Every year, federal agencies (primarily the FBI) issue thousands of National Security Letters (NSLs) to gather information they believe will help national security-related investigations and protect against terrorism and “clandestine intelligence activities.”
While cryptocurrency businesses don’t receive NSLs often, the number of NSLs issued has been growing every year, so there is a strong possibility that business owners running crypto MSBs and other companies will receive one from time to time.
Any form of contact from the FBI can be intimidating, but don’t panic. Still, an NSL is a delicate matter with implications for your compliance, so it’s best to be prepared in your response.
We’re continuing our series of cryptocompliance 101 posts to help cryptocurrency business owners understand the regulatory landscape, its nuances, and what steps need to be taken to strengthen their compliance.
Today, we’re focusing on National Security Letters – what they are, how to respond if you receive one, and how to incorporate National Security Letter policies into your cryptocurrency compliance program.
What Are National Security Letters?
A National Security Letter is an administrative subpoena (that’s a fancy legal term for an investigative tool) that the federal government uses to collect information in support of national security investigations.
NSLs can be authorized under three different statutes, but MSBs are most likely to receive them under the Right to Financial Privacy Act (RFPA). In this case, the NSL will request customer financial records.
NSLs are actually quite controversial because they don’t require a judge’s approval and they must be kept secret indefinitely. Here’s what you need to know about the NSL non-disclosure requirements:
- When you receive a National Security Letter, you can’t tell anyone about it – not your coworkers, friends, family, the person named in the NSL, or anyone else you can think of.
- However, you can discuss the NSL with the individuals who need to help you gather the requested information, usually your employees.
- Also, you can discuss the NSL with your attorney because you can challenge the NSL in court, including the non-disclosure order.
Keep in mind, the NSL gag order is indefinite and can only be removed by a judge’s order.
If you or anyone in your cryptocurrency business violates the non-disclosure requirement of the NSL, the penalties defined in the USA Patriot Act are harsh and include up to five years in prison.
The bottom line, take the gag order seriously.
How Should Cryptos Respond To NSLs?
If your MSB receives a National Security Letter, the first thing you should do is stay calm. You’re not in trouble!
Still, there is a right way to respond thoughtfully. Here are some steps to include in your procedure:
1. Verify The Request
Confirm that the request is legal and legitimately from the FBI. NSLs are usually issued by the FBI Director, an Assistant Director at the FBI, or a commanding officer at an FBI field office referred to as a Special Agent in Charge.
2. Review The Demands
Review the information being sought in the NSL and confirm that you have access to that information. Keep in mind, some NSLs can be very broad. Consult with an attorney if you need help understanding a demand or determining if an NSL is over-reaching and asking for more information than you’re legally required to provide.
3. Adhere To The Gag Order
Adhere to the non-disclosure requirements of the NSL and make sure you don’t tell anyone about it except the people who will help you gather the requested information and your attorney if you decide to fight any aspect of the NSL.
4. Respond To The NSL
Gather the demanded information and provide it to the FBI based on the requirements included in the NSL.
Keep in mind, in emergency situations, the FBI may verbally request financial records from you. This is allowed under the RFPA in situations that create an imminent danger of serious property damage, physical injury to a person, or flight by a suspect to avoid prosecution.
Just remember that you’re not in trouble. You’re simply being asked to provide information. As long as you provide that information in the time allotted in the NSL and you don’t tell anyone about the NSL, you’ll be compliant and stay out of trouble.
You might be wondering how NSLs fit into your suspicious activity (SAR) reporting. It’s simple. NSLs are secret, so any SAR filed after you receive a National Security Letter should not mention the NSL at all.
As far as your SAR reports are concerned, the NSL doesn’t exist. It’s that much of a secret. Your SAR filings should only include suspicious transactions that you or your employees identify, not those identified through NSLs.
How Does NSL Response Fit Into Cryptocompliance?
Large financial institutions, internet service providers, and telecommunications companies receive FBI requests often, including NSLs. They have policies in place to respond to NSLs, and so should you.
Your NSL response policy should be included in your overall cryptocompliance program and your Chief Compliance Officer should take responsibility for creating, maintaining, and implementing it as well as training employees on their roles in compliance, including NSL non-disclosures.
Here are key components that your NSL response policy should have to ensure your MSB is always in compliance with relevant laws:
- Identify who should receive and respond to NSLs.
- Identify whose support will be needed to collect the information demanded.
- Explain how you’ll respond to demands (unless otherwise directed in the NSL).
- State when you’ll respond to demands (unless otherwise directed in the NSL).
- Describe how you’ll keep NSLs secret.
How do you turn this into a written policy? Here’s a brief example to help you get started (replace [MSB] with your cryptocurrency business name):
[MSB] will respond to National Security Letters (“NSLs”) to obtain financial records, among other things, by querying its records to determine whether the individual, entity, or organization named in an NSL has engaged in any transactional activities. [MSB] is required to report matches no later than fourteen (14) calendar days after the date of request. The receipt of an NSL is highly confidential.
No member of [MSB] will disclose to any person that a government authority or the FBI has sought or obtained access to records of each individual, entity, or organization named in the NSL. If a SAR is filed after receiving an NSL, the SAR will not contain any reference to the receipt or existence of the NSL.
You can adapt this text to your business and processes, and add more information to meet your needs. The point is to have a written policy in place and trained employees who are ready to put the policy into action if you receive a National Security Letter.
Key Takeaways For Crypto Businesses
If you ever receive a National Security Letter, you do need to be prepared to thoughtfully respond in a timely manner.
There are a lot of nuanced ways in which your policy on NSL response fits into your overall AML compliance. We’re experts in adapting traditional financial compliance obligations to the cryptocurrency space, so if you need help developing an AML cryptocompliance that includes a policy for responding to NSLs and other law enforcement requests, contact us here to schedule a free consultation.