cLabs Responds to FinCEN’s Proposed Rule on Unhosted Wallets

Just before the holidays, FinCEN — the primary anti-money laundering regulator in the United States — released a new proposed regulation that would require banks and money services businesses, including virtual asset service providers, to file reports when their customers transact with unhosted wallets. The proposal would require banks and MSBs to collect information identifying owners of unhosted wallets for transactions above $3000 and report that information to FinCEN for transactions above $10,000.

cLabs fully supports regulation that prevents illicit financial activity, but creating effective regulation, especially in areas of emerging technology, must involve the experience of regulators, industry, and the broader public working together. Moving forward with midnight rulemaking without this participation misses an important opportunity to create regulations that effectively address illicit financial activity as cryptocurrencies go mainstream. The result is a rushed proposal that will most likely serve as a tax on the innocent — particularly the most financially vulnerable — without meaningfully supporting law enforcement efforts to combat illicit financial activity.

Like many organizations in the cryptocurrency space, cLabs has submitted a public comment on the proposed regulation with the hope FinCEN will delay implementation of the rule until it has sought meaningful input from the public that would result in more effective measures. cLabs’ comments are as follows:

January 4, 2021

Kenneth A. Blanco, Director cLabs

c/o Policy Division 58 West Portal Ave PMB 729

P.O. Box 39 San Francisco, CA 94127

Vienna, VA 22183

Email: frc@fincen.gov

Re: Requirements for Certain Transactions Involving Convertible Virtual Currencies (Docket Number FINCEN-2020–0020; RIN number 1506-AB47)

Director Blanco:

The Financial Crimes Enforcement Network (FinCEN) published a Notice of Proposed Rulemaking (NPRM) on December 23, 2020, seeking comment on new recordkeeping and reporting requirements under the Bank Secrecy Act (BSA) applying to transactions involving convertible virtual currencies (CVC) and legal tender digital assets (LTDA). cLabs is an emerging technology startup whose mission is to foster a financial system that creates the conditions of prosperity for all. It is one among a community of developers that produces open source software applications, including an unhosted wallet, on Celo — a permissionless, distributed ledger platform. We aim to improve access to financial services, particularly for underbanked and financially marginalized populations around the globe (celo.org).

cLabs appreciates the opportunity to provide feedback on the proposed rule set forth in the NPRM, but finds it practically infeasible to comment on all of the 24 questions for each of the new proposed requirements in the time allotted. Therefore, despite broader concerns, our feedback is limited to addressing one of the questions posed by FinCEN and with respect only to one set of related requirements which we believe raise significant issues requiring FinCEN’s attention before the rule is finalized. Specifically, this comment addresses whether the NPRM’s proposed counterparty record keeping and reporting requirements strike a reasonable balance between financial inclusion and consumer privacy and the importance of preventing terrorism, money laundering and other illicit financial activity. The provisions in question would require banks and money service businesses (MSBs), including virtual asset service providers, to collect PII of counterparties using unhosted wallets for aggregate transactions above $3,000, and report that information to FinCEN above a $10,000 aggregate threshold.

For reasons described in greater detail below, these new counterparty identification requirements are an unwarranted expansion of the BSA’s scope and will most likely serve as a tax on the innocent — particularly the most financially vulnerable — without meaningfully supporting law enforcement efforts to combat illicit financial activity. We therefore recommend that FinCEN extend the comment period to a more reasonable 60 or 90 days to allow for meaningful input, or in the alternative remove the counterparty record keeping and reporting requirements.

The shortened comment period is inconsistent with FinCEN’s past practice and deprives the public a meaningful opportunity for input

As an initial matter, while cLabs fully supports the goal of preventing the misuse of distributed ledger technologies for illicit financial activity, and firmly believes that the goals of financial integrity and financial inclusion are complementary, we do not feel that a comment period of 7 working days over the holidays provides a meaningful opportunity for comment — particularly in light of the worsening conditions of an ongoing pandemic. The question of whether counterparty identification provisions establish a reasonable balance between the competing social values of financial inclusion and consumer privacy and the importance of preventing illicit financial activity is itself an enormous one that deserves serious dialogue among regulators, technology innovators, the cryptocurrency industry and academics who are driving the development of cryptocurrencies and distributed ledger technology. This robust dialogue simply cannot take place in the time allotted for comment.

