FinCEN Imposes $3.5 Million Civil Penalty Against Paxful For BSA Violations

In December, the Department of Treasury's Financial Crimes Enforcement Network (FinCEN) announced a $3,500,000 civil penalty against Paxful, Inc. and Paxful USA, Inc. ("Paxful"), pursuant to a consent order.

Paxful is an exchanger of convertible virtual currencies ("CVC"), operating both a CVC wallet service and a marketplace for peer-to-peer ("P2P") buyers and sellers of CVC. The company describes itself as "the world's largest P2P marketplace," enabling users to buy and sell digital currencies across 140 markets with hundreds of payment methods, send cash or cryptocurrency instantly, and "become a peer-to-peer market maker." According to the consent order, between February 2015 and April 2023, Paxful conducted transactions with over 4 million users, including over 50 million trades valued at a total of several billion dollars. These transactions ranged across products including CVC, prepaid access cards, and fiat currencies. In that time period, Paxful's customers engaged in over 20 million external crypto transactions worth more than $10 billion.

In the order, Paxful admitted to three types of violations. First, Paxful failed to maintain its registration with FinCen. Second, it failed to implement an effective AML program. Third, it failed to identify and report suspicious activity. Paxful agreed to pay a $3,500,000 civil penalty for these violations, which FinCEN described as "egregious" and having "caused extensive possible harm to the public."

Failure to Register as a Money Services Business

The Bank Secrecy Act ("BSA") requires all "money services businesses" to register with FinCEN as an MSB within 180 days of beginning operations, and to renew its registration every two years. Paxful is treated as an MSB because it is a "money transmitter," one of seven categories of businesses required to register as MSBs. While Paxful initially registered with FinCEN in July 2015, it allowed its registration to lapse. MSBs are required to renew their registrations by the last day of the calendar year before two-year renewal period—here, Paxful was required to re-register by December 31, 2016. It failed to do so until September 3, 2019, and therefore operated as an unregistered MSB for 974 days.

Failure to Develop, Implement, and Maintain an Effective AML Program

Much of the consent order details Paxful's failure to implement a compliant AML program. At the outset, Paxful did not have any AML program in place for its first four years of operation, only implementing a program for the first time in February 2019. The program Paxful eventually implemented still fell short of FinCEN's requirements in numerous respects, including:

• Know your customer protocols. The know your customer ("KYC") protocols Paxful put in place only applied to users whose activity exceeded $1,500, and Paxful made no effort to prevent users from evading controls by structuring transactions around this minimum.
• Customers acting as unregistered MSBs. While Paxful identified a risk that smaller P2P exchangers could use Paxful, it did not implement controls to identify unregistered MSBs.
• Geographic spoofing. Paxful did not assess customers' locations, or take any action to identify circumstances where users used geographic spoofing to hide their true location—in many cases concealing activity from locaitons the government considers high-risk jurisdictions.
• Transaction monitoring. Although Paxful's products and services could be used for money laundering, its AML program provided no mechanism for the company to identify and report suspicious activity, as required by law.
• Prepaid access transactions. Paxful operates a prepaid access program, which was a substantial portion of its business. Between May 2015 and December 2019, the top payment methods on the platform were iTunes and Amazon prepaid access cards. Despite knowing that illicit actors were exploiting this market, Paxful prioritized its development, and failed to implement controls to monitor and illicit activity taking place within it.
• North Korean, Iranian, and terrorist finance transactions. One result of Paxful's failure to implement sufficient internal controls is that it facilitated transactions with what the consent order describes as hostile nation-states and state-sponsored cybercriminals, including from Iran and North Korea. The Lazarus Group, which is designated a North Korean state-sponsored cyber-criminal group, conducted thousands of trades on Paxful's platform. Paxful took no steps to address this for several years after receiving law enforcement inquiries about it.
• Compliance Officer. Although MSBs are required to designate a person ensure compliance with internal compliance programs and the BSA, Paxful operated without any designated compliance officer. When it did begin listing a compliance officer, that individual had never received any BSA or AML training, and during that person's tenure, Paxful still had what the government describes as "egregious lapses in compliance."
• Independent Testing. MSBs must obtain independent reviews of their compliance program, with the scope and frequency depending on the risks associated with the MSB's services. Paxful only conducted one test in the multi-year period at issue on the consent order, which the government described as "not even remotely commensurate with the volume of transactions processed or risks associated with the products and services offered by Paxful."

Failure to Report Suspicious Activity

The consent order states that Paxful "facilitated transactions involving over $500 million in suspicious activity[.]" These transactions were associated with ransomware attacks, darknet and other illicit marketplaces, unregistered MSBs, child sexual abuse material, elderly financial exploitation, terrorist financing, high-risk jurisdictions, and stolen funds or other illicit proceeds. Despite this, Paxful did not file a single suspicious activity report before November 2019, and its reporting after that date remained deficient.

BSA Violations and Penalty

The consent order noted that Paxful employees had identified and discussed many of these deficiencies with senior leadership, who in some instances dismissed the concerns, and in other instances claimed that the concerns would be addressed. In some circumstances, the consent order states that Paxful leadership instructed employees not to raise or report issues, and that Paxful employees actively worked to build its relationships with and presence on high-risk platforms. For example, Paxful actively sought to be utilized on Backpage.com, a platform well-known for its role in promoting sex trafficking, including child sexual abuse, even after its widespread illicit activity was made public by a government investigation.

Based on these actions and deficiencies, FinCEN found that Paxful willfully violated the BSA and associated regulations, specifically finding:

1. Paxful willfully failed to register as an MSB in violation of 51 U.S.C. § 5330 and 31 C.F.R. § 1022.380;
2. Paxful failed to develop, implement, and maintain an effective AML program reasonably designed to prevent its programs from being used to facilitate money laundering and the financing of terrorist activities in violation of 31 U.S.C. § 5318(h)(1) and 31 C.F.R. § 1022.210; and
3. Paxful willfully failed to accurately, and timely, report suspicious transactions to FinCEN, in violation of 31 U.S.C. § 5318(g)(1) and 31 C.F.R. § 1022.320.

In discussing its decision to impose a civil money penalty, FinCEN noted the "egregious" nature of the violations, which it determined "caused extensive possible harm to the public." FinCEN further discussed that it determined there was a "culture of noncompliance throughout" Paxful, whose leadership were aware of their obligations under the BSA and still failed to comply. Based on these, and other factors, FinCEN imposed a $3.5 million civil penalty.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.