In October, the Commodity Futures Trading Commission (CFTC) and the U.S. Department of Justice (DOJ) filed enforcement actions against the entities and individuals that own and operate the Bitcoin Mercantile Exchange (BitMEX), a trading platform for cryptocurrency derivatives.
The CFTC alleges that since 2014 BitMEX has operated an unregistered trading platform and violated CFTC regulations by, among other things, failing to implement required anti-money laundering (“AML”) procedures. The DOJ in turn is charging BitMEX’s three founders and its first employee with criminal violations of the Bank Secrecy Act (BSA) and conspiracy for willfully failing to establish, implement and maintain an adequate AML program.
The BitMEX actions signal an expansion of regulatory scrutiny. These actions also emphasize that U.S. regulators will work together to hold individuals responsible for registration violations and inadequate compliance protocols.
While BitMEX is a highly centralized exchange platform where the founders allegedly still collectively exercise 90% ownership and control, the BitMEX actions also have implications for decentralized finance (DeFi). If DeFi platforms offer financial products to U.S. residents, such as derivatives, that would trigger registration or AML obligations for a centralized entity, what is happening to BitMEX suggests the platform and its founders may still face scrutiny from U.S. regulators.
Background
Being registered in the Seychelles allowed BitMEX users to trade cryptocurrency derivatives. As of last year, according to the regulators, BitMEX has allegedly earned more than $1 billion in user transaction fees since 2014. The CFTC asserts BitMEX violated the Commodities Exchange Act by failing to register as a future commissions merchant. The CFTC and DOJ also allege BitMEX failed to implement compliance procedures required of financial institutions active in U.S. markets, such as AML protocols. Users allegedly could register with BitMEX by providing a verified email address and were not required to provide any documents to verify their identity or location.
The DOJ alleges BitMEX’s conduct constitutes a willful violation of the BSA. The CFTC and DOJ each assert jurisdiction over BitMEX based on allegations of defendants’ business in the U.S., and the soliciting and accepting of orders and funds from U.S. users. The government alleges BitMEX’s “maze” of offshore entities was meant to obscure its significant contacts with the U.S. Despite being registered in the Seychelles, BitMEX allegedly has no physical presence there, but does have many subsidiaries and affiliates in the U.S. The CFTC also points out:
- Approximately half of BitMEX’s workforce is based in the U.S.
- It developed and runs its website in the U.S.
- One founder allegedly lived in the U.S.
- Another founder, while residing abroad, owns his interest through a Delaware LLC and has a U.S. bank account
- BitMEX actively solicited and marketed to U.S. residents through participation in industry events and the development of a bounty program for U.S. users
The government alleges BitMEX’s withdrawal from the U.S. in 2015 was a ruse and that U.S. residents’ continued access to BitMEX was an “open secret” because BitMEX only required IP verification upon creating an account and allowed users to sign in through the Tor Network and VPN.
The government also alleges the defendants attempted to avoid U.S. law by incorporating in the Seychelles, allegedly barring – but knowingly allowing – U.S.-based users to participate, and deleting evidence of U.S.-based users. The DOJ alleges these steps to circumvent U.S. law reveal the defendants’ willful violation of the BSA.
Key lessons
Blockchain-based platforms involved in both centralized finance (CeFi) and DeFi can learn the following from the BitMEX actions:
Offshore registration and living offshore are not enough to avoid the jurisdiction of U.S. law enforcement. In assessing whether U.S. law applies to an exchange or platform, regulators will look beyond form and determine whether the substance of an individual’s or entity’s conduct provides sufficient jurisdictional basis.
Avoiding U.S. markets is only effective if you actually avoid U.S. markets. Though tautological, a business can only avoid U.S. regulation by truly staying outside of U.S. markets. According to the U.S. government, it is not enough to disclaim U.S. contacts and take half-measures to achieve that goal. Notably, the government focused in this case on BitMEX’s continued marketing efforts in the U.S.
Founders and employees may have exposure for a platform’s activity if steps are not taken to comply with applicable law. If a platform has contacts within the U.S. or has not taken affirmative, reasonable steps to exclude U.S. persons from the platform, U.S. regulators may seek to establish jurisdiction. Even absent centralized ownership or founder control, regulators may target individuals within the company, including those who developed or created the digital asset, protocol or platform, if it was designed and launched without taking into account compliance obligations.
The absence of immediate legal repercussions is not proof of an absence of liability. The DOJ and CFTC cite conduct from more than five years ago. Law enforcement need not, and rarely will, charge a defendant at the first sign of potential illegality. Thus, compliance with applicable laws should be a continuing priority, regardless of whether a company faces immediate regulatory scrutiny.
BitMEX has developed a reputation as one the largest and most successful offshore digital currency exchanges. The government’s actions show how U.S. regulators will work together in bringing enforcement actions, bringing scrutiny to even those that might initially appear beyond the reach of U.S. law.