The NPRM justifies the limited comment period by relying on the presumed migration of illicit financial activity from regulated intermediaries to unhosted wallets in anticipation of the rule’s implementation. While there is good reason to question whether a 7-day comment period would effectively deter this behavior since cryptocurrencies can be moved instantaneously, this rationale is flawed for a more fundamental reason. The NPRM imposes record keeping and reporting requirements primarily intended to support the prosecution of criminal activity and forfeiture of criminal proceeds. Unlike measures that block or prohibit transactions, the effects of record keeping and reporting requirements on illicit financial activity necessarily arise over time, calling into question the supposed necessity for urgent action here.

This limited opportunity for comment is inconsistent with the approach traditionally taken by FinCEN in addressing other illicit finance risks that arguably pose a greater threat to national security than unhosted wallets. For example, in 2016 FinCEN addressed the problem of anonymous shell corporations — repeatedly identified as one of the most significant illicit financial risks to the global financial system — by imposing new requirements to identify ultimate beneficial owners. Indeed the final rule, issued in 2016, relied in part on sources dating as far back as 2011 that identified the scale and scope of that threat, including a 2012 hearing held before the House Subcommitee on Crime, Terrorism and Homeland Security. Despite this real and ongoing threat to national security, the Customer Due Diligence (CDD) rule was introduced as an Advanced Notice of Proposed Rulemaking (ANPR). Furthermore, following publication of the ANPR, FinCEN allowed for extensive public comment over a 4 year period before issuing the final rule, including several industry roundtables and a public hearing. And implementation of the rule was delayed by two years to give covered institutions the opportunity to develop policies and procedures to comply with the new requirements without disrupting the provision of services to their customers.

This deliberate approach stands in stark contrast to the present race to the finish line that — even compared to other examples of midnight rulemaking — appears to be rushed. The current timeline is difficult to understand in light of all the available evidence suggesting that the illicit finance risks arising from unhosted wallets are significantly less than the risks addressed by the CDD rule. Independent analyses by Chainalysis and Elliptic — two blockchain analytics companies — have concluded that illicit activity represents approximately 1% of total activity or about $10 billion. Significantly, this is less than estimates for illicit financial activity through traditional financial channels, which the United Nations Office of Drugs and Crime estimated in 2011 to represent 2–5% of global GDP, or by consensus estimate about $1.6 trillion. It is therefore not surprising that the Financial Action Task Force (FATF), an intergovernmental standards setting body of which the United States is a charter member, recently reported that the available evidence was insufficient to designate unhosted wallets as a greater illicit finance risk to the global financial system than traditional financial channels.

The NPRM acknowledges, but discounts, such estimates by pointing to suspicious activity reporting identifying about $119 billion — or 11.9% of overall activity — as suspected criminal proceeds. However, FinCEN implicitly concedes that this is likely an overestimation by acknowledging that suspicious activity is “not a clear indication of a crime but is activity that is potentially illicit”. Moreover, suspicious activity reporting is generally acknowledged to be inaccurate and subject to high false positive rates. And even if for the sake of argument this number is taken at face value, the amounts in question are an order of magnitude less than available estimates of illicit financial activity through traditional channels. The point of all of this is not to dismiss the concerns raised by FinCEN in the NPRM, but to point out that the available evidence does not support the rush to judgment here. To the contrary, it supports a more deliberate approach that is consistent with FinCEN’s treatment of other illicit finance risks.

The NPRM represents a missed opportunity to find effective solutions

Importantly, the failure to provide adequate notice and comment is more than a technical violation of the Administrative Procedures Act. It represents a missed opportunity to develop solutions that lay the groundwork for successfully combating illicit financial activity in an area of growing importance, while remaining consistent with our core national values. Of particular concern are new record keeping and reporting requirements for the collection of personally identifying information (PII) not just of customers, but third party counterparties of customers. Specifically, the proposed rules would require covered intermediaries to collect PII of counterparties using unhosted wallets that involve aggregate transactions above $3,000, and report that information to FinCEN above a $10,000 aggregate threshold.

