Checking the Bitcoin Box

Published on Feb 26, 2021

On December 20, 2020, the Financial Crimes Enforcement Network (FinCEN), the U.S. Financial Intelligence Unit (FIU) and its primary anti-money laundering (AML) regulator, published a Notice of Proposed Rulemaking (NPRM) that sought to impose new recordkeeping and reporting requirements on virtual currency transactions. The NPRM was met with a torrent of comments, causing FinCEN to extend the comment period twice.

One of these industry responses was from a provider of blockchain compliance tools and services. Looking at the NPRM and the response side-by-side critically, we can identify both the strengths and inadequacies of both sets of arguments.

What FinCEN proposes

FinCEN wants to create new recordkeeping and reporting requirements for banks and money services businesses to report certain transactions in convertible virtual currencies (CVC) such as Bitcoin, and virtual currencies that have the status of legal tender (“legal tender digital assets” or LTDA). In particular, the agency is targeting transactions involving two specific types of digital currency wallets, “wallet” being the technology that permits the owner to receive, store and send virtual currencies. Wallets can be associated with financial institutions, such as banks or digital currency exchanges. In these cases, they function similar to bank accounts, which require the financial institution in order to facilitate transactions. Wallets can also be held apart from an institution, such as in the use of standalone software applications on a party’s computer or mobile device.

FinCEN wants to implement these changes for transactions, including deposits, withdrawals, exchanges of virtual currencies, as well as payments and other transfers, that involve (either as the sender or receiver of these currencies) the second type of wallet (“unhosted wallets”), as well as the first type of wallet when the institution which hosts it is in countries which do not have effective anti-money laundering (AML) regulation and oversight, which FinCEN calls an “otherwise covered wallet.” FinCEN proposes to create a “Foreign Jurisdictions List” to identify the countries in which hosted wallets would be considered “otherwise covered wallets”; initially, the List would be comprised of three countries: Burma (aka Myanmar), Iran and North Korea.

The new reporting requirement would apply to such transactions in excess of $10,000, whether as a single transaction, or as an aggregation of multiple transactions over a 24-hour period (starting with the first qualifying transaction). It should be noted other transactions conducted by the customer, whether involving hosted wallets that are not otherwise covered wallets, or other types of assets, would not be used in the calculation of the aggregate 24-hour total. The regulated institution would need to verify the identity of its customer, as well as collect the name and physical address of the counterparty (e.g. the holder of the unhosted or otherwise covered wallet).

The new recordkeeping requirement is for any individual transaction of this type in excess of $3,000. It, too, would require the verification of the institution’s customer as well as, at a minimum, the collection of the name and physical address of the counterparty (e.g. the holder of the unhosted or otherwise covered wallet). For both requirements, risk-based procedures could be used for verification of customer information, to decide whether or not to gather additional information about the counterparties beyond that which is required by the regulation, and to decide whether or not to confirm the accuracy of the provided counterparty information.

These requirements are consistent with existing requirements for other financial assets, such as the cash reporting requirements for cash transactions over $10,000, and the funds transmittal recordkeeping requirements. In a similar vein, structuring CVC or LTDA transactions to otherwise covered or unhosted wallets to avoid the reporting requirements would be prohibited in a similar manner to existing prohibitions on structuring.

On its face, these new requirements do not appear to be unreasonable, as they are consistent with other AML regulatory requirements. And FinCEN does document real-world cases of the uses of virtual currencies in a number of criminal activities, including the recent growth in payments in response ransomware attacks, which are paid almost exclusively in CVC.

However, before looking at the objections raised in the public response, it makes sense to probe FinCEN’s choice of controls.

Is it cash-like?

The new reporting requirement is based on the regulatory framework used for Currency Transaction Reports (CTRs), which is used to report large deposits or withdrawals of cash. To the casual observer, however, despite calling CVCs “currency”, they don’t share many of the characteristics of cash. Cash has a physical presence which easily calls out unusually large amounts of it when presented or withdrawn, and which presents a significant logistical problem when it comes to transporting it. The CTR filing is made easy because it requires a human being to physically hold it. Additionally, with the exception of some major currencies (most notably the U.S. dollar), cash has limited utility outside the issuing country or bloc; one often must visit a currency exchange or similar to give cash usability when outside its home country.

On the other hand, because CVC transactions do not contain identifying information other than wallet addresses, and the state of global AML regulation of virtual currencies is less uniform than other AML regulation, CVCs do enjoy a level of anonymity and a lack of regulatory control not too dissimilar to cash.

