On 18 December, the Financial Crimes Enforcement Network (FinCEN) at the U.S. Department of the Treasury announced highly anticipated and controversial new proposed requirements designed to mitigate illicit finance risks associated with “unhosted” virtual currency wallets and wallets hosted in certain foreign jurisdictions with weak anti-money laundering regimes. Unlike customers who rely on the custody services of financial institutions subject to anti-money laundering and combating the financing of terrorism (AML/CFT) requirements to send and receive virtual currency, users of unhosted or “self-hosted” wallets can transact directly with one another and with hosted wallets using their own private keys, creating potential illicit finance risks. FinCEN’s proposed rule would, if enacted, create new obligations for banks and money services businesses (MSBs) including virtual asset service providers (VASPs) engaging in transactions with covered wallets, a category that includes (1) unhosted wallets and (2) wallets hosted by financial institutions in certain foreign jurisdictions identified by FinCEN (currently Burma, Iran, and North Korea). The proposed rule would not, however, introduce requirements on all transactions with covered wallets, as some in industry and Congress had feared (See Figure 1).1
For transactions affected by the proposed rule, banks and MSBs would be subject to additional obligations:
- The proposed rule would create new reporting, recordkeeping, customer identity verification, and counterparty identification requirements for certain transactions involving convertible virtual currency (CVC) and digital assets with legal tender status (LTDAs). The most consequential aspect of the proposed rule would be the requirement for banks and MSBs to collect, among other information, a name and physical address associated with any unhosted-wallet counterparties of their customers for a single CVC/LTDA transaction involving a value greater than $3,000 or a group of transactions exceeding $10,000 in a 24-hour period.
- Under the new rule, if a customer sends or receives more than $10,000 in CVC/LTDA over a 24-hour period to or from a covered wallet, then the bank or MSB would be required to verify the identity of its customer and file a report with FinCEN containing information including the name and physical address of the counterparty. FinCEN states that this would be analogous to the existing currency transaction reporting (CTR) requirement, and the rule creates a similar prohibition on structuring.2
- In addition, if a customer sends or receives more than $3,000 in CVC/LTDA to or from a covered wallet, then the bank or MSB would be required to verify the identity of its customer and to keep records of the customer’s transaction and counterparty, including the name and physical address of each counterparty.
FinCEN’s Distinction between Hosted and Unhosted Wallets
“Hosted wallets are provided by account-based money transmitters that receive, store, and transmit CVC on behalf of their accountholders. Such entities generally interact with their customers through websites or mobile applications. In this business model, the money transmitter (i.e., the hosted wallet provider) is the host, the account is the wallet, and the accountholder is the wallet owner. Banks can also be hosted wallet providers. Money transmitters doing business in whole or substantial part in the United States, as well as banks within the United States, that are hosted wallet providers are subject to the BSA and must comply with AML/CFT program requirements, including by conducting customer due diligence with respect to accountholders and reporting suspicious activity. “By contrast, the term unhosted wallet describes when a financial institution is not required to conduct transactions from the wallet (for example, when an owner has the private key controlling the cryptocurrency wallet and uses it to execute transactions involving the wallet on the owner’s own behalf). Users of unhosted wallets interact with a virtual currency system directly and have independent control over the transmission of the value. When such a person conducts a transaction to purchase goods or services on the person’s own behalf, they are not a money transmitter and are not subject to BSA requirements applicable to financial institutions. Additionally, because such transactions do not necessarily involve a regulated financial intermediary on at least one side of the transaction, they may never be scrutinized pursuant to any AML/CFT program.”3 |
The proposed rule aims to address longstanding concerns raised by the U.S. government and the Financial Action Task Force (FATF) about the illicit finance risks associated with unhosted wallets. Secretary of the Treasury Steven Mnuchin has stated that the rule “is intended to protect national security, assist law enforcement, and increase transparency while minimizing impact on responsible innovation.”4 Critics in industry and the virtual asset community argue instead that the proposed rule will not meaningfully constrain illicit activity.
