Contents
Cryptocurrency businesses in the U.S. face a complex regulatory landscape, that’s primarily overseen by the Financial Crimes Enforcement Network (FinCEN) and the U.S. Department of the Treasury.
These agencies enforce strict obligations, including registration, recordkeeping, reporting, and compliance with anti-money laundering (AML) rules under the Bank Secrecy Act (BSA).
As financial technology continues to grow, FinCEN has issued specific guidance to regulate virtual currencies, ensuring businesses remain compliant while combating financial crimes.
This article dives into the key aspects of FinCEN cryptocurrency regulation and provides actionable steps to help businesses meet these obligations effectively.
But first, let’s analyze the basics of FinCEN cryptocurrency regulation.
See also:
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013. If you need assistance with compliance or fintech regulations, click here.
Who Regulates Crypto in the USA?
When dealing with any regulatory landscape, the first important step is to know which regulatory bodies make the rules. When it comes to cryptocurrency in the United States, these are:
Financial Crimes Enforcement Network (FinCEN): FinCEN regulates all crypto assets for purposes of AML and combating the financing of terrorism.
US Securities and Exchange Commission (SEC): the SEC regulates those crypto assets that could be considered to be securities under the Howey test , focusing on investor protection and disclosure.
The Commodity Futures Trading Commission (CFTC): The CFTC governs cryptocurrencies classified as commodities, ensuring market integrity and protecting against fraud and manipulation.
Officer of the Comptroller of Currency (OCC): The OCC regulates banks participating in cryptocurrency-related activities, including custody services and stablecoin reserves.
What are Cryptocurrencies for FinCEN?
FinCEN defines “virtual currency” (cryptocurrency) as a “medium of exchange that can operate like currency but does not have all the attributes of ‘real’ currency… including legal tender status.”
FinCEN also uses the term “convertible virtual currency” (CVC) to describe a kind of virtual currency that either:
Has an equivalent value as ‘real’ currency; or
Acts as a substitute for ‘real’ currency.
Consequently, CVCs are those virtual currencies that could be exchanged for real, hard currency. This includes the majority of existing cryptocurrencies, like Ethereum or Bitcoin, with the exception of digital assets with legal tender status (i.e. China’s digital yuan).
CVCs also includes stablecoins, such as Dai or Tether. These are digital assets designed to maintain a stable market price by tethering the value of the cryptocurrency to an external framework, like a fiat currency.
To address the evolving landscape of virtual currencies, FinCEN has issued comprehensive guidance to clarify how the Bank Secrecy Act (BSA) applies to emerging business models. Notable milestones include:
In 2013, FinCEN became the first U.S. regulatory agency to issue interpretive guidance on virtual currencies. This effort clarified the application of the BSA to various roles within the ecosystem, including “users,” “administrators,” and “exchangers.”
In 2019, FinCEN issued CVC guidance, consolidating all of the associated administrative rulings and guidance for the 2011–2019 period. With this guidance, FinCEN provided its interpretation of the BSA juxtaposed against many activities involving CVCs.
In 2023, FinCEN expanded its regulatory scope by addressing new risks associated with CVC mixing services, which are increasingly exploited by cybercriminals, terrorist groups, and rogue state actors to obscure the source of illicit funds. A recent Notice of Proposed Rulemaking (NPRM) designates international CVC mixing transactions as a significant money laundering concern, mandating heightened transparency and reporting requirements for financial institutions involved in such transactions
Four Important Money Services Business Considerations for FinTech Companies
With cryptocurrencies becoming more widespread and veering on the cusp of mass adoption, companies must take into account all regulatory implications of engaging in virtual currency activities. Crucially, it is important to:
1. Determine whether your company is a Money Services Business
The BSA states that a Money Services Business (MSB) is a legal entity that operates within the United States, even if not on a regular basis or as a formally organized business. This includes businesses functioning as money transmitters.
In general, a money transmitter is a “person that provides money transmission services,” which includes accepting currency, funds, or any value that substitutes for currency from one person and transmitting it to another person or location by any means.
Under the BSA, it is also established that natural persons acting as money transmitters but not for profit and not on a frequent basis—such as consumers using payment apps—are exempt from having an MSB status.
FinCEN’s 2013 Virtual Currency Guidance clarified that users of virtual currencies that acquire CVCs for purchasing goods or services are not an MSB. However, administrators of virtual currency that accept and transmit CVCs or buy or sell CVCs do qualify as money transmitters and are, as such, subject to BSA requirements for MSBs.
