FinCEN and Bank Secrecy Act Reporting
On March 7, 2022, the Financial Crime Enforcement Network (“FinCEN”), a bureau of the U.S. Department of the Treasury alerted financial institutions “to be vigilant against efforts to evade the expansive sanctions and other U.S.-imposed restrictions implemented in connection with the Russian Federation’s further invasion of Ukraine.” Such restrictions include sanctions actions taken by the Department of Treasury’s Office of Foreign Assets Control (“OFAC”) involving certain Russian and Belorussian persons.
The alert reminds financial institutions of potential red flags for identifying sanctions evasion activity and of financial institutions’ reporting obligations under the Bank Secrecy Act (“BSA”), including those relating to convertible virtual currencies (“CVCs”).
What’s a “Financial Institution”?
The term “financial institution” is a term of art under the BSA and includes the following:
- brokers or dealers in securities;
- money services businesses;
- telegraph companies;
- card clubs;
- futures commission merchants;
- introducing brokers in commodities;
- mutual funds; and
- persons subject to state or federal bank supervisory authority.
FinCEN has taken the position that CVC exchangers and administrators are generally money services businesses, and therefore subject to the BSA.
What’s a CVC?
FinCEN has defined “virtual currency” as “a medium of exchange that can operate like currency but does not have all the attributes of ‘real’ currency . . ., including legal tender status.” A CVC is a “virtual currency that either has an equivalent value as currency, or acts as a substitute for currency . . . .”
What are the Reporting Requirements under the BSA?
As relevant here, a financial institution generally must file a suspicious activity report (“SAR”) if the transaction is conducted or attempted by, at, or through the financial institution, it involves or aggregates at least $5,000 in funds or other assets, and the financial institution knows, suspects, or has reason to suspect:
- the transaction involves funds derived from illegal activities or is intended to hide or disguise funds or assets derived from illegal activities in order to violate federal law or avoid any federal transaction reporting requirement;
- the transaction is designed to evade the requirements of the BSA;
- the transaction has no business or apparent lawful purpose or is an unusual transaction for that particular customer and the financial institution does not know of a reasonable explanation for the transaction; or
- involves the use of the financial institution to facilitate criminal activity (including potential evasion of sanctions).
Upon filing a SAR, a financial institution is required to keep a copy of the SAR and any supporting documentation for five years, which material must be provided upon request by FinCEN or certain enforcement or supervisory agencies.
Additional BSA reporting requirements may include:
- currency transaction reports reporting the deposit, withdrawal, or exchange of currency or other payment or transfer by, through, or to a financial institution involving a transaction in currency of more than $10,000; and
- reports of cash payments over $10,000 received in a trade or business (a requirement that may apply even to persons that are not financial institutions).
What are Possible Red Flags for Sanctions Evasion Activity?
FinCEN’s alert consolidates guidance on red flags that it has provided over the years, which it divides into three categories: 1) sanctions evasion using the U.S. financial system; 2) sanctions evasion using CVCs; and 3) ransomware attacks and other cybercrime.
Sanctions evasion using the U.S. financial system.
FinCEN identifies the following possible red flags for sanctions evasion using the U.S. financial system:
- use of legal entities or arrangements to obscure ownership, source of funds, or countries involved;
- use of shell companies for international wire transfers;
- use of third parties to hide the identity of sanctioned persons or source of ownership of funds;
- accounts in jurisdictions or financial institutions experiencing a rise in value without a clear economic or business explanation;
- jurisdictions previously associated with Russian financial flows, which jurisdictions are identified as having an increase in new company formations;
- new accounts sending or receiving funds from a sanctioned institution or an institution barred from the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”); and
- non routine foreign exchange transactions.
Sanctions evasion using CVCs.
Possible red flags listed by FinCEN for sanctions evasion using CVCs include:
- transactions originating from internet protocol (“IP”) addresses associated with nontrusted sources; locations in Russia, Belarus, jurisdictions identified as having anti-money laundering/countering the financing of terrorism/and counter proliferation deficiencies, and comprehensively sanctioned jurisdictions; or IP addresses flagged as suspicious.
- transactions connected with CVC addresses listed on OFAC’s Specially Designated Nationals and Blocked Persons List; and
- use of a CVC exchanger or foreign located money services business in a high-risk jurisdiction.
Ransomware attacks and other cybercrimes.
FinCEN lists the following possible red flags for ransomware attacks and other cybercrimes:
- receipt of CVC from an external wallet, followed by multiple, rapid trades among multiple CVCs that lack any apparent purpose, followed by a transaction off the platform;
- initiation of a fund transfer involving a CVC mixing service; and
- customers with direct or indirect receiving transaction exposure relating to ransomware.
What Are the Potential Penalties for Failing to Report?
As of January 21, 2022, the maximum civil penalty for willful violations for failing to file SARs is $250,759 per violation, with the minimum penalty being $62,689 per violation. The maximum criminal penalty is a fine of $250,000, imprisonment for up to five years, or both.
 FinCEN, FinCEN Advises Increased Vigilance for Potential Russian Sanctions Evasion Attempts (FIN-2022-Alert-001) at 1 (March 7, 2022) (hereinafter, “FinCEN Advice”).
 FinCEN Advice supra note 1 at 1 (citing Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies (FIN-2019-G001) (May 9, 2019) (hereinafter “Convertible Virtual Currencies”)).
 Convertible Virtual Currencies, supra note 3 at 7. The BSA defines “currency” as:
The coin and paper money of the United States or of any other country that is designated as legal tender and that circulates and is customarily used and accepted as a medium of exchange in the country of issuance. Currency includes U.S. silver certificates, U.S. notes and Federal Reserve notes. Currency also includes official foreign bank notes that are customarily used and accepted as a medium of exchange in a foreign country.
 Convertible Virtual Currencies, supra note 3 at 7.
 See 31 C.F.R. §§ 1020.320(a) (relating to banks), 1021.320(a) (relating to casinos), 1022.320(a) (relating to money services businesses), 1023.320(a) (relating to brokers or dealers in securities), 1024.320(a) (relating to mutual funds), 1025.320(a) (relating to insurance companies), 1026.320(a) (relating to futures commission merchants and introducing brokers in commodities), 1029.320(a) (relating to loan or finance companies), 1030.320(a) (relating to housing government sponsored enterprises); FinCEN Advice, supra note 1 at 5.
 See 31 C.F.R. §§ 1020.320(d), 1021.320(d), 1022.320(d), 1023.320(d), 1024.320(d), 1025.320(d), 1026.320(d), 1029.320(d), 1030.320(d).
 31 C.F.R. §§ 1010.310-313.
 FinCEN Advice, supra note 1 at 2-5.
 Id. at 3 (citing FinCEN, Advisory on Human Rights Abuses Enabled by Corrupt Senior Foreign Political Figures and their Financial Facilitators (FIN -2018-A003) (June 12, 2018)).
 FinCEN Advice, supra note 1 at 4 (citing FinCEN, Advisory on Illicit Activity Involving Convertible Virtual Currency (FIN 2019-A003) (May 9, 2019)).
 FinCEN Advice, supra note 1 at 5 (citing FinCEN, Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic (FIN-2020-A005) (July 30, 2020); FinCEN, Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes (FIN-2019-A005) (July 16, 2019); FinCEN, Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (October 25, 2016)).
 See 31 U.S.C. § 5321(a)(1); 31 C.F.R. § 1010.821(b).