- FinCEN estimates that 11.9% of CVC market activity is “relevant to a possible violation of law or regulation,” and states that the risks involving CVC are exacerbated by the use of unhosted wallets or wallets hosted by institutions not subject to effective controls.5
- Notably, FinCEN suggests that countering ransomware and cybersecurity attacks is a primary objective of the proposed requirements, citing examples in which malign actors connected to North Korean money laundering have conducted large transactions between U.S. financial institutions and unhosted wallets and have used unhosted wallets to obscure the flow of funds following theft and extortion.6
- Opponents of the proposed rule argue that it would not be effective in reducing illicit activity because a focus on unhosted wallets is misplaced relative to other vulnerabilities;7 because criminals will simply evade controls;8 because financial activity will be driven into peer-to-peer9 or informal10 channels, reducing investigators’ visibility; and because the change would not give investigators new information, in part because of the transparency of the blockchain.11
- FinCEN, however, stresses that even for CVCs associated with public blockchains, investigators cannot always identify illicit activity.12 FinCEN states that because CTRs provide valuable information to investigators, an analogous CVC/LTDA reporting requirement for transactions valued at more than $10,000 per day will provide greater insight as well.13
- Critics appear to accept that the proposed $10,000 reporting requirement seeks parity with existing CTR standards for cash, but they believe that the proposed $3,000 recordkeeping requirement creates a double standard in requiring certain information to be collected only if the transaction is being made with cryptocurrency.14 A bank customer is allowed to write a check to a non-customer, these opponents point out, without reliably identifying the physical address of the counterparty.15
*Click here to view this text box on a mobile device.
FinCEN’s Proposed Rule a Part of Evolving Global Standards
Regulation of VASPs and other entities in the crypto space is evolving rapidly, as K2 Integrity Policy Alerts continue to highlight. FinCEN’s proposed rule is intended both to keep pace with changing global standards and to address the risks emanating from jurisdictions that are falling behind in establishing effective counter illicit-finance controls. The proposed rule is consistent with the recent focus by FATF on the need to increase supervision of VASPs and address the risk that transfers to the unregulated peer-to-peer sector through unhosted wallets could “present a leak in tracing illicit flows of virtual assets.”16 However, FinCEN’s proposed requirements do not include the most restrictive proposals contemplated by FATF,17 and they are less onerous than similar regulations recently enacted in the Netherlands and particularly Switzerland.18 The “Swiss rule” prohibits transactions with unhosted wallets other than those proven to belong to customers. FinCEN’s proposal thus makes it less likely that global standards will evolve to restrict, either directly or in practice, transactions between hosted and unhosted wallets. In establishing a Foreign Jurisdictions List to name countries with significant deficiencies in their regulation of CVC and LTDA, FinCEN signals that the United States aims to further incentivize foreign governments to implement controls consistent with global standards in the virtual asset space. The current list, Burma, Iran, and North Korea, focuses on jurisdictions that FinCEN has identified as primary money laundering concerns under Section 311 of the PATRIOT Act, and also closely mirrors the FATF’s inclusion of Iran and North Korea on its list of high-risk jurisdictions subject to a call for action19 and its inclusion of Burma on its list of jurisdictions with strategic deficiencies.20 |
Beyond questioning the efficacy of the proposed rule, the virtual asset community has also highlighted practical challenges related to collecting and managing information about unhosted-wallet counterparties and the potential for the proposed requirement to undermine innovation.21 Additionally, FinCEN has allowed for a comment period of only 15 days, citing national security considerations and its ability to expedite foreign affairs rulemaking, noting prior engagement with the cryptocurrency industry and stating that it will “endeavor to consider any material comments received after the deadline as well.”22
- The need to collect a counterparty’s name and physical address could complicate smart contracts and other potential CVC use cases that do not require the parties to a transaction to interact directly.23 The virtual asset community points, for example, to startups currently developing a decentralized model for wireless internet connectivity featuring machine-to-machine payments.24
- Opponents of the proposed rule have also raised concerns related to the reforms potentially undermining privacy25 and financial inclusion-related objectives26 of virtual currencies. Some argue that requirements focused on unhosted wallets could force American companies offshore, particularly if projects under development assume the continued use of private, unhosted wallets.27
- Some opponents warn that regulations targeting unhosted wallets could create in the United States what they believe the “Swiss rule” has created in Switzerland: a bifurcated market in which CVC can move between wallets held by regulated custodians, or between unhosted wallets, but not across the divide.28
Financial institutions including VASPs should be aware that FinCEN has identified procedures that compliance staff would need to implement so that each institution can satisfy the core requirements described by the proposed rule. Banks, MSBs, and VASPs should also continue to monitor the evolution of global standards, particularly if a new U.S. administration takes a proactive stance on revising or extending regulation.
