No Foolish Transactions: A Few Guidelines for NFT Marketplace Participants to Mitigate Anti-Money Laundering Risks
The global NFT (non-fungible token) market now is worth dozens of billions of dollars annually. Innovators and early adopters, marketplaces, and sellers, are all eager to join this market but may have questions about how to avoid bad actors or illicit funds and how to limit regulatory risk. As we've noted previously, U.S. regulators generally have stayed silent on new NFT-specific rules so far—but that silence does not preclude liability based on existing laws, including being "willfully blind" to transactions involving illegal sources of funds and similar exposure under other money laundering and related prohibitions. Given the growth of this new digital market, and increasingly well-funded enforcement, we have prepared some tips that diligent NFT marketplaces and sellers should consider to minimize money laundering risks.1
In general, an NFT marketplace participant should:
Say What Now?
Though awarded "Word of the Year" for 2021, readers may be excused for not fully grasping what an NFT is—and is not.
NFTs are not (only) digital art; instead, NFTs are digital certificates registered on a blockchain. Other blockchain tokens (such as cryptocurrencies) are fungible—one is the same as any other, like a dollar bill. NFTs, on the other hand, are unique, proving ownership of a specific asset. These assets can take the form of photos, videos, or other collectibles. Notably, NFTs are not limited to digital assets but instead can be used to prove ownership of any item, digital or not. NFTs can represent ownership of a physical asset such as a painting, a baseball card, or a pair of sneakers.
Anti-Money Laundering and Know-Your-Customer Considerations
Generally, so long as an NFT marketplace or seller is not a "financial institution," it will not be required to have any particular anti-money laundering (AML) or know your customer (KYC) policies in place. And there is not yet any activity inherent in NFT sales that should qualify an NFT seller as a "financial institution." However, there are risks to which NFT sellers should be attentive in order to (a) avoid categorization as a financial institution (unless prepared to meet the attendant regulatory obligations) and (b) minimize exposure under the criminal money laundering statutes and economic sanctions rules.
A. Implications of Categorization as a "Financial Institution"
"Financial institutions," such as banks and broker-dealers, have a variety of AML obligations, including development of an AML program. Money Services Businesses (MSBs) are a category of financial institution encompassing, among other business types, money transmitters, dealers in foreign exchange, and providers and sellers of prepaid access, each further explained below. MSBs are required to register with the U.S. Department of Treasury's Financial Crimes Enforcement Network (FinCEN). To prevent categorization as a financial institution, NFT marketplaces and sellers should avoid engaging in the activities (described below) that would trigger categorization as an MSB.
A money transmitter2 is a person that either provides money transmission services or is otherwise engaged in the transfer of funds. Examples include companies like PayPal and Venmo that provide services enabling one user to transfer money to another user, as well as administrators and exchangers of convertible virtual currencies, like Bitcoin. There are several important carve-outs from the definition of money transmitter, including for persons that transfer funds "integral to" the sale of a service or product other than money transmission. If a business sells NFTs and engages in money transmission only in connection with the sale of NFTs, then the "integral to" exception likely applies and the NFT seller likely should not be deemed a money transmitter.
A dealer in foreign exchange3 is a person that accepts funds legally recognized in one country in exchange for funds legally recognized in another country in an amount greater than $1,000 for any other person on any one day in one or more transactions. Exchange services often found in airports are illustrative; such services now are often found online.
A provider of prepaid access4 is the participant within a prepaid program (i.e., a program to provide access to funds paid in advance) that serves as the principal conduit for access to information from other participants. For example, in a typical department store gift card program (gift cards being a type of prepaid access), the department store is the provider of prepaid access. There are carve-outs, however, if the program is a "closed loop" program (where the funds can only be spent at a defined merchant) and the funds are capped at $2,000 per access device (e.g., the card) per day, or if the program is an "open loop" program (the funds can be spent at unaffiliated merchants) but the funds are capped at $1,000 per access device per day, and certain other criteria are satisfied.5
Even if a company is not a provider of prepaid access, the company still could be a seller of prepaid access.6 A seller of prepaid access generally is an entity that receives funds in exchange for loading prepaid access—such as a pharmacy that sells Visa gift cards—where the seller of the prepaid access (a) sells more than $10,000 in prepaid access to any single person in any one day and has not implemented policies and procedures to prevent sales in excess of the $10,000 threshold, or (b) does not verify the identities of the purchaser of prepaid access in advance and the prepaid access exceeds the $2,000 "closed loop" or $1,000 "open loop" carve-outs referenced above.
