Off‐Shore Crypto Exchange to Pay Up to $100 Million to Resolve Enforcement Action with U.S. Regulators

The Financial Crimes Enforcement Network (FinCEN) and the Commodity Futures Trading Commission (CFTC) reached one of the largest-ever resolutions with a cryptocurrency exchange on August 10, 2021.  BitMEX is virtual currency derivatives exchange that exists mainly outside the United States, including in the Seychelles, Hong Kong, and Bermuda, and has a complex ownership structure involving numerous related business affiliates.  BitMEX’s connections to the United States included maintaining a Delaware incorporated affiliate, having an office in New York, and soliciting and doing business with U.S. customers.  FinCEN and the CFTC found that BitMEX was operating as an unregistered futures commission merchant under the Bank Secrecy Act (BSA) and that it failed to comply with anti-money laundering (AML) obligations under the BSA.  BitMEX will settle the allegations for $100 million, with $20 million suspended as described below.

Findings:  Both FinCEN and the CFTC allege that BitMEX solicited orders from United States customers and conducted portions of its operations and maintained a presence within the United States through its U.S. customer base, physical presence in New York, and Delaware affiliate.  BitMEX used its platform to facilitate crypto-based financial transactions including leveraged trading of crypto-currency derivatives like futures, options, and swaps.  Consequently, BitMEX acted as a futures commission merchant required to register with the CFTC and a financial institution subject to the BSA. 

FinCEN found that because BitMEX was a financial institution, it was required, but failed, to have an adequate AML compliance program that satisfies the “five pillars” of BSA compliance.  According to FinCEN, BitMEX had no adequate AML policies, procedures, or internal controls.  The company did not have appropriate compliance personnel in place, including no compliance officer.  It also failed to train its employees or conduct any independent testing.  Lastly, BitMEX did not conduct any customer due diligence, identification, verification, or transaction monitoring—it failed to understand its customer relationships, did not develop risk profiles, and did not monitor for or report suspicious activity.

The regulators note that BitMEX’s conduct was willful—company leadership knew of their regulatory obligations, failed to comply, and took intentional steps to hide the true location of U.S. customers in order to avoid those obligations.  Civil enforcement actions and criminal charges against BitMEX’s founders are pending.

Resolution: BitMEX agreed to a global settlement the allegations, which have been pending since October 2020, and agreed to the following:

• Fine: BitMEX will pay regulators $100 million—$50 million to the CFTC pursuant to a consent order and up to a $50 million civil monetary penalty to FinCEN. $20 million of the $100 million will be suspended.
• Remediation: $10 million of the FinCEN penalty will be suspended pending BitMEX’s completion of a suspicious activity report (SAR) lookback to November 1, 2014.BitMEX must hire an independent consultant to review all transactions during that period and report to FinCEN by the end of this year any covered transactions for which SARs were required, and then file SARs for those transactions.
• Prevention: An additional $10 million will be suspended pending the company’s successful efforts in ending all operations within the U.S. and no longer serving any U.S. customers.BitMEX must also hire an independent consultant to ensure compliance with those requirements.

Conclusion:  The BitMEX settlement marks yet another large extraterritorial enforcement action by U.S. financial regulators against a cryptocurrency company.  For example, in 2017, FinCEN fined the virtual currency exchange BTC-e $110 million for facilitating illicit transactions in crypto-currency.  Both BTC-e and BitMEX were ostensibly foreign-located, but in both cases, U.S. regulators were able to successfully assert jurisdiction.  Companies dealing in digital assets should take note that (1) U.S. regulators will assert jurisdiction over foreign companies when their conduct sufficiently touches or impacts the U.S. and (2) this action marks a continuing trend of increased regulatory activity related to digital assets.