Cryptocurrency SARs: What do we know?

The Take-Away: Data on cryptocurrency SARs is patchy at best. There is no checkbox on the SAR form for cryptocurrency. To truly understand financial crime involving cryptocurrency, better data and analysis of that data is needed.

Cryptocurrency is Not a SAR Option

The Suspicious Activity Report (SAR) form includes options for 29 different financial products and instruments. Financial institutions select the financial product/instrument(s) from the list to indicated that the product was used in a given suspicious activity.

Bitcoin has been in existence since 2009. The daily transaction value of Bitcoin and other cryptocurrencies is in the billions of dollars. The Pew Research Center reported that 16% of American have invested, traded or owned cryptocurrency. The regulation of cryptocurrency is a topic of constant debate in Washington.

Yet, cryptocurrency is not a financial product/instrument option on the SAR form.[i]

Mining for Cryptocurrency SAR Data

There is no easy way to research the number of cryptocurrency SARs filed by financial institutions. FinCEN sprinkled nuggets of information on cryptocurrency SARs throughout their website. These bits of information are found in conference prepared remarks, old SAR Stats, and occasionally in Advisories.

2014 Cryptocurrency SARs

March 2014

The first mention of cryptocurrency SARs I found was in prepared remarks for David Cohen, Treasury Under Secretary for Terrorism and Financial Intelligence:

Since FinCEN issued this guidance [on virtual currency in March 2013], dozens of virtual currency exchangers and administrators have registered with FinCEN, and FinCEN is receiving an increasing number of Suspicious Activity Reports (SARs) from these entities

David Cohen, Treasury Under Secretary for Terrorism & Financial Intelligence at Bloomberg News event.

The Under Secretary’s comments discuss cryptocurrency exchange SARs but not necessarily cryptocurrency as the financial product used in the suspicious activity. For example, a new customer could wire funds to a cryptocurrency exchange but close the account without a crypto transaction. In this case, the wire would be financial product associated the suspicious activity.

July 2014

The earliest mention of cryptocurrency SARs by FinCEN was in July 2014 SAR Stats :

FinCEN is observing a rise in the number of SARs flagging virtual currencies as a component of suspicious activity.

FinCEN July 2014 SAR Stats

FinCEN did not provide a count of cryptocurrency SARs in the July 2014 SAR Stat report.

2018 Cryptocurrency SARs

June 2018

I was unable to find any other mention of cryptocurrency SARs by FinCEN for almost four years.

Finally, on June 20, 2018, Thomas Ott, Associate Director, FinCEN Enforcement Division testified before the House Committee on Financial Services:

[W]e have seen an increase in SAR filings by financial institutions identifying illicit virtual currency activity. Since 2003, BSA information identifying suspicious activity involving virtual currency has grown rapidly, increasing 90 percent from 2016 to 2017.

These reports have identified many thousands of virtual currency addresses tied to a wide range of suspected criminal activity and have proven immensely useful to investigations. 

Thomas Ott, Associate Director, FinCEN Enforcement

August 2018

It was not until August 2018, when FinCEN first provided a count of cryptocurrency SARs. FinCEN Director, Kenneth Blanco speaking at the 2018 Chicago-Kent Block (Legal) Tech Conference stated:

One great success we have seen recently is the substantial increase in virtual currency SAR filings over the past few years.

We now receive over 1,500 SARs per month describing suspicious activity involving virtual currency, with reports coming from both MSBs in the virtual currency industry itself and other financial institutions. 

Kenneth Blanco, FinCEN Director

Comparatively, in 2018 there were on average each month 65,802 Funds Transfers SARs, 18,937 Credit Card SARS, and 2,411 Residential Mortage SARs. There were more cryptocurrency SARs filed each month than HELOCs, mutual funds, forex, and travelers’ checks SARs.

Average Monthly SARs filed in 2018 by Product or Instrument

2019 Cryptocurrency SARs

August 2019

Casinos were put on notice by Director Blanco in August 2019 when he stated:

One area of concern is that we appear to have a gap in [cryptocurrency SAR] reporting in this area by casinos. While FinCEN has received some filings from casinos regarding cyber-enabled crimes, CVC-related SAR filings by casinos have not been as robust as expected since the May CVC guidance and advisory were published.

