The virtual currency market continues to grow. The price of Bitcoin at the end of 2020 was at a historical high of approximately $28,990. In light of this growth, regulators are trying to apply existing compliance rules to virtual currency, even though these rules were generally written to apply to various pre-existing types of financial instruments.1 On December 18, 2020, FinCEN released a notice of proposed rulemaking (the “NPRM”) setting forth proposed U.S. anti-money laundering regulations that would expand the application of U.S. anti-money laundering rules to virtual currency.
The NPRM is controversial and considered unduly burdensome by virtual currency market participants.2 The NPRM also only provided a 15-day comment period after its release (comments were due by Monday, January 4, 2021, the first business day of the new calendar year). The extremely short comment period and the release of the NPRM on the Friday immediately preceding the last two weeks of 2020, shortly before the end of the current Presidential term, have led some to describe the NPRM as a “midnight regulation.”3 A subsequent Notice published in the Federal Register on January 15, 2021 reopened the comment period and provided additional statutory authority for the NPRM.4 Given the potentially short timeline for implementation, bank compliance teams should examine the regulation and consider its impact on compliance initiatives relating to virtual currency and certain related digital assets.
Holders of virtual currency use so-called “wallets” to hold proof of ownership of their virtual currency. A holder proves ownership of a position in virtual currency by providing a so-called “private key” (that must be kept confidential to protect ownership) along with a related “public key” that is not confidential. Wallets are used to hold an owner’s private keys and might be understood as a sort of intangible, digital vault. There are several different types of virtual currency wallets and variations are not generally discussed here. For purposes of the NPRM, a “hosted wallet” is one where an owner’s private keys are held by a financial institution. An “unhosted wallet” is one where the private keys are not held by a financial institution, also often referred to as a “self-hosted” wallet.5
Holders must set up a wallet prior to conducting any transactions in virtual currency, and they cannot purchase virtual currency without a wallet.6 Holders may transfer their existing virtual currency between hosted and un-hosted wallets. Nothing prohibits individuals wishing to transact in virtual currency from engaging directly with each other using so-called “peer-to-peer” transactions.7 However, in order to purchase virtual currency from online exchanges, holders must generally link a bank account, credit card, or online payments system account such as PayPal.8
Currently, under the Bank Secrecy Act of 1970 as amended (including significant amendment by the U.S. Patriot Act; collectively, the “BSA”)9, financial institutions operating in the U.S. are subject to specific obligations with regard to virtual currency transactions involving wallets hosted by such institutions.10 Moreover, BSA requirements specific to virtual currency are not new.11 They apply to banks and money service businesses (“MSBs”), including “virtual asset service providers” (“VASPs”). However, continuing concerns remain regarding the use of virtual currency in connection with illicit activity. The NPRM notes that even after the imposition of existing BSA requirements to virtual currency transactions involving banks and MSBs, there continues to be a fairly high level of illicit activity connected to virtual currencies.12
The NPRM explains that one industry estimate of illicit activity in the global virtual currency market in 2019 was $10 billion USD or one percent of the total market, and that reporting of potentially suspicious U.S. connected activity was in excess of $119 billion.13 The NPRM is intended to tighten the applicable BSA rules to further inhibit illicit activity by imposing new regulatory requirements on financial institutions with regard to customers’ unhosted wallets.
The NPRM would impose new requirements that banks and MSBs must gather, maintain, and report information about customers engaging in virtual currency14 transactions with unhosted wallets. The NPRM would also impose these same requirements on transactions with otherwise covered wallets, hosted wallets held by a financial institution that are not subject to the BSA and are located in a foreign jurisdiction on the so-called FinCEN “Foreign Jurisdictions List.” FinCEN has expressed concern that transactions involving unhosted wallets or hosted wallets with financial institutions that are not subject to BSA required reporting are not sufficiently scrutinized by any anti-money laundering program.15 Anonymity due to the lack of scrutiny may be “the main risk that facilitates money laundering.”16 The proposed regulations are issued under the authority of the BSA and are intended to address threats such as the trade of illicit goods or the demands for payment made in technological “ransomware” attacks.17
Although the stated goal of the NPRM is to ameliorate potential abuses, it imposes additional reporting burdens on MSBs that interact with customers holding virtual currency via transactions involving unhosted wallets (or wallets within specific jurisdictions). Virtual currency industry participants consider these additional reporting requirements unduly burdensome. Moreover, concerns have been expressed that the requirements would reduce financial privacy and impinge on civil liberties.18 Some have suggested modifying business practices to bifurcate holdings and processes into separate “know your customer” wallets versus unhosted wallets in an attempt to limit the information shared pursuant to these new proposed rules.
