** Update: After this blog was published, FinCEN announced an extension to the comment period for the proposed regulation on transactions to and from so-called unhosted wallets. See details here.**

A major topic at our most recent training course on Cryptocurrencies and Money Laundering was the so-called “travel rule” introduced in June 2019 by the Financial Action Task Force (FATF), the international standard-setter for money laundering. There were questions over the implications for virtual asset service providers (VASPs), including banks and money services businesses.

Over the Christmas period, the U.S. Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking that pushes the idea behind the travel rule yet further and has significant implications for VASPs – as well as for the evolution of cryptocurrencies in general. The 12-day comment period expired on 4 January and the rule appears set to be introduced “as quickly as feasible”.

Fast and bold moves to strengthen anti-money laundering measures are usually welcome, but in this case many cryptocurrency experts are raising concerns. What does the proposed FinCEN rule mean and why is there controversy?

What is the FATF travel rule?

The travel rule in the FATF Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers extends its existing Recommendation 16 on wire transfers to virtual assets such as cryptocurrencies and to VASPs. It means the originators and beneficiaries of all transfers of virtual assets must exchange identifying information, guarantee its accuracy and provide the information to law enforcement if required.

VASPs now have to verify not only the identity their customers – standard practice anyway in all regulated jurisdictions – but the recipients of their customers’ transfers. The same applies to the VASP receiving the transaction. As with any other financial institution, VASPs are also required to monitor wire transfers for completeness. They need to take steps to prohibit transactions with designated (sanctioned) persons or entities and report such incidents to the local Financial Intelligence Unit.

What about unhosted wallets?

So far so clear. But what happens when the beneficiary or the originator of a transaction is not a customer of another regulated entity? What if a transaction is going from a verified account to an “unhosted” wallet?

Self-hosted or unhosted wallets are not provided or “hosted” by a financial institution or cryptocurrency service. Instead, they sit on a user's computer or offline, for example Trezor or Ledger. The holder of the virtual assets controls the private keys associated with the addresses and can store or use them without the need of any third party. Such transactions fall outside the scope of the travel rule and of the U.S. Bank Secrecy Act.

Some regulators see unhosted wallets as a facilitator for illicit activities and money laundering using cryptocurrencies. FinCEN – the U.S. Financial Intelligence Unit – seems to be among them.

The FinCEN proposal for unhosted wallets

On 23 December 2020, FinCEN issued a proposal for Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets. It extends regulatory requirements for transactions involving virtual assets to “unhosted wallets” or “other covered wallets”, meaning wallets held at certain foreign financial institutions not subject to the U.S. Bank Secrecy Act.

If adopted, the rule will impose significant obligations on VASPs for recordkeeping, reporting and identity verification. If a customer makes or receives a transaction where the counterparty is using such a wallet, the VASP will be obliged to:

1. Verify the identity of their customer, and record the name and physical address of their counterparties, for transactions over USD 3,000;
2. File Currency Transaction Reports where a customer undertakes aggregate transactions of USD 10,000 or greater in a 24-hour period, including the name and physical address of transaction counterparties.

Citing “substantial concerns about national security”, FinCEN appears ready to issue a final version of the rule with near-immediate effect, without the usual 30 days allowed between the announcement of a final rule and its effect. This will leave little time for the affected entities to build the infrastructure to comply with the rule.

But beyond the fast pace of the rulemaking and additional burden on VASPs, there are concerns about its fundamental intention and effects.

Going (too far) beyond the travel rule?

The proposal states that the recordkeeping requirement “is similar to the recordkeeping and travel rule regulations pertaining to funds transfers and transmittals of funds”, i.e. the above-mentioned FATF travel rule. However, the travel rule is profoundly different.

The travel rule concerns transactions between two regulated financial institutions and does not apply when the counterparty is an individual. In contrast, the FinCEN proposal applies to transactions with individuals using unhosted wallets.

Contrary to what FinCEN fears, i.e. that unhosted wallets are mainly used for illicit activity, leading blockchain analysis company Chainalysis has demonstrated that the primary use of unhosted wallets is by individuals and organisations to either store their cryptocurrency for investment purposes, or move it between regulated trading platforms.

An analysis of bitcoin transactions in Q2 of 2020 revealed that 92 percent of bitcoin sent among unhosted wallets originally came from a regulated VASP. Sixty-seven percent went back to a regulated VASP in that same quarter. Chainalysis concludes that: “law enforcement and regulators can therefore usually trace suspicious activity involving unhosted wallets back to regulated exchanges, regardless of how many times the funds passed through unhosted wallets.”

