Our Response to Proposed Rules from FinCEN and the Dept. of Treasury
Electric Capital recently submitted comments during FinCEN’s open comment period for proposed rules documented in Docket No. FINCEN-2020–0020, RIN 1506-AB47. We have republished these comments below.
January 3, 2021
Policy Division Financial Crimes Enforcement Network
P.O. Box 39
Vienna, VA 22183
FinCEN Docket No. FINCEN-2020–0020, RIN 1506-AB47
To whom it may concern:
We request FinCEN offer a 60-day notice-and-comment period to on the Financial Crimes Enforcement Network (“FinCEN) Notice of Proposed Rulemaking regarding “Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets” (the “NRPM”) so that the public has adequate opportunity to comment on the NRPM, as required by law.
Electric Capital is a venture capital investment firm with backing from top US university endowments, healthcare systems, and philanthropies. We are grateful to be able to work on behalf of institutions that offer higher education, provide meals to those in need, and research novel treatments for cancer. As investors at Electric Capital and in our private capacity as individual investors, we have provided seed capital to companies with a combined market capitalization of over $20 billion and that employ thousands of people. In addition, the employees and partners at Electric Capital have significant hands-on experience with bringing new technologies to market. We have started several successful businesses and helped build products used by 1 billion people every day.
We are fortunate to have been involved with multiple innovative technology platforms that have led to value and job creation in communities across the US. As a result of our expertise in early stage technologies and the potential for emerging technologies to meaningfully impact our communities, we are compelled to comment and offer feedback on the NRPM.
Electric Capital is supportive of smart regulation as we believe proper regulation of emerging technologies creates clarity and unlocks innovation. The United State government has done this effectively in prior technology waves such as the creation of the early PC industry, the Internet, GPS technologies, cryptography, and many other fields. Unfortunately, the dash by FinCEN to implement these proposed rules during the holidays does not leave sufficient time to address and improve the proposed rules such that they may be productive, constructive, and enhance American competitiveness in the globally competitive crypto and blockchain industries.
Our letter comments on both the shortcomings in the process around the NRPM and the in the proposed rules. Due to the extremely compressed timeframe to comment on the proposed rules and the fact that there are only a handful of working days during this time of the year, our comments on the deficiencies in the proposed rulings are accurate yet incomplete.
Deficiencies in the Rule Making Process
We acknowledge the important issues that FinCEN and the Department of Treasury seek to address and appreciate the complex challenges that rulemakers must face in tackling challenging issues such as money laundering. And precisely because we believe these are important issues, we believe the process around the NRPM has been deeply flawed. The NRPM is a seventy page document with two dozen substantive subjects that deserve thoughtful discussion and feedback. FinCEN released the proposed rules on Friday, December 18, 2020 with a 15 day window to comment — a window that includes Christmas, New Year’s, and weekends, leaving only a handful of working days to comment on the proposed rules.
Given these constraints, our letter is an incomplete and abbreviated accounting of our concerns with both the rule making process and the proposed rules.
Executive Order 12,866, which also binds FinCEN, states that agencies must “provide the public with meaningful participation in the regulatory process” and a “meaningful opportunity to comment on any proposed regulation, which, in most cases should include a comment period of not less than 60 days.” This requirement to allow the public to meaningfully has been upheld in the courts, as in N.C. Growers’ Ass’n, Inc. v. United Farm Workers, 702 F.3d 755 (4th Cir. 2012).
The allowed exceptions to the notice and comment period are for “foreign affairs functions” and “good cause” exemptions, which clearly do not apply in the case of NRPM and would not stand in court. The foreign affairs function can only apply to those affairs that would impact relations with other governments and would clearly provoke undesirable international consequences. There are no such specific undesirable international consequences that would force an expedited 15-day comment window across the holiday season. The “good cause exemption” § 553(b)(B) applies if compliance would be “impracticable, unnecessary, or contrary to the public interest.” The Treasury Department is suggesting that a 30-day or longer comment period is contrary to the public interest because it “has directly engaged with the cryptocurrency industry on multiple occasions and in a variety of formats over the past year on the AML risks arising in connection with cryptocurrency and carefully considered information and feedback received from industry participants.” The argument conflates a small number of industry professionals for “the public.” The proposed rules impact far more people than a small number of industry professionals who have had closed-door, off-the-record meetings. Private consultation with a small number of individuals or companies is not a substitute for the broader public — hence the well-established case law for required public commentary and feedback. It is also worth noting that such industry consultations happen regularly with the banking and finance industries in addition to offering sufficient time for public comment, as required by law.
