Financial Crime Compliance Requirements for Stablecoins

Lauren Pryor: Hi everyone, welcome to Financial Services Focus, our podcast discussing the latest insights at the intersection of business law and policy. I'm Lauren Pryor, one of the co-leads of the Financial Services product team. In this episode, we'll provide a comprehensive yet accessible overview of the financial crime compliance requirements for stablecoin. It will cover the key anti-money laundering and sanctions provisions while highlighting real-world examples and emerging trends.

Listeners will gain a clear understanding of the risks for the market, along with practical insights for navigating this evolving area. Today, I'm joined by my partners, Matt Bisanz and Brad Resnikoff from our Washington DC office. Matt Bisanz is a regulatory partner covering banking, digital assets and derivatives. Brad Resnikoff represents non-bank and domestic financial institutions on issues related to financial crime prevention and enforcement, including with respect to the new financial technologies and digital assets.

Welcome to the Financial Services Focus Podcast. Matt, let me start with you. So at a high level, what is a stablecoin and why are we talking about them now?

Matt Bisanz: Thank you, Lauren. Stablecoins are a type of digital asset. are a subset. So not all digital assets are stablecoins. They are digital assets that are intended to be used for a payment or settlement mechanism and for which the issuer of the stablecoin is obligated to repurchase or redeem them for a fixed amount or a monetary value of a fiat currency. So I like to think of them as being similar to a gift card where I go into a store, I purchase a gift card, I now have $100 on the gift card, but I can only use it at stores that take the gift card. Now, the great thing about stablecoins is unlike a gift card, can fractionalize it. can take that $100 and spend $12 giving money to Brad, $13 to you. And also with the stablecoin, I'm not limited to the gift store of the issuer that really anyone who's willing to take the stablecoin can have it. It's like a much improved version of prepaid access cards. Also, it's been compared to a transferable money market fund because again, it's intended to have a fixed value. It's defined by reference to a fiat currency. So one stablecoin equals one US dollar. It's not gonna go up and down in value. It's not for appreciation.

And so that's what makes it intended for payment purposes is that unlike other types of crypto currencies that we've seen where people buy them for investments and you know you look at the price of Bitcoin and it goes up and down depending on the economy and any number of other features stablecoins are intended to and for the most part do stay fixed at one unit of stablecoin per one unit of fiat currency. That is that's at a high level what a stablecoin is.

Lauren Pryor: That was very helpful. So what is the GENIUS Act's general approach to AML requirement for stablecoin issuers?

Brad Resnikoff: Thanks, Lauren. AML and sanctions rules and guidance weren't drafted with digital assets or blockchain technology in mind. The consequence has been a set of rules that simply do not fit in many different ways. And this is where the GENIUS Act comes into play. It's intended to fill the void. when it comes to regulation of digital assets, including in the financial crimes compliance space. The GENIUS Act requires FinCEN to amend its AML rules to add a new category of financial institution, covered financial institution under the Bank Secrecy Act, for permitted payment stablecoin issuers and to issue rules specific to them. This makes good sense, at least in theory, because by creating a new category of financial institutions for these issuers, and implementing bespoke rules specific to their activities, we can hopefully avoid the square peg, round whole issue we've seen over the last many years when it comes to applying existing AML regulations to digital assets.

Lauren Pryor: So what are some of the AML issues that stablecoin issuers will need to address in that case?

Brad Resnikoff: So there are many things still up in the air, but the act is explicit as well in many respects. So at a high level, issuers will need to maintain effective AML compliance programs that start with risk assessments. There will need to be a responsible BSA officer. There will be record keeping requirements, transaction monitoring, and also suspicious activity reporting. Effectively, these issuers are going to have to stand up a CIP program, customer identification program and conduct enhanced due diligence as well in the face of heightened risk.

Lauren Pryor: So Matt, back to you. Will FinCEN require training and independent testing of an issuer's AML compliance program?

