On Friday evening, the U.S. Department of the Treasury submitted a Notice of Proposed Rulemaking (NPRM) to the Federal Register that would require financial institutions and cryptocurrency businesses to submit reports, keep records, and verify the identity of customers in relation to transactions above certain thresholds involving unhosted wallets (also known as “self-hosted” or “non-custodial” wallets). While this rule would substantially increase the industry’s reporting and recordkeeping obligations similar to the filings that banks and other traditional financial institutions are required to file for certain comparable currency transactions, it goes further with additional novel requirements.
The deadline to comment on the NPRM is unusually short, potentially 6 business days from when the rule was officially published. Comments must be received by January 4, 2021. Treasury cites “significant national security imperatives that necessitate an efficient process for proposal and implementation” as the purpose for the short comment period. While Treasury would normally be required by law to provide the public with a “meaningful opportunity” to comment, and to publish the final version of the rule at least thirty days before the rule’s effective date, Treasury found these requirements inapplicable because the NPRM involves a foreign affairs function of the United States, and because Treasury found “good cause shown” that the rules requiring notice and public procedure are “impracticable, unnecessary, or contrary to the public interest.”
In this blog, we first analyze the data behind the use of unhosted wallets in cryptocurrencies, pointing out that the vast majority of their use is for investment purposes or for individuals and organizations to move money between regulated exchanges.
We also break down the key requirements in the full 72 page NPRM, outline what the industry would have to do to comply, and offer our thoughts on how the rule could more effectively achieve its purpose: to curtail illicit activity.
The role of unhosted wallets in the cryptocurrency ecosystem: a data-based analysis
Our blockchain data shows three clear trends related to unhosted wallets that all suggest their primary uses by individuals and organizations are to either store their cryptocurrency for investment purposes, or move it between regulated trading venues.
First, the vast majority of bitcoin sent between unhosted wallets is sourced from Virtual Asset Service Providers (VASPs), primarily exchanges.
In Q2 2020, 79% of the bitcoin sent from one unhosted wallet to another unhosted wallet originally came from an exchange in a regulated environment. Law enforcement and regulators can therefore usually trace suspicious activity involving unhosted wallets back to regulated exchanges, regardless of how many times the funds passed through unhosted wallets. Only 5% of bitcoin sent to unhosted wallets came from risky services or an illicit source.
Second, the vast majority of bitcoin sent between non-VASPs is later sent on to VASPs.
While 29% of bitcoin sent between unhosted wallets was not sent to a service – possibly to hold as an investment, as discussed further below – 62% was sent to regulated exchanges and only 3% was sent to risky or illicit services.
The vast majority of bitcoin both sent and received by unhosted wallets has an exchange in a regulated environment as the counterparty, with the resources to help law enforcement.
Finally, the transaction activity of bitcoin held in unhosted wallets strongly suggests that its primary use is as an investment.
This chart compares the monetary velocity of bitcoin against M2 USD money stock, a measure of the money supply that includes cash, checking deposits, and easily convertible near money. “Velocity” is a measure of how quickly money is circulating in the economy. By plotting bitcoin’s velocity against the M2 money supply, we can see whether bitcoin use is trending towards payments or towards savings and/or investment.
On average, only 30% of bitcoin withdrawn from top exchanges to unhosted wallets moves to another unhosted wallet in any given month. As the earlier charts show, the majority of this bitcoin is later sent to VASPs. The other 70% of bitcoin withdrawn from top exchanges remains in the original withdrawal wallet, suggesting it is held for saving and investment purposes. The M2 USD money stock moves 4.7 times more than this, indicating that bitcoin is used more like an investment and less like cash. This indicates that these reporting requirements – to detect illicit activity – will likely not deliver the intended results, but rather will cost VASPs millions of dollars in unnecessary compliance costs to report savings and investment activity of their customers.
The reality of illicit activity
Treasury specifically highlighted our 2020 Crypto Crime Report and cited skepticism regarding our estimate for the volume of illicit flow in the ecosystem, 1% of overall market transaction volume. We understand our estimate may be low, and we do not have access to regulatory reporting data and other data the government may have. But our data continues to improve over time to provide more accurate estimates, and it is consistently clear that the majority of bad actors still attempt to cash out illicit funds at regulated exchanges.
Of all the illicit funds that we trace, 62% are cashed out at exchanges with anti-money laundering programs that require them to have sufficient resources to know their customers, file reports on suspicious activity, and respond to requests from law enforcement, while 23% are sent to risky services such as mixers, gambling services, and services in high-risk jurisdictions. It is clear from Chainalysis data that more interventions are needed on these vulnerabilities in the cryptocurrency ecosystem, rather than a focus on unhosted wallets.
Our data shows that there are not two separate cryptocurrency ecosystems, with one made up of legitimate transactions between exchanges and the other with illicit transactions among unhosted wallets. There is one interconnected ecosystem, and most exchanges have controls in place to support law enforcement and governments in their investigations. Our case studies demonstrate this; law enforcement has used Chainalysis tools in successful prosecutions, seizures, and forfeitures totalling over $1.5B USD in 2020 alone. The current system is working, both in the US and internationally, and efforts to improve enforcement should be driven by what would actually improve the effectiveness of the system, not by adding box-checking compliance requirements.
