How much knowledge is too much for businesses in the UK’s regulated sector when it comes to the history of their cryptoasset transactions?
“They say a little knowledge is a dangerous thing, but it’s not one half so bad as a lot of ignorance.”
– Terry Pratchett, Equal Rites.
The recent alleged hack of the FTX exchange highlights the legal risks of cryptoassets “tainted” by illegal activity, particularly in the UK’s regulated sector. Further to new and anticipated developments in UK regulation and English case law, market participants may be at risk of criminal liability under the Proceeds of Crime Act 2002 if they deal with tainted cryptoassets or fail to report suspicions of money laundering.
The alleged FTX hack and fall-out
Following an alleged hack of the FTX exchange, commentators have identified that cryptocurrencies equivalent to around 447m USD may have been stolen via the hack then (mostly) converted into Ethereum, which is in the process of being dissipated by transfers and conversion into other cryptoassets.
This is a situation perhaps unique to cryptoassets; a crime has allegedly occurred but, unlike in a traditional “real world” theft like a bank robbery, the entire world is able to watch the alleged hacker seek to dissipate their allegedly ill-gotten Ethereum gains in real time.
Of course, this is not a new phenomenon – a core function of most distributed ledger technologies is the ability to trace all on-chain transactions (including those associated with illegality). However, increasing regulation and new case law are now throwing up novel legal issues for market participants when it comes to “tainted” cryptoassets like those allegedly stolen from FTX.
The Proceeds of Crime Act 2002 (“POCA”)
Tainted cryptoassets can give rise to criminal liability for participants in the regulated sector if they fail to disclose their knowledge or suspicion of money laundering1 pursuant to ss.330 and 331 of POCA.
By way of summary, a person in the regulated sector commits an offence where they know, suspect or have reasonable grounds to suspect that another person is engaged in money laundering and they fail to disclose that suspicion to the UK’s National Crime Agency. There are various ways that money laundering can be committed, but all involve some form of dealing with criminal property.
Can cryptoassets be criminal property?
For criminal property to exist, there must first be property. As explored previously, the English courts are amenable to recognising cryptoassets (including NFTs) as legal property under English civil law. Other jurisdictions are following suit. The definition of property for POCA purposes is broad in any event and in fact the English civil courts have already accepted that various cryptocurrencies are capable of constituting “other intangible or incorporeal property” for the purposes of a different section of POCA2.
For property to become criminal property, a person must know or suspect that it represents or constitutes the benefit of conduct that would constitute an offence in the UK. While the facts of the alleged FTX hack remain unclear, a hack can give rise to a variety of UK criminal offences, meaning the cryptocurrencies in question may well constitute criminal property, subject to the requirement for knowledge or suspicion (more on that later).
The money laundering offences
Money laundering in this context means the ss.327 to 329 POCA offences of concealing, acquiring, using or possessing criminal property or becoming involved in an arrangement in relation to the use etc. of such criminal property. The offences are drafted broadly such that doing almost anything in relation to “criminal property” can amount to money laundering, including simply owning it.
In fact, a press release from the English Crown Prosecution Service suggests it may already have been successful in procuring money laundering convictions in respect of cryptoassets. It therefore appears at least one court and prosecutor considers that the money laundering offences apply to cryptoassets.
The regulated sector and the failure to disclose offence
The additional ss. 330 and 331 POCA offences for failing to disclose knowledge or suspicion of money laundering offences only apply to those within the “regulated sector”.
A wide variety of businesses fall within the regulated sector including banks and law firms. The regulated sector also includes cryptoasset exchanges and custodian wallet providers.3
These cryptoasset businesses and other market participants may therefore have exposure to criminal liability in the UK if they have knowledge or suspicion of dealing with tainted cryptoassets and don’t do anything about it.4
Knowledge or suspicion
Because knowledge or suspicion are required before property can be criminal property, and a similar requirement exists for the failure to disclose offence, it is often the key question when it comes to these POCA offences. It is at this point where cryptoassets present some novel issues. Unlike traditional financial assets, cryptoassets generally come with a fully populated and notionally irrefutable back-history – the full transaction history for Ethereum or Bitcoin is all there on the chain.
As evidenced by the alleged FTX hack example, “tainted” cryptoassets can therefore often be traced in real time with absolute clarity from addresses associated with illegal activity to the recipients.
This transparency has already precipitated issues in the sanctions space. Following OFAC’s sanctioning of TornadoCash (a DeFi protocol that “mixes” cryptocurrencies to conceal their origins), “dusting attacks” appear to have been carried out that transferred small amounts of Ethereum from sanctioned addresses associated with Tornado Cash to addresses associated with various celebrities. While this may be an example of “trolling”, technically those recipients could now be at risk of breaching sanctions.
For a market participant in the regulated sector of the UK, receipt of such “dusted” cryptocurrency from an address known to be associated with TornadoCash (or from the alleged FTX hack) could, in addition to the sanctions risks, also potentially give rise to a reporting obligation in the UK if they are aware of the origin of the funds (and potential criminal liability if such a report is not made).
Crucially here, the failure to disclose offence contains an objective element: it can be committed if a person “has reasonable grounds for knowing or suspecting, that another person is engaged in money laundering.” So, if a person in the UK regulated sector were to receive tainted cryptoassets, the fact that they didn’t subjectively know that those cryptoassets were tainted would not be a defence on its own (in contrast to the core money laundering offences, where the knowledge required is subjective).
It remains to be seen what constitutes “reasonable grounds” in circumstances where a person could know the entire transaction history of a given Ethereum token with a few minutes of googling. In particular, if a person in the UK regulated sector did receive tainted cryptoassets from the FTX hack it may prove very difficult to claim there are not reasonable grounds for suspicion given the availability of detailed on-chain transaction information and the worldwide coverage of the collapse of FTX.
The travel rule
From 1 September 2023 UK regulated sector market participants are likely to find it even more difficult to claim there are no such reasonable grounds. On that date new requirements referred to as the “travel rule” will come into force that will, for the first time, require in-scope cryptoasset businesses that transfer cryptoassets to include information about the originator and beneficiary of cryptoasset transactions with the transfer.
This new requirement to identify and confirm the details of cryptoasset transactions will mean that in-scope market participants may well gain actual knowledge of the derivation of tainted cryptoassets in transactions they facilitate.
However, even without actual knowledge, the combination of these new requirements with the full on-chain transaction history of many cryptoassets may make it significantly more difficult to argue that there were no “reasonable grounds” for knowledge or suspicion of money laundering in respect of tainted cryptoassets. Market participants in the UK regulated sector, including exchanges, may well be forced to make a large number of precautionary notifications to the UK National Crime Agency as a result, rather than risk potential criminal liability.
The regulation of cryptoassets continues to evolve as market participants, regulators and law enforcement authorities grapple with new technology, new case law and new regulations. The FCA and Advertising Standards Authority have already shown their teeth in this space but it remains to be seen how the National Crime Agency will deal with a groundswell of cryptoasset-related notifications in light of the travel rule.
Much like the collapse of FTX itself, this is yet another area where the promise of intangible and decentralised assets is increasingly meeting real-world issues and friction, with huge amounts at stake.