The proposed regulations appear to set forth relatively straightforward rules that are consistent with other BSA requirements to require enhanced bank and MSB reporting and recordkeeping under specific scenarios in which a bank or MSB is involved in a virtual currency or related cash transfer to or from certain types of counterparties or jurisdictions. However, the cryptocurrency industry’s reaction to the NPRM has been strongly negative.
Summary and Statute
In the NPRM, FinCEN notes that although many financial institutions likely already have BSA obligations and customer identification compliance processes established for the services they provide, many virtual currency transactions may only have anonymized or pseudonymized information about the participants in the transaction available.19 The lack of transparent information regarding the actual identity of participants creates a risk that certain transactions involving virtual currency could be related to illicit activity. FinCEN estimates of the amount of virtual currency trading activity it would consider “potentially illicit” vary from one to 12 percent of the total overall trading volume.20
The NPRM also notes that the virtual currency market has and continues to develop new virtual currencies and transactions with enhanced privacy technology (referred to as “anonymity-enhanced currency,” or “AEC”), which exacerbates this risk. In fact, the NPRM notes that “AECs have a well-documented connection to illicit activity.”21
Given these potential risks, as well as the increased risks presented by newer virtual currencies with enhanced privacy technology, FinCEN has promulgated the proposed regulations to provide enhanced reporting and recordkeeping requirements. These reporting and recordkeeping requirements are intended to target three primary situations:
- Where a bank or MSB is involved in a single transaction or 24-hour aggregate value transactions of greater than $10,00022 and a counterparty’s wallet is either unhosted or held by a financial institution in certain foreign jurisdictions (an “otherwise covered wallet”),23 the bank or MSB must file a report with FinCEN.24 The report must contain certain customer and counterparty information such as name, physical address, taxpayer identification numbers and identity verification documents, cross-referenced to existing currency transaction report information requirements (“CTRs”).25 The bank or MSB must also establish risk-based procedures for identity verification.26 Additionally, if the bank or MSB is aware that another party used the customer’s wallet to effect such a transaction, the bank or MSB must similarly attempt to verify that individual’s identity and treat them as a customer for reporting and recordkeeping purposes.27 While existing rules provide specific exemptions for some currency transactions with certain parties, primarily applicable to banks and certain of their customers, the NPRM provides a list of exemptions that do not extend to virtual currency transactions, such as transactions carried out by certain publicly traded corporations, their subsidiaries, known frequently transacting business entities, or business entities maintaining payroll accounts.28
- Similarly, a bank or MSB must make and maintain a record of transaction, customer, and counterparty information in transactions exceeding $3,000 in value where the bank or MSB’s hosted wallet customer transacts with an unhosted or otherwise covered wallet.29
- Finally, the proposed regulations add the NPRM’s new reporting requirement to both the existing definition of “transaction structuring” and the regulatory prohibition against transaction structuring.30 The NPRM provisions classify convertible virtual currencies (“CVCs”) and legal tender digital assets (“LTDAs”) as “monetary instruments” for purposes of several BSA provisions, which may trigger criminal penalties for structuring virtual currency transactions.31
The proposed rule implements these goals by adding virtual currencies to the existing BSA framework of definitions and reports. An initial new provision states that for purposes of 31 U.S.C. 5313, CVCs and LTDAs are “monetary instruments,” an existing category defined in two separate places, which includes U.S. or foreign coins and currency and a variety of bearer financial instruments.32 Note that the expanded definition of “monetary instruments” is expressly not intended to apply elsewhere, such as in 31 CFR § 1010.100(dd), 31 CFR § 1010.311, or 31 CFR § 1010.340.33
The proposed rule also explains the specifics of the proposed FinCEN reporting for transactions exceeding the $10,000 threshold and outlines aggregation rules, both broadly similar to existing customer transaction reporting requirements.34 Additional guidelines for the verification and recording of customer identity in the case of reportable transactions are also provided.35 Analogous provisions provide both a governing framework for recordkeeping requirements applicable to transactions exceeding the $3,000 threshold.36 Furthermore, consistent with existing BSA requirements, the thresholds are not intended to be mutually exclusive; a transaction (or aggregated set of transactions) in excess of $10,000 falls within the scope of both provisions.37
The unusually brief comment period ending on January 4, 2021, was accompanied by a note in the NPRM stating that there is no minimum comment period applicable here, provided the public has had a ”meaningful opportunity to comment” and is further justified by a long history of FinCEN engagement and outreach with virtual currency and market participants, a compelling foreign interest, and circumstances where delay may have negative impact.38 Although subsequent guidance reopened the notice period for an additional “15 days for comments on the propose reporting requirements and for 45 days for comments on the proposed requirement to report counterparty information and the proposed recordkeeping requirements,” it seems unlikely that virtual currency and market participants will find this extension to be adequate. There may be concerns by FinCEN that a longer notice and comment and subsequent implementation period could also allow or even encourage movement of any virtual currency belonging to illicit actors out of banks or MSBs before the rule can go into effect.39 Thus, FinCEN has taken the position that in this instance, the benefits of speedy implementation outweigh procedural concerns.