At Chainalysis, we constantly seek to further the effectiveness of the AML regime
The proposed requirements go beyond the level of reporting and verification that exists in traditional financial services. The collection of large amounts of personal data on citizens transacting normally will not further the fight against illicit proceeds, as demonstrated by the use of unhosted wallets. It places an undue burden on regulators and the industry to collect and manage this data when there are more urgent vulnerabilities in cryptocurrencies, which can be addressed using the power and transparency of the blockchain.
The transparency of the blockchain also enables law enforcement to investigate the vast majority of the obligated transactions under the rule, without the reporting requirement. Furthermore, law enforcement can triage these transactions based on blockchain analysis to identify transactions of interest that may involve illicit activity but not meet the thresholds of the rule. Therefore, we think record keeping is sufficient.
We applaud FinCEN’s recent efforts to broaden the information sharing protocols of Section 314b of the USA PATRIOT Act to provide innovative ways for the cryptocurrency industry and government to work more closely on top national priorities. We strongly believe that strengthening these types of public/private partnerships, domestically and internationally, will more effectively address governments’ vulnerabilities and protect their citizens.
The NPRM and What Would Be Required to Comply
The NPRM can be divided into five primary parts: identification, collection, verification, record keeping, and reporting.
First, the proposed rule would require banks and money service businesses (MSBs), including cryptocurrency exchanges, to identify relevant transactions and keep records and/or report these transactions at certain thresholds. This includes transactions sending to, or receiving from:
- Unhosted wallets - wallets that are controlled by individuals and not organizations
- Covered wallets - wallets that are controlled by financial institutions in foreign jurisdictions on a “foreign jurisdictions list” designated by FinCEN as jurisdictions of primary money laundering concern (e.g. Burma, Iran, and North Korea).
For the purpose of simplicity, we will refer to transactions that involve one of these types of transactions as “obligated transactions.” Financial institutions and exchanges can identify such obligated transactions by using Chainalysis KYT (Know your Transaction) software, or another blockchain analysis product that is capable of identifying whether or not a transaction is: 1) above these thresholds, and 2) involves an unhosted wallet or a service based in a country on the foreign jurisdictions list. There is also an obligation to check for structuring payments that total more than $10,000 in a 24 hour period.
Once these transactions are identified, the proposed rule would require banks and MSBs to collect certain information concerning their customer and their customer’s counterparties. While the collection of customer information falls under the normal AML program at banks and MSBs, the collection of information on their customer’s counterparties is a new requirement and may pose significant costs and challenges in obtaining accurate information.
The information that must be collected on the customer and the transaction includes:
- The name and address of the customer;
- The type of virtual currency used in the transaction;
- The amount of digital asset in the transaction;
- The time of the transaction;
- The assessed value of the transaction, in U.S. Dollars, based on the prevailing exchange rate at the time of the transaction;
- Any payment instructions received from the financial institution’s customer; and
- Any form relating to the transaction that is completed or signed by the financial institution’s customer.
The information that must be collected on the customers’ counterparties includes:
- The name and physical address of each counterparty to the transaction of the financial institution’s customer;
- Other counterparty information the Secretary may prescribe as mandatory on the reporting form for transactions;
- Any other information that uniquely identifies the transaction, the accounts, and, to the extent reasonably available, the parties involved.
Most cryptocurrency businesses already perform Know Your Customer (KYC) processes, but the collection of counterparty information is a new requirement that goes beyond even the Travel Rule collection requirements. They also are encouraged to follow a risk-based approach in identifying their customer, and re-verification over time.
Banks and MSBs will need to verify the identity of their customer for obligated transactions that exceed the following thresholds:
- Deposits and withdrawals greater than $3,000
Although these transactions will not need to be reported to FinCEN, banks and MSBs will need to maintain records related to them.
- Deposits and withdrawals involving one or multiple transactions that aggregate to more than $10,000 within a 24-hour period
Banks and MSBs will need to monitor relevant transactions, and then report them to FinCEN.
Treasury acknowledged that there are different business models, and businesses should take a risk-based approach consistent with their AML program to ensure that they are confident in the verification of their customer.
Banks and MSBs will need to keep records of a customer’s obligated transaction and counterparty, including the verified identity of their customer, for five years if the transaction is greater than $3,000.
If an obligated transaction or series of transactions in a 24-hour period is more than $10,000, banks and MSBs will need to file a currency transaction report (CTR) on the customer’s transaction and counterparty, including the verified identity of their customer and the unverified name of their customer’s counterparty and the counterparty’s physical address.
Since this NPRM came out on Friday, many in the blockchain industry have been collaborating on concerns, comments, and next steps to potentially put forward to the Treasury. We are continuing to engage with industry bodies on responses to these proposed requirements. As always, we will advocate for policies that fight illicit activity and keep people safe, while building trust in the cryptocurrency industry.
Chainalysis KYT customers can proactively estimate the quantity of records and reports the proposed rule will require in order to estimate their increased costs of compliance. To get a sense for how many transfers your exchange has to unhosted wallets for more than $3,000, click here. Note this may include transfers to unknown entities that are not unhosted wallets, and should be treated as an upper bound.