Inside Bitcoins_Shapiro

© 2013 Promontory Financial Group, LLC. All rights reserved.
WASHINGTON, D.C. ATLANTA BRUSSELS DENVER DUBAI HONG KONG LONDON MILAN NEW YORK PARIS SAN FRANCISCO SINGAPORE SYDNEY TOKYO TORONTO
A Practical Guide to Bitcoin Regulation & Compliance
December 10, 2013
Bill Haraf, Managing Director, wharaf@promontory.com
Adam Shapiro, Director, ashapiro@promontory.com

Transcript of Inside Bitcoins_Shapiro

Page 1: Inside Bitcoins_Shapiro

© 2013 Promontory Financial Group, LLC. All rights reserved.

WASHINGTON, D.C. ATLANTA BRUSSELS DENVER DUBAI HONG KONG LONDON MILAN NEW YORK PARIS SAN FRANCISCO SINGAPORE SYDNEY TOKYO TORONTO

A Practical Guide to Bitcoin Regulation & Compliance

December 10, 2013

Bill Haraf, Managing Director

wharaf@promontory.com

Adam Shapiro, Director

ashapiro@promontory.com

Page 2: Inside Bitcoins_Shapiro

Today’s Regulatory Environment

• Innovator culture vs. Regulator culture

o Speed and creativity vs. caution and controls

o Increased regulatory skepticism about benefits of innovations, particularly post financial crisis

• Financial institutions and markets are under more scrutiny than ever before

o In addition to safety and soundness, high level of oversight of BSA compliance, data security, consumer protection, third party vendor relationships, agency relationships, fairness and privacy programs

o Compliance programs are being held to “six sigma” standards

o Very large fines for BSA/OFAC violations

• These considerations have made banks and other FIs cautious about accepting “high risk customers” such as digital currency firms

Page 3: Inside Bitcoins_Shapiro

Impact on Digital Currency Ecosystem

• Digital currencies are now receiving a high level of attention in Washington DC and across the states

o From policymakers, regulators and law enforcement

o Key states such as California and New York getting close to decisions about how to regulate digital currencies

• Current posture, generally speaking, is “watchful waiting”

o Don’t stifle innovation, but be cautious about potential risks and benefits

o E.g., Homeland Security & Banking Committee hearings last month

• Belief that the current regulatory framework can be adapted to accommodate without major modifications, perhaps with definitional changes

o Money transmitter rules, futures and forwards, market making and dealing, securities issuance

Page 4: Inside Bitcoins_Shapiro

Regulatory Risk Management

• Are you currently doing business in the U.S. and/or with U.S. customers?

• Could your business be subject to licensing and/or registration requirements?

• If so, are you taking regulatory and/or legal risk that can potentially put your business in jeopardy and subject you to criminal sanctions?

• How much regulatory risk do you want to take? You can argue that your business doesn’t require licensing and/or registration, but the regulators’ views will generally prevail in the courts

• Potential for personal liability, especially if law enforcement discovers unlawful activity

• Do you think your company’s future is brighter as a component of mainstream finance or outside of it?

Page 5: Inside Bitcoins_Shapiro

Licensing – Strategic Considerations

• Access to capital and banking relationships are critical success factors for digital currency firms, but often difficult, at least today, to achieve

o Some banks are willing to provide services, as long as potential partner firms have licenses or have started the licensing process

o Some larger investors now requiring licensing plans as a condition of investment – heightened concern about personal liability of directors

• A license can be a “Good Housekeeping Seal of Approval”

o Demonstrates approvable financial and managerial resources and attentiveness to an appropriate control environment

o The process can be onerous, but considerations are appropriate for a company handling “other people’s money”

o Can protect your company from reputational damage caused by the unlawful actions of unlicensed actors

• So what does the licensing application look like, and how is it judged?

Page 6: Inside Bitcoins_Shapiro

The Money Transmitter License Application

• Requirements vary state-by-state, but key components include:

o Background and qualifications of management, board and major shareholders

o A Business Plan

o Flow-of-Funds descriptions/diagrams

o Financial resources and stability of company, both now and against strategic plans

o Descriptions of actual/planned systems and controls, particularly those focused on:

▪ Protection of customer funds

▪ Anti money laundering (“AML”) and sanctions compliance

▪ Privacy and data security

• The licensing application decision process involves regulatory judgment – not everything is black & white

Page 7: Inside Bitcoins_Shapiro

Successfully Transitioning to Regulation

• Firms that are successful in minimizing regulatory concerns:

o Understand the public policy concerns regulators have in relation to digital currencies and can articulate how the firm addresses them

o Devote resources and management time to the application process

o Set a positive tone for the regulatory relationship from the outset

o Invest appropriately in compliance staff and systems based on size and activities

▪ Key areas of regulatory focus currently are BSA/AML and protection of customer funds

o Ensure that all employees recognize:

▪ The importance of compliance

▪ The need for greater process formality, documentation and record-keeping in areas of regulatory focus

o Maintain good relationships with regulators and avoid “surprises”

Page 8: Inside Bitcoins_Shapiro

Effective Compliance Programs

• BSA/AML Programs

• Industry-wide BSA/AML Challenges

• Other Significant Compliance Issues

Page 9: Inside Bitcoins_Shapiro

The Four Pillars of BSA/AML Programs

• Internal controls based upon the MSB’s risk assessment, which are designed to detect and deter money laundering and terrorist financing

