Following the Illicit Funds

If a business qualifies as a Money Services Business (MSB), compliance with federal regulations is mandatory. MSBs must:

• Register with FinCEN and adhere to Bank Secrecy Act (BSA) requirements
• Implement a comprehensive Anti-Money Laundering (AML) program
• Monitor transactions and file regulatory reports as required, such as SARs and CTRs

The elements of an AML/CFT program for MSBs are similar to those that apply to banks:

• Senior Management Commitment – Leadership including the Board and senior management must actively support the AML/CFT program by allocating resources, ensuring compliance integration into business operations, and fostering a strong culture of compliance.
• Designation of a Compliance Officer – A qualified individual must be appointed with responsibility for overseeing the AML/CFT program.
• Internal Policies, Procedures, and Controls – The business must establish formalized policies, procedures, and controls to detect and prevent financial crime.
• Ongoing Employee Training – To ensure staff understand and fulfill their responsibilities, they must be provided with regular AML/CFT training appropriate to their role, such as red flags for suspicious activity.
• Independent Audit Function – The effectiveness of the AML/CFT program must be regularly assessed by an independent function and any gaps must be remediated.

Depending on the state in which they are registered, MSBs also have regulatory obligations imposed at the state level.

Suspicious Activity Report (SAR) – Identifying Red Flags

Sometimes, transactions just don’t add up. Maybe a customer is moving funds in an unusual pattern, or a brand-new account suddenly starts making large, rapid transfers. When financial institutions spot activity that raises suspicion, they must file a Suspicious Activity Report (SAR) with the Financial Crimes Enforcement Network (FinCEN).

💡 What could trigger a SAR?

SARs aren’t filed for every unusual transaction, but they’re required when patterns suggest potential illicit activity, such as attempts to obscure the origin of funds, to break the “money trail”, or to hide the real entities or individuals involved in a transaction.

Some of the red flags that may trigger an investigation, which could potentially result in a SAR, include:

🚩 Structuring transactions – Breaking large transactions into smaller ones in an attempt to avoid attracting attention. In crypto, this can involve splitting a large transfer across multiple wallets or exchanges in an attempt to avoid triggering alerts.

🚩 Velocity increases – Sudden and unexplained increases in trading activity (e.g., trading once a week to trading 10 times per week)

🚩 Rapid fund movement – Fast, high-volume transfers between unrelated accounts, including “chain-hopping”, meaning exchanges between different digital assets which can be used in attempts to hide the transaction trail

🚩 Anomalous activity – Activity that doesn’t fit the expected customer profile (e.g., a new account immediately making high value transactions, whereas during onboarding they stated an intention to make infrequent low volume transactions, or fiat-to-crypto or crypto-to-fiat exchanges without a clear purpose)

🚩 Use of multiple accounts or exchanges to obfuscate ownership – Customers creating multiple accounts across different exchanges and transferring assets between them in a pattern inconsistent with legitimate trading

🚩 Rapid inflows and outflows of funds – A sudden influx of crypto into an exchange wallet followed by immediate withdrawals to multiple external wallets, which may indicate layering in a money laundering scheme

🚩 High-volume transactions across multiple jurisdictions – Crypto transactions moving through jurisdictions with high risk of illicit finance, such as those with lack of transparency, weak AML/CFT regimes, or sanctions exposure

🚩 Use of privacy coins or mixers – Use of privacy-enhancing assets such as Monero (XMR) or mixers such as Mixero, Tumbler.io, or Tornado Cash, which may indicate attempts to obscure the transactional trail or ownership of assets

🚩 Interaction with sanctioned entities or blacklisted wallets – Transactions involving wallets associated with sanctioned individuals, darknet markets, or known illicit actors

🚩 Common unknown counterparties – Addresses where the ownership is unknown and which are counterparties for multiple users, especially with high volume or high value activity (e.g. where multiple customers interact with an address that is not a known service such as an exchange, where multiple customer interactions would be expected)

💡 Actions to take

Before filing a SAR, an organization should undertake an internal investigation to identify whether the trigger (“unusual” activity) is actually “suspicious”. It may be that upon more detailed analysis, there is a valid explanation for a transaction and there is no requirement to file a SAR. Alternatively, the investigation may identify further red flags indicating that the activity meets the definition of “suspicious”. Importantly, a customer must not be “tipped off” that they are under investigation.

Currency Transaction Report (CTR) – Tracking Large Cash Movements

Currency Transaction Reports (CTRs) are mandatory whenever a customer attempts to deposit or withdraw more than $10,000 in cash. Like SARs, CTRs are filed with FinCEN.

The reason for CTRs is that large cash transactions can signal attempts to launder illicit funds or evade detection, especially in cases related to the proceeds of drug trafficking, fraud, or other criminal activity. By monitoring large cash movements, CTRs help authorities track suspicious financial flows and uncover criminal networks.

Crypto businesses registered as MSBs are subject to CTR filing requirements, just like traditional financial institutions. Although most crypto businesses don’t handle cash, there are some that do. One example is a crypto ATM in which fiat cash is exchanged for crypto. Cashing out crypto into cash, or exchanging cash into crypto, both trigger CTR requirements.

💡 What are key considerations relevant to CTRs?

