Contents
Cryptocurrency businesses in the US face a complex regulatory landscape that’s primarily overseen by the Financial Crimes Enforcement Network (FinCEN) and the US Department of the Treasury.
These agencies enforce strict obligations, including registration, recordkeeping, reporting, and compliance with Anti-Money Laundering (AML) rules under the Bank Secrecy Act (BSA).
As financial technology continues to grow, FinCEN often issues specific guidance to regulate virtual currencies, helping businesses remain compliant while mitigating financial crimes.
This article dives into the key aspects of FinCEN cryptocurrency regulation and provides actionable steps to help businesses meet these obligations effectively.
See also:
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013. If you need assistance with compliance or fintech regulations, click here.
Who Regulates Crypto in the US?
The US cryptocurrency market is subject to oversight from several regulators, each with its own scope and responsibilities. Understanding their roles is critical to navigating compliance effectively.
These key agencies include:
Financial Crimes Enforcement Network (FinCEN): FinCEN regulates all crypto assets for purposes of AML and combating the financing of terrorism.
US Securities and Exchange Commission (SEC): The SEC regulates crypto assets that qualify as securities under the Howey Test, focusing on investor protection and disclosure.
Commodity Futures Trading Commission (CFTC): The CFTC governs cryptocurrencies classified as commodities, upholding market integrity and protecting against fraud and manipulation.
Office of the Comptroller of the Currency (OCC): The OCC regulates banks participating in cryptocurrency-related activities, including custody services and stablecoin reserves.
What are Cryptocurrencies for FinCEN?
FinCEN defines “virtual currency” (cryptocurrency) as a “medium of exchange that can operate like currency but does not have all the attributes of ‘real’ currency, including legal tender status.”
FinCEN also uses the term “convertible virtual currency” (CVC) to describe a kind of virtual currency that either:
Has an equivalent value as “real” currency; or
Acts as a substitute for “real” currency.
Ultimately, CVCs are virtual currencies that can be exchanged for real currency. This includes the majority of existing cryptocurrencies, like Ethereum or Bitcoin, except for digital assets with legal tender status (i.e., China’s digital yuan).
CVCs also include stablecoins, like Dai or Tether. These digital assets are designed to maintain a stable market price by tethering the cryptocurrency's value to an external framework, such as a fiat currency.
FinCEN Cryptocurrency Updates
To address the evolving landscape of virtual currencies, FinCEN has issued comprehensive guidance to clarify how the BSA applies to emerging business models. Here are some of the notable milestones:
In 2013, FinCEN became the first US regulatory agency to issue interpretive guidance on virtual currencies. Here, FinCEN sought to clarify the application of BSA to “users,” “administrators,” and “exchangers” of virtual currency.
In 2019, FinCEN issued CVC guidance, consolidating all of the associated administrative rulings and guidance for the 2011–2019 period. With this guidance, FinCEN provided its interpretation of the BSA regarding many activities involving CVCs.
In 2023, FinCEN expanded its regulatory scope by addressing new risks associated with CVC mixing services—increasingly exploited by cybercriminals, terrorist groups, and rogue state actors to hide the source of illicit funds. A recent Notice of Proposed Rulemaking (NPRM) identifies international CVC mixing transactions as a significant money laundering concern, mandating heightened transparency and reporting requirements for financial institutions involved in such transactions.
Four Important Money Services Business Considerations for FinTech Companies
With cryptocurrencies becoming more widespread, companies must take into account all regulatory implications of engaging in virtual currency activities. It is important to:
1. Determine whether your company is a Money Services Business
The BSA defines a Money Services Business (MSB) as any legal entity operating in the US, regardless of frequency or formal organization. This includes businesses that function as money transmitters.
In general, a money transmitter is a “person who provides money transmission services,” which includes accepting currency, funds, or any value that substitutes for currency from one person and transmitting it to another person or location by any means.
The BSA also establishes that natural persons acting as money transmitters but not for profit and not on a frequent basis—such as consumers using payment apps—are exempt from having an MSB status.
According to FinCEN’s 2013 Virtual Currency Guidance, virtual currency users who acquire CVCs to purchase goods or services are not MSBs. However, administrators of virtual currency who accept and transmit CVCs or buy or sell CVCs do qualify as money transmitters and are, as such, subject to BSA requirements for MSBs.
Additionally, the FinCEN 2019 guidance emphasized that MSB status depends on the nature of the activities performed, not on the business’s formal status. For example, peer-to-peer exchanges or decentralized applications may fall under MSB regulations based on their operations.
