FinCEN’s proposed regulation of virtual assets
A controversial proposed rule from the Financial Crimes Enforcement Network would bring bank-like regulation of virtual asset transactions, including the first broadly-applied AML reporting requirement in at least two decades. However, it does not appear to account for the differences in technology that separate transactions involving digital assets from transactions that leverage traditional payments rails – nor does it appear to appreciate the significant costs to industry to fully implement the proposed rule.
FinCEN's Proposed Rule
On December 23, 2020, the US Department of the Treasury's Financial Crimes Enforcement Network ("FinCEN") published a Notice of Proposed Rulemaking ("NPRM") in the Federal Register proposing regulatory requirements on convertible virtual currencies ("CVCs") and digital assets. If finalized, the NPRM would impose reporting and recordkeeping requirements on banks and money services businesses ("MSBs"), including many virtual asset service providers, that facilitate transactions in CVCs and legal tender digital assets ("LTDAs") with self-hosted wallets and hosted wallets held in jurisdictions that are identified by FinCEN as primary money laundering concerns. It would also be the first significant, broadly-applied reporting requirement since the passage of the USA PATRIOT Act, if not earlier.
The proposed rule would define CVCs and LTDAs as "monetary instruments" for purposes of 31 U.S.C. 5313, i.e., the statutory language that authorizes FinCEN to collect Currency Transaction Reports ("CTRs"). In so doing, FinCEN leverages an authority that allows it to require financial institutions to report information about CVCs/LTDAs, in addition to its authority to require financial institutions to keep records under 31 U.S.C. 5318(a)(2). As a result, the proposed reporting requirement would be similar to CTR requirements, another Bank Secrecy Act ("BSA") regulatory requirement on transactions in physical currency of more than $10,000, while the recordkeeping requirement would be similar to the Funds Transfer Recordkeeping requirement on transmittals of funds and funds transfers of more than $3,000.
- CTR. Banks and MSBs would be required to report to FinCEN transactions of more than $10,000 in CVCs or LTDAs in a 24-hour period involving self-hosted wallets (where a user maintains their own private keys without further intermediation) or hosted wallets (where a third party holds the user's private keys and initiates blockchain transactions on the user's behalf) located in certain jurisdictions identified by FinCEN. The list of jurisdictions is initially proposed to include Burma, Iran, and North Korea, and may be expanded to include jurisdictions that FinCEN determines to have significant deficiencies in their regulation of CVC/LTDA. Banks and MSBs would be required to aggregate during a business day other CVC/LTDA transactions of a customer with self-hosted or applicable hosted wallets to count towards the $10,000 threshold. However, banks and MSBs would not be expected to aggregate the CVC/LTDA transactions with a customer's transactions in currency.
- Funds Transfer Recordkeeping Rule. The Funds Transfer Recordkeeping Rule requires financial institutions to keep records on certain information involving transmittals of funds and funds transfers of more than $3,000. However, a CVC/LTDA transaction between a bank or an MSB and a self-hosted wallet would not be considered a transmittal of funds or funds transfer. Consequently, the proposed rule would require banks and MSBs to collect certain information about such transactions. In addition to information that is otherwise required under the Funds Transfer Recordkeeping Rule, banks and MSBs would be required to keep records of the name and address of their customer's counterparty. Banks and MSBs would also be required to verify the identity of their customer, through documented risk-based procedures, before completing any covered transaction.
- Structuring. The proposed rule would add the two reporting and recordkeeping requirements described above to the BSA reporting and recordkeeping requirements, such that purposeful evasion of them would constitute the impermissible act of "structuring." This proposed amendment would create an additional, if indirect, reporting requirement. Financial institutions are required to investigate and report to FinCEN incidents of structuring as suspicious activity. Banks and MSBs will need to ensure that their transaction monitoring systems are set low enough to detect not only transactions that meet the value thresholds for the reporting and recordkeeping requirements described above, but also transactions just below those thresholds that are intended to evade those requirements.
Comments to the proposed rule were due on January 4th, 2021, a mere 15 days after the NPRM was published in the Federal Register, over a time period that spanned two federal holidays.
Setting aside the unusual circumstances of this NPRM, the thinness of the data supporting the regulation and the likely high cost of compliance, the proposed requirements mirror existing BSA obligations and, on their face, shouldn't be controversial. However, like FinCEN's prior guidance on CVCs and proposed amendments to the Funds Transfer Recordkeeping and Travel Rules, referenced below, FinCEN's regulatory approach in the NPRM perpetuates a bias towards an existing technology that seems inconsistent with FinCEN's public statements and may not be as effective as intended at bringing transparency to the disruptive technologies that have emerged in financial services.
