To Whom It May Concern,
The Blockchain Association submits these comments in response to the Request for Information (the “RFI”) titled “Review of Bank Secrecy Act Regulations and Guidance.” The Blockchain Association (the “Association”) serves as the unified voice of the cryptocurrency and blockchain industry in Washington, DC. With a membership of over 70 of the industry’s top companies, investors, and software developers, the Association is the leading nonprofit organization dedicated to improving the public policy environment for the digital asset economy. The mission of the Association is to forge consensus on key policy solutions among regulators, lawmakers, and the public so that the digital asset economy can flourish in the United States. As such, the Association, in coordination with its membership, works to educate policymakers about blockchain technology and its ability to pave the way for a more secure, competitive, and consumer-friendly digital marketplace.
The Association and its members are strongly committed to protecting the integrity of the financial system and ensuring that cryptocurrencies and other digital assets are not subject to abuse by bad actors. The Association recognizes that the unique nature of blockchain technology presents novel risks related to illicit finance and that industry stakeholders must work collaboratively with regulators, legislators, and other policymakers to achieve the critically important anti-money laundering/countering the financing of terrorism (AML/CFT) goals set forth in the Bank Secrecy Act (BSA) and its related laws, rules, and regulations. Given its diverse membership and AML focused policy work, the Blockchain Association is well positioned to provide FinCEN with valuable perspectives on ways to modernize the United States’ AML/CFT regime so that cryptocurrency and blockchain technology are effectively and appropriately accounted for in regulations and guidance.
The Association has limited its response to questions that are most relevant to its membership. For convenience, the Association has provided responses to FinCEN’s questions in the same format in which they were asked.
A. Safeguards To Protect the Financial System From Threats
Q2. Do AML program requirements for financial institutions sufficiently address the threats, vulnerabilities, and risks faced by the U.S. financial system?
While cryptocurrency and blockchain technology is transforming the United States’ financial system, the rate of illicit activity in the space has remained low, which ultimately indicates that the AML program requirements currently in place for regulated financial institutions (FIs) sufficiently address the threats, vulnerabilities, and risks posed by this technology. According to the 2022 Crypto Crime Report published by blockchain analytics firm Chainalysis,“transactions involving illicit addresses represented just 0.15% of cryptocurrency transaction volume in 2021 despite the raw value of illicit transaction volume reaching its highest level ever.” Chainalysis’s data ultimately suggests that money laundering and terrorist financing are not crimes that are reliant or even dependent on cryptocurrency and blockchain technology. In this manner, ML/TF is still an issue that is largely occurring in traditional finance.
Although cryptocurrency and blockchain technology is not a material risk to the United States’ AML/CFT regime at this time, it is still important to recognize and acknowledge the novel AML/CFT risks associated with different applications of this technology. Decentralized finance (DeFi) and non-fungible tokens (NFTs) in particular are facilitating the digital exchange of value in a way that has never before occurred. As the use of both DeFi and NFTs continues to grow in this space, it will be especially important for FinCEN to work with members of industry to ensure that the United States’ AML/CFT regime is able to keep stride with this development.
B. Reports and Records That Are Highly Useful in Countering Financial Crime
Q3. Are there BSA reporting or recordkeeping requirements that you believe do not provide information that is highly useful in countering financial crimes? If so, what reports or records, and why?
Neither currency transaction reports (CTRs) nor suspicious activity reports (SARs) ultimately provide sufficiently useful information in countering financial crimes, especially in the cryptocurrency and blockchain ecosystem, to justify their substantial compliance burdens on reporters and their costs to user privacy. FinCEN recently estimated that it receives 16,087,182 CTRs per annum. While the rate at which CTR filings are useful to law enforcement is not publicly available to the Association’s knowledge, an examination of FinCEN’s use of SARs—risk-based filings that would logically produce more relevant information for law enforcement than a threshold based reporting requirement—reveals that even risk-based filings are largely “white noise.” According to public reports, FinCEN received more than 2,000,000 SARs in 2019, but reviews about 50 SARs per day, which amounts to only about 18,250 SARs per year. In other words, FinCEN did not review approximately 99.1% of the risk-based SARs it received in 2019. In the cryptocurrency and blockchain ecosystem, this reporting scheme not only inundates FinCEN with an overwhelming quantity of white noise that they have to process and review with a limited staff, but it also unnecessarily threatens Americans’ privacy and financial autonomy.