Industry Reaction to the NPRM
Industry reaction to the NPRM has been decidedly negative. More even-toned responses have pointed out potential difficulties; for example, some commentators have noted that a customer moving an over-threshold amount of their own virtual currency between the customer’s own hosted and unhosted wallets would likely trigger the reporting or recordkeeping obligations.40 Similarly, the Proposed Rule might present substantial difficulties for certain existing decentralized applications that mimic an exchange but do not have existing compliance initiatives.41
Other commentators used harsher language to describe the proposed bill. One critic calls it “damaging,” 42 while another used the term “stifling.”43 Both critics focused on the shortened implementation period and the fact that the proposed rule puts additional burdens on banks and MSBs, which could decrease an exchange’s ability to compete with unhosted wallets.44 While centralized cryptocurrency exchanges have historically facilitated easy exchange between virtual currency and fiat currency, at least some commentators have mused that this “most ironic development” might increase access to virtual currencies while at the same time erode its initial goals of privacy.45
Fundamentally, the enhanced BSA-related information reporting requirements set forth in the NPRM will have real consequences on the level of anonymity available to most users of virtual currency. Market participants and commentators have questioned whether regulation such as this will drive virtual currency activity away from exchanges and other traditional financial institutions as holders attempt to preserve anonymity. As many virtual currency blockchains record each transaction publicly, once Know Your Customer information about a particular unhosted wallet is reported to the government by a bank or MSB, it would be relatively easy to trace every prior or future transaction ever made by that wallet.46
Similarly, investigators have developed “clustering” analyses that allow them to use these known transactions to uncover and track transactions involving a virtual currency user’s other unhosted wallets with a relatively high degree of accuracy.47 One of the largest U.S. cryptocurrency exchanges, Coinbase, almost immediately requested additional time for comment to the NPRM in an open letter posted by its chief legal officer, while other industry participants are expected to take similarly negative positions on the proposed rule.48
During 2020, Bitcoin and other virtual currencies experienced significant increases in market values, with Bitcoin reaching record highs by the end of the calendar year.49 These increases create additional risks of potential misuse of virtual currency. The NPRM references and attempts to address these potential risks.
Given that FinCEN’s mission “is to safeguard the financial system from illicit use, combat money laundering and its related crimes including terrorism,”50 it is not surprising that FinCEN would take additional steps to address these risks. FinCEN’s NPRM would expand existing reporting rules in an attempt to deal with the anonymity of certain virtual currency transactions via unhosted wallets and other means. The NPRM could be considered as one more step in FinCEN’s attempt to harmonize financial institutions’ treatment of virtual currencies and other bearer instruments, such as cash. And the adoption of harmonized treatment could provide comfort to institutional investors who are considering virtual currency as an investment.
While many commentators have expected the regulation of virtual currencies by governments around the world to increase commensurately with value and market participation, FinCEN’s NPRM appears to have taken many in the industry by surprise due to the level of the reporting burden imposed by the rules in the NPRM and due to the extremely short comment period. Regardless, the proposed rule appears to be an attempt to harmonize financial institutions’ treatment of virtual currencies and other bearer instruments, such as cash.
Given the virtual currency industry’s beginnings, its relative infancy, focus on privacy, and the perceived burdens on participating U.S. financial institutions, an industry view that these regulations may be overbroad comes as no surprise. This may be particularly true for virtual currency industry participants who do not have extensive, existing BSA-related reporting obligations. Nevertheless, given the growth of the virtual currency market and other recent events, the NPRM is simply a harbinger of a likely dramatic increase in the regulation of cryptocurrency activity by a variety of financial market regulators.
Authors’ note: On January 28, 2021, an additional comment period extension notice was published in the Federal Register, at 86 FR 7352. This notice extends the reopened comment period for both the proposed reporting and recordkeeping requirements to March 29, 2021.