The High Cost of Noncompliance: Making Sense of BitMEX’s $100 Million AML Penalty

THE BANK SECRECY ACT VIOLATIONS

The BitMEX conviction and penalty stem from the company’s July 2024 decision to plead guilty to violating certain provisions of the Bank Secrecy Act (BSA) as alleged in a criminal information filed by the US Attorney’s Office for the Southern District of New York (SDNY). According to SDNY prosecutors, from November 2014 through September 2020, BitMEX and its founders solicited and accepted orders for trades in futures contracts and other derivatives tied to the value of cryptocurrencies, including bitcoin. In so doing, prosecutors alleged that BitMEX acted as a futures commission merchant (FCM) that was required to comply with the BSA. SDNY further alleged that BitMEX and its founders and executives knew at least in or around September 2015 – when the CFTC issued an order extending AML requirements to cryptocurrencies, including bitcoin – that AML requirements would apply when BitMEX served US customers or operated in the United States.

Thereafter, as set forth in the criminal information, BitMEX and its founders and executives willfully violated the BSA by knowingly failing to establish, implement, and maintain an adequate AML program, including an adequate customer identification program (more commonly referred to as a “know your customer” or “KYC” program). Under the BSA, any financial institution, including an FCM, must establish an AML program that includes, at a minimum, “policies, procedures, and internal controls reasonably designed to prevent the financial institution from being used for money laundering or the financing of terrorist activities.” Further, an FCM must also implement a written KYC program that includes “risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable.”

Despite these applicable BSA/AML requirements, according to SDNY, BitMEX, as an FCM, did not adopt or implement any formal AML policies, procedures, or internal controls, nor did it implement a written KYC program for verifying the identity of its customers. Notably, prior to August 2020, BitMEX customers could register to trade on the platform anonymously without providing any identifying information or documentation. More specifically, BitMEX was accused of permitting new clients to register by providing only a verified email address. During the same period, prosecutors alleged BitMEX also failed to file any suspicious activity reports (SARs) regarding suspected illegal activity on its platform, as FCMs are required to do for any suspicious transactions of $5,000 or more.

Previously, in August 2021, BitMEX settled a parallel civil action brought by the CFTC alleging that BitMEX, among other entities, failed to register with the CFTC and violated multiple regulations, including AML requirements, though the company did not admit or deny the allegations. The $100 million settlement with the CFTC also resolved a related action brought against BitMEX by the Financial Crimes Enforcement Network. Relatedly, between February and May 2022, three of BitMEX’s founders pleaded guilty to violating the BSA and each paid a $10 million fine.

THE $100 MILLION PENALTY AND AGGRAVATING FACTORS

In sentencing BitMEX, US District Judge John G. Koeltl rejected the company’s argument that no additional fines were warranted beyond those already paid by BitMEX and its executives in connection with the CFTC settlement. Judge Koeltl noted that BitMEX represented for several years that it was not operating in the United States even though US customers constituted a significant share of the company’s business. Yet, the $100 million penalty imposed by Judge Koeltl fell well short of the $417 million fine sought by the US government and below the sentencing guidelines, which called for a monetary penalty between $231 million and $471 million. Judge Koeltl indicated that a penalty on the higher end of such a range would be too severe given the $130 million in penalties already imposed on BitMEX and its founders and executives. In addition to the monetary penalty, Judge Koeltl imposed a two-year probationary period on BitMEX, rejecting the company’s request to avoid probation.

Several aggravating factors merit discussion in light of the sentence imposed against BitMEX:

• According to the criminal information, despite BitMEX’s founders and executives knowing as of at least September 2015 that the company could not serve US customers without complying with AML and KYC requirements, BitMEX actively encouraged or allowed US customers to use its platform and failed to take steps to effectively restrict such customers from doing so.
• The US government alleged that BitMEX engaged in various marketing activities intended to attract US customers, including advertising the lack of documentation required for identity verification and expressly stating on its website that “[n]o real-name or other advanced verification is required on BitMEX.”
• As part of its effort to willfully violate the BSA, BitMEX made false statements to a foreign bank in order to convince the foreign bank to open an account that BitMEX could surreptitiously use for its operations.

KEY TAKEAWAYS

• The obligations imposed by the BSA, while significant, can be met through development of a risk-based AML program. Outside counsel can help financial institutions design new BSA programs or assist in tailoring and updating existing programs to ensure compliance.
• As illustrated by the civil and criminal resolutions for BitMEX, the consequences of noncompliance can be substantial, including parallel enforcement actions, criminal indictment, and severe fines and financial penalties. As happened with BitMEX, the court in the SDNY criminal case rejected the company’s suggestion that the $100 million settlement it had already paid to the CFTC could adequately address the criminal violations.
• Cryptocurrency exchanges that decide to enter the US market during what is expected to be a pro-crypto regulatory environment should still consider the lessons learned from the BitMEX prosecution. Apparently, Judge Koeltl was not moved by BitMEX’s argument that no additional fine was necessary because its offending conduct began in 2014, during a time of regulatory uncertainty.