- In analyzing whether a counterparty’s wallet is hosted by a Bank Secrecy Act-regulated MSB, financial institutions would need to ensure that the MSB is registered with FinCEN. Regarding wallets hosted by foreign financial institutions, banks and MSBs would need to confirm that each foreign financial institution is not located in a jurisdiction on the Foreign Jurisdictions List and would need to apply risk-based procedures to confirm that the foreign institution is complying with requirements in that jurisdiction.29
- Banks and MSBs would need to establish risk-based procedures for verifying their hosted wallet customer’s identity that are sufficient to enable the bank or MSB to form a reasonable belief that it knows the true identity of its customer.30
- Financial institutions should view FinCEN’s proposed rule in context with other recent developments signaling a growing U.S. focus on CVC/LTDA. On 23 December, the President’s Working Group on Financial Markets released an initial assessment of key regulatory and supervisory considerations—including AML/CFT considerations—with respect to stablecoins, or digital asset arrangements designed to maintain a stable value relative to a fiat currency.31 On 30 December, the Office of Foreign Assets Control announced a settlement agreement with a service provider to online digital wallets for failing to prevent persons in sanctioned jurisdictions from using the provider’s services.32
- Compliance professionals should continue to consult K2 Integrity Policy Alerts for timely updates and insights on the evolution of global standards in the virtual asset space.
Endnotes
1 Nikhilesh De, “US Lawmakers Tell Mnuchin to Back Off From Potential Crypto Wallet Regs,” CoinDesk, December 9, 2020, https://www.coindesk.com/us-lawmakers-tell-mnuchin-to-back-off-from-potential-crypto-wallet-regs.
2 FinCEN, NPRM, pp. 83844-83845.
3 FinCEN, NPRM, pp. 83843-83844.
4 U.S. Department of the Treasury, “The Financial Crimes Enforcement Network Proposes Rule Aimed at Closing Anti-Money Laundering Regulatory Gaps for Certain Convertible Virtual Currency and Digital Asset Transactions,” December 18, 2020, https://home.treasury.gov/news/press-releases/sm1216.
5 FinCEN, NPRM, p. 83842.
6 FinCEN, NPRM, p. 83841.
7 Chainalysis Regulatory Team, “What You Need to Know About Treasury’s 72-page NPRM for Transactions with Unhosted Wallets and Certain Foreign Jurisdictions,” Chainalysis Insights, December 22, 2020, https://blog.chainalysis.com/reports/treasury-department-nprm-unhosted-wallets-2020.
8 Ian Allison, “Industry Pros Weigh In on Rumors of New Crypto Wallet Regulations,” Nasdaq, November 27, 2020, https://www.nasdaq.com/articles/industry-pros-weigh-in-on-rumors-of-new-crypto-wallet-regulations-2020-11-27.
9 Jerry Brito and Peter Van Valkenburgh, “Comments to the Financial Crimes Enforcement Network on Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets,” December 22, 2020, https://www.coincenter.org/app/uploads/2020/12/2020-12-22-comments-to-fincen.pdf, p. 25.
10 Jai Ramaswamy, “How I Learned to Stop Worrying and Love Unhosted Wallets,” Coin Center, November 18, 2020, https://www.coincenter.org/how-i-learned-to-stop-worrying-and-love-unhosted-wallets/.
11 See tweet by Jake Chervinsky, https://twitter.com/jchervinsky/status/1340135047693787138; Chainalysis Regulatory Team, “What You Need to Know About Treasury’s 72-page NPRM for Transactions with Unhosted Wallets and Certain Foreign Jurisdictions,” Chainalysis Insights, December 22, 2020, https://blog.chainalysis.com/reports/treasury-department-nprm-unhosted-wallets-2020.
12 FinCEN, NPRM, p. 83844.
13 FinCEN, NPRM, p. 83844.
14 Jerry Brito and Peter Van Valkenburgh, “Comments to the Financial Crimes Enforcement Network on Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets,” December 22, 2020, https://www.coincenter.org/app/uploads/2020/12/2020-12-22-comments-to-fincen.pdf, p. 16.