In the traditional banking system, FinCEN can prohibit providing banking services to specific institutions or countries under its USA PATRIOT Act Section 311 powers; such an ability to ban transacting with specific counterparties is an impossibility in a world of unhosted wallets, which enable individuals to bypass the banking system and transact with each other without a financial intermediary (much like cash, to be honest). Additionally, the hurdle to setting up a virtual currency exchange in many countries is purely a technical one, as such firms are not uniformly subject to licensing, registration or AML regulatory requirements. Even when such requirements exist, the lack of a physical presence makes the detection and identification of an unlicensed exchange more challenging than that of a brick-and-mortar MSB.

Similarly, the existing suspicious activity reporting regime, used for cash and non-cash transactions as well as behavioral red flags, seems a poor fit for virtual currencies. CVC and LTDA transactions are inherently point-to-point. This is in contrast to the international banking system enabled by the SWIFT network, where each message often provides a much broader view of the end-to-end transaction chain. The practical implication of this is that, other than identifying structuring to avoid reporting requirements, transfers out of line with information about the nature of the account relationship established as part of customer identification and due diligence (primarily due to the amount of the activity), or identifying counterparty wallets hosted in sanctioned countries, identifying suspicious behavior is extremely challenging – without gathering the information proposed in the NPRM.

So, to a certain extent, while using a CTR-like regulatory framework may be like trying to put a square peg. Into a round hole, it’s probably the best fit among the currently available AML tools.

Is it funds transfer-like?

Some of the previous section’s arguments also work here, but kind of in reverse. On the one hand, institutions have limited visibility, by themselves, into the context surrounding an individual transfer of virtual currency. In that regard, CVC and LTDA transactions are more cash-like. On the other hand, because there is no physical transport of the “currency”, but can travel anywhere in the world with only the firm’s records and any distributed ledger entries to identify it, it is more akin to an electronic funds transfer. And thus, the recordkeeping requirement proposed by FinCEN in the NPRM seems appropriate.

What about LTDAs?

Although a number of LTDAs have either been proposed or in development, none have reached actual production. While few implementation details have emerged, it would not be surprising to see privacy features implemented for the coins from Russia and China (not to mention a lack of cooperation with law enforcement investigations), which would make tracing transactions more difficult. In that regard, the use of an LTDA would be a red flag in and of itself, similar to the concerns surrounding the use of privacy coins (FinCEN refers to these as “anonymity enhanced coins” in the NPRM).

Additionally, Russia’s proposed cryptoruble and China’s DCEP (currently in development) will be issued by the central government and not mined. The central governments can create and destroy their LTDA assets as they see fit. In that regard, the central government can act like a virtual currency mixer if it wishes to, by destroying coins sent to one party, then creating new coins for another involved in the same pattern of activity (particularly those promulgated, promoted  or permitted by the state, but prohibited by other governments, such as receiving payment for goods shipped to sanctioned parties).

In the past, the U.S. government has banned transactions in both the Venezuelan petro (now inactive) and Iran’s cryptorial, as part of its economic sanctions programs. Whether it will be practical to do the same for the cryptoruble and DCEP is open to debate. Assuming that transactions in at least some LTDAs will be legal at some point, it seems prudent to regulate them in a similar manner to CVCs, even if some present additional challenges, as outlined here.

How big is the problem?

One of the challenges of the NPRM is that the two sides in the discussion are quoting different figures, without clarity on how germane the figures are to the proposed rule changes. FinCEN, for its part, quotes an industry estimate of 1% of overall 2019 CVC traffic was illicit, which equates to ten billion dollars. However, they question this figure because it conflicts with $119 billion in CVC activity reported in SARs over the same period, which would be closer to 12% of total market volume.

The response quotes different figures. The firm’s analysis of “several billion” dollars of illicit Bitcoin funds that were moved between wallets between 2011 and 2020 showed that over 90% of the funds were sent to firms subject to AML program requirements (identity verification, recordkeeping and SAR requirements), while less than 10% were in unhosted wallets (and the majority of those being dormant).

