In our previous article, we discussed the increasing problem of cybersecurity breaches resulting in businesses faced with paying ransom, often in the form of cryptocurrency, vs. remaining locked out of their networks. In particular, we considered the tax and reporting implications of businesses choosing to simply make the ransomware payment in the form of cryptocurrency in return for continued access to their networks rather than reporting the attack.
Now, following the U.S. Treasury Department’s recent announcement that cryptocurrency will be subject to additional reporting requirements, businesses should also consider these new developments when completing ransomware payments in cryptocurrency.
Aside from previously announced general reporting obligations under the Securities and Exchange Commission (SEC) and the Financial Crimes Enforcement Network (FinCEN), on May 20, 2021, the Treasury Department announced that it intends to implement its own expanded reporting requirements for various cryptocurrency transactions. According to the announcement, beginning in tax year 2023, just as it has done with cash and cash equivalents received by businesses, the Internal Revenue Service (IRS) would extend these reporting requirements to cryptocurrency transactions. Thus, any business that receives crypto assets with a fair market value of more than $10,000 must report the exchange to the IRS. Additionally, the IRS announced it intends to require various third parties to report certain cryptocurrency exchanges.
This increase in reporting requirements to track cryptocurrency transactions comes as no surprise given the recent actions of the IRS and publicized goals of the Biden administration. President Biden has made clear during the first few months of his presidency his intent to increase funding for the IRS and lower “the gap” between tax reported and tax collected. It is obvious that the IRS has identified the cryptocurrency space as a way to capture additional uncollected tax.
Not only did the IRS for the first time require taxpayers using Form 1040 to report their federal individual income tax to affirmatively answer the question of whether or not they had a financial interest in cryptocurrency, but the IRS has also turned its focus to third parties facilitating cryptocurrency transactions.
Earlier this year, the IRS sought approval from federal courts to enforce John Doe summonses against digital currency exchanges. A John Doe summons is a way for the IRS to identify taxpayers belonging to a specific class that may have failed to comply with their tax burdens. In the past, John Doe summonses have been served on third-party credit card companies to identify taxpayers that have specific types of foreign accounts to confirm taxpayers that were using same as tax shelters, for example. However, in March, the IRS successfully petitioned a Massachusetts District Court to allow it to enforce a John Doe summons on a digital currency transaction facilitating company, Circle Internet Financial Inc. The John Doe summons pursued taxpayer information for any taxpayer in Circle’s system that partook in a minimum of $20,000 worth of cryptocurrency transactions between 2016 and 2020. A similar John Doe summons was pursued in California in April against another cryptocurrency exchange company.
Thus, considering the above judicial actions taken by the IRS, the recent announcement that the IRS may begin to require certain new reporting obligations for cryptocurrency transactions does not come as a surprise to many. As of now, the proposed plan would require various financial institutions, payment settlement entities, and others facilitating cryptocurrency exchanges to report account flows in relation to cryptocurrency sales they facilitate. The Treasury provided that this effort is an attempt to minimize potential tax evasion and the problem with detecting same in the cryptocurrency space.
In the context of ransomware payments made in the form of cryptocurrency, it is important for businesses faced with this issue to consider this new focus from the IRS on such transactions. While payment of the ransomware may seem like the quickest and easiest solution, if such payment is made using cryptocurrency, it could pose additional reporting and tax implications for the business.