AML/KYC

Subscribe to AML/KYC via RSS

In July 2025, President Donald Trump signed the bipartisan-supported Guiding and Establishing National Innovation for U.S. Stablecoins Act (the “GENIUS Act” or the “Act”) into law. The GENIUS Act is the first major federal law that specifically regulates the cryptocurrency industry, establishing a comprehensive regulatory framework for payment stablecoins in the U.S. The Act, which will take effect by January 2027 (or earlier if final regulations implementing the Act are issued), significantly reshapes the legal landscape for digital assets in the U.S. and may provide momentum for further Congressional actions in the digital assets space.

Generally speaking, a stablecoin is a type of cryptocurrency designed to maintain a stable value by being pegged to a reserve asset, such as a fiat currency, a commodity, or a basket of reliable assets. Stablecoins aim to provide price stability, making them useful for everyday transactions, trading, and decentralized finance (DeFi) applications, including liquidity pools for collateral in lending and borrowing and as payments for low-cost borderless transactions. Stablecoins collectively represent hundreds of billions of dollars in market cap, underscoring the significance of the Genius Act’s goal to provide legal clarity and a structured framework for stablecoin issuance and oversight. The law also seeks to enhance trust and reduce the custodial and operational risks of stablecoins that were evidenced in recent years during a major algorithmic stablecoin collapse and a “depegging” incident of a major stablecoin. Overall, the law covers digital finance regulation, consumer protection, anti-money laundering (AML) compliance, federal and state regulatory frameworks, bankruptcy, and U.S. monetary policy in general.

To do this, the Act:

  • Formally defines “payment stablecoins”
  • Limits the integration of algorithmic stablecoins into the mainstream financial system and only recognizes fiat-backed stablecoins as permitted payment stablecoins
  • Establishes a federal licensing framework for domestic and foreign issuers
  • Sets standards for reserves and redemption and prohibits “rehypothecation”
  • Clarifies regulatory oversight between federal and state regulators and expressly states that licensed stablecoins are not securities or commodities
  • Enhances transparency and consumer protections, including in the event of issuer insolvency
  • Contains provisions related to anti-money laundering (AML) compliance
  • Seeks to legitimize stablecoins under U.S. law, incentivize the use of U.S. Treasury bonds as reserve assets and generally position the U.S. as a leader in digital finance

U.S. government agencies continue to take action against cryptocurrency mixing services that enable cybercriminals to obfuscate the trail of stolen proceeds on public blockchains stemming from illicit cyber activity. On November 29, 2023, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) sanctioned another virtual currency mixing

Last month, the Commodity Futures Trading Commission (CFTC) announced settled charges against three decentralized finance (DeFi) protocols for various registration and related violations under the Commodity Exchange Act (CEA) during the relevant period of investigation.  As a result, each entity paid a civil monetary penalty and agreed to cease violations of the CEA.  According to a statement by Commissioner Kristin N. Johnson, these latest settlements are the first time the CFTC charged a DeFi operator (e.g., Opyn, Inc. and Deridex, Inc.) with failing to register as a swap execution facility (SEF) or designated contract market (DCM). Moreover, these latest enforcements against DeFi entities arrive soon after the CFTC’s successful enforcement and default judgment against Ooki DAO, which the CFTC alleged was operating a decentralized blockchain-based software protocol that functioned in a manner similar to a trading platform and was violating the CEA (prior coverage of the Ooki DAO enforcement can be found here).

Unlike traditional corporate entities with a typical hierarchical structure, a decentralized autonomous organization (“DAO”) – a management structure that uses blockchain technology – functions as a leaderless entity. Without a formal corporate structure, DAOs instead operate by distributing governance rights among persons who hold a specific governance token. Consequently, federal and state courts have been grappling with how to consider a DAO under existing laws that were traditionally interpreted against long-standing corporate entities.

As discussed in a prior post, DAOs allow individuals to organize and coordinate at arms-length, and rely on code (a “protocol”) to govern and execute functions traditionally determined by governing documents, like operating agreements and articles of formation, and undertaken by executives. A DAO’s protocol is committed to a public ledger on a blockchain, which guarantees accessibility and transparency. Each member is granted governance rights – the ability to propose and approve initiatives, called proposals – through a governance token. In light of their unique makeup, DAOs lack centralized leadership and a typical top-down management structure.

Accordingly, parties have debated whether a DAO should be recognized as a general partnership under state corporation laws (i.e., N.Y. P’ship Law §10: “an association of two or more persons to carry on as co-owners a business for profit….”) or, in the case of the Commodity Futures Trading Commission’s (“CFTC”) Ooki DAO enforcement, whether a DAO could be deemed an “unincorporated association” under the Commodity Exchange Act (“CEA”). Following the filing of the CFTC’s enforcement action, it is not surprising that the structure of the Ooki DAO, and the CFTC’s enforcement action against the DAO itself, has garnered a lot of media attention and industry reaction, and has raised novel legal issues.

Several questions have arisen in recent years regarding the potential liability of DAO members:

  • While DAOs are emerging as a viable structure in the DeFi space, does their non-traditional makeup necessarily shield them from real world liability?
  • Does a DAO’s structure render its activities “enforcement proof” or, at the very least, difficult to effect traditional service of process upon?
  • Can a DAO be an “unincorporated association” under federal or state law?
  • Who should be liable for the decisions made by a DAO?
  • Because token holders participate in the DAO’s governance, can they be deemed personally liable for its actions (akin to the general partners in a general partnership), even if each governance token holder is essentially unknown to the other DAO members, who likely reside in multiple jurisdictions?