Matt Bisanz: Well, this is what Brad was getting at when he said that while there are some specific obligations in the GENIUS Act, that also there will be a wide range of issues to be implemented through regulation. So while I think most of the existing financial institutions like banks think of an effective AML compliance program as including training and independent testing, that's one of the five pillars of AML compliance.

The GENIUS Act itself doesn't specify at that level of detail of saying, well, an effective AML compliance program includes these five criteria. And that's where it will be really important where for the industry and others to provide feedback on the rule makings. And as I'll talk about, there's some areas where it will go further than existing institutions that really the GENIUS Act is a framework and it has to be given life by the agencies.

And so I would expect there to be training and independent testing requirements, whether they will be the same as exists for current financial institutions. I'm not sure. I think, you know, current financial institutions, there's guidance saying, well, you should have testing done every 12 months, 18 months, 24 months. There really isn't a lot of criteria around who can do it, what to do if you're a small organization. And so I think this might be an opportunity where if FinCEN goes down that route of designing a training program requirement, for example, or a testing requirement, that it actually gives some specificity to what its expectations are.

Lauren Pryor: Brad, do you think that FinCEN will limit issuer AML compliance obligations for secondary market transactions?

Brad Resnikoff: I hope so. But this is among the most significant open questions. For a long time and still today, there's, I think, been a misimpression that digital assets and transactions involving digital assets lack transparency and therefore are the preferred method of transferring the proceeds of crimes.

Certainly bad actors have used digital assets in connection with misconduct, but they've done so not necessarily because of opacity, but for many of the same reasons as legitimate actors, right? The speed, the instantaneous nature of these transfers, the finality, the reduced costs and so on. But the fact is that there's a lot of transparency in the blockchain and that can be a real benefit in the financial crimes prevention context.

There are also powerful tools that you can use to exploit this. So, you know, at a high level, we think of this in three phases in terms of the life of a stablecoin. have issuance on the front end, redemption on the back end, and then everything that happens in between. Right. And so issuance is fairly straightforward. You go through your customer identification verification processes, just as you would when onboarding a new customer, you know, and assuming it all checks out, you issued the coin.

Redemption is similar, right? You're presented with a redemption request. You're generally able to see all transactions involving your stablecoin from the time of issuance. And there are tools that can be employed to confirm whether the coin is or was in the possession of a sanctioned party, for example, or if it was traded on an exchange known for criminal activity. You know, if there's an alert that comes up when you do your checks, you can freeze the stablecoin. If not, you redeem.

Everything in between is where things get a little bit more difficult. You can see every transaction on the blockchain in real time, but you don't necessarily have information relating to each party, to each transaction that has occurred. You may have wallet addresses and you can cause your system to alert and freeze a coin if it hits a sanctioned wallet, for example. But if a wallet isn't sanctioned, but happens to be owned by a sanctioned person.

How are you going to know that as the issuer? There's always a lag. We can't know that a specific wallet is owned by an SDN until OFAC sanctions the wallet and we're able to add to the filter. And the third parties involved in the transactions over the life of the coin, they're not the issuers' customers. You don't have KYC on them. So this presents a real challenge because even if you can monitor transactions in real time post issuance, there are going to be transactions about which you will not have complete information, including information that you would need to determine whether there's potentially illicit activity in connection with the coin.

Lauren Pryor: Matt, similar question to you. Anything to add on whether FinCEN will impose a separate AML compliance obligation on parties to secondary market transactions?

Matt Bisanz: I’m not sure. I don't think it will necessarily in the context of the GENIUS Act rulemaking. I think it may further define it at a later date. But I like to think about it in the stock market context that if Mayer Brown were a public company and we issued equity securities, once we issue them in our IPO, we don't really have a lot of visibility, as Brad was saying, into what goes on in the secondary market.

We probably don't know when they're traded on an exchange. might be in street name on a central securities depository. And so the financial crime risks are different. Again, with stablecoin there is a ledger, so we should be able to see everything, but it still is difficult to assign the same types of financial crime compliance obligations to the issuer and the secondary market parties.