In 2024, FinCEN proposed enhanced requirements for MSBs to adopt effective, risk-based AML/CFT compliance programs. These programs must:
Include a thorough risk assessment process that evaluates money laundering and terrorism financing risks tied to the entity’s products, services, and customers.
Be approved by senior management or the board to maintain accountability.
Incorporate ongoing reviews of reports such as Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) to identify patterns and emerging threats.
Additionally, MSBs are now expected to align their compliance strategies with FinCEN’s national AML/CFT priorities, updated in 2024, which highlight risks such as ransomware, cybercrime, and geopolitical sanctions.
2. Confirm that your MSB has registered with FinCEN
If you determine that your company is an MSB and you are operating in the US, you must register with FinCEN. This is the first crucial step in making your operational framework BSA-compliant.
The registration is done via FinCEN’s BSA E-Filing System and FinCEN Form 107.5. Its registration must be renewed biannually. Failure to do so could cause monetary penalties and even criminal prosecution.
Fines for failing to register can be quite steep. For example, in 2015, FinCEN found that a company “willfully violated the mandatory registration requirement for MSBs,” among other things. This company and its subsidiary were required to pay $700,000 in penalties for multiple BSA violations.
Additionally, FinCEN referred the issue to the US Attorney’s Office for the Northern District of California to resolve any potential criminal charges.
3. Verify that your MSB has a quality AML program
All MSBs must have an effective, risk-based AML program in writing with certain minimum requirements. For starters, MSBs must devise, deploy, and keep in place an AML program that is sufficient to refrain the MSB from money laundering and terrorism financing activities.
These AML programs must address the specific risks of money laundering based on the MSB's operations, customer base, and geographic location.
It is also important for an MSB to consult with the most up-to-date list of “jurisdictions with strategic deficiencies in their AML regimes,” published by the Financial Action Task Force (FATF).
Additionally, MSB AML programs must meet the minimum requirements. These include training all relevant personnel on AML responsibilities, appointing a designated compliance officer, and implementing an independent audit function to review the program’s effectiveness.
4. Confirm that your MSB complies with all recordkeeping and reporting requirements
All MSBs face many BSA recordkeeping and reporting requirements. For example, most MSBs must submit a suspicious activity report (SAR) via FinCEN Form 111 regarding activities or transactions related to potential legal and regulatory violations.
If an MSB knows, suspects, or has a reason to suspect the existence of suspicious transactions that are conducted or attempted to be conducted by, at, or through an MSB—and that involve or aggregate funds or assets worth $2000 or more—the MSB must file a SAR.
FinCEN Funds Transfer Rule
The FinCEN Funds Transfer Rule, also known as the Travel Rule, requires financial institutions to collect and retain information on transfers over $3,000. This promotes transparency and accountability in financial transactions, particularly in combating money laundering and terrorist financing.
On March 15, 2019, FinCEN Director Kenneth A. Blanco stated at a Blockchain Symposium that the FinCEN Funds Transfer Rule should apply to all CVCs.
Mr. Blanco also said that “FinCEN, through delegated examiners at the Internal Revenue Service, has been conducting examinations that include compliance with the Funds Travel Rule since 2014. In fact, to date, it is the most commonly cited violation by the IRS against MSBs engaged in CVC money transmission.”
FinCEN’s 2019 guidance clarified the application of the Travel Rule to cryptocurrency businesses, reinforcing that compliance is mandatory for Virtual Asset Service Providers (VASPs), such as cryptocurrency exchanges and Bitcoin ATMs.
The Financial Action Task Force (FATF) also issued Recommendation 16, requiring VASPs to share Know-Your-Customer (KYC) and Personal Identifiable Information (PII) between transacting parties before executing transactions.
In 2024, FinCEN updated the Travel Rule to address emerging risks, explicitly including high-risk transactions involving CVC mixing services linked to money laundering and terrorism financing.
Financial institutions are now required to facilitate the complete transfer of critical transaction data, verify sender and receiver identities, and maintain compliance across all intermediaries. These updates also mandate a risk-based approach, which includes conducting threat assessments, analyzing SARs and CTRs, and monitoring virtual currency typologies.
FinCEN also urges Virtual Asset Service Providers (VASPs) to adopt innovative tools, such as blockchain analytics and secure data-sharing platforms, to meet these standards and align with global AML/CFT priorities.
Recordkeeping and Travel Rules
In 1995, the Board of Governors of the Federal Reserve and FinCEN issued a joint Rule for banks and other non-bank financial institutions. This Rule defined what information must be included in fund transfers. This two-part rule consists of the Recordkeeping Rule and the Travel Rule.