On September 22, 2022, the CFTC announced an order simultaneously filing and settling charges against bZeroX, LLC (“bZeroX”) and its creators for illegally offering leveraged and margined retail commodity transactions in digital assets, operating as an unregistered futures commission merchant and failing to conduct KYC on its customers. According to the CFTC, a month prior to this settlement announcement, bZeroX transferred control of the bZx Protocol to the bZx DAO, a decentralized autonomous organization (“DAO”), which later renamed itself as the Ooki DAO.  On the same day as the bZeroX settlement was announced, the CFTC filed an enforcement action against the Ooki DAO (successor to bZeroX) for violating those same regulations.  The CFTC stated that bZeroX and its creators engaged in this unlawful activity in connection with their decentralized blockchain-based software protocol that functioned in a manner similar to a trading platform.  The transactions executed on bZeroX, and subsequently on the Ooki DAO, were required to take place on a registered designated contract market.  Additionally, the complaint asserted that bZeroX and Ooki DAO were operating as unregistered futures commission merchants by soliciting and accepting orders from customers, accepting money or property as margin and extending credit.

The structure of Ooki DAO, and the CFTC’s enforcement action against the DAO itself, has garnered a lot of media attention (and industry reaction) and raised novel legal issues.

In late October, a New York district court refused to dismiss the Department of Justice’s (DOJ) indictment against defendant Nathaniel Chastain, who was charged with wire fraud and money laundering relating to his using insider knowledge to purchase non-fungible tokens (NFTs) prior to them being featured on OpenSea, an online NFT marketplace, and later selling them at a profit. (U.S. v. Chastain, No. 22-cr-305 (S.D.N.Y. Oct. 21, 2022)). Despite the headlines and the fact that the DOJ’s press release labeled this enforcement as charges brought in “the first ever digital asset insider trading scheme,” the Chastain indictment was not actually based on the typical insider trading statutes involving securities law violations, but instead the federal wire fraud statute.  Indeed, despite having an insider trading flavor, the word “security” does not appear in the indictment and the court, in refusing to dismiss the DOJ’s wire fraud claim, ruled that the Government’s wire fraud claim does not require the presence of a “security.”

Back in 2013, the first cryptocurrency matter hit our desks. That was the beginning of the exponential growth of our digital assets practice. Recognizing the importance of the area, we launched this blog, Blockchain and the Law. In our first cluster of posts, we covered topics such as cryptocurrency taxation, blockchain and privacy, and issues surrounding initial coin offerings (or ICOs), one of the hottest issues at that time and a practice that still garners SEC scrutiny in 2022 (interestingly, there is still no consensus around when a digital asset, outside of Bitcoin, which is considered a commodity, is a “security”).

Today, blockchain-based innovations continue apace, continuously offering new opportunities (and raising challenges). In the push toward Web3 – with its decentralized, permissionless, tokenized core – there are a variety of new technologies and innovations, from DeFi to DAOs to NFTs to fan tokens to the Merge to the metaverse.  We have been privileged to work with many of the most dynamic clients in helping them build businesses around these advances.

We were thrilled to host a three-day symposium from September 19-21, 2022 to highlight some of the hottest legal and business issues affecting digital assets, featuring a full slate of discussions among our attorneys and guests from the industry.  At the symposium, we programmed virtual panels across a range of topics: SEC enforcement and securities regulation of digital assets, asset manager considerations surrounding digital assets, employee compensation and benefits issues, cryptocurrency AML considerations, digital assets in bankruptcy, decentralized autonomous organizations (DAOs), and sports and media trends and issues in Web3.  The final day of the event culminated in an in-person reception and a “Voices from the Industry” panel featuring an eclectic group of executives from across the digital asset space talking about issues that are top of mind.  In the span of a few days, we learned a lot.

In what is the New York Department of Financial Services’ (NYDFS) first enforcement action against a NYDFS-licensed “virtual currency business,” on August 1, 2022, the agency announced $30 million settlement with cryptocurrency investing platform Robinhood Crypto, LLC (“RHC”).  The settlement addressed  charges stemming from what the NYDFS cited as various deficiencies during 2019-20 of RHC’s Bank Secrecy Act (BSA) and anti-money laundering (AML) program and RHS’ cybersecurity obligations under the agency’s Virtual Currency “BitLicense” regulation (23 NYCRR Part 200) and Cybersecurity Regulation (23 NYCRR Part 500), among other things

NYDFS has been active in crypto regulation for many years. In 2015, New York was the first state to promulgate a comprehensive framework for regulating virtual currency-related businesses. The keystones of the BitLicense regulations are consumer protection, anti-money laundering compliance and cybersecurity rules that are intended to place appropriate “guardrails” around the industry while allowing innovation. In addition, NYDFS’s Cybersecurity Regulation went into effect in March 2017 and generally requires all covered entities, including licensed virtual currency businesses, to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of its information systems. Licensed virtual currency companies are subject to the same AML and cybersecurity regulations as traditional financial services companies.