I think a lot of secondary market parties to date have been treated similar to money services businesses in terms of their AML obligations or as trust companies in terms of their AML obligations. We might see something like that adapted down the road, maybe under a future clarity act or other similar more transactional oriented bill. But I don't think at this point really FinCEN is going to veer into trying to regulate secondary market players that closely, except maybe with respect to some of the sanctions obligations that Brad will discuss.

Lauren Pryor: So as we think about suspicious activity reporting, do you think there's going to be minimum dollar thresholds for reporting? And if so, will those thresholds mirror existing requirements that we see for bank or money services, businesses, or mutual funds, for instance?

Matt Bisanz: I think there will be thresholds. I'm not sure what they will be set at. I have a hope that they will be different from those existing thresholds, that many of those thresholds were set in the 70s. Some were even set in the 1940s. They have not been updated for inflation, that what was $10,000 in 1970, that same amount would have to be something like $70,000 now.

So the current AML rules really are overly inclusive in the number of small dollar transactions relative to actual financial crime that they pick up. And while there's been a long movement within industry, and I think we have hopes for FinCEN addressing some of those antiquated thresholds, my view is why don't we get it right with the GENIUS Act and instead of just adopting the old thresholds, put in what we think is an appropriate number. Is it 50,000? Is it 100,000? I'm not sure what it is, but I think there should be some tailoring for both the nature of stablecoin transactions and also for the modern value of the dollar. I'll also just say that this is an area that financial institutions will need to watch closely because there are surprisingly different thresholds for reporting suspicious activity across banks, broker dealers, money services, businesses, mutual funds.

Recently there was a broker dealer who got tagged in an enforcement action because it was using the bank threshold. And typically we think of banks as the most regulated, but this broker dealer who was affiliated with the bank used the bank's threshold for suspicious activity. The broker dealer threshold is actually more restrictive, so it missed a few transactions and they got tagged. So whatever the threshold is set at, our large financial services conglomerates will have to carefully align their systems to pick up the right thresholds for stablecoin activities versus whatever other types of financial transactions they facilitate.

Lauren Pryor: Brad, do you think that record keeping requirements are going to mirror existing rules? So for instance, the travel rule or be more narrowly tailored for the stablecoin ecosystem.

Brad Resnikoff: I think it would be impracticable for existing rules to be applied in the exact same way to stablecoins. First, I think it's worth noting that the FATF recently came out with best practices for digital assets AML compliance, and they declined the opportunity to provide concrete recommendations for the travel rule.

I think that's because this rule in particular has been quite difficult for the industry to comply with because of fundamental differences between information that is recorded on the blockchain for digital assets transactions as compared with traditional wires, let's say. And look, this is something that FinCEN is well aware of. It's been a pain point for years. And so I would hope that it takes this opportunity to create a bespoke travel rule for stablecoins.

It's also worth mentioning that there have been industry efforts to standardize compliance in a way compatible to blockchain transactions. For example, there's been a certain industry players who have come up with a solution that's meant to allow the receiving exchange in a blockchain transaction to prove that it's the owner of a receiving crypto address before customer information is sent and that customer is transferred from members via encryption.

Lauren Pryor: Do we think that states will impose stricter AML compliance requirements under the substantially similar certification framework? What's the industry thinking in that regard?

Matt Bisanz: So originally, I thought that states might go on a stricter framework like New York has done for banks over the years, that New York imposed stricter AML requirements on its state banks than the federal government had done. I've actually this, when we're recording this, was in Utah this week talking with some of the Western states and they actually have an opposite fear that their concern is that the fact that they can't go in any way lower than or that they can't tailor for a lower risk profile of their state-licensed stablecoin operators means that they won't be an attractive option, that really everyone will either go towards the federal option or towards a state that is identical to the federal option and is in a, say, a higher access to financial services area or in a higher resourced area. So while I initially thought there might be some states who said, we're really concerned with financial crime. We'd like to deviate in the stricter way and probably Treasury would let them. I think now it's actually going to be a how, how close, how precisely can the States make their standards to the federal standard so that there really isn't an incentive to drive away the, people may want to organize under the state licensing regime.