So, it appears that neither party’s set of figures are particularly compelling, for the following reasons:

  • Is FinCEN’s $119 billion in activity de-duplicated? First, was any activity in “continuing activity” SARs matched up with others, or with the original SAR filing? Secondly, if the CVC transfers went between 2 US firms subject to SAR requirements, and they both filed SARs, were those de-duplicated? What is the net figure after any de-duplication?
  • How much of FinCEN’s $119 billion in activity involved unhosted or otherwise covered wallets, and how much went between hosted wallets other than those in Burma, Iran and North Korea? Only the former figure is relevant to the NPRM.
  • As a general matter, what percentage of FinCEN’s reported suspicious activity ends up being deemed criminal in nature? Is there a defensible reason that a similar calculus should not apply to the higher figure quoted by FinCEN?
  • Even with rounding the provider’s “several billion” dollar figure to $10 billion, over 10 years, the sample size does not appear to be statistically significant in the face of FinCEN’s $119 billion 2019 CVC SAR activity figure.
  • The provider’s analysis is limited to Bitcoin transactions. While it is the most heavily used CVC, especially with the advent of privacy coins, the distribution of illicit use may not match up with overall use.
  • Of the AML program requirements listed by the provider when discussing the 90% of illicit funds going through regulated firms, neither the identity verification nor recordkeeping requirements apply to any CVC or LTDA transactions today, other than when they are converted to fiat currency.

Objection 1: effective tools already exist

The provider raises a number of objections to the proposed requirements. First, they claim that the risks from unhosted wallets are overblown for a pair or reasons. Secondly, they claim that blockchain analytical tools and services allow the tracing of all transactions on the blockchain – and that law enforcement has already been successful in doing so.

In response, FinCEN claims that the size of a blockchain affects the real-world utility of blockchain analytics solutions. Since blockchain transactions link to others due to the time they are executed, not by the holder of a particular piece of CVC or LTDA, this is undoubtedly true to some extent. Actually, the relevant factor is the amount of activity requiring analysis on a given blockchain, not its overall size. This is because the analysis activity starts with the transaction identified by the financial institution, not from the beginning of the the blockchain. In theory, the reporting requirement would permit the analysis activity to start sooner. While such a headstart would not affect tracing the history of funds received from an unhosted or otherwise covered wallet, tracing what becomes of CVC or LTDA sent to such wallets would require less time and effort. Also, more timely investigation reduces the likelihood that the currency is exchanged for other virtual or fiat currency, which would complicate the ongoing effort.

FinCEN points out that there are other factors which make blockchain analytics less effective, including anonymizing technologies such as mixers or tumblers, peer to peer transactions and the lack of information about parties to particular transactions. While the provider does concede that privacy coins make analysis more difficult, they do not address the other factors listed by FinCEN.

To a certain extent, it appears that there is a lack of appreciation of the purpose of AML regulatory requirements on the part of the virtual currency industry. AML reporting and investigation extends beyond identifying a party using the U.S. financial system to launder funds, finance terror or be involved in other criminal activities, to identifying the underlying predicate crime, and all the parties in that enterprise. Doing this effectively requires timely recognition of notable events and gathering of relevant information. Waiting until a person converts their CVC or LTDA to fiat currency accomplishes neither goal – especially since one doesn’t know what the wallet owner’s role in the overall scheme, or what they know.

Objection 2: we can catch them when they want hard currency

The second objection about overestimating the risks is that, since parties eventually will convert CVCs or LTDAs to fiat currencies, this information about the customer will end up at FinCEN in the form of a SAR. Therefore, the new requirements are not necessary, as the activity will be captured using a different mechanism.

This argument makes a faulty assumption. If the customer pays out the CVC or LTDA to any wallet, hosted or  unhosted, there would be no conversion to fiat currency at the financial institution and therefore no SAR would be filed. While there may be eventually be a conversion, either by the customer or those to whom it is sent subsequently, there are no guarantees that it will occur at a regulated institution in a country with adequate AML regulation of virtual currency,  nor is it assured that the firm which performs the conversion will recognize it as suspicious.

Once the CVC or LTDA leaves the financial institution’s control, the analytics required to trace its use can grow in complexity significantly. This is due to the ability of any holder of the currency at any time to structure the currency holding, exchange it for other currencies, to spend it on other types of assets, and use anonymizing technologies,  among other methods, in order to make the investigative effort more difficult.

