It’s common for cryptocurrency business owners to be unfamiliar with law enforcement requests. If you’re unsure of how you’d handle a law enforcement request should you receive one, this post will answer your questions.
Cryptocurrency money services businesses (MSBs) may receive law enforcement requests from time to time. While it’s natural to want to help law enforcement, as a crypto MSB, you need to consider applicable laws before you respond.
Why wouldn’t you instantly respond to a request from law enforcement for information about your customers?
The answer is privacy laws.
It’s essential that you protect the privacy of your customers and adhere to the regulations of the Gramm-Leach Bliley Act and the Right to Financial Privacy Act (RFPA) on the federal level as well as with state and local laws, which vary from state to state and between municipalities.
Bottom-line, law enforcement requests can get very confusing for cryptocurrency businesses, which is why it’s so important to develop and adhere to specific response policies as part of your overall cryptocurrency compliance program.
We’re continuing our series of cryptocompliance 101 posts to help cryptocurrency business owners understand the regulatory landscape, its nuances, and what steps need to be taken to strengthen their compliance. Today, we’re focusing on law enforcement requests – what they are, what to do if you receive one, and how to fit them into your AML compliance program.
What are law enforcement requests?
Typically, law enforcement requests ask for two types of information: customer identity or transaction activities. Requests can come from the FBI, police, or any other law enforcement organization (federal, state, and local). You might receive them via letter, email, phone, or other correspondence.
Just like other financial institutions, your crypto business is required to respond to valid law enforcement requests when they follow appropriate legal process, but it’s important to understand that accepting a request does not mean you waive your business’ right to object to it.
Remember, your goal is two-fold: to protect your customers’ private data as required by law and to assist law enforcement efforts, particularly as they relate to anti-money laundering and the Bank Secrecy Act.
With that said, it’s critical that you have a process in place to accept and respond to law enforcement requests in your compliance program, so there is never a doubt that your team is doing the right thing.
What do crypto MSBs need to do with law enforcement requests?
The most important thing to do when you receive a law enforcement request is to ask for a subpoena – whether you have the information being requested or not.
Asking for a subpoena isn’t combative. It’s necessary to ensure your business and your customers are protected.
Imagine that you received a request for information related to a customer with a common name, such as John Smith. It’s likely you have multiple customers with a common name, so it’s imperative that you are provided specific details about the customer in the law enforcement request. This way, you can accurately identify him or her.
It’s equally important that the request is specific and narrow in nature, so you’re only asked to provide necessary information to law enforcement. Whatever you do, don’t provide information that is not requested.
By asking for a subpoena, you’re ensuring the process goes through the proper legal channels and that requests are valid. You don’t want to be sued for providing the wrong information or too much information, so requiring a subpoena is also important for recordkeeping.
While there isn’t a written law related to how long MSBs need to retain law enforcement request details, the best practice is to document and retain all information and correspondence for at least five years. If you get called into court, you’ll be glad you have these documents and records!
How does law enforcement request response fit into AML compliance?
Your compliance program should include policies and procedures related to law enforcement requests, and employees should be trained to understand and follow these procedures.
When someone on your team receives a law enforcement request, they should already know exactly what to do with it and who to give it to. This isn’t just a best practice. FinCEN reminds all financial institutions that it’s actually part of the Bank Secrecy Act/Anti-Money Laundering compliance program requirements.
Your BSA Compliance Officer should be responsible for creating, accepting, and responding to law enforcement requests. He or she should also be the point person for all communications with law enforcement.
Your law enforcement request procedures should be modeled after traditional financial compliance, so like traditional financial institutions, your compliance policy should include the following at a minimum:
- Who your company accepts law enforcement requests from
- How your company accepts law enforcement requests and who is responsible for each step in the process of evaluating and responding to these requests
- Who within your company law enforcement requests should be addressed to
- What information must be included in the law enforcement request
- What information can and cannot be provided based on current federal, state, and local laws
- SAR procedures on accounts that have received law enforcement requests or on accounts that a law enforcement agency asks you to keep open for monitoring
- How employees will be trained, how often they’ll be monitored for compliance, and how often they’ll be retrained
- Who will write the training program and materials and how often the training will be updated
Bottom-line, your AML compliance program should include clear instructions for law enforcement requests so receiving them creates the least amount of stress and disruption possible.
Key takeaways about law enforcement requests for your cryptocurrency company
Law enforcement requests are common in the financial world, but they can be very confusing. With a clear understanding of what they are and how to respond to them, your crypto MSB can stay in compliance with all regulations related to these requests and your customers’ privacy.
The keys are developing the right policies and procedures, keeping them current, and keeping your employees trained.
If you have questions about AML compliance in the context of cryptocurrency business ownership, reach out to our team today for a free consultation.