• A designated BSA/AML compliance officer with the stature and qualifications to implement and supervise the BSA/AML Program

• Independent testing of the MSB to measure compliance with the BSA

• Evidence of BSA/AML training for appropriate personnel

Page 10: Inside Bitcoins_Shapiro

Key Resources

• BSA/AML Examination Manual for Money Services Businesses (Financial Crimes Enforcement Network (“FinCEN”), 2008)

• BSA/AML Examination Manual (Federal Financial Institutions Examination Council, 2010). Applicable to banks rather than MSBs, but useful for requirements related to Office of Foreign Assets Control (“OFAC”) compliance and more generally for best practices, particularly in relation to:

o BSA/AML Risk Assessment

o Customer Identification Program

o Customer Due Diligence

• Risk-Based Approach: Guidance for Money Service Businesses (Financial Action Task Force, July 2009)

• FinCEN and OFAC websites (www.fincen.gov and http://www.treasury.gov/resource-center/sanctions/Pages/default.aspx)

Page 11: Inside Bitcoins_Shapiro

Key BSA/AML Controls – Program

• Written policy/program (and associated procedures)

• Risk assessment

o Inherent Risk

o Quality of Controls and Residual Risk

o Proposed Corrective Action/Enhancements

• Staffing

• Documentation (if it’s not written down, it didn’t happen)

• Risk-based training

o Baseline training for all staff, contractors and board members

o More detailed training for people with key roles implementing the program

o Evidence of materials and completion

• Governance and oversight

o QA and monitoring

o Escalation and whistleblowing

o Reporting and action tracking

o Tone at the top

Page 12: Inside Bitcoins_Shapiro

Key Controls – Know Your Customer (“KYC”)

• Customer Identification and Verification

o Scope of program:

▪ All customers?

▪ Legal minimum?

▪ Somewhere in between (FATF best practice)?

o Cost effective verification:

▪ Automation

▪ What to do about potential customers that don’t pass

• OFAC/Economic Sanctions

o Applies regardless of regulated status

o Broader than KYC (e.g. transaction parties, staff, contractors etc.)

o Real-time compliance

• Customer Due Diligence/Enhanced Due Diligence

o Ambiguous application to MSBs…

o … but clearly justified on a risk-based basis

o FFIEC Manual for banks helps with best practices

Page 13: Inside Bitcoins_Shapiro

Key Controls – Transaction Monitoring and Investigations

• Transaction Monitoring

o Both automated and manual

o Key typologies include:

▪ Patterns/smurfing

▪ Unusually large transactions

▪ Structuring

▪ Indications of illicit activity

o Leveraging the block chain

o Controls over changes to monitoring thresholds

• Investigations

o Investigate all alerts and referrals

o Review affected customer(s) wider activity for related/similar transactions

o If found not to be suspicious, document the reason

o If suspicious, file a Suspicious Activity Report within 30 days of detection of the fact pattern

Page 14: Inside Bitcoins_Shapiro

Key Controls – Reporting, Recordkeeping and Information Sharing

• Suspicious Activity Reporting

• Currency Transaction Reporting and Currency or Monetary Instruments Reporting (not relevant to many Bitcoin business models)

• Funds Transfer Recordkeeping

• The Travel Rule – not designed with Bitcoin and digital currencies in mind!

• Foreign Bank and Financial Accounts Reporting

• Subpoena handling and other government requests

• 314(b) Information Sharing (at last something that is optional)

Page 15: Inside Bitcoins_Shapiro

Know Your Counterparty – Bitcoin’s Major BSA/AML Challenge

• U.S. authorities believe that firms need counterparty information for effective transaction monitoring and OFAC compliance

• U.S. expects major payments systems to provide – or make available – beneficiary and originator information to all financial institutions involved in the payment chain (e.g. SWIFT messaging changes)

• Choice for the Bitcoin community – define a workable way to achieve this or risk having an unworkable one imposed for U.S.-related business

• Real tensions between BSA/AML expectations on the one hand and privacy concerns on the other. Needs careful thought:

o A good first step – sharing of non-personally identifiable information

o Ability to tag wallets (hosted or independent) as Identity Verified

o No transmission of identity information – firms can pull as required

o Firms store information only when required by recordkeeping requirements

Page 16: Inside Bitcoins_Shapiro

Other Key Compliance Issues

• Consumer Compliance

o Regulation E (and consumer expectations)

o Fees, disclosures and receipts

o Consumer understanding and market risk

• Information Security & Privacy

o Safeguarding of customer funds and privacy of consumer information critical both to regulatory acceptance and consumer adoption

o Current wave of hacks and thefts unhelpful to both causes

o Incumbent on firms to demonstrate

• Compliance beyond money transmission

o Futures and other derivatives

o Securities

o Lending

o Fractional reserve banking

Page 17: Inside Bitcoins_Shapiro

Regulatory Examinations

• Frequency and rigor of examination of small firms is less than for large financial institutions

o Several year cycle typical

o Multi-state (but not all states) coordination process

• Process:

o Document request

o Onsite exam

o Exit meeting

o Written findings

• 4 “Cs” of regulatory communication:

o Candor

o Coherence

o Consistency

o Courtesy

Page 18: Inside Bitcoins_Shapiro

Thank You!

Questions?

Bill Haraf, Managing Director

wharaf@promontory.com

Adam Shapiro, Director

ashapiro@promontory.com