Additionally, the FinCEN 2019 guidance emphasized that MSB qualification depends on the nature of the activities performed, not on the business’s formal status. For example, peer-to-peer exchanges or decentralized applications may fall under MSB regulations based on their operations.
In 2024, FinCEN proposed enhanced requirements for MSBs to adopt effective, risk-based AML/CFT compliance programs. These programs must:
Include a thorough risk assessment process that evaluates money laundering and terrorism financing risks tied to the entity’s products, services, and customers.
Be approved by senior management or the board of directors to ensure accountability.
Incorporate ongoing reviews of reports such as Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) to identify patterns and emerging threats.
Additionally, MSBs are now expected to align their compliance strategies with FinCEN’s national AML/CFT priorities, updated in 2024, which highlight risks such as ransomware, cybercrime, and geopolitical sanctions
2. Ensure your MSB has registered with FinCEN
If you determine your company to be an MSB and are operating in the U.S., you must register as such with FinCEN. This is the first crucial step for ensuring your operational framework is BSA compliant.
The registration is done via FinCEN’s BSA E-Filing System and FinCEN Form 107.5. This registration must be renewed biannually. failure to which could result in the company being subjected to monetary penalties and even criminal prosecution.
Fines for failing to register can be quite steep. For example, in 2015, FinCEN found that Ripple Labs “willfully violated the mandatory registration requirement for MSBs,” among other things. Ripple Labs and its subsidiary XRP II LLC were required to pay $700,000 in penalties for multiple BSA violations. Additionally, FinCEN referred the issue to the US Attorney’s Office for the Northern District of California, for resolving any potential criminal charges.
3. Ensure your MSB has a quality AML program
All MSBs must have an effective, risk-based AML program in writing. There are certain minimum requirements for these programs. MSBs must devise, deploy, and keep in place an AML program that is sufficient to refrain the MSB from money laundering and terrorism financing activities.
These AML programs must be adequate to cater to unique risks associated with money laundering and the factual conditions of the MSB – for example, the geographic areas in which it operates, the structure of its client base, and the types of goods, services, and products it offers.
It is prudent for an MSB to consult with the most up-to-date list of “jurisdictions with strategic deficiencies in their AML regimes,” published by the Financial Action Task Force (FATF). Additionally, MSB AML programs must fulfill the aforementioned minimum requirements, including training all relevant personnel on their AML responsibilities, having a designated AML compliance officer, and having an independent audit function in place to ensure proper reviewing of the AML program’s appropriateness.
4. Ensure your MSB is compliant with all recordkeeping and reporting requirements
All MSBs face a large number of BSA recordkeeping and reporting requirements. For example, most MSBs must submit a suspicious activity report (SAR) via FinCEN Form 111 regarding activities or transactions related to potential legal and regulatory violations.
In the case that an MSB knows, suspects, or has a reason to suspect the existence of suspicious transactions that are conducted or attempted to be conducted by, at, or through an MSB – and that involve, or aggregate, funds or assets worth $2000 or more – the MSB must file a SAR.
FinCEN Funds Transfer Rule
The FinCEN Funds Transfer Rule, also known as the Travel Rule, requires financial institutions to collect and retain specific information on funds transfers and transmittals exceeding $3,000. This ensures transparency and accountability in financial transactions, particularly for combating money laundering and terrorist financing.
On March 15, 2019, FinCEN Director Kenneth A. Blanco was speaking at a Blockchain Symposium when he stated that the FinCEN Funds Transfer Rule should apply to all CVCs. Mr. Blanco also stated that: “FinCEN, through delegated examiners at the Internal Revenue Service, has been conducting examinations that include compliance with the Funds Travel Rule since 2014. In fact, to date, it is the most commonly cited violation by the IRS against MSBs engaged in CVC money transmission”.
FinCEN’s 2019 guidance clarified the application of the Travel Rule to cryptocurrency businesses, reinforcing that compliance is mandatory for Virtual Asset Service Providers (VASPs), such as cryptocurrency exchanges and Bitcoin ATMs. The Financial Action Task Force (FATF) also issued Recommendation 16, requiring VASPs to share Know-Your-Customer (KYC) and Personal Identifiable Information (PII) between transacting parties before executing transactions.
In 2024, FinCEN updated the Travel Rule to address emerging risks, explicitly including high-risk transactions involving CVC mixing services linked to money laundering and terrorism financing. Financial institutions must ensure complete transfer of critical transaction data, verify sender and receiver identities, and maintain compliance across intermediaries. Risk-based approaches, including threat assessments, SAR and CTR analysis, and monitoring virtual currency typologies, are now required.