While the NPRM describes these provisions as “similar to” traditional currency transaction reporting and travel rule requirements, they in fact represent a novel expansion of the BSA’s scope that raises issues requiring serious consideration by FinCEN. The BSA is principally designed to prevent financial institutions from using customer privacy as a shield for their own complicity in, or active indifference to, their customer’s illicit activity — a tactic employed in the past by Swiss banks and financial intermediaries in other bank secrecy jurisdictions. It does so by requiring financial intermediaries to collect and report their customers’ PII to law enforcement through currency transaction reports, suspicious activity reports as well as customer identification and travel rule requirements. FinCEN has also issued interpretive guidance requiring MSBs to conduct due diligence on their own foreign agents and counterparties to protect international gateways to the U.S. financial system. But in each of these instances, the regulated entity is required to collect PII and other information from individuals and entities in a direct relationship with it. And while the travel rule does require the preservation and transmission of counterparty information, that requirement is limited to information that the institution has received in connection with the transaction — it does not mandate the affirmative collection of counterparty data as the NPRM does. If applied uniformly to all types of financial transactions, the proposed rule would, for example, require a bank that offers direct payments through Zelle or bill payments through traditional ACH rails to collect PII not just on their own customer, but the customer’s payee (for senders) or payor (for recipients) as well. This would amount to a “know your customer’s customer/counterparty” requirement that regulators have traditionally resisted, and for good reason.

The NPRM argues for this proposed expansion of the BSA on the grounds that, unlike Zelle or ACH transactions which have a regulated institution on both ends, transactions between a financial institution and an unhosted wallet have a regulated institution only on one end, allowing the owner of an unhosted wallet to remain unidentified. However, this argument ignores the traditional unwillingness of regulators to impose counterparty identification requirements on analogous financial transactions that also involve unidentified counterparties. For example, if adopted in connection with cash, financial institutions would be required to collect PII on third parties when customers pay them using cash withdrawn from their accounts. No such requirement exists — despite the significant illicit finance risk posed by cash — because it would be practically difficult to implement and raise clear privacy concerns, without providing effective tools to prevent illicit financial activity. These concerns are equally true of the NPRM’s counterparty identification requirements.

Difficulty of implementing counterparty identification requirements

Most compliance professionals recognize the difficulty of implementing a sustainable and reliable process for collecting PII from customers. Creating a customer onboarding process that passes regulatory scrutiny is among the most challenging efforts faced by compliance officers, and is typically plagued by exceptions, gaps and errors. While financial institutions overcome these deficiencies by developing secure and reliable means of obtaining information from customers, it is well known that these processes are expensive to maintain, and that the complexity and friction of the onboarding process is an important driver of financial exclusion. But the complexity of customer onboarding pales in comparison to the logistical challenges of collecting information from non-customers. Establishing processes to collect information from unaffiliated third parties will take time to develop and raise the marginal costs of maintaining customer relationships. In addition, already trained to ignore unsolicited contact as potential fraud, counterparties will likely be reluctant to provide PII to financial institutions with whom they do not have a relationship, fearing that it could result in identity theft or unsolicited spam. The resulting failure rates will undoubtedly increase operational costs more than initially anticipated.

Past experience demonstrates that these costs will be imposed on customers through increased fees for unhosted wallet transactions. While the NPRM attempts to mitigate these adverse impacts on the impact by establishing $3,000 and $10,000 thresholds for the counterparty record keeping and reporting requirements, respectively, this is unlikely to provide the needed relief. Given the operational complexity of collecting counterparty information, financial institutions are unlikely to layer the additional complexity of aggregating related transactions and distinguishing those that fall below that threshold. Regulated institutions are more likely to apply these requirements uniformly to all unhosted wallet transactions, or in the extreme, engage in “de-risking” to avoid operational and compliance risks altogether by prohibiting transactions with unhosted wallets.

Adverse impacts on financial inclusion

FinCEN should be particularly concerned about the disproportionate impact the proposed rule will have on financially vulnerable populations who already face enormous barriers in obtaining financial services. While the U.S. banking system provides broad and deep services to those with financial means, it fails to meet the needs of a significant proportion of the U.S. population with more modest means. As the Federal Reserve has reported, nearly 6% of U.S. adults are unbanked, 16% are “underbanked” — i.e., use alternative financial solutions such as check cashing services and payday loans, among others, despite having a bank account — and a staggering 40% periodically use such alternative services.