Lauren Pryor: And thinking about the sanctions realm, what makes the GENIUS Act unique? Brad, question for you.

Brad Resnikoff: So the GENIUS Act includes specific sanctions compliance obligations, including a requirement to screen and block transactions. And what's unique about this is that there are no existing prescriptive BSA requirements for sanctions compliance programs. know, financial institutions are the gatekeepers to the U.S. financial system and perhaps play the most important role in sanctions detection. And so any effective risk based AML program is going to have a sanctions component to ensure that the financial institution isn't doing business with sanctioned persons or in sanctioned jurisdictions. But as a matter of law, sanctions compliance is not tethered to AML program compliance in this way, even if practically speaking, they are related.

Lauren Pryor: And follow up question, how might stablecoin issuers be expected to respond to the sanctions requirements?

Brad Resnikoff: Financial institutions have long had robust sanctions compliance programs, particularly the banks. And it was only a few years ago that OFAC provided guidance on best practices. you know, unlike AML, there is no BSA or other statute of regulation that mandates a specific sanctions program requirements. Issuers will now have such obligations.

You know, there will be important differences in the AML and sanctions can find space for these issuers, but at a high level, it's not very different than what we're used to. You know, we need to understand the risks, inherit and stablecoin payments, and we need to put controls in place to account for them. You know, in the sanctions context, the law hasn't changed. U.S. persons can't do business with sanctioned persons or in sanctioned jurisdictions. know, whether you're dealing with fiat currency or digital assets, the obligation is the same. So to the extent that you already have a sanctioned program, you're part of the way there. And so now it's a matter of modifying the program to account for stablecoins moving on the blockchain.

Lauren Pryor: So you're anticipating that sanctions compliance obligations will be integrated into AML compliance program requirements.

Brad Resnikoff: Well, it's unclear at this point, but I think by integrating sanctions compliance into the statute itself, the result may be that there is an expectation that when identifying suspicious activity that includes a potential sanctions violation, issuer would be expected to do more, perhaps a deeper dive investigation beyond just the sort of standard list-based screening something more akin to what you might do in an AML context.

Lauren Pryor: So Matt, final question to you. So who do we anticipate will examine state qualified permitted payments stablecoin issuers for sanctions compliance?

Matt Bisanz: I think this is one of those interesting things that shows just how much the climate has changed over the past few years for financial services that in all likelihood it will be the state regulators for those relevant states. And once upon a time it was a hugely controversial idea when New York said it was going to enforce the federal sanctions requirements against New York financial institutions. The viewpoint was, it's a federal law requirement only affecting international affairs that really is the domain of the federal government. But since then, there has, as Brad said, been this shift to even impose actual sanctions compliance requirements on stablecoin issuers that have an affirmative compliance obligation. And while we might say, look, at the federal level, is FinCEN as an AML source, they can bring in their resources or the IRS's resources to look at and now compliance there really isn't a similar exams water exam resource at the federal level for all fact sanctions that is it is as brad said strict liability no one can break them if you're a corporate who breaks them you're in trouble if you are a bank who breaks them you're in trouble for breaking them plus your banking regulator will get into angry with you for not detecting it.

But really there isn't a model to say, well, we're going to have these entities who are not federally regulated have OFAC compliance obligations. And so I think some states will have to do it, but for states other than maybe New York or a couple others, that's going to be a steep learning curve.

Lauren Pryor: Well, thank you both for joining us today. This is such an interesting emerging area. I mean, this wraps up our episode of Financial Services Focus. Listeners, thank you for joining. If you have any questions about today's podcast or anything else related to Financial Services Focus, please email us at financialservicesfocus@mayorbrown.com. Thanks for listening.