Open Navigation

3 tips for crypto startups preparing for continued compliance

Stephen Aschettino Mayling Blanco Matthew Niss 1 year
Stephen Aschettino Contributor
Stephen Aschettino is head of fintech, United States, at law firm Norton Rose Fulbright US LLP.
More posts by this contributor
Mayling Blanco Contributor
Mayling Blanco represents corporations and individuals in white collar defense, government investigations and commercial litigation matters, notably concentrating her practice on the Foreign Corrupt Practices Act and corporate fraud, as well as matters implicating criminal tax exposure.
Matthew Niss Contributor
Matthew Niss focuses on complex litigation, investigations and regulatory issues on behalf of both companies and individuals in a variety of industries such as financial services, aviation and insurance, including Bermuda Form insurance.

Between the decline in cryptocurrency prices and the bankruptcy of several large players in the industry, today’s cryptocurrency companies face no shortage of challenges. However, cryptocurrency companies should not lose sight of their day-to-day obligations, particularly those concerning compliance.

In fact, both state and federal regulators continue to bring enforcement actions against cryptocurrency companies over alleged compliance deficiencies, resulting in substantial monetary penalties and, in extreme cases, even arrest of the companies’ founders.

The risk posed by inadequate compliance shows no signs of abating. Early-stage cryptocurrency companies can lay a foundation for future success by continually assessing their compliance obligations through a risk-based approach and quickly addressing any deficiencies, particularly during periods of rapid expansion, as well as by vigilantly monitoring for new regulatory developments.

It is no secret that cryptocurrency regulation remains complicated, with several government regulators adopting differing and sometimes competing approaches.

1. Assess your business’s compliance risk and build a well-resourced compliance function

Cryptocurrency companies of all shapes and sizes would benefit from undertaking a dispassionate assessment of the compliance risks facing the company. The Financial Action Task Force (FATF), an independent, intergovernmental body that publishes global anti-money laundering compliance standards for both companies and governments, recommends that financial institutions, including cryptocurrency companies, adopt a risk-based approach to compliance.

This approach involves considering a company’s products, services, business model, customers, geography and other factors in order to assess, and then address, the greatest risks to the company. As a company evolves and grows over time, these risks should be continually reevaluated to ensure the company stays ahead of any developing compliance risks.

Cryptocurrency companies are often regulated by an alphabet soup of government entities. Some of the most common and well-known regulations include, for example:

  • Registration and licensure requirements. Cryptocurrency companies are frequently required to register with various government regulators in order to operate, although companies may not always immediately recognize the requirement. For example, many cryptocurrency exchanges or ATMs are required to register as money services businesses with the U.S. Department of the Treasury’s Financial Crimes Enforcement Network. Similarly, the New York State Department of Financial Services (NYSDFS) requires cryptocurrency companies to obtain a “bit license” if they conduct business in New York or with New York residents, which will likely include many companies that are not physically based in New York.
  • Anti-money laundering and know your customer regulations. Many cryptocurrency companies must comply with Know Your Customer (KYC) regulations, which require these companies to collect substantial information regarding their customers during the onboarding process. Anti-money laundering (AML) laws also require that companies monitor transactions and report potentially suspicious activity. Together, these laws are designed to combat criminal activity and terrorist financing, as well as prevent transactions with sanctioned entities and individuals. Although these laws are widely known, in practice compliance can prove difficult, and cryptocurrency companies continue to be cited for alleged AML/KYC compliance failures.

Once early-stage companies understand the risks they face, they should work to build a well-resourced compliance function to address those risks, prioritizing the most pressing ones, and meet the regulatory requirements applicable to the company. A strong compliance department is one staffed by a sufficient number of compliance professionals who are given enough tools and resources commensurate to the risks facing the company.

A robust compliance function can benefit cryptocurrency companies in particular by helping them avoid costly financial penalties imposed by regulators, as well as the reputational hit that companies facing regulatory scrutiny typically suffer. Establishing a well-resourced compliance division can also provide additional comfort to potential investors, industry partners or other counter-parties who may have concerns about the recent volatility in the cryptocurrency industry.

2. Continue to invest in compliance, particularly during periods of rapid growth

If an early-stage company finds its footing and begins to grow rapidly, company leadership will likely face innumerable challenges and demands on its time. However, it is particularly important that the company not lose sight of its compliance obligations during this period. Although a company may have developed what it believes to be an adequate compliance function, during periods of growth a company’s compliance department may quickly become overwhelmed by its rapidly growing responsibilities.

For example, this was the case for cryptocurrency trading platform Coinbase, Inc., which recently agreed to pay $100 million in fines and compliance program enhancements to settle the NYSDFS’s investigation into its allegedly deficient compliance program. Although NYSDFS acknowledged that Coinbase had made substantial efforts to improve its compliance department, it nevertheless concluded that substantial weaknesses remained, driven, at least in part, by the rapid operational growth experienced by Coinbase during 2020 and 2021.

Coinbase’s compliance department was allegedly inadequately staffed and unable to keep up, resulting in a large backlog of unreviewed transaction monitoring alerts and incomplete customer due diligence that permitted suspicious transactions to take place on the platform.

3. Continually monitor the latest regulatory developments and guidance

It is no secret that cryptocurrency regulation remains complicated, with several government regulators adopting differing and sometimes competing approaches, notably the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC). Along with the collapse of several high-profile cryptocurrency companies, these divergent approaches have led to renewed calls for further, unified regulation of the cryptocurrency industry.

However, as at least in the short-term a piecemeal approach to cryptocurrency regulation appears likely to continue, it is vital that cryptocurrency companies remain aware of shifting regulatory guidance and enforcement trends, which will allow them to more accurately assess the compliance risks faced by their company.

For example, the SEC recently announced that regulation of “emerging technologies and crypto-assets” would be one of its priorities for 2023. In particular, the SEC intends to conduct examinations of broker dealers and investment advisers dealing with “crypto or crypto-related assets” to assess whether they (1) followed their “respective standards of care when making recommendations, referrals, or providing investment advice” regarding these assets, and (2) whether they “routinely reviewed, updated, and enhanced their compliance, disclosure, and risk management practices.” A company that regularly monitors regulatory guidance would be aware of heightened risk in these areas and may be able to adjust accordingly.

Further, the SEC’s “regulation by enforcement” approach makes staying aware of developments in both regulation, and even notable cryptocurrency litigation, of heightened importance to many cryptocurrency companies. This is particularly true regarding the open question of which cryptocurrencies, if any, should be considered “securities” under the federal securities laws. For example, crypto firm Paxos Trust Co. will reportedly soon face a SEC lawsuit arguing that a stablecoin it issued, Binance USD, or BUSD, was a security. Such a development would be of particular importance to the risk-assessment performed by the issuers of similar stablecoins.

These examples show that frequently monitoring for further regulatory guidance will allow a company to better assess, and therefore address, its greatest compliance risks.

Regulators’ efforts to ensure robust compliance programs in the cryptocurrency space will continue into the next year and beyond. Given the turbulent state of the cryptocurrency industry, avoiding the substantial burdens of regulatory scrutiny is likely of paramount importance to many companies. By establishing a robust, risk-based compliance function, ensuring it is able to scale up alongside a growing business, and staying abreast of the latest regulatory guidance, cryptocurrency companies can better position themselves to weather the crypto winter.