• Structuring – Splitting a transaction into smaller amounts to stay below the $10,000 reporting threshold, for example using two cash deposits of $5,000 instead of one deposit of $10,000. In these circumstances, a CTR must still be filed.
• Potential extension of comparable requirements to digital assets – in December 2020, a proposed rule was issued by FinCEN that would require reporting of some types of digital asset transactions that exceed $10,000 in one day. While this would be a separate reporting requirement – and while it hasn’t been implemented as a final rule yet – crypto businesses should monitor for further developments.
• Exemptions – Since the objective of CTRs is to identify potentially illicit activity, there are some situations where the known characteristics of the customer mean that even if large cash transactions are involved, the risk of illicit activity is very low. To ensure that the focus remains on transactions with a higher risk of illicit finance, exemptions from CTR requirements are possible.

Designation of Exempt Persons (DOEP)

Designation of Exempt Person (DOEP) allows financial institutions to nominate customers as being exempt from CTR filing requirements, provided they meet specific criteria. Like CTR reports, DOEP filings are made with FinCEN.

💡 Who can qualify for DOEP?

At a high level, the following types of customers may meet requirements to be nominated as an “exempt person”:

✅ Banks – To the extent of their domestic operations

✅ Government agencies and publicly traded companies – Includes federal, state, and local government entities

✅ Publicly traded companies and their subsidiaries – Domestic operations of companies listed on the NYSE, American Stock Exchange, and NASDAQ, as well as their majority-owned (51% or more) U.S. subsidiaries

✅ “Non-listed businesses” that meet specified criteria – Domestic operations of U.S. businesses that have maintained a transaction account with the bank for at least two months and regularly engage in cash transactions over $10,000 as part of their legitimate business operations

✅ Payroll customers – Businesses that frequently withdraw cash exclusively for payroll purposes and meet account duration and transaction history requirements

💡 Who does NOT qualify?

The following types of customers may not qualify for DOEP:

❌ Financial institutions – Financial institutions cannot be exempt under the “non-listed” businesses exemption

❌ Certain high-risk businesses, as specified by FinCEN – Including businesses primarily engaged in gambling, pawn brokerage, and other high-risk industries

SAR and CTR: Actions and Outcomes

While SARs and CTRs are both used to detect illicit activity, there are some important differences:

• CTRs must be filed within 15 days. SARs must be filed within 30 calendar days from the date of detecting the suspicious activity, which can in some circumstances be extended to 60 days.

• SARs must be filed for any suspicious activity, regardless of whether a transaction is involved or its size (e.g., multiple customers sharing a Social Security Number is suspicious, regardless of whether they have transacted). The criteria for filing a CTR is defined solely by transaction size.

• CTR regulations specify the information that must be included. SARs are usually more detailed and include the parties involved, transaction details, wallet addresses and/or account numbers, and the reasons for suspicion.

Importantly, the SAR and CTR requirements are parallel but independent. This means that a CTR is not an alternative to a SAR. A SAR must be filed for anything suspicious, even if a CTR has also been filed for that transaction.

In addition to fulfilling the regulatory requirements for filing SARs and CTRs, organizations can also take additional actions including:

• Subjecting the customer to enhanced monitoring

• Undertaking a trigger KYC/CDD review

• Restricting products, services, or transaction sizes

• Exiting a customer

Fulfilling the regulatory requirements to file SARs and CTRs not only ensures that an organization remains compliant, it also makes a critical contribution to providing the information necessary for effective joint action between the public and private sector to protect the integrity of the financial system.

FBAR: Do Crypto Firms Need to Report Foreign Accounts?

In addition to business-level compliance obligations, some crypto users and companies may also have individual reporting requirements, including Foreign Bank Account Reports (FBARs).

FBARs, also known as FinCEN Form 114, require reporting of non-U.S. financial accounts. FBARs are filed with FinCEN and are designed to assist with identifying and taking action against illicit financial flows.

The requirement to file an FBAR applies to U.S. persons including:

• U.S. citizens
• U.S. residents (including Green Card holders and “resident aliens”)
• Entities organized under U.S. law, including: corporations, partnerships, Limited Liability Companies (LLCs), trusts and estates

If you’re a U.S. person, including a business or entity, where the aggregate value of your foreign accounts exceeds $10,000 at any time during the year, you’ll need to file an FBAR.

💡 What about crypto?

Right now, U.S. persons are not required to include their holdings in foreign cryptocurrency exchanges or custodial wallets on the FBAR, unless those accounts also contain reportable assets besides digital assets. In December 2020, FinCEN announced plans to update FBAR requirements to include digital assets, though a final decision hasn’t been made.

Crypto businesses should monitor FinCEN’s evolving stance on foreign asset reporting and be prepared for their clients to be subject to reporting requirements in future.

As crypto grows, so does regulatory oversight. From SARs and CTRs to MSB registration and potential FBAR requirements, crypto businesses are now firmly within the scope of financial regulations. Meeting these obligations is not just about compliance—it’s about building trust, ensuring transparency, and safeguarding the integrity of the financial system. By staying ahead of regulatory changes and embracing a proactive compliance approach, crypto businesses can navigate the evolving space with confidence and position themselves for long-term success.