On October 23, the Financial Crimes Enforcement Network (“FinCEN”) published a notice of proposed rulemaking (“NPRM”) entitled Proposal of Special Measure Regarding Convertible Virtual Currency Mixing, as a Class of Transactions of Primary Money Laundering Concern. Section 311 of the Patriot Act, codified at 31 U.S.C. § 5318A (“Section 311”), grants the Secretary of the Treasury authority – which has been delegated to FinCEN – to require domestic financial institutions and agencies to take certain “special measures” if FinCEN finds that reasonable grounds exist for concluding that one or more classes of transactions within or involving a jurisdiction outside of the United States is of “primary money laundering concern.”
In this NPRM, FinCEN proposes to designate under Section 311 all convertible virtual currency (“CVC”) mixing transactions, as defined by the NPRM. This designation would require imposing reporting and recordkeeping requirements upon covered financial institutions (“FIs”) regarding transactions occurring by, through, or to an FI when the FI “knows, suspects, or has reason to suspect” that the transaction involves CVC mixing.
The NPRM is complicated and raises complex questions. We only summarize here, and note selected issues. Comments are due on January 22, 2024. FinCEN can expect many comments.
Reasons for Implementing Section 311
As we have blogged, FinCEN has employed Section 311 – a powerful tool – before. But, prior uses of Section 311 have involved specific banks (see here and here) or specific geographies (see here and here). In contrast, and as the government’s press release notes, “[t]his is FinCEN’s first ever use of the Section 311 authority to target a class of transactions of primary money laundering concern[.]” (emphasis added). As a practical matter, the NPRM likely will impact primarily CVC exchanges dealing directly with CVC and operating as money services businesses under the Bank Secrecy Act (“BSA”), as opposed to traditional FIs such as banks, which typically do not deal directly with CVC.
As the government’s press release further notes, the NPRM specifically seeks to combat illicit financing involving terrorism and evasion of U.S. sanctions: “This NPRM highlights the risks posed by the extensive use of CVC mixing services by a variety of illicit actors throughout the world and proposes a rule to increase transparency around CVC mixing to combat its use by malicious actors including Hamas, Palestinian Islamic Jihad, and the Democratic People’s Republic of Korea (DPRK).” As the NPRM itself also notes, and as we also have blogged (see here, here, here and here), the U.S. government recently has instituted several enforcement actions involving CVC mixers, which the NPRM describes as “ripe for abuse by, and frequently used by, illicit foreign actors that threaten the national security of the United States and the U.S. financial system” because they are “intended to make CVC transactions anonymous.”
The NPRM states that FinCEN recognizes that “there are legitimate reasons why responsible actors might want to conduct financial transactions in a secure and private manner given the amount of information available on public blockchains,” and that “in addition to illicit purposes, CVC mixing may be used for legitimate purposes, such as privacy enhancement for those who live under repressive regimes or wish to conduct licit transactions anonymously.” Although FinCEN provides lip service to the potentially legitimate uses of CVC mixers, the bottom-line message of the NPRM – not surprisingly – is that the U.S. government ultimately regards CVC mixers as the go-to tool for illicit actors interested in defeating transparency, laundering funds, evading sanctions, and undermining the national security of the United States. Indeed, as the NPRM observes, “[t]he global nature of the problem is further demonstrated by the fact that no CVC mixers are currently registered with FinCEN. CVC mixers are required to register with FinCEN if they do business as money transmitters wholly or in substantial part within the United States.” (emphasis added). Moreover, “FinCEN assesses that the percentage of CVC mixing activity attributed to illicit activity is increasing.”
The NPRM defines CVC as “a medium of exchange that either has an equivalent value as currency, or acts as a substitute for currency, but lacks legal tender status.” The definition also explicitly includes Bitcoin, even though Bitcoin has legal tender status in at least two jurisdictions.
The term “covered transaction” means a transaction, as it is already very broadly defined in 31 C.F.R. § 1010.100(bbb)(1), “in CVC by, through, or to the covered financial institution that the covered financial institution knows, suspects, or has reason to suspect involves CVC mixing within or involving a jurisdiction outside the United States.” The section of this definition referring to a “reason to suspect” is potentially very broad. It is unclear whether this portion of the definition involves an objective or a subjective standard regarding the FI’s knowledge. The entire definition is rendered more opaque by referring to knowledge or suspicion of the presence of CVC mixing – which itself is a potentially elusive term, as described below.
The NPRM defines a CVC mixer as “any person, group, service, code, tool, or function that facilitates CVC mixing.” CVC mixing is then defined as “the facilitation of CVC transactions in a manner that obfuscates the source, destination, or amount involved in one or more transactions, regardless of the type of protocol or service used,” including through six different methods:
(A) Pooling or aggregating CVC from multiple persons, wallets, addresses, or accounts;
(B) Using programmatic or algorithmic code to coordinate, manage, or manipulate the structure of a transaction;
(C) Splitting CVC for transmittal and transmitting the CVC through a series of independent transactions;
(D) Creating and using single-use wallets, addresses, or accounts, and sending CVC through such wallets, addresses, or accounts through a series of independent transactions;
(E) Exchanging between types of CVC or other digital assets; or
(F) Facilitating user-initiated delays in transactional activity.
The example set forth above in (E), “[e]xchanging between types of CVC or other digital assets,” is potentially very broad and on its face does not necessarily include activity involving multiple transactions. That is, it could include a simple and common transfer of CVC 1 on Blockchain 1 to CVC 2 on Blockchain 2.