The Recordkeeping Rule mandates that financial institutions collect and retain the same information required by the Travel Rule, which must also be shared with each financial institution involved in the transfer process.
Compliance with the FinCEN Funds Transfer Rule requires the following information:
The name of the transmitter
The account number of the transmitter
The address of the transmitter
The identity of the financial institution
The transferred amount
The transfer date
FinCEN made it clear that the recipient’s financial institution should also retain the same information as the originator as long as the originating MSB provided it.
In 2024, FinCEN expanded these requirements to include certain investment advisers, compelling them to establish AML and counter the financing of terrorism (CFT) programs, report suspicious activities, and adhere to the Recordkeeping and Travel Rules.
2020 Modifications and Updates to the Rules
The Board of Governors of the Federal Reserve System and FinCEN issued a joint Notice of Proposed Rulemaking (NPRM) in October 2020. They sought to gather public comments on proposed amendments seeking to modify the Recordkeeping and Funds Transfer Rules by:
Lowering the requirement for collecting, retaining, and transmitting information when transferring and transmitting funds from $3,000 to $250 in cases where transactions begin or end outside the US.
Including CVCs in the existing definition of money
Later, in December 2020, FinCEN issued an NPRM that mandated cryptocurrency exchanges, banks, and MSBs to gather KYC data on any person transferring crypto equivalent to or greater than $3,000 in value, both from or to a private wallet.
The NPRM also required MSBs and banks to gather, maintain, and report all information about customers who conduct virtual currency transactions with unhosted wallets.
Equivalent requirements would be placed on hosted wallet transactions held by a financial institution to which the BSA does not apply and that are located in any of the jurisdictions found on the FinCEN Foreign Jurisdictions List.
The NPRM meant that impacted businesses would have to increase their KYC efforts by collecting, storing data, and reporting on more transactions than ever before. This would only increase the pressure on companies to invest more effort to remain compliant.
Implementing a Risk-Based Approach to Prepare for FinCEN’s Funds Transfer Rule
The Funds Transfer Rule could structurally change how Virtual Asset Service Providers operate going forward. As documented by FATF, the best way of preparing for this is for cryptocurrency exchanges to utilize a risk-based approach based on FinCEN’s guidelines and have clear and defined procedures and policies in place.
This could be through:
Risk-assessing unhosted wallets: Incorporating risk assessment into the AML program of a crypto organization allows for higher levels of both protection and detection of suspicious unhosted wallet transactions. Using software that enables denial and freezing of transactions to achieve compliance is highly recommended.
Third-party risk management: Risk management procedures and standards for dealing with third parties will help ensure transactions are communicated within BSA guidelines.
Analyzing the market: Smaller firms should assess their market position with the utmost care and caution to optimize business operations. Employing best industry practices is critical to prevent regulatory probes and, consequently, financial and reputational damage.
To follow the FinCEN Funds Transfer Rule, implement an efficient Customer Due Diligence (CDD) and KYC process that collects crucial information while onboarding customers.
See also:
FinCEN Customer Due Diligence Rule
The FinCEN Customer Due Diligence (CDD) Rule amended BSA regulations to improve financial transparency and help prevent terrorists and other criminals from abusing companies to mask their illegal activities and launder money.
The CDD clarifies and reinforces customer due diligence requirements for US banks, mutual funds brokers or dealers in securities, and futures commission merchants. It also introduces brokers in commodities and adds another requirement.
Financial institutions must identify and verify the ultimate beneficial owners of companies—entities that control, own, or profit from a company when opening accounts.
There are four core requirements in the CDD Rule. Covered financial institutions must set up and maintain written policies and procedures that are devised to:
Identify and verify customer identity
Identify and verify the identity of ultimate beneficial owners of those companies that open accounts
Develop customer risk profiles and, to that end, understand the underlying customer relationships, their nature, and purpose
Perform ongoing monitoring to identify and report any and all suspicious transactions and to maintain and renew customer information based on risk
For the purposes of these new requirements financial institutions need to focus on any and all individuals who own a stake of 25% or more in a company and those who exert control over a company.
Need help with blockchain compliance?
Fill out the form below and our experts will get back to you.
FinCEN Ruling Examples
Finally, to help further illustrate the landscape of FinCEN cryptocurrency regulation, we’ve created a short, non-exhaustive list of FinCEN rulings:
1. FIN 2014 R001
Situation: A company mines bitcoin, and the mined coins have yet to be transferred or used. The company could decide to: use the coins to procure goods/services, convert them into legal tender, or transfer them to the company owner.