We believe FinCEN, Treasury, and the public would be better served with a more typical 30 day comment period, and given the complexity of properly regulating an innovative new technology platform that could generate millions of jobs in the coming decade, we advocate strongly for a 60 day comment period to ensure that any proposed rules achieve the desired objectives without unintentionally hurting the American public.
Deficiencies in the Proposed Rules
The deficiencies in the proposed rules are far too numerous for us to enumerate in the abbreviated comment period. We could fill several dozen pages of feedback with technical inconsistencies in the proposed rules, fundamental misunderstandings about the nature of cryptocurrencies, encroachments into Constitutional rights, and impairments of future innovation and American competitiveness. We will continue to engage outside this initial commentary to address these numerous issues.
We focus this letter on the most pressing issues on which we are most uniquely qualified to comment as software engineers and investors:
A. The cybersecurity risks of centralized data storage at FinCEN or the Dept of Treasury
B. The sabotage of high-value innovative uses of cryptocurrencies and blockchain, and the resulting handicapping of US interests in a global financial and technology market
A. The risks of centralized data storage at the Department of Treasury
The proposed rules create new requirements for the filing of cash transaction reports (CTR) with FinCEN. We believe FinCEN and the Department of Treasury are wholly underprepared and incapable of handling the volume of such transactions. The most widely held cryptocurrencies such as Bitcoin are more similar to gold or real estate, not cash. This means that consumers will buy and hold these assets, rather than transact with them and far more transactions will trigger CTR requirements and result in a flood of reports to FinCEN. In addition to the infrastructure required for FinCEN to store and process these reports at three orders more magnitude than FinCEN or Treasury processes currently, the aggregation of these reports at such scale presents significant threats to US citizens.
In December 2020, the US company SolarWinds revealed a significant intrusion of its software systems. SolarWinds software is used to monitor networks by many government agencies, including the Department of Treasury. The Chairman of the Senate Armed Services Committee, James Inhofe, a Republican from Oklahoma, and Jack Reed, of Rhode Island, and the top Democrat on the Committee issued a joint statement stating “the cyber intrusion appears to be ongoing and has the hallmarks of a Russian intelligence operation.”
Subsequently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated the hack “poses a grave risk” to federal, state and local governments, and private companies. In addition, CISA has acknowledged that removing the malware will be “highly complex and challenging.”
Imagine the damage if the data compromised in this hack had been CTR reports tied to millions of American’s, their addresses, bank account information, and additional financial details. A leak of this magnitude to a foreign state actor would have endangered the physical and financial security of millions of American citizens. As Americans primarily use cryptocurrencies as a store of value, the physical addresses and history of transactions of American citizens would allow a hacker to identify high value targets to physically threaten to extract significant wealth. This is unique from CTRs for US Dollar transactions as the USD is primarily a medium of exchange, and thus the leak of this information for traditional USD transactions would not suggest that the individual named in a CTR continues to have access to the USD or is in a position to unilaterally transfer this USD to a hacker, unlike cryptocurrencies used as a store of value.
Unfortunately these sorts of attacks will only increase in the coming years and must be taken extremely seriously. We must enact a rigorous and thorough vetting process of only keeping the bare minimum data about Americans inside high profile targets of cyber-warfare such as FinCEN and the Department of Treasury. FinCEN and the Department of Treasury have not demonstrated they are capable of receiving or storing data securely. The proposed CTR requirements suggest a naïveté from the rulemakers about how much personally identifiable information is necessary to achieve the desired goals and how to store information so as to minimize leaking this data to foreign governments. It is also worth noting that asking for the breadth of information from millions of US citizens as the proposed CTR rules would require is Constitutionality dubious, and is tantamount to a warrantless search.
