Skip to main content
Sujets à suivre
Featured Insights
Voir tout
Voir tout
À propos de notre cabinet d’avocats
  • Accueil
  • Insights
  • Virtual Currency Exchange Pleads Guilty to Criminal Charges Related to Anti-Money Laundering Violations and Pays Multi-Million Dollar Fine to FinCEN
décembre 23 2025

Virtual Currency Exchange Pleads Guilty to Criminal Charges Related to Anti-Money Laundering Violations and Pays Multi-Million Dollar Fine to FinCEN

Auteurs:
Télécharger le PDF
Share

On December 9, 2025, the US Department of Justice (“DOJ”) announced a guilty plea by a peer-to-peer convertible virtual currency exchange (the “CVC Exchange”) for conspiring to: (i) violate the Travel Act; (ii) operate an unlicensed money transmitting business; and (iii) violate the Bank Secrecy Act’s (“BSA”) anti-money laundering (“AML”) program requirements. In parallel, the Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) announced that it had entered into a consent order with the CVC Exchange for willful violations of the Bank Secrecy Act (“BSA”) and its implementing regulations.

The DOJ and FinCEN’s enforcement actions concern the CVC Exchange’s willful violations of AML laws and regulations, including transmitting funds derived from criminal offenses such as prostitution and fraud, as well as its failure to implement and maintain an effective AML compliance program. Notably, even though DOJ indicated that the criminal fine was $112.5 million, the DOJ assessed a criminal penalty of only $4 million based on the CVC exchange’s ability to pay. Notwithstanding the Administration’s overall industry-friendly approach to digital assets, these enforcement actions demonstrate that it will continue to prosecute egregious AML violations that cause real-world harm. 

This Legal Update summarizes the DOJ and FinCEN’s enforcement actions, key AML compliance considerations identified by FinCEN, and takeaways for financial institutions.

DOJ and FinCEN’s Enforcement Actions

DOJ Plea Agreement

The plea agreement between the CVC Exchange and the DOJ and the United States Attorney’s Office for the Eastern District of California (collectively, the “Offices”) includes the following charges:

  • Conspiracy to Willfully Fail to Maintain an Effective AML Program: The CVC Exchange agreed to plead guilty to conspiring to willfully fail to maintain an effective AML program from July 2015 through at least November 2019. The CVC Exchange’s AML program deficiencies facilitated the transfer of proceeds derived from illegal activities, including fraud, prostitution, child sexual abuse material, and hacks by malign state actors on its CVC platform. Among other things, the plea agreement identifies several AML program deficiencies, including:
    • Marketing the exchange to customers as a platform that did not require “Know-Your-Customer” (“KYC”)and/or that allowed “buying without ID;”
    • Facilitating the transfer of funds between customers without conducting KYC, despite knowing the exchange was required to do so, falsely claiming that it outsourced KYC procedures to its vendors;
    • Presenting fake AML and KYC policies to financial institutions that it knew were not, in fact, implemented or enforced at the CVC Exchange; and
    • Failing to file a single suspicious activity report (“SAR”), until on or around November 2019, despite knowing that its users were engaged in suspicious and criminal activity.
  • Conspiracy to Operate an Unlicensed Money Transmitting Business: The CVC Exchange agreed to plead guilty to knowingly conspiring to operate as an unlicensed money transmitting business from January 2017 to September 2019. During this period, it obtained approximately $29.7 million in proceeds derived from criminal offenses or supporting unlawful activity.
  • Conspiracy to Violate the Travel Act: The CVC Exchange agreed to plead guilty to conspiring to violate the Travel Act by promoting illegal prostitution through interstate commerce. The CVC Exchange knowingly transferred virtual currency on behalf of its customers, including Backpage, an online advertising platform for illicit prostitution and similar crimes. In July 2015, the CVC Exchange, through its co-founders and others, targeted Backpage as a customer, despite knowing that it was engaged in criminal misconduct that had caused it to lose the ability to use credit card processing services for customer payments.

While the Offices and the CVC Exchange agreed that a $112.5 million criminal penalty was appropriate based on the law and the facts, the DOJ assessed a criminal penalty of only $4 million on the CVC Exchange based on its ability to pay. The CVC Exchange also agreed to extensive compliance commitments and reporting requirements.

FinCEN Consent Order

FinCEN’s consent order, based largely on the same facts as the DOJ’s plea agreement, focuses on the CVC Exchange’s willful violations of the BSA and its implementing regulations, including the violations listed below.