Payments Technology and AML Regulations
FinCEN's position has long been that new financial products and services should be developed by industry in compliance with existing regulations and not that regulations should be adapted to suit new products and services. To justify this position, FinCEN has traditionally claimed that its regulations are technology-neutral and therefore innovation should be responsive to it rather than vice versa. Unfortunately, FinCEN may not realize just how dependent its regulatory infrastructure is on one specific technology, namely payments messaging technology, which has formed the backbone of the international financial system for generations.
The term "money transmission" has fast become a bit of a misnomer. Except in increasingly rare circumstances, physical cash is not moved from place to place. What we think of as a payments chain is really a series of accounting notations debiting and crediting accounts across a series of financial institutions, triggered by messages between those institutions verifying the accounting instructions. Anti-money laundering ("AML") policies rely on the messaging infrastructure as a framework to shape the limits of regulations that ensure the necessary transparency for financial integrity.
But transactions involving virtual assets are different. The accounting ledger is necessarily shared, meaning there is no need for a messaging infrastructure to effectuate the accounting transactions. Rather, the debits and credits are inputted directly into the shared ledger. Without a messaging infrastructure, the traditional methods of ensuring financial integrity become manifestly less effective, and, correspondingly, AML regulations on virtual assets have struggled to be fit for purpose. Traditional AML regulations rely on the fact that financial institutions must already collect, retain, and transmit information about a transaction to give effect to the transaction. In leveraging what a financial institution already does, the burden of the AML regulations is substantially reduced. The balance between compliance with an AML rule and the cost of compliance is important. For while AML enforcement in the United States has been and will remain an enforcement priority, the US AML regime still primarily relies on the voluntary compliance of the persons and institutions subject to it. But by forcing traditional AML regulatory approaches on virtual assets, not only are costly new burdens created, but the regulations are more easily circumvented because they do not account for how the new technology operates.
The potential inconsistencies between AML regulations based on payments messaging technology and virtual assets infrastructure became increasingly clear last year when FinCEN released updated guidance on virtual currency business, contorting key terms and concepts to place virtual assets more squarely in a money transmission construct. That guidance actually made it clear that to truly build financial integrity in virtual assets, FinCEN would have to develop bespoke regulations that more accurately reflect the dynamics of virtual asset transactions. Then came more explicit attempts in October of 2020 to bring CVC transactions under the auspices of the Funds Transfer Recordkeeping and Funds Travel Rules. And now, this NPRM continues to bend terminology, such as the definition of "monetary instrument," to create obligations on CVC and LTDA transactions that are corollaries to transactions in currency or over traditional payment rails. The proposed rule would consider CVCs/LTDAs to be "monetary instruments" for purposes of 31 U.S.C. 5313, but is careful to note that the definition of "monetary instruments" as defined in 31 CFR 1010.100(dd) or in reference to other BSA reporting requirements will not be amended.
FinCEN's unusually short comment period and stated intention to rapidly implement a final rule are tantamount to regulation by edict, which is inconsistent with the cooperative approach to AML regulation that has been baked into the Bank Secrecy Act through programs like the BSA Advisory Group ("BSAAG"), Section 314 of the Patriot Act, and the new mandates of the AML Act of 2020. More importantly, it seems to be a missed opportunity to build a dialogue on creating financial transparency in a world that is less dependent on financial messaging systems. Virtual asset service providers ("VASPs") should not feel that this is the last word, however. The BSAAG is an influential forum for shaping AML policies across all industries, and the VASP industry should ensure that it is an active presence in this group. The BSAAG is currently soliciting new members, with nominations due on January 28, 2021.
FinCEN claims its regulations are technology neutral, but it may not even realize how dependent those regulations are on payments messaging technology. There is nothing wrong with this, by the way, but hopefully in recognizing its own reliance on a specific technology, FinCEN can free itself and better work with the public to design regulations that account for the technologies that have truly disrupted the traditional payments system and will form the backbone of the payments system of tomorrow.
A rigid extension of rules based on traditional payments technologies to virtual assets may skew the balance of the government's need for financial integrity against the public's need for faster payments, greater financial inclusion, and reasonable expectations of financial privacy. Payments effectuated through virtual assets offer tremendous promise to meet a number of public policy objectives, but it is becoming increasingly clear that greater AML regulation will build trust in these systems among consumers and help them to achieve mainstream adoption. But neither FinCEN nor the VASP industry can pursue their policy objectives in isolation.