We encourage FinCEN and the Department of Treasury to engage with cybersecurity experts inside the government, inside the cryptocurrency industry, and in the broader public in crafting reporting requirements that are limited in scope to sufficiently help law enforcement, Constitutional, and more secure from cybersecurity risks. There are novel technologies that would allow this data to be stored using encryption and blockchain technologies such that American citizens would control their own personally identifiable data and could be compelled via a warrant to share this data with law enforcement if necessary. We believe such constructions would be far more constitutionally viable, be less likely to create honey pot targets for hackers and state actors, and also allow law enforcement to build tooling to combat crimes.
B. The sabotage of high-value, innovative uses of cryptocurrencies and blockchain, and the resulting handicapping of US interests in a global financial and technology market.
As entrepreneurs and investors in emerging technologies, we are disappointed at the fundamental orientation of the NRPM. The ruleset (i) takes an adversarial (rather than pro innovation) mindset to cryptocurrencies and blockchain technologies, (ii) does not account for or understand the valuable new emergent use cases for these technologies, and (iii) does not place the impact of these rules on US citizens and US companies in a global context.
Much of the ruling assumes that these technologies are used for additional nefarious behaviors than any other technology and thus must be regulated differently. This is factually incorrect. Cryptocurrencies and blockchain technologies are subject to the same good and bad actors as any other technology, and the existing AML/KYC requirements of financial institutions are very effective at uncovering bad actors because ultimately bad actors must use USD onramps and offramps to perform illicit activities.
In fact, the manner in which cryptocurrencies are novel and unique is in their ability to unlock efficiencies, new use cases, and in their ability to protect our Constitutional rights. For example, using cryptocurrencies, we can now enable transactions between people and businesses in USD that settle instantly anywhere in the world rather than taking multiple days for dollars to move between bank accounts. Or using cryptocurrencies, we can now perform microtransactions for fractions of a cent such that we could pay the authors of articles anywhere on the web via our browsers so that content creators can be directly rewarded by their fans, without having to go through a large technology company as an intermediary.
Cryptocurrencies also unlock emergent behaviors that do not fit easily into the NRPM ruleset. One of the innovations of smart contract platforms that use cryptocurrencies is the ability for software to take custody of cryptocurrencies/money without the need for a human or corporate intermediary. Use cases for these smart contracts may be as seemingly banal as lending contracts that offer better rates and could not discriminate based on race, religion, or a business’s political views. This allows capital to flow to small businesses that otherwise cannot easily access funding and could allow entrepreneurs to raise capital at lower interest rates than traditional banks. In order to unlock all of this innovation and utility, we would need the ability for capital to flow into smart contracts from crypto exchanges and traditional brokerages.
Unfortunately, the NRPM would prevent all of this benefit to consumers and small businesses. There is simply no way for an entity in the US to verify the identity of the smart contract, as the smart contract is not a person or company that can be KYC-ed.
As a result, the businesses that intermediate these interactions will move overseas. Capital can easily flow from the US to Europe or Asia if overseas actors offer better interest rates, faster processing of loans, and easier loan servicing. The proposed rules almost guarantee that billions of dollars of economic activity would move away from the US, along with the detailed financial information of millions of American citizens and businesses.
This is simply one example of unintended consequences that hurt the US consumer, impair US businesses, cost the US billions of dollars, and lose the US thousands of jobs. There are numerous such provisions in the NRPM that are incompatible with very promising paths of future innovation. Rather than rush through a ruleset with many unintended consequences that harm US interests, we urge FinCEN and the Department of Treasury to solicit significant additional feedback via a 60 day public comment period. Much of the proposed rule set must be removed entirely as it causes significant harm and the remainder requires significant rework to actually achieve the desired objectives.