  • Failure to Maintain an AML Compliance Program: FinCEN found that the CVC Exchange failed to implement a written AML program for more than four years after commencing operations. When the exchange finally did adopt an AML program in July 2019, it was ineffective. Among other things, FinCEN highlighted the following violations related to the CVC Exchange’s failure to adopt a written AML program and having a materially deficient AML program after its implementation:
    • Lack of KYC Processes: The CVC Exchange lacked any KYC processes between at least July 2015 and February 2019. Even after it announced new mandatory KYC requirements in 2019, these controls were deficient and only applied to users with transactions exceeding $1,500, without any controls to identify which users sought to evade these controls by structuring transactions.
    • Failure to Identify and Address Geographic Spoofing: The CVC Exchange failed to implement effective policies, procedures, and controls to detect the use of geographic spoofing intended to obscure customer locations. For example, prior to January 2018, the exchange failed to implement any meaningful Internet Protocol (“IP”) address restrictions, permitting customers to transact with then-comprehensively sanctioned jurisdictions, including North Korea, Iran, Syria, and Cuba.
    • Facilitating Transactions with Hostile Nation States and Cyber Criminals: The CVC Exchange’s AML program deficiencies enabled illicit actors, including state-sponsored cyber criminals and individuals eventually designated by OFAC, to exploit its platform.
    • Failure to Effectively Monitor Prepaid Access Transactions: The CVC Exchange failed to implement appropriate policies, procedures, and internal controls to meaningfully monitor and report illicit activity taking place in its prepaid access sales across its platform, even though this was a substantial portion of it’s business activity during the relevant time period.
  • Failure to Register as a Money Services Business: Consistent with the DOJ action, FinCEN determined that the CVC Exchange failed to register as a money services business (“MSB”).
  • Failure to File SARs: Despite facilitating hundreds of suspicious transactions totaling more than $500 million, the CVC Exchange did not file a single SAR until November 2019. It also did not identify and report any transactions associated with CVC mixers, which anonymize CVC addresses and obscure CVC transactions, despite known red flags associated with these services. The CVC Exchange’s leadership refused to improve SAR reporting for years, even instructing employees not to file SARs.

The CVC Exchange admitted to willfully violating the BSA. FinCEN assessed a $3.5 million civil money penalty and noted mitigating factors, including the exchange’s decision to terminate its relationship with leadership who oversaw its operations at the time the willful violations took place and subsequent remediation efforts. FinCEN credited the $1.75 million payment to the DOJ against the $3.5 million assessed by FinCEN.

AML Compliance Considerations

FinCEN’s press release regarding the consent order highlights the following compliance considerations:

  • Effective AML Programs: Effective AML programs should be risk-based and commensurate with the risks posed by the location and size of the institution and the nature and volume of the financial products and services provided by the institution. For CVC platforms and other virtual asset service providers (“VASPs”), an AML program must be commensurate with the specific risks posed by the entity’s products and services, such as peer-to-peer products, cross-border CVC transactions, and CVC transactions involving prepaid cards. In addition, businesses engaged in money transmission services should ensure that they register and maintain registration as an MSB.
  • Reporting Suspicious Activity: Financial institutions dealing in CVC and prepaid access cards are obligated to identify and report suspicious activity involving these products that take place by, at, or through the financial institution. CVC platforms and other VASPs should confirm that their procedures for monitoring suspicious activity are developed to address the specific risks posed by different products and services, as well as transaction volume.
  • Customer Identification and Verification Procedures: FinCEN states that financial institutions with obligations to verify customer identity should ensure they maintain appropriate processes to comply with this requirement. CVC platforms and other VASPs should use IP address and geolocation data to mitigate exposure to high-risk and/or sanctioned jurisdictions and prohibited parties. CVC platforms and other VASPs should also consider the nature of their customers’ businesses to mitigate the risk that customers may be engaged in illicit activities.
  • Mitigating Deficiencies: Financial institutions should ensure they have a robust culture of compliance, including an appropriate “tone at the top.” FinCEN also encourages financial institutions to promptly remediate reporting issues when they are identified to ensure timely and accurate reporting of SARs. CVC platforms and other VASPs should continue to implement risk-based policies, procedures, and controls—including transaction monitoring for all types of products and services and independent testing of AML compliance programs—to identify, report, and remediate issues as necessary.

Takeaways

The DOJ and FinCEN’s enforcement actions against the CVC Exchange demonstrate that US authorities are still actively pursuing willful violations of the BSA, its implementing regulations, and other financial crimes laws, including in the cryptocurrency sector. This is the second action brought by FinCEN this year involving violations related to failing to register as an MSB; failing to develop, implement, and maintain an effective AML program; and failing to file SARs. FinCEN’s enforcement actions highlight how registration obligations remain crucial, and businesses engaged in money transmission—including virtual-asset platforms—must register and maintain registration as an MSB when required. Financial institutions should continue to prioritize maintaining risk-based AML policies, procedures, and internal controls; maintain appropriate customer identification and verification processes; and act promptly to remediate identified AML deficiencies. Finally, this action highlights the intersection between AML and sanctions compliance for financial institutions: failure to maintain an effective AML program, including monitoring transactions and customer location, can cause financial institutions to process prohibited transactions involving sanctioned persons and jurisdictions.

Auteurs

Compétences et Secteurs liés

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe

Follow us

© 2025 Mayer Brown. All Rights Reserved

 

 

Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong LLC (“PKW”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong Pte. Ltd. More information about the individual Mayer Brown Practices and PKW can be found in the Legal Notices section of our website.

“Mayer Brown” and the Mayer Brown logo are the trademarks of Mayer Brown.

Attorney Advertising. Prior results do not guarantee a similar outcome.