Moreover, the fact that 70 percent of bitcoin withdrawn to an unhosted wallet does not move to another unhosted wallet “strongly suggests that its primary use is as an investment”.

If this is correct – and it deserves serious attention – then the proposed rule will bring few benefits to law enforcement while hampering customers’ privacy and diverting the resources of VASPs away from developing their services to complying with unnecessary regulations.

Comparison with cash

Cryptocurrency transactions function similarly to cash, but, unlike cash, leave a permanent trace in the blockchain that can be followed and investigated even years after the event. This means we would not expect to see stricter requirements for virtual assets as opposed to “old” cash transactions.

However, the recordkeeping (when the transaction is above USD 3,000) and reporting (when the transaction is above USD 10,000) requirements in the FinCEN proposal seems to apply a stricter standard to transactions to individuals when they involve virtual assets rather than cash. VASPs will need to collect information about individuals who are not customers and have not consented to this data collection and sharing. Why should a USD 3,000 transaction from a VASP to an unhosted wallet be considered riskier than a USD 3,000 transaction to an individual in cash?

Privacy considerations

Technological limitations will also make it difficult to identify and collect the counterparty information required, since that information is not always available. One of the uses of cryptocurrency is to transfer money among individuals without exchanging sensitive information like the name and address of the parties involved. The proposed rule requires VASPs to collect exactly the information that cryptocurrency helps to keep private.

Imagine you wish to use your cryptocurrency account with a regular VASP to buy a good from a person who, for privacy, doesn’t want to share her name and location. How can you provide your VASP with that information if you don’t know it yourself?

The risk of driving cryptocurrency underground

In recent years we have created a safe and regulated environment that lets the exciting world of cryptocurrency flourish while giving the possibility to law enforcement agencies to investigate its criminal uses. Of course, money laundering regulations need to evolve to address new threats and weaknesses. But overly strict regulations, imposed without sufficient consultation or a clear purpose, could seriously harm this mechanism.

Cryptocurrency was imagined and created for person-to-person transfers. The pseudonymous creator of Bitcoin, the most well-known of the cryptocurrencies, described it as a “peer-to-peer electronic cash system” aimed at keeping middlemen out of the picture. It is not hard to imagine that the proposed approach would likely drive a significant number of actors out of the regulated system to places where regulators and law enforcement have no reach or visibility.

As I described in my 2019 Working Paper on Regulating Currencies: Challenges and Considerations, the risk is to create parallel value transmitting systems. One is fully regulated and transparent, with each and every transaction having identified senders and receivers, much like in the traditional financial sector. The second can, thanks to new technologies, easily bypass those regulations. Chief among such new technologies are “privacy coins” like Monero or ZCash, which employ a number of techniques to provide its users with complete anonymity.

So, what if a system like the one described above, where only identified and vetted persons could interact economically, were to be implemented? This would likely drive almost all, if not all of the criminal activity towards unregulated cryptocurrencies and foster greater demand for other privacy solutions.

And it would take legitimate activity with it as well, because citizens are becoming conscious of the personal and economic value of their personal data and are willing to take steps to prevent it being used for government surveillance or marketing. Financial transactions can reveal a tremendous amount of information, not just about the volume and recipients of transfers, but also about location, social networks, gender, sexual orientation, political views or medical history. There are legitimate reasons why certain people, such as political activists and investigative journalists, wish to remain anonymous.

An initial shift towards more anonymity could, thanks to the network effect, drive more and more citizens to use privacy-enhancing solutions such as privacy coins.

Shooting ourselves in the foot?

Imposing additional administrative burdens on innovative and dynamic VASPs – ones that result in high operational costs with little benefit for law enforcement – will push criminals and their dirty money even deeper into the blackness of the darknet. Cryptocurrency transactions will drift away to unregulated channels and privacy-centred cryptocurrencies that are opaquer to FinCEN and other law enforcement.

Exactly the opposite of what FinCEN expressed many times in the past and its Director, Kenneth A. Blanco, already identified as possible concerns when talking at the Consensus Blockchain Conference in May 2020. Exactly the opposite of the proposal’s intention.

Moreover, due to the influence of the U.S. in the FinTech market, this affects not only U.S.-based VASPs and law enforcement agencies. It affects all of us, all over the world, including users and including the future evolution of cryptocurrencies.

Cryptocurrencies and AML training

Our next training course on cryptocurrencies and anti-money laundering takes place on 8–11 February 2020. The course aims to help practitioners from a wide range of law enforcement, financial and business sectors prevent, detect and investigate the use of cryptocurrencies for illicit activities. Find out more and reserve your space.