Ruling: The company is considered a bitcoin user, not an MSB, if the mined coins are used to pay for goods, settle debts, distribute to owners, or purchase other currencies for payments or investments.
Compliance Takeaway: Since the company is classified as a bitcoin user rather than an MSB, it is not subject to FinCEN’s MSB registration, reporting, or compliance requirements. However, if it begins transmitting bitcoin as a service to others, it may trigger MSB status and become subject to AML regulations.
2. FIN 2014 R002
Situation: A company produces software that enables virtual currency purchases via automated fund collection and payment in currency or legal tender. The company limits activities to convertible virtual security investments for its own account.
Ruling: If a company invests in convertible virtual currency for its own account, it is a user of the currency and not an MSB. However, any transfers to third parties on behalf of its counterparties, owners, or creditors could cause an MSB designation.
Compliance Takeaway: Companies developing software for virtual currency transactions must carefully assess their role in fund transfers. Engaging solely in proprietary investments does not trigger MSB status, but facilitating transactions for third parties could require MSB registration and compliance with AML regulations.
3. FIN 2014 R007
Situation: A company rents mining systems to third parties, allowing them to mine virtual currencies. The company devised the system, and the third party provides mining pool information. All virtual currency the third party mines stays with it.
Ruling: The company is not an MSB if it solely rents the system to a third party, thus allowing it to obtain convertible virtual currency to fund exchange activities.
Compliance Takeaway: Renting mining systems without controlling or transmitting the mined virtual currency does not trigger MSB status. However, if the company were to facilitate transfers, custody, or exchanges on behalf of third parties, it could be subject to FinCEN’s MSB regulations and AML compliance requirements.
4. FIN 2014 R011
Situation: A company sets up a trading platform for buying and selling virtual currency for legal tender. The company maintains a set of accounts in which customers can deposit funds to cover exchanges. Customers submit orders to sell or buy, and the platform matches buy/sell orders. The company prohibits third-party funding, customer payments to a third party, and inter-account transfers.
Ruling: The company is an MSB because it exchanges virtual currency. It is not a user because it accepts CVC from one person and transfers it to another.
Compliance Takeaway: Operating a trading platform that facilitates the exchange of virtual currency for legal tender qualifies as money transmission under FinCEN regulations. Even with restrictions on third-party funding and inter-account transfers, the company must register as an MSB and follow AML requirements.
5. FIN 2014 R012
Situation: A company sets up a virtual currency payment system for merchants wanting to be paid in bitcoin by their customers. The company provides payments to merchants in its jurisdiction. The company receives payment from buyers in legal tender and transfers the equivalent amount of the virtual currency to the seller.
Ruling: The company is an MSB as it accepts currency, funds, or other value that substitutes for currency from one person and transfers it to another location or person.
Compliance Takeaway: Acting as an intermediary in virtual currency payments qualifies as money transmission under FinCEN regulations. Since the company facilitates the exchange of legal tender for virtual currency on behalf of merchants and customers, it must register as an MSB and adhere to AML compliance requirements.
6. FIN 2015 R001
Situation: A company provides internet brokerage services for buyers and sellers of precious metals. The company buys and sells precious metals on its own account and holds metals for buyers in a digital wallet on a blockchain. The company obtains transaction fees for transfers of digital certificates and a custody fee for metals held.
Ruling: The company is an MSB due to the use of customer-to-third-party transfer of funds.
Compliance Takeaway: Facilitating the transfer of digital certificates and holding assets on behalf of customers qualifies as money transmission under FinCEN regulations. Since the company enables third-party transfers, it must register as an MSB and follow AML regulations.
Listen to the Experts
With all of these numerous requirements, regulatory bodies, and regulations, developing a robust corporate compliance department is crucial.
Companies in the fintech sector or those considering implementing fintech solutions may find it beneficial to explore outside expertise and experience. Engaging with a specialized consultancy like InnReg to craft a custom compliance solution could potentially lead to cost savings and provide a competitive edge.
To access a more detailed, in-depth pool of analytical knowledge, contact InnReg today and consult with a qualified, deeply experienced compliance expert. InnReg aims to assist you and your business in striving for a high level of ongoing FinCEN cryptocurrency compliance, allowing you to concentrate on other aspects of your business.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
If you need help with blockchain compliance, reach out to our regulatory experts today:
Published on May 30, 2022
Last updated on Feb 12, 2025
Related Articles
Blockchain
Jan 30, 2025
·
11 min read
Blockchain
Jan 10, 2025
·
30 min read
Latest LinkedIn Posts