15 Jerry Brito and Peter Van Valkenburgh, “Comments to the Financial Crimes Enforcement Network on Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets,” December 22, 2020, https://www.coincenter.org/app/uploads/2020/12/2020-12-22-comments-to-fincen.pdf, pp. 21-22.
16 Financial Action Task Force (FATF), “12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers,” June 2020, https://www.fatf-gafi.org/media/fatf/documents/recommendations/12-Month-Review-Revised-FATF-Standards-Virtual-Assets-VASPS.pdf, p. 15.
17 Financial Action Task Force (FATF), “12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers,” June 2020, https://www.fatf-gafi.org/media/fatf/documents/recommendations/12-Month-Review-Revised-FATF-Standards-Virtual-Assets-VASPS.pdf, p. 15.
18 Nikhilesh De and Danny Nelson, “US Floats Long-Dreaded Plan to Make Crypto Exchanges Identify Personal Wallets,” CoinDesk, December 18, 2020, https://www.coindesk.com/fincen-proposes-kyc-rules-for-crypto-wallets.
19 Financial Action Task Force, “High-Risk Jurisdictions Subject to a Call for Action – 21 February 2020,” accessed 27 December 2020, http://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/call-for-action-february-2020.html.
20 Financial Action Task Force, “Jurisdictions Under Increased Monitoring – 23 October 2020,” accessed 27 December 2020, http://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/increased-monitoring-october-2020.html.
21 Turner Wright, “Heavy Hitters of Crypto Call for Users to Comment on Proposed FinCEN Wallet Rule,” Cointelegraph, December 30, 2020, https://cointelegraph.com/news/heavy-hitters-of-crypto-call-for-users-to-comment-on-proposed-fincen-wallet-rule.
22 FinCEN, NPRM, p. 83841.
23 Peter Van Valkenburgh, “A Midnight Rule for Cryptocurrency Transaction Reports,” Coin Center, December 18, 2020, https://www.coincenter.org/a-midnight-rule-for-cryptocurrency-transaction-reports/.
24 Jerry Brito and Peter Van Valkenburgh, “Comments to the Financial Crimes Enforcement Network on Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets,” December 22, 2020, https://www.coincenter.org/app/uploads/2020/12/2020-12-22-comments-to-fincen.pdf, pp. 19-21.
25 Brian Armstrong, “Make Your Voice Heard—Share Your Thoughts on the New Proposed Crypto Rules Directly With the U.S. Department of Treasury,” The Coinbase Blog, December 30, 2020, https://blog.coinbase.com/make-your-voice-heard-share-your-thoughts-on-the-new-proposed-crypto-rules-directly-with-the-u-s-a707467c2697.
26 Jerry Brito and Peter Van Valkenburgh, “Comments to the Financial Crimes Enforcement Network on Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets,” December 22, 2020, https://www.coincenter.org/app/uploads/2020/12/2020-12-22-comments-to-fincen.pdf, p. 19.
27 Michelle Bond, Letter to Secretary Mnuchin from the CEO of the Association for Digital Asset Markets (ADAM), December 15, 2020, http://www.theadam.io/wp-content/uploads/2020/12/Letter-Secretary-Mnuchin-Self-Hosted-Wallets-ADAM-12.15.pdf.
28 Laura Shin, “Everything You Need to Know About the Looming Battle Over Privacy in Crypto,” Unchained (podcast), November 17, 2020, https://unchainedpodcast.com/everything-you-need-to-know-about-the-looming-battle-over-privacy-in-crypto/.
29 FinCEN, NPRM, p. 83849.
30 FinCEN, NPRM, p. 83849.
31 U.S. Department of the Treasury, “President’s Working Group on Financial Markets Releases Statement on Key Regulatory and Supervisory Issues Relevant to Certain Stablecoins,” December 23, 2020, https://home.treasury.gov/news/press-releases/sm1223.
32 U.S. Department of the Treasury, “OFAC Enters Into $98,830 Settlement with BitGo, Inc. for Apparent Violations of Multiple Sanctions Programs Related to Digital Currency Transactions,” December 30, 2020, https://home.treasury.gov/system/files/126/20201230_bitgo.pdf.