If NFT sellers want to avoid falling into any of the MSB categories above, they may want to adhere to the following guidelines:
B. Criminal Money Laundering and Economic Sanctions Considerations
(i) Due Diligence and Sanctions Screening
As long as a seller of NFTs is not an MSB, as discussed above, that seller should not be required to register with FinCEN or develop any particular type of AML program. However, NFT marketplaces and sellers should also be aware of the criminal money laundering statutes.7 To avoid exposure under these statutes, NFT marketplaces and sellers should ensure that they are not "willfully blind" to transacting with and/or accepting illegally derived money or engaging in transactions that facilitate or conceal illegal activity. The criminal money laundering statutes prohibit involvement in such transactions. Performing customer due diligence, which ideally should be formalized in a written program, reduces these money laundering risks.
Customer due diligence is also essential to minimize risks arising from U.S. economic sanctions, which prohibit or limit conducting transactions with certain countries (such as Cuba, Iran, North Korea, Syria, and certain regions of Ukraine), as well as specified entities, groups, and individuals. More specifically, NFT marketplaces and sellers should screen all customers, or at least counterparties that are not in the United States, against the prohibited parties lists maintained by the U.S. Treasury and State Departments. Screening can prevent unwittingly dealing with a person that is the subject of targeted or comprehensive sanctions. While screening technically is not mandated under the economic sanctions regulations, those regulations generally impose a "strict liability" standard under which a company may be liable for violations even if it had no reason to know that the counterparty was a prohibited person. Accordingly, failure to screen parties can create acute risks. A robust screening process, even if it does not prevent all unwitting errors, may be a mitigating factor in a potential enforcement action. Screening therefore is strongly advisable.
(ii) Other Safeguards: A $10k Threshold, Customer Certification, and Identifying Potential Red Flags
To limit the risk of accepting payments of criminally tainted money, NFT marketplaces and sellers may want to consider limiting sales to less than $10,000.
Why the $10,000 threshold? Although violations of the criminal statutes can occur with amounts under $10,000 (which is one reason why NFT sellers should ensure they are never willfully blind to illegally derived proceeds in any amount), the proposed $10,000 threshold may help rebut a willful blindness allegation and, further, one of the broadest money laundering statutes (18 U.S.C. § 1957) is relevant only to transactions involving $10,000 or more. In addition, $10,000 is a threshold relevant to other AML regulatory requirements (such as the requirement for businesses to report cash transactions greater than $10,000 by filing IRS Form 8300).
In addition, if there are any concerns regarding the source of funds (whether above or below the $10,000 threshold), it is advisable to have a buyer complete a certification document attesting that no funds used in the transaction were derived illegally.
Finally, NFT sellers should consider training sales staff to identify and report certain red flags when making NFT sales. These include:
None of the actions described above will fully eliminate AML risk. However, each affirmative step a marketplace or seller takes to limit the possibility that it accepts criminally tainted or other illicit funds as payment will each demonstrate to law enforcement, and customers, that the seller is working to minimize the prospect of serving as an unwitting money laundering participant.
For more information about limiting AML risk, please contact Wilson Sonsini attorneys Stephen Heifetz, Jahna Hartwig, Amy Caiazza, Josh Kaplan, Jonathan Davey, or Troy Jenkins, or any member of the national security practice.
[1] Please note that NFTs may raise additional regulatory, IP, and other considerations not addressed in this alert.
[2] See 31 C.F.R. Part 1010.100(ff)(5) for full definition.
[3] See 31 C.F.R. Part 1010.100(ff)(1) for full definition.
[4] See 31 C.F.R. Part 1010.100(ff)(4) for full definition.
[5] To rely on the exemption from FinCEN’s provider of prepaid access in connection with an “open loop” program, in addition to the $1,000 cap per access device per day, the prepaid program must prohibit (a) funds or value to be transmitted internationally, (b) transfers between or among users of prepaid access within a prepaid program, and (c) loading additional funds or the value of funds from non-depository sources. See 31 C.F.R. Part 1010.100(ff)(4)(iii)(D).