A key factor driving use of these alternatives is the lack of same day settlement in the banking system which forces families living paycheck to paycheck to seek alternatives, and the costs can be enormous — for example, payday lenders commonly charge a 15% transaction fee, which equates to an annual percentage rate of almost 400% for a two-week loan. As Aaron Klein, the former Deputy Assistant Secretary for Economic Policy at the Treasury Department, has pointed out, this archaic payment system and the lack of cheaper alternatives are drivers of U.S. economic inequality. While the cryptocurrency industry is still in its infancy, solutions are beginning to emerge which provide instantaneous, reliable and inexpensive payments. Changing the scope of the BSA — as the proposed rule does — will reduce the accessibility of new and emerging financial technologies to those who most need, and stand to gain from, them, while extending cutting-edge technologies to those who are already well served by the current system.

Adverse impacts on privacy

The proposed rule would also unreasonably compromise consumer privacy in a manner that would expose unhosted wallet users to fraud and theft well beyond current risks. A well known attribute of cryptocurrencies is that the underlying transactions are recorded on an immutable and public ledger available for anyone with an internet connection to inspect and analyze. This distinguishing feature of private cryptocurrency transactions lowers their illicit finance risk compared to cash transactions. Despite this transparency, encryption algorithms allow users to preserve some attributes of privacy and protect against fraud and theft, e.g. by using pseudonymous public addresses. In the absence of pseudonymity, anyone would be able to associate an individual’s identity with their transaction history. Unlike cash transactions, which are essentially invisible once cash is withdrawn from a financial institution, cryptocurrency transactions are fully traceable regardless of whether they take place through a financial institution or through peer to peer transactions.

By mandating the association of an individual’s public wallet address with their PII, and effectively turning the financial life of any unhosted wallet user into an open book, the proposed rule would make exchanges even more desirable targets for malicious actors. This would expose unhosted wallet users to risks arising from the operational and compliance failures of entities with which they do not have a customer relationship, have never affirmatively decided to entrust with sensitive personal information, and whose security practices they do not know. Moreover, because it requires the reporting of that same data to FinCEN, these provisions would transform the BSA into a tool for collecting and analyzing personal financial activity, which would only grow in scope and scale as cryptocurrency usage achieves greater mainstream adoption. And because this new requirement is based on a monetary threshold rather than a determination of potential criminal activity, it would capture a significant amount of innocent conduct. As a result, it would transform a regulatory regime designed to prevent financial institutions from using privacy as a shield for complicity in their customers’ illicit activity into a tool of general surveillance.

No discernible benefit to law enforcement

Perhaps most importantly, these tangible and intangible costs would be imposed on wallet users without much discernible benefit in detecting and preventing money laundering, terrorist financing and other illicit financial activity. It is well-known that Illicit actors routinely use stolen and synthetic identities crafted from information purchased on so-called “dark markets” to circumvent customer identification and other know your customer requirements at financial institutions. While legitimate customers would dutifully comply with these requirements, illicit actors would not, and instead use these same techniques to establish ownership of unhosted wallets and defeat controls put in place to implement counterparty identification requirements. In addition, because the proposed requirements are limited to the United States, illicit actors could easily defeat them by using unhosted wallets to transact with financial intermediaries in the vast majority of foreign jurisdictions that lack similar requirements. In recent years, cooperation by U.S. based exchanges has been a critical factor enabling the detection, disruption and prevention of illicit financial activity by a variety of criminal actors, terrorist organizations and rogue state actors. Since crypto-exchanges rely on blockchain analytic tools whose effectiveness depends on the continued direct interaction between unhosted wallets, the cooperation of U.S. institutions would prove less effective as unhosted wallet transactions eventually move overseas. In sum, the proposed provisions would prove little more than an empty gesture that would do little to deter illicit financial activity, and likely degrade law enforcement’s ability to prevent it.

Conclusion

Expanding the scope of the BSA in the manner proposed would likely serve as a tangible and intangible tax on the innocent — particularly the most financially vulnerable — without meaningfully supporting law enforcement efforts to detect and prevent illicit financial activity. In light of these concerns, a better approach would be for FinCEN to abandon the current rushed timeline, set a reasonable comment period of 60 or 90 days that allows it to seek meaningful input from a broad range of affected parties, including academics, innovators and the cryptocurrency industry and discuss practical ways forward. If FinCEN is not inclined to extend the comment period, we strongly recommend removal of the counterparty record keeping and reporting requirements which represent an unwarranted expansion of the BSA’s scope with limited law enforcement benefit.

Please direct any questions to Jai Ramaswamy, Head of Risk, Compliance & Regulatory Policy (jai@cLabs.co).

Submitted by:

cLabs, contributor to Celo

Member of the Alliance for Prosperity

Charter member of the Celo Foundation