Objection 3: the problem might get worse

The third objection really consists of 3 parts:

  • The proposed rules would not produce the desired results
  • The proposed rules could cause criminals to take their assets to unregulated venues, and
  • The proposed rules could make regulated firms invest in these controls instead of enhancing existing areas which have already proven to be successful

Financial crime compliance is very much a business of catching the stupid,  the unsophisticated, the greedy and the impatient. In that regard, the first two elements are apt. Smarter perpetrators will spread out their holdings across multiple institutions and jurisdictions. To avoid detection under the NPRM’s rules, they will either transfer currency to or from jurisdictions not on the Foreign Jurisdictions List but which are locales where it is easier to  hide one’s financial dealings,  or will use an unhosted wallet in their name. In both cases, FinCEN gains no useful information. And a more sophisticated person would not tend to keep unusually large amounts of CVC or LTDA in a single institution’s hosted wallet, but would favor less traceable assets and methods, as has already been demonstrated by increased criminal use of privacy coins such as Monero. This is analogous to the use of money  mules by drug traffickers and hawalas by terrorist financiers in order to escape existing AML reporting and recordkeeping controls.

The third element may also be accurate,  but it is more likely not the case. Firms with higher risk profiles  will continue to spend on enhancing existing systems, policies and procedures in order to avoid negative audit or regulatory findings. Regulatory expectations do tend to increase over time,  and the costs involved in keeping up with those standards will not impress an overseeing body as a valid excuse. And while it may be true that smaller firms may not invest appropriately in their AML compliance because of these requirements, that is true today, even in the absence of new requirements. And these firms do so at their regulatory peril.

Objection 4: all currencies should be treated the same

The last objection the provider raises is that cash is riskier,  yet the proposed rules for CVC and LTDA are harsher – and therefore not fair.

In some respects, this is true – and a function of the hybrid nature of CVC and LTDA being both cash-like and not cash-like. These currencies are being subjected to both a reporting requirement, like cash,  and a recordkeeping requirement, like funds transfers.

On the other hand, calling cash riskier than CVC and LTDA is debatable. As previously noted, while cash may be more anonymous, its transport is more detectable, due to its physical size and cross-border currency controls. In that regard, it is easier, and therefore riskier from a financial crime standpoint, to transfer virtual currencies.

The unspoken response to the objection: it isn’t new

The one thing not mentioned in the industry response to the NPRM is that these proposals are not novel. The Financial Action Task Force (FATF) published Guidance for a Risk-Based Approach: Virtual Assets and Virtual Asset Providers in June 2019, which proposes that, among other measures, the requirement in FATF Recommendation 16 for financial institutions to require originator and beneficiary information on funds transfers, and monitor for presence of such information in transfers they receive,  be adapted for Virtual Asset Service Providers (VASPs), which would comprise all providers of hosted wallets. FATFs requirement would require the gathering of such information, much like FinCEN’s recordkeeping and reporting requirements would. In fact, FATF’s proposal recommends such information gathering for all Virtual Asset (VA) transfers (although it considers a $1,000 minimum a de minimus standard for effective detection of attempts to conduct financial crime).

To be clear, virtual currency firms have been opposed to the FATF proposals as well. Not only does it cause firms in the industry to create a certain level of friction in conducting their transactions (which is one of the selling points of using virtual currencies), it also neuters the anonymity and lack of central control allures of abandoning fiat currencies for their virtual counterparts. And those two issues make transacting in virtual currencies less attractive, other than as a speculative investment, to both licit and illicit actors.

Final Grade: Incomplete

There is one important piece of information that is missing from both the NPRM and the industry response: how many of these transactions actually occur? This figure can be derived both by FinCEN from its SAR data, and from the solutions provider from its analysis.

If the actual volume of transfers to and from unhosted and otherwise covered wallets is small, then the burden to industry is small. On the other hand, the smaller the burden, the smaller the value fo FinCEN.

In fact, what is truly needed is to go beyond the questions raised earlier about the size of the problem, and seek a statistical breakdown of all CVC and LTDA transfers to and from regulated U.S. financial firms that would be subject to the proposed requirements. If the proposed rules had been in place in 2019, how many transactions would have been subject to the recordkeeping and/or reporting requirements, and what total amount would that represent? If the same rules had been extended to cover all large transactions, regardless of the source or destination of the currency, what would those totals be? And the solutions provider should do a similar analysis of the data they previously conducted.

Without such figures, we cannot be sure whether the NPRM is underwhelming in its impact on CVC and LTDA money laundering, overbearing in its impact on the industry, or in the Goldilocks zone of regulation. You cannot improve what you cannot measure otherwise, the NPRM and its public comment period are not much more than a box-checking exercise for both regulator and the regulated.

Eric A. Sohn, CAMS, CGSS, global market strategist and product director, Dow Jones Risk & Compliance, New York, NY, USA, eric.sohn@dowjones.com