In December, the U.S. Department of the Treasury submitted a Notice of Proposed Rulemaking (NPRM) to the Federal Register that would require financial institutions and cryptocurrency businesses to submit reports, keep records, and verify the identity of customers in relation to transactions above certain thresholds involving unhosted wallets (also known as “self-hosted” or “non-custodial” wallets). We published a blog post analyzing the data behind the use of unhosted wallets, breaking down what the industry would have to do to comply with the proposed rule, and offering thoughts on how the rule could better achieve its purpose to curtail illicit activity.
Yesterday, we formally sent the US Treasury Department our response to the NPRM. You can read our full letter here, which outlines our concerns around the proposed rule and states our recommendations, which include extending the review period and modifying the rule to create recordkeeping requirements only, and not reporting requirements.
Below is a summary of our concerns:
1. The industry needs more time to review and respond to the proposed rule. We are deeply concerned that the shortened review period for this proposed rule will reduce industry stakeholders’ ability to provide thoughtful, quality public comments. Both regulatory bodies and businesses rely on these review periods for thorough and fair evaluations of proposed rules and how they can be implemented. Given the substantial implications of this rule for the cryptocurrency industry, we believe that having a full review period is especially important.
2. There is no urgent reason to rush this rule out now. There isn’t any imminent risk of illicit funds entering the cryptocurrency ecosystem that can be abated by implementing this rule quickly. Our analysis has consistently shown that criminal activity makes up a tiny fraction of all cryptocurrency activity. This is especially true for unhosted wallets, which are overwhelmingly used to store cryptocurrency for investment. Furthermore, the vast majority of cryptocurrency sent between unhosted wallets originally came from a cryptocurrency exchange in a regulated environment. This means law enforcement can almost always trace suspicious activity involving an unhosted wallet to a regulated entity that will respond to a subpoena and enable them to identify unhosted wallet owners when necessary.
3. Risk of privacy and security breaches. The proposed rule would require cryptocurrency businesses to collect the names and physical addresses of unhosted wallet owners and provide this information to FinCEN, who would then consolidate this information in a central database. The leak of such a database would be a hacker’s dream, as it would immediately provide them with a list of targets, where they’re located, and how much cryptocurrency they hold. Cryptocurrency users have already faced substantial losses from phishing attacks and other forms of cybercrime following the leak of a single company’s customer database earlier this year, which contained information on over 270,000 users — a fraction of the users who would be affected by a similar leak of FinCEN data collected under the proposed rule.
4. The rule will push criminal activity to less regulated parts of the cryptocurrency ecosystem. 62% of the illicit cryptocurrency we trace is cashed out at exchanges with functional compliance programs, including anti-money laundering (AML) and know your customer (KYC) measures. While we need to address vulnerabilities stemming from other platforms used to move illicit funds, such as mixers and non-compliant exchanges in high-risk jurisdictions, law enforcement is currently able to police the cryptocurrency ecosystem effectively. In 2020 alone, law enforcement agencies have used Chainalysis tools in successful prosecutions, seizures, and forfeitures totalling over $1.5B USD. This rule will likely push illicit activity to cryptocurrency businesses headquartered in countries with weaker regulations, curtailing our law enforcement agencies’ ability to subpoena them as they can now.
5. This rule imposes huge regulatory costs on cryptocurrency businesses without much gain for law enforcement. Under the proposed rule, banks, traditional MSBs, and cryptocurrency businesses alike would need to report and retain Currency Transaction Reports (CTRs) identifying their customers and customers’ counterparties on transactions involving unhosted wallets that are above a certain monetary threshold. The collection of counterparty information goes beyond what has been required for cryptocurrency businesses thus far. While banks and other financial institutions have been required to retain and report counterparty information in the past, doing so is inherently more difficult for cryptocurrency businesses due to the nature of the technology. Imposing this requirement will create significant regulatory costs for U.S. cryptocurrency businesses, in terms of collecting, retaining, and securely maintaining the records, which will likely hamper future growth. Furthermore, in contrast to the significant costs, the return to law enforcement will be minimal given that CTR filings for cryptocurrency transactions are largely redundant. When financial institutions file CTRs on customers and their counterparties in fiat transactions, law enforcement is getting information on transactions they wouldn’t be aware of otherwise, unless they sent a subpoena to the institution. However, cryptocurrency transactions are automatically logged on public blockchains, meaning law enforcement can already view transactions facilitated by U.S. cryptocurrency businesses that meet reporting requirements with the resources already at hand.
For these reasons, we make the following recommendations:
- The comment period should be extended so that additional time may be given to review the hundreds of comments that have already been submitted, and so that FinCEN may have meetings with industry where meaningful time is given, and discussion on this topic is held, regarding additional research needed and recommendations for ways forward.
- The obligation in the CTR reporting requirement to collect and report counterparty information should be removed, making it consistent with the requirements of cash CTRs.
- Any rule being considered is issued as a record keeping requirement rather than a reporting requirement, as currently considered.
- FinCEN should meaningfully engage with representatives from the private sector to discuss ways in which regulation can be tailored to reflect the realities of cryptocurrency technology, while effectively and successfully reducing the actual sources of illicit finance risk and combating illegal activity in the digital assets ecosystem.
We look forward to working with FinCEN and our other partners in the regulatory community to ensure the cryptocurrency industry is regulated fairly and effectively.