Kenneth Blanco, FinCEN Director Blanco

November 2019

Director Blanco provided an updated count of cryptocurrency SARs and the portion filed by cryptocurrency entities (VASPs) in November 2019:

[W]e have seen significant reporting that discusses convertible virtual currency. Since FinCEN issued its convertible virtual currency advisory and guidance in May of this year, we have received over 10,000 SARs related to convertible virtual currency. Of these 10,000 approximately 6,600 — two-thirds of them — are from convertible virtual currency entities including kiosks, exchanges, and peer-to-peer exchangers.

Kenneth Blanco, FinCEN Director Blanco at Chainalysis Blockchain Symposium

The types of entities filing the cryptocurrency SARs was also discussed:

I point this out because before our May advisory, reports from convertible virtual currency entities only made up approximately half of our convertible virtual currency-related filings. But as of November 2019, over 1,900 unique filers have directly referenced the advisory key terms. It is encouraging that convertible virtual currency entities, dozens of whom had never filed a SAR report prior to the May advisory, are using the red flags and reporting back to us….

FinCEN is seeing an increase in filings from exchanges identifying potential unregistered, foreign-located money services businesses (MSBs), specifically, Venezuela-based P2P exchangers. Convertible virtual currency kiosk operators have also increased their reporting on activity indicative of scam victims upon identification of new customers who have limited knowledge of convertible virtual currencies, particularly those in vulnerable populations, including the elderly.

Kenneth Blanco, FinCEN Director

December 2019

On December 10, 2019, Director Blanco spoke at the American Bankers Association/American Bar Association:

Since FinCEN issued its CVC advisory [in May 2019] and guidance, we have seen a significant increase in reporting related to CVC—more than 11,000 SARs in that time. Of these, approximately 7,100 (two-thirds) are from CVC entities including kiosks, exchanges, and peer-to-peer exchangers.

I point this out because before our May advisory, reports from CVC entities made up about half of our convertible virtual currency-related filings. But as of November 2019, over 2,100 unique filers have referenced the advisory key terms directly. It is encouraging that CVC entities, dozens of whom had never filed a SAR report prior to the May advisory, are using the red flags and reporting suspicious activity back to us.

Kenneth Blanco, FinCEN Director

Director Blanco characterized that the number of SARs significantly increased after May 2019. However, in August 2018–prior to the May 2019 advisory, FinCEN stated that “more than 1,500” cryptocurrency SARs were filed each month. The 11,000 SARs filed between May 9, 2019 and Dec 10, 2019 would average out to 1,571 per month, an increase but perhaps not as significant as described.

2020 Cryptocurrency SARs

May 2020

Speaking at the CoinDesk Consensus conference, Director Blanco 2020 stated:

Since 2013, FinCEN has received nearly 70,000 Suspicious Activity Reports (SARs) involving virtual currency exploitation. 

Just over half of these reports come from virtual currency industry filers, likely many of you participating today.  We also get valuable reporting from more traditional financial institutions that also have a unique window into illicit financial flows involving virtual currency, such as banks that may see ransomware payments made by customers or MSBs that see funds transfers derived from account takeovers. 

Kenneth Blanco, FinCEN Director Blanco at Coindesk Consensus conference

A subsequent Coindesk headline declared “Less Than 1% of FinCEN’s Suspicious Activity Reports Since 2013 Mentioned Crypto.” Coindesk found that the figure represents just 0.59% of the more than 12 million reports FinCEN received between 2014 and 2019.

December 2020

FinCEN issued a Proposed Notice of Rulemaking published in the Federal Register on December 23, 2020. The proposal was regarding “Certain Transactions Involving Convertible Virtual Currency or Digital Assets.” The proposal noted:

FinCEN received approximately $119 billion in suspicious activity reporting associated with CVC taking place wholly or in substantial part in the United States. By industry measures, this would equate to approximately 11.9% of total CVC market activity being relevant to a possible violation of law or regulation.