When an FI files a CTR or SAR on a transaction, the institution is also required to send a variety of personally identifiable information (PII) about the customer that executed said transaction. In the blockchain ecosystem, this personal information necessarily includes both the customer’s PII as well as the public address tied to the transaction on the blockchain network where the transaction occurred. Tying one’s identity to their public address on a public blockchain allows for the aggregation of one’s entire financial life and would represent a gross invasion of one’s privacy. If the same level of visibility were given to law enforcement in the cash ecosystem, every single cash transaction a citizen has ever conducted or will ever conduct regardless of the amount of money involved in the transaction could be identified and traced. The risk of aggregating all of this data also creates a massive honey pot of Americans’ sensitive personal information that is increasingly vulnerable to ransomware attacks, hackers, and other illicit activity.
In essence, the nature and nuances of blockchain technology means that CTRs and SARs unintentionally threaten US cybersecurity by creating dangerous honey pots of data while also compromising Americans’ right to privacy. The key to modernizing the United States’ AML framework is twofold: 1) integrating privacy as a top priority while 2) balancing compliance and production of information pursuant to proper legal process. The cryptocurrency industry is currently developing privacy-preserving technologies that allow for AML/CFT compliance under the BSA while simultaneously providing individuals privacy and security over their financial lives. These technologies will be explored further in the below sections.
C. Identify BSA Regulations and Guidance That May Be Outdated, Redundant, or Do Not Promote a Risk-Based AML/CFT Regime for Financial Institutions
Q10. Are there BSA regulations or guidance that are obsolete or no longer provide useful information to the government? Alternatively, are there any BSA regulations or guidance that target risks that no longer exists? If so, which regulations or guidance, and what changes do you recommend?
Cryptocurrency and blockchain technology is transforming the way that Americans make payments and conduct their financial lives, which necessitates a requisite update of the BSA and its implementing regulations. Indeed, an AML/CFT regime that relies on the application of regulations to custodial intermediaries cannot be effectively transposed onto an ecosystem whose core innovation is disintermediation. One area of the cryptocurrency and blockchain ecosystem where this issue is readily apparent is with peer-to-peer transactions. As the popularity of peer-to-peer transactions has grown, regulators have tried to gain visibility in this space by attempting to identify the individuals behind such a transaction. This approach not only sacrifices Americans’ right to privacy but also would require individual users of cryptocurrencies to become intermediaries themselves. Any analysis in this regard should weigh heavily in favor of upholding the right to privacy and streamlining disclosures through true intermediaries (when applicable) as has been the case in the traditional financial system.
Another area in which BSA regulations don’t clearly fit the realities of the cryptocurrency and blockchain ecosystem is with reporting different types of financial information to FinCEN. Specifically, CTRs, SARs, currency and monetary instrument reports (CMIRs), and foreign bank account reports (FBARs) must all be updated to appropriately account for this technology. As discussed above, CTR and SAR reporting creates an overwhelming quantity of “white noise” that is both a cybersecurity risk and an invasion of Americans’ financial privacy. With both CMIRs and FBARs, there is considerable ambiguity surrounding how one might incorporate cryptocurrency into these types of reports.
For example, if an individual is flying to another country with over $10,000 worth of cryptocurrency stored in a digital wallet on his/her phone, there is currently no guidance as to whether it would need to be included on a CMIR and how it would need to be included on a CMIR. While the Association is staunchly opposed to a CMIR reporting requirement in these circumstances, the lack of guidance means that cryptocurrency users could be legally implicated should they decide to travel with cryptocurrency wallets on their phone and fail to report it. Additionally, in January 2021, FinCEN announced its intention to amend FBAR reporting standards so that a foreign account holding virtual currency would qualify as a type of reportable account. However, FinCEN has said nothing on this issue since the announcement, so there are still many questions around how and if different cryptocurrency accounts will be incorporated into FBAR filing requirements.
Q12. Do FinCEN’s regulations and guidance sufficiently allow financial institutions to incorporate innovative and technological approaches to BSA compliance? If not, how can FinCEN facilitate greater use of these tools, while ensuring that appropriate safeguards are in place and highly useful information continues to be reported to government authorities?
Yes, FinCEN has done a particularly admirable job engaging with industry participants to understand how the United States’ AML/CFT regime can be amended to coexist and thrive within this burgeoning yet critically important ecosystem. Although the actual incorporation of innovative and technological approaches to BSA compliance is still nascent in the cryptocurrency industry, FinCEN’s 2019 Guidance for Convertible Virtual Currencies, its Innovation Hours Program, and its BSA Advisory Group all demonstrate the agency’s commitment to creating regulation that strikes the appropriate balance between national security and innovation within the cryptocurrency and blockchain ecosystem as well as with other emerging technologies. As more blockchain-native solutions to AML/CFT compliance come into the fold, it will be especially important for FinCEN to maintain such a forward-thinking and collaborative approach to ensure FinCEN is at the forefront of setting appropriate regulatory standards that will guide the rest of the world.