FinCEN also urges Virtual Asset Service Providers (VASPs) to adopt innovative tools like blockchain analytics and secure data-sharing platforms to meet these standards and align with global AML/CFT priorities.
Recordkeeping and Travel Rules
In 1995, the Board of Governors of the Federal Reserve and FinCEN issued a joint Rule for banks and other non-bank financial institutions. This Rule had to do with the information required to be included on transfers of funds and is made up of two parts – the Recordkeeping Rule and the Travel Rule.
The Recordkeeping Rule mandates that financial institutions collect and keep hold of the very same information that the Travel Rule pertains to. The Travel Rule mandates that each time a transfer of funds occurs, certain information has to be passed along and “travel” to each following financial institution in the transfer chain.
To be compliant with the FinCEN Funds Transfer Rule, the following information is needed:
The name of the transmitter
The account number of the transmitter
The address of the transmitter
The identity of the financial institution
The transferred amount
The transfer date
FinCEN made clear that the financial institution of the recipient should retain the same information as the originator, as long as that information has been provided by the originating MSB.
In 2024, FinCEN expanded these requirements to include certain investment advisers, compelling them to establish anti-money laundering (AML) and countering the financing of terrorism (CFT) programs, report suspicious activities, and adhere to the Recordkeeping and Travel Rules. This extension aims to enhance transparency and prevent illicit financial activities within the investment advisory sector.
2020 Modifications and Updates to the Rules
The Board of Governors of the Federal Reserve System and FinCEN issued a joint Notice of Proposed Rulemaking (NPRM) in October of 2020. The authorities sought to gather public comments on proposed amendments seeking to modify the Recordkeeping and Funds Transfer Rules by:
Lowering the requirement for collecting, retaining, and transmitting information when transferring and transmitting funds from $3,000 to $250, in the case where transactions are ending or have begun outside of the U.S.
Including CVCs in the existing definition of money
Later, in December of 2020, FinCEN issued an NPRM that would mandate cryptocurrency exchanges, banks, and MSBs to gather KYC data on any person transferring crypto equivalent to or greater than $3,000 in value, both from or to a private wallet. The NPRM would also require MSBs and banks to gather, maintain, and report all information about customers that take part in virtual currency transactions with unhosted wallets.
Equivalent requirements would also be placed on hosted wallet transactions held by a financial institution to which the BSA does not apply and that are located in any of the jurisdictions found on the FinCEN Foreign Jurisdictions List.
The NPRM would mean that impacted businesses would have to increase their KYC efforts - by collecting and storing data on, as well as reporting on more transactions than ever before. This would only increase the pressure on companies to invest more efforts in order to remain compliant.
Implementing a Risk-Based Approach to Prepare for FinCEN’s Funds Transfer Rule
The Funds Transfer Rule could structurally change how Virtual Asset Service Providers operate going forward. As documented by FATF, the best way of preparing for this is for cryptocurrency exchanges to utilize a risk-based approach based on FinCEN’s guidelines and have clear and defined procedures and policies in place. For example:
Risk-assessing unhosted wallets. Incorporating risk assessment into the AML program of a crypto organization allows for higher levels of both protection and detection of suspicious unhosted wallet transactions. Using software that enables denial and freezing of transactions to achieve compliance is highly recommended.
Third-party risk management. Having risk management procedures and standards for dealing with third parties will help transactions to be communicated within the ambit of BSA guidelines.
Analyzing the market. Smaller firms should assess their market position with the utmost care and caution to ensure optimal doing of business. Making sure that best industry practices are being employed in order to prevent regulatory probes and, consequently, financial and reputational damage is of paramount importance.
The best way to ensure compliance with FinCEN Funds Transfer Rule is to have a strong Customer Due Diligence (CDD) and KYC process that collects crucial information while onboarding customers. The most advisable course of action is to engage an established, experienced expert on the matter, thus ensuring that your business is in good hands and remains fully compliant.
See also:
FinCEN Customer Due Diligence Rule
The FinCEN Customer Due Diligence Rule (CDD) amended BSA regulations to improve financial transparency and help prevent terrorists and other criminals from abusing companies to mask their illegal activities and launder money.
The CDD clarifies and reinforces customer due diligence requirements for U.S. banks, mutual funds brokers or dealers in securities, and futures commission merchants while introducing brokers in commodities and adding another requirement. It places a new requirement on covered financial institutions to identify and confirm the identity of natural persons who are the ultimate beneficial owners of legal entities that control, own, and make profits from companies when accounts are opened.