Federal Register/ Vol 85, No. 247/ December 23, 2020

2021 Cryptocurrency SARs

October 2021

FinCEN’s October 2021 Financial Trend Analysis: Ransomware Trends in Bank Secrecy Act Data provided some data on cryptocurrency SARs. However, the data it is limited to cryptocurrency used in ransomware and does not address cryptocurrency in any other suspicious activity (ex. scams, account takeover, corruption, drug trafficking, etc.).

FinCEN found:

  • 2,184 SARS involving cryptocurrency & ransomware filed over 10+ years, from January 2011 through June 2021
  • 635 of these SARs were filed in six months, between 01/10/2021 and 6/30/2021
  • The bulk of the SARs were not filed by cryptocurrency exchanges:
    • 63% (290 SARs) were filed by DFIR (Digital Forensics & Incident Response) companies
    • 19% (87 SARs) filed by CVC exchanges (cryptocurrency exchanges)
    • 17% (77 SARs) filed by depository institutions (banks & credit unions)

November 2021

The November 2021 FinCEN Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments found that the typical ransomware event involved several financial institutions:

Processing ransomware payments is typically a multi-step process that involves at least one depository institution and one or more entities directly or indirectly facilitating victim payments, including money services businesses (MSB).

FinCEN Advisory, FIN-2021-A004

The Advisory even provided a helpful graphic. I highlighted in yellow the entities that may have SAR reporting obligations:

The Ransomware Advisory continues:

 A ransomware victim will typically transmit funds via wire transfer, automated clearinghouse, or credit card payment to a CVC exchange to purchase the type and amount on CVC specified by the ransomware perpetrator.

Next, the victim or an entity working on the victim’s behalf sends the CVC, often from a wallet hosted at the exchange, to the perpetrator’s designated account or CVC address.

The perpetrator then launders the funds through various means—including mixers, tumblers, and chain hopping—to convert funds into other CVCs. These transactions may be structured into smaller “smurfing” transactions involving multiple people, and across many different CVC addresses, accounts, and exchanges, including peer-to-peer (P2P) and nested exchanges.

FinCEN Advisory, FIN-2021-A004

Despite the routine involvement of banks and exchanges, these entities only filed 17% and 19% ransomware cryptocurrency SARs respectively.

2021 Cryptocurrency Exchange SARs

DSA’s analysis of unregistered cryptocurrency exchange SARs found that the number skyrocketed in 2021.

It would be reasonable to expect that most of cryptocurrency exchange SARs involve cryptocurrency. Instead, “Fund Transfer” is the leading instrument noted in SARs filed by MSBs in San Francisco County, CA. Fund Transfers SARs increased to 160,108 in 2021 from 4,424 in 2019 filed by SF county MSBs.

Debit Cards also saw a huge jump in filings by SF MSBs increasing to 145,134 in 2021 versus 593 filed in 2019.

2022 Cryptocurrency SARs

January 2022

The GAO publicly released a “public version” of its report titled “Virtual Currencies: Additional Information Could Improve Federal Agency Efforts to Counter Human and Drug Trafficking.” The GAO report included three new data points on cryptocurrency SARs.

1) The number of SARs that referenced virtual currency terms quadrupled during a 4-year period from 10,377 in calendar year 2017 to 42,782 in calendar year 2020.

2)    The number of SARs that involve virtual currency and drug trafficking increased fivefold (from 252 to almost 1,432) from calendar year 2017 to 2020.

3)    SARs that referenced both virtual currency and human trafficking grew from 36 in 2017 to 68 in 2020.

What do we know about cryptocurrency SARs? Not much.

To truly understand financial crime involving cryptocurrency, better data and analysis of that data is needed. A reasonable step would be to include cryptocurrency/virtual assets on the SAR form as a financial product checklist option.

Want more Suspicious Activity Report Insights?

Read DSA’s 202020192018 and 2016 SAR Insights.

Read DSA’s analysis on Unregistered Cryptocurrency Exchange SARs.

Watch “How Covid-19 Impacted SARs“.

[i] FinCEN has referred to cryptocurrency with a variety of terms including: crypto-currency, convertible virtual currency, CVC, virtual currency, digital currency, virtual assets, AEC, and Bitcoin.