Introduction to the case
In the wake of U.S. regulatory scrutiny, cryptocurrency giant Binance, has seen its 60% market share halved. The crackdown came in response to Binance’s failure to comply with regulations. It failed to report over 100,000 suspicious transactions involving organizations linked to terrorist groups and engaged in various illegal activities. This case is a lesson in the risks and costs of an unethical corporate culture and not complying with government regulations.
Details of the fraud
Binance operates an online financial platform for crypto exchange and is a money service business (MSB) operating in the U.S.
By its nature and design, transactions involving cryptocurrency are considered high risk because they are susceptible to being used in illicit activities. With the promise of greater anonymity and free-flowing cross-border transactions, cryptocurrency has become a popular medium for criminal trade.
Hence, regulators around the world have put greater scrutiny on cryptocurrency businesses, including Binance. The U.S. Securities Exchange Commission (SEC) found that Binance had facilitated various illicit activities on its platform from July 14, 2017, through July 30, 2023.1
Binance’s failure to comply with its monitoring and reporting obligations under the U.S. Bank Secrecy Act (BSA) helped facilitate the movement of illicit funds and finance criminals and terrorists.
It failed to register as a money service company with the U.S. Financial Crimes Enforcement Network (FinCEN).
It did not develop, implement, or maintain any anti-money laundering (AML) programs, including know-your-customer (KYC) procedures, which is a direct violation of U.S. money laundering laws.
How did the fraudsters commit the crime?
- Binance had a culture of facilitating client transactions, including overriding internal controls or disregarding regulatory requirements. Such disregard included developing a process to notify VIP users if they had become the subject of a law enforcement inquiry.1
- FinCEN found that Binance’s senior management attempted to conceal the existence of U.S. VIP users on its platform. An employee was instructed to change internal reports by reclassifying country codes from ‘U.S.’ to ‘UNKNWN,’ and to restrict access to view information about these users within the company.1
- Binance conducted business in the U.S., with the platform hosting over 1 million American users.1 It employed over 100 individuals based in the U.S., partnered with a U.S. financial institution (Paxos Trust Company), and acquired a U.S. company (Voyager Digital). Despite soliciting and serving U.S. customers, Binance did not register with FinCEN and operated as an unregistered MSB from August 2017 to October 2022.1
- VIP users2 accounted for two-thirds to three-quarters of both trading volume and trading revenue on binance.com. FinCEN found that Binance took steps to help these valuable U.S.-based VIP customers hide their U.S. nexus to circumvent internal controls. FinCEN also found that Binance’s senior management, including its former chief executive officer and chief compliance officer, had endorsed Binance’s encouragement of U.S. VIP customers to use virtual private networks to mask IP addresses, thereby circumventing geofencing controls that Binance had in place.1
- Binance allowed users to open accounts and trade without providing any identifying information (e.g., anyone with an email address could have set up an account).1 Binance began requiring all users to provide KYC information in August 2021 (four years after binance.com launched) but allowed users who had not previously provided KYC information to continue trading on the exchange until May 2022. In doing so, FinCEN found that Binance was involved in facilitating crypto transactions from darknet sites, hacks, ransomware, and fraud.1 For example, in September 2020, a North Korean hacking group called Lazarus stole $5.4 million worth of virtual currency from a Slovakian crypto exchange, as part of a series of cyber heists aimed at funding North Korea's nuclear program. In about nine minutes, the hackers took advantage of Binance’s weak client opening/verification KYC requirements and used encrypted email addresses to quickly open dozens of accounts on the Binance platform to launder the stolen funds.
- In 2019, Binance announced that it would block U.S. customers and launched a separate U.S. exchange. As part of its KYC process, Binance claimed that U.S. users would be identified based on their IP addresses and through self-certification.1 However, not only were the U.S. users not blocked, Binance continued processing transactions where it had received contradictory information between IP addresses and users’ self-certification.1
- Under the BSA, Binance is required to identify and report suspicious transactions that involve or aggregate to at least $2,000.1 However, FinCEN found that Binance did not have a process to monitor transactions. It did not file suspicious activity reports with FinCEN from approximately July 2017 to July 2023. Binance is also required to file suspicious activity reports for transactions involving sanctioned jurisdictions.1 Binance processed 1.1 million transactions worth over $898 million between U.S. users and Iranian accounts from January 2018 to May 2022. It did not file any reports in respect of these transactions.
What was the outcome?
- Binance agreed to pay a fine of ~$1.8 billion and to forfeit assets of ~$2.5 billion, a total settlement of ~$4.3 billion.
- Binance is required to implement new compliance rules and enhance current ones.
- Binance will be subject to an extensive ongoing monitoring program to ensure its compliance over the next three years, to be conducted by an independent third-party approved by regulatory agencies.
- Binance’s former CEO pleaded guilty to breaching U.S. AML regulations in failing to maintain an effective AML program and is required to step down.
- The former CEO settled a criminal penalty fine amounting to $50 million and will be subject to civil penalties totalling $150 million.
How could this have been prevented?
A number of contributing factors led to Binance’s situation. However, there are some key takeaways and learnings to reduce the risk of your organization being susceptible to similar failures in corporate governance and regulatory compliance.
- Understand the regulations and regulatory obligations that apply to your business.
- Assign roles and responsibilities to specific individuals to ensure the business complies with the regulatory requirements.
- Develop a code of conduct and complementary policies that encapsulate what ethical standards mean for your organization.
- Communicate your code of conduct and policies to all employees, including education sessions to ensure understanding of the policies and processes available to encourage compliance.
- Review existing internal controls and assess whether they are effectively identifying and mitigating relevant risks.
- Consider how controls can be overridden and design procedures to monitor these risk areas. Continuously evaluate controls and modify them as appropriate as your organization evolves.
- Provide ongoing and targeted training for employees on ethics (e.g., how to make difficult and ethical decisions) and practical examples of ethical dilemmas they are likely to encounter.
- Training topics can be tailored to specific groups of an organization where particular risks or deficiencies are identified.
- Provide a whistleblower hotline service for the reporting of concerns.
How BDO can help
BDO’s Forensic Disputes & Investigations and Risk Advisory Services teams can help money service businesses and other reporting entities design and establish a tailor-made AML control framework that incorporates risk-based KYC standards, ongoing monitoring, and suspect transaction screening and identification. Our professionals are experienced in the identification, assessment, and mitigation of risks with respect to fraud, money laundering, and financial crimes.
Our professional teams can also assist financial and law enforcement institutions with transaction lookbacks, investigations, and fund tracing of potential money laundering activities.
Footnotes:
* All amounts expressed in U.S. dollars unless otherwise stated.
1 Consent Order Imposing Civil Money Penalty, Number 2023-04, FinCEN, Nov. 21, 2023.
2 Since inception, Binance had a ‘VIP Program’ that catered to high volume and commercially important users. The VIP users would benefit from favourable trading fees and higher limits on the number of orders that they could submit through the exchange.