Conversely, the NPRM contains a potentially broad exception to the definition of CVC mixing: the definition “does not include the use of internal protocols or processes to execute transactions by banks, broker-dealers, or money services businesses, including virtual asset service providers that would otherwise constitute CVC mixing, provided that these financial institutions preserve records of the source and destination of CVC transactions when using such internal protocols and processes; and provide such records to regulators and law enforcement, where required by law.” (emphasis added). Depending upon its final scope and how FinCEN seeks to apply it, this exception could be both broad and important. The NPRM explains:
This definition excepts the use of internal protocols or processes to execute transactions by banks, broker-dealers, or money services businesses, including VASPs, that would otherwise constitute CVC mixing, provided that these financial institutions preserve records of the source and destination of CVC transactions when using such internal protocols and processes, and provide such records to regulators and law enforcement, where required by law. This exemption is designed to avoid capturing transactions with known VASPs [i.e., virtual asset service providers] that use these internal protocols or processes as part of their business purpose and that are positioned to appropriately respond to inquiries by law enforcement and other relevant authorities. However, if the covered financial institution is unsure if these processes are used as part of a business purpose, they should collect the recordkeeping and reporting information.
FinCEN is seeking to address the primary money laundering concern posed by CVC mixing. The proposed definition of CVC mixing is designed to capture methodologies used by illicit actors to break the traceability of their illicit proceeds and create a mechanism on which covered businesses would be required to report when they observe CVC mixing transactions. The exception to the definition is crafted to avoid imposing undue burden on covered businesses, provided they are also taking appropriate steps to ensure information is being retained as prescribed by law.
As a practical matter, this exemption could mean that the proposed regulations – at least for “legitimate” CVC exchanges – will end up focusing on record keeping, not reporting. Further, it is unclear from the above language exactly what sort of records the FI would need to preserve under the exception, and if FinCEN is contemplating that the recordkeeping requirements set forth below would apply, or whether an FI’s own unique internal processes would suffice.
The NPRM sets forth a lengthy list of requested comments, all of which pose challenging questions. Arguably, the request for comment on the below encapsulates the practical problems facing FIs seeking in good faith to comply with the requirements set forth in the NPRM:
Is FinCEN correct in its assessment that covered financial institutions would have access to reasonable and appropriate services or tools, whether free or paid, to be able to effectively identify covered transactions? If not, what are impediments to accessing such tools, and what costs would be associated with gaining access?
Reporting and Recordkeeping Requirements
The NPRM simply provides, somewhat cryptically, that with regard to recordkeeping, “[a] covered financial institution is required to document its compliance with the requirements of this section.” Thus, we will focus on the reporting requirements proposed in the NPRM.
FIs will need to report the following information regarding covered transactions within 30 calendar days of the initial detection of a covered transaction:
(A) The amount of any CVC transferred, in both CVC and its U.S. dollar equivalent when the transaction was initiated;
(B) CVC type;
(C) The CVC mixer used, if known;
(D) CVC wallet address associated with the mixer;
(E) CVC wallet address associated with the customer;
(F) Transaction hash;
(G) Date of transaction;
(H) IP addresses and time stamps associated with the covered transaction; and
Not surprisingly, the “narrative” item, as with the narratives required in Suspicious Activity Reports (“SARs”), is important. The NPRM explains:
The proposed rule would require a description of activity observed by the covered financial institution, including a summary of investigative steps taken, provide additional context of the behavior, or other such information the covered financial institution believes would aid follow on investigations of the activity. As the covered financial institution would have insight into the normal pattern of its customers’ transactions, this narrative would assist with understanding if there is an uncharacteristic change in pattern of behavior.
Moreover, the NPRM makes clear that FIs “would continue to have an obligation to file a SAR when warranted, regardless of whether the covered financial institutions also filed a report required under the proposed rule.”
The NPRM also refers to reportable information in the possession of the FI, which suggests that FIs do not necessarily need to make inquiries to obtain additional information in order to comply. However, for the purposes of filing SARs, and/or satisfying predictable expectations of regulatory examiners, it may turn out to be the case as a practical matter that an FI still will need to pursue missing information in order to try to obtain as much as possible.
The NPRM also provides that an FI shall report within 30 days the following information – again, in the possession of the FI – regarding a customer associated with a covered transaction:
(A) Customer’s full name;
(B) Customer’s date of birth;
(C) Customer’s address;
(D) Email address associated with any and all accounts from which or to which the CVC was transferred;
(E) Phone number associated with any and all accounts from which or to which the CVC was transferred;
(F) Internal Revenue Service or foreign tax identification number, or if none are available, a non-expired United States or foreign passport number or other government-issued photo identification number, such as a driver’s license[.]
We can expect many, many comments to this NPRM. This entire area is particularly tricky, and involves an original application of Section 311. The tone of the NPRM is that FinCEN is attempting – perhaps, struggling – to take an approach that will be regarded as relatively measured with regard to a technology that FinCEN and other regulators and law enforcement representatives in fact regard as inherently pernicious and uniquely suited to serve as instruments of crime. Even if this is so, the NPRM still presents many thorny technical interpretative issues.
Additionally, FIs should keep watch for new state laws, regulations, or regulatory interpretations that seek to impose similar obligations. Since the FTX collapse, state regulatory agencies have become increasingly skeptical of cryptocurrency business activities. Such regulators often coordinate with their federal counterparts to enact or enforce state laws that support federal initiatives. New York, for example, recently proposed new laws that substantially expand regulators’ oversight of crypto enterprises engaging in business in their jurisdictions, which appeared to be in response to skepticism on the federal level. It would be unsurprising if other states followed suit.