain space – insider trading will be covered under Art. 78, unlawful disclosure of inside information under Art. 79 and market manipulation under Art 80.
Whilst exchanges with their main operating bases in certain jurisdictions that do not yet have AML or other compliance legislation for crypto assets – a smaller and smaller number of nations – do not have to have AML compliance practices in place, they must do so if they are serving customers in another jurisdiction (e.g. an exchange serving clients domiciled in Canada must submit SARs to Canada’s FIU, FINTRAC).