There are four core requirements in the CDD Rule. Covered financial institutions are required to set up and maintain written policies and procedures that are devised to:
Identify and verify customer identity
Identify and verify the identity of ultimate beneficial owners of those companies that open accounts
Develop customer risk profiles and, to that end, understand the underlying customer relationships, their nature, and purpose
Perform ongoing monitoring to identify and report any and all suspicious transactions and to maintain and renew customer information based on risk.
For the purposes of these new requirements concerning beneficial ownership relations, financial institutions have to focus on any and all individuals that own a stake of 25% or more in a company and those who exert control over a company.
Need help with blockchain compliance?
Fill out the form below and our experts will get back to you.
FinCEN Ruling Examples
Finally, to help further illustrate the landscape of FinCEN cryptocurrency regulation, we’ve created a short, non-exhaustive compendium of some FinCEN rulings. The following is an instructive list. Careful considerations must be provided for each and every aspect of your business and corporate operations based on your company’s individual requirements.
1. Regulation: FIN 2014 R001
Situation: A company mines bitcoin, and the coins that were mined have not yet been transferred or use. The company could decide to: use the coins to procure goods/services, convert coins into legal tender, or transfer coins to the company owner.
Ruling: The company is a user of bitcoin and not an MSB if the mined coins are: for paying for goods/services or previously incurred debts, or for being distributed to owners, or if fiat currency or another virtual currency is purchased, as long as the currency is only used for making payments or invest.
2. Regulation: FIN 2014 R002
Situation: A company produces software that enables virtual currency purchase via automated collection of funds and payment in currency or legal tender. The company limits activities to convertible virtual security investments for its own account.
Ruling: The company is a user of the currency and not an MSB if it invests in convertible virtual currency for its own account. Any transfers to third parties on account of its counterparties, owners, or creditors could cause an MSB designation.
3. Regulation: FIN 2014 R007
Situation: A company rents mining systems to third parties, allowing them to mine virtual currencies. The system was devised by the company, and the third party provides mining pool information. All virtual currency the third party mines stays with it.
Ruling: The company is not an MSB if it solely rents the system to the third party, thus allowing it to obtain convertible virtual currency to fund exchange activities.
4. Regulation: FIN 2014 R011
Situation: A company sets up a trading platform for buying/selling virtual currency for legal tender. The company maintains a set of accounts for customers to deposit funds in, to cover exchanges - customers submit orders to sell or buy and the platform matches buy/sell orders. The company prohibits third party funding, payments from a customer to a third party, or inter-account transfers.
Ruling: The company is an MSB because it exchanges virtual currency. It is not a user because it accepts CVC from one person and transfers it to another.
5. Regulation: FIN 2014 R012
Situation: A company sets up a virtual currency payment system for merchants wanting to be paid in, for example, bitcoin, from their customers. The company provides payments to merchants in their own jurisdiction. The company receives payment from buyers in legal tender and transfers the equivalent amount of the virtual currency to the seller.
Ruling: The company is an MSB due to it accepting currency, funds, or other value that substitutes for currency from one person and transfers it to another location or person.
6. Regulation: FIN 2015 R001
Situation: A company provides internet brokerage services for buyers/sellers of precious metals. The company buys/sells precious metals on its own account and holds metals for buyers in a digital wallet on a blockchain. The company obtains transaction fees for transfers of digital certificates as well as a custody fee for metals held.
Ruling: The company is an MSB due to the use of customer-third party transfer of funds.
Listen to the Experts
With all of these numerous requirements, regulatory bodies, and regulations, developing a robust corporate compliance department is crucial.
If your company is a FinTech, or if you’re considering implementing Fintech solutions within your existing business structure, consider reaching out for outside expertise and experience. Engaging a specialized professional to craft a custom compliance solution like InnReg will not only save costs for your company but will actively put it ahead.
To access a more detailed, in-depth pool of analytical knowledge, contact InnReg today and consult a qualified, highly-experienced external expert on the matter. InnReg can help you and your business ensure a high level of ongoing FinCen cryptocurrency compliance while maintaining an optimal corporate structure that supports a good balance of costs and profits.
How Can InnReg Help?
InnReg is a global regulatory compliance and operations consulting team serving financial services companies since 2013.
We are especially effective at launching and scaling fintechs with innovative compliance strategies and delivering cost-effective managed services, assisted by proprietary regtech solutions.
If you need help with blockchain compliance, reach out to our regulatory experts today:
Published on May 30, 2022
Last updated on Aug 7, 2023
Related Articles
Latest LinkedIn Posts