D. Identify BSA Regulations and Guidance That Do Not Conform With International Standards To Combat Financial Crime
Q21. Do any BSA regulations or guidance fail to conform with U.S. commitments to meet international standards, or do not fully implement international standards, including the FATF Recommendations? If so, which regulations or guidance, and why?
While BSA regulations conform with U.S. commitments to meet international standards, there is still considerable uncertainty as to how certain standards might apply to the realities of the ecosystem. For example, there is confusion within the industry as to the applicability of FATF Recommendation 16, the Travel Rule, to cryptocurrency transactions involving self-hosted wallets. Because self-hosted wallets are not controlled by third-party intermediaries, FIs whose customers transact with those types of wallets are unable to verifiably determine the beneficiary of their customer’s transaction. The inability of FIs to comply with the Travel Rule in this instance has led some to the belief that the US does not and cannot conform to this international standard; however, this belief cannot be further from the truth. Treasury Secretary Janet Yellen has clarified that the Travel Rule does not impose any compliance obligations on FIs when it comes to transactions involving these types of wallets. Given Yellen’s recent comments surrounding self-hosted wallets, FinCEN’s notice of proposed rulemaking, “Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets,” should be abandoned.
Additionally, it is important to acknowledge that regulatory efforts to force FIs to verifiably determine and collect PII on the beneficiary or originator of their customer’s transactions will inevitably push more and more people towards peer-to-peer networks and away from regulated FIs. If individuals find that regulated intermediaries will not accept or allow a crypto transfer because the originator or beneficiary of said transfer is a self-hosted wallet that is either unable or unwilling to provide PII information as part of the transfer, the individual can and will choose to execute the transfer without the FI in a peer-to-peer marketplace.
Another facet of industry that generates confusion when it comes to the BSA’s conformity to international standards is DeFi. Currently there is neither an international regulatory standard nor a BSA regulation for DeFi. Recently, however, the FATF asserted in its “Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers” that any DeFi project involved in launching a VASP service could be considered a VASP. Transposing this Guidance onto the BSA would amount to the application of BSA reporting obligations to providers of non-custodial interfaces that simply help users access a DeFi protocol on the front-end. Given the lack of control that these interfaces have over their users and their finances, these interfaces are not currently obligated to comply with the BSA and should not be obligated to comply with it in the future. Additionally, the recommendations put forth in FATF’s Guidance have no bearing on a country’s ability to conform with international standards. In the words of Treasury Secretary Janet Yellen, “it is important to note that the guidance is not a part of the FATF standards.”
E. Identify Changes to BSA Regulations and Guidance To Improve Efficiency
Q26. In what ways could BSA regulations or guidance be more efficient in light of innovative approaches and new technologies. For should any BSA regulations or guidance account for technological advancements, such as digital identification, machine learning, and artificial intelligence? If so, how?
As discussed above, the AML/CFT regime for the traditional financial system is not suited to combat ML/FT risks in the peer-to-peer ecosystem, i.e., an ecosystem predicated on the absence of custodial intermediaries. Effectively addressing ML/FT risk in this disintermediated system will require a new AML/CFT paradigm that is not focused on the roles and responsibilities of gatekeepers but rather employs technological solutions that can support law enforcement’s efforts to police this space within the parameters of due process. These technological solutions cannot sacrifice individuals’ right to privacy, however.
Such solutions can leverage the very cryptographic technologies that have enabled the creation of distributed ledgers and their many innovative and far-reaching applications. Some of these solutions include zero-knowledge proofs and know-your-transaction (KYT) technology. Zero-knowledge proofs allow one party to a transaction to prove to the other party that they have knowledge of a particular piece of information, such as verification that the originator of the transaction is not tied to any AML/CFT schemes. KYT will allow law enforcement to holistically monitor all the transactions controlled by a public address on a blockchain network for real-time intelligence on the source or destination of their funds. In short, these innovative technological solutions can be used to make BSA regulations and guidance more efficient.
In closing, the Association would like to acknowledge and applaud FinCEN for the excellent work that the agency has done to understand and account for the unique benefits and challenges of digital assets. FinCEN’s 2019 guidance has been one of the most clarifying pieces of regulation that the industry has seen. The Association is incredibly encouraged by FinCEN’s efforts and is looking forward to on-going successful collaboration with the agency on these important issues.