This past Monday, October 19, 2020, FinCEN announced a $60 million civil fine against Larry Dean Harmon, operator of cryptocurrency mixing services Helix and Coin Ninja, following his original indictment in February. This complaint reaffirms previous guidance from FinCEN stating that mixers are money transmitters and therefore governed by the Bank Secrecy Act and other regulations around financial compliance, including the need for anti-money laundering (AML) and combating the financing of terrorism (CFT) programs. Moving forward, it will be interesting to see how many mixers can continue to operate while implementing know your customer (KYC) protocols and other elements of a successful compliance program, given that many of these services pitch themselves as privacy enhancers and receive a disproportionate amount of funds from criminal sources.
However, the Helix story is also an important reminder that not all violations of financial regulations are likely to be punished with the same severity, especially in a nascent space like cryptocurrency. The scale of the violations, as well as the business’ promptness in addressing them and willingness to cooperate with regulatory bodies such as FinCEN, will influence how companies are penalized. Monday’s complaint indicates that Helix’s brazenness in violating BSA rules, and its lack of communication with regulators upon being notified of these violations, contributed to the severity of the punishment. Operators of mixers and other cryptocurrency services can look at Helix as a cautionary tale and example of how not to behave when notified of potential wrongdoing. Below, we walk you through the key parts of FinCEN’s complaint against Helix to show you how the agency decided on the civil punishment.
Background on Helix and Coin Ninja
Larry Dean Harmon started Helix in 2014, running it alongside a dark web search engine called Grams, which allowed users to search for items for sale on darknet markets. According to FinCEN, Harmon marketed Helix to darknet market users and others explicitly as a means of transferring cryptocurrency without having to complete KYC procedures. In 2017, Harmon shut down Helix and began Coin Ninja, another mixing service that functioned in much the same way.
While operational, Helix and Coin Ninja processed over $311 million worth of cryptocurrency on behalf of users without ever conducting KYC procedures, setting up an AML/CFT program, or filing suspicious activity reports (SARs) on suspicious transactions. FinCEN’s blockchain analysis shows that during this time, Harmon’s companies processed over $121 million worth of transactions from criminal sources. The vast majority of that figure came from darknet markets, but the companies also mixed funds deposited from the notorious child sexual abuse material (CSAM) marketplace Welcome to Video, as well as online white supremacist groups.
On February 6, 2020, one week before announcing the indictment against Harmon and his companies, FinCEN sent Harmon a written pre-assessment notice (PAN) outlining the allegations, explaining how a potential civil fine would be determined, and explaining how Harmon could respond. One month later on March 6, Harmon and his legal team requested more time to respond, but in the subsequent eight months never followed back up with FinCEN, which brings us to the civil complaint and $60 million fine announced Monday.
How did FinCEN determine the size of the fine?
FinCEN’s complaint shows that the agency determined Harmon’s civil fine using a two-part process:
- An assessment of the daily penalties associated with each of the companies’ BSA violations, which determines the maximum possible civil fine; and
- A consultation of the penalty consideration factors, which is a set of ten criteria the agency uses to consider the context and intent of an offending business’ violations to inform where within the allowable range the fine should be.
First, we’ll look at the daily penalties. FinCEN alleges that while operating Helix and Coin Ninja, Harmon violated the BSA in three ways:
- Failing to register his companies as money services businesses (MSB)
- Failing to implement and maintain an AML program
- Failing to report suspicious activity on the two platforms
The first two violations call for daily fines for each day the violations continued, which in this case means every day of the period between 2014 and 2020 during which the companies operated. Failure to register as an MSB calls for a fine of $8,457 per day, while failure to implement an AML program calls for a fine of $57,317 per day. Based on those numbers, FinCEN says the maximum possible fine for Harmon was $209,144,554 — much more than the $60 million fine levied — and that’s before we consider the failures to report suspicious activity on the platform.
Second, FinCEN analyzed the conduct of Harmon in running Helix and Coin Ninja alongside its ten penalty consideration factors. We summarize FinCEN’s findings on Harmon’s behavior judged against each of those factors below:
- Nature and seriousness of violations and harm to public. FinCEN considers Harmon’s violations extremely serious, as his mixing services helped darknet markets and other cybercriminal enterprises launder hundreds of millions of dollars’ worth of cryptocurrency.
- Impact of violations on FinCEN’s mission to safeguard the financial system. In refusing to collect KYC information or file any SARs, Helix hampered the agency’s ability to investigate several potential crimes. In fact, through blockchain analysis, FinCEN identified at least 245,817 suspicious transactions that should’ve prompted SARs, yet none were filed.
- Pervasiveness of wrongdoing within the institution. Rather than implement policies to comply with the BSA, Harmon did the exact opposite and built features specifically designed to allow darknet market customers and vendors to evade law enforcement detection.
- History and duration of violations. Helix and Coin Ninja operated in violation of the BSA for their entire existence.
- Failure to terminate violations. Harmon never took steps to stop the violations. FinCEN points out that even after closing down Helix in 2017, he simply began operating Coin Ninja in the same manner.
- Financial gain or benefit as a result of violation. Harmon’s businesses took in significant revenue from fees charged for laundering funds on behalf of darknet marketplaces and other cybercriminal entities. FinCEN also points out that the businesses obtained greater profits because they spent nothing on compliance.
- Cooperation. FinCEN gave Harmon positive marks on this criteria, pointing out that he agreed to two statute of limitations tolling agreements during the proceedings.
- Systemic nature of violations. FinCEN concludes that Harmon’s business’ violations were systemic in nature, and that these violations prevented BSA databases from capturing three years’ worth of data on suspicious activity.
- Timing and timely disclosure of violations. FinCEN was neutral on Harmon’s conduct as to this criterion.
- Penalties by other government entities. This factor wasn’t relevant here, as FinCEN is the sole government regulator with authority to pursue these violations.
Overall, FinCEN concluded that Helix and Coin Ninja’s regulatory violations were compounded when considered alongside seven of the ten penalty consideration factors. Therefore, while other businesses may have been treated more leniently, FinCEN decided in this case to levy the steep fine of $60 million.
Cryptocurrency businesses that operate in good faith can weather regulatory scrutiny
FinCEN’s complaint against Helix makes two things clear. First, cryptocurrency businesses that explicitly aim to facilitate illicit activity or undermine compliance rules likely won’t fare well in their dealings with regulators. Agencies like FinCEN can identify the businesses doing this based on what they build and how they promote themselves, and will take that ill intent into account when determining penalties. Second, cryptocurrency businesses found to be violating BSA regulations can greatly improve their outcomes by cooperating with authorities. By refusing to communicate with FinCEN following the delivery of the PAN in February, Harmon significantly reduced the likelihood that FinCEN would take into account any context favorable to Harmon while setting the penalty.
Nothing about the Helix complaint should lead anyone to conclude that FinCEN has ill will toward the cryptocurrency space. Harmon’s businesses face a large fine largely due to their brazenness in flouting financial regulations and unwillingness to cooperate after being indicted. Cryptocurrency businesses that operate in good faith — meaning, those that diligently strive to comply with their regulatory obligations and work with regulators when problems arise — can weather regulatory scrutiny.