Treasury proposes designating transactions with cryptocurrency mixers a "Primary Money Laundering Concern"
The US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has proposed a rule that would require US financial institutions to monitor and report transactions involving cryptocurrency mixing services.
Under this rule, issued on October 19, 2023, FinCEN would exercise its authority under the seldom-used Section 311 of the USA PATRIOT Act (Section 311) to designate transactions with cryptocurrency mixers and mixing services as a “Primary Money Laundering Concern.” This would permit FinCEN to order financial institutions regulated by the Bank Secrecy Act (BSA) to take “special measures” over and above the anti-money laundering (AML) program controls the BSA already requires.
Section 311 is a “powerful and flexible regulatory tool” designed to give FinCEN “a range of options that can be adapted to target specific money laundering and terrorist financing risks” and “protect the US financial system from specific threats.” But deploying Section 311 cannot happen overnight. FinCEN studied mixer-related illicit activity and consulted with the Federal Reserve, OCC, Secretary of State, SEC staff, CFTC, NCUA, FDIC, and (as required) the US Attorney General. The result is an 80-page notice of proposed rulemaking (NPRM) that attempts to define mixing, explains Treasury’s reasoning, and enumerates the new rules. In short, the proposed rule would impose recordkeeping and reporting requirements on certain BSA-regulated financial institutions. While this approach stops short of economic or trade sanctions Treasury’s Office of Financial Assets Control uses to change behaviors in the industry, the proposed requirements are nevertheless significant.
How does Treasury define CVC mixing?
Treasury refers to virtual currency as “convertible virtual currency,” or CVC. The proposed rule broadly defines “CVC mixing” to encompass a variety of methods beyond literal “mixing” of virtual currencies. CVC mixing means: “the facilitation of CVC transactions in a manner that obfuscates the source, destination, or amount involved in one or more transactions, regardless of the type of protocol or service used.”
CVC mixing includes other methods purportedly designed to obscure transactions and break the traceability of illicit proceeds such as: (a) creating single-use wallets; (b) exchanging between different types of cryptocurrencies; (c) introducing delays in transactional activity to hide connections between participants; (d) aggregating cryptocurrencies from multiple sources; (e) using programmatic code to coordinate transactions; and (f) splitting larger transactions into multiple smaller transactions - for example, similar to “smurfing” or structuring in traditional finance (TradFi).
The rule would further define a “CVC mixer” as “any person, group, service, code, tool or function that facilitates CVC mixing,” though it permits an exception for “the use of internal protocols or processes to execute transactions by banks, broker-dealers, or money services businesses,” provided that these financial institutions preserve records of the source and destination of CVC transactions and provide such records to the government when required by law.
What are Treasury’s concerns about mixing services?
The NPRM reflects Treasury’s determination that the risks of mixing services far outweigh their benefits. To develop the proposed rule, FinCEN had to evaluate the risk of money laundering and terrorist financing that mixing may pose to the US financial system, while also considering and weighing any legitimate use cases. After conducting its assessment, FinCEN acknowledged that “there are legitimate reasons why responsible actors might want to conduct financial transactions in a secure and private manner given the amount of information available on public blockchains.” FinCEN also recognized that, “in addition to illicit purposes, CVC mixing may be used for legitimate purposes, such as privacy enhancement for those who live under repressive regimes or wish to conduct licit transactions anonymously.”
Nonetheless, FinCEN concluded that “CVC mixing presents an acute money laundering risk because it shields information from responsible third parties, such as financial institutions and law enforcement.” Specifically:
- FinCEN explained: “The critical challenge is that CVC mixing services rarely, if ever, provide to regulators or law enforcement the resulting transactional chain or information collected as part of the transaction.”
- “FinCEN is concerned that CVC mixing makes CVC flows untraceable by law enforcement and makes potentially suspicious transactions unreportable by responsible financial institutions—thereby fostering illicit activity.” FinCEN cited multiple examples of international illicit activity, including hacks and ransomware attacks perpetrated by North Korea, where a high volume of funds were allegedly laundered through mixers.
- “FinCEN assesses that the percentage of CVC mixing activity attributed to illicit activity is increasing.” Yet “because of the lack of available transactional information, FinCEN cannot fully assess the extent to which, or quantity thereof, CVC mixing activity is attributed to legitimate business purposes.”
FinCEN also considered issuing a rule that would have been “narrowly scoped to address terror finance involving Hamas and ISIS and/or North Korea-sponsored and affiliated actions”; however, it “determined that such a narrow approach would be insufficient to address the relevant risks.” FinCEN further reasoned that “any one reportable transaction, by nature of the underlying illicit and potentially dangerous activity it facilitates, could provide large benefits to FinCEN and law enforcement if identified, or, alternatively framed, could impose substantial costs and serious national security risks if unreported.”
What would the requirements be?
As in FinCEN’s reporting model when TradFi engages with cannabis companies, the NPRM envisions a potentially onerous regime in which BSA-regulated financial institutions must file suspicious activity report-like (or SAR-like) reports about transactions with a mixer or mixing service. Specifically, the rule would require financial institutions to report:
1) Transaction Information within 30 calendar days of detecting a transaction involving a mixer or mixing service. This would include the:
- amount of CVC transferred
- CVC type
- mixer used, if known
- wallet address associated with mixer and customer
- transaction hash
- date of the transaction
- IP address and time stamps associated with the transaction
- a narrative describing “activity observed,” summarizing “investigative steps taken” and providing other information the “financial institution believes would aid follow on investigations.”
2) Customer information in the financial institution’s “possession,” including the customer’s:
- full name
- date of birth
- address
- email address
- phone number and
- IRS or foreign tax ID number (or, if not available, a form of government photo ID).
FinCEN intends to aggregate data across reporting institutions to catalogue the “size, scale, and methodologies of CVC mixers.” Its collection of customer information is more focused on investigating users, permitting law enforcement to build a profile of each wallet address and the person who owns it. Most onerous is the proposed “narrative” which is likely to be especially costly for institutions and would not satisfy the institution’s separate obligation to file a suspicious activity report under the BSA and related regulations, when warranted.
The proposed rule does, however, limit its reach. It only requires a covered financial institution to report information “in its possession, and thus does not require a covered institution to reach out to the transactional counterparty to collect additional information.” Furthermore, “FinCEN is not, at this time, proposing that covered financial institutions would be required to perform a lookback to identify covered transactions that occurred prior to issuance of a final rule.”
Key takeaways
- Treasury’s plan to collect information about and surveil users of virtual currency “mixing” services appears to focus on bad actors who use mixers to shield their illicit activity from law enforcement, thus threatening the US financial system and its national security.
- The proposed rule imposes onerous reporting requirements on BSA-regulated financial institutions and intermediaries, but would only require reporting information in the institution’s possession and—at this time – would not require a lookback to identify and report transactions occurring before the effective date of the final rule.
- Treasury assumes that legitimate users have no reason to fear that their personal information will be reported to law enforcement in a secure manner, and thus contends that requiring intermediaries to report mixer use will not deter customers’ legitimate use of mixers for privacy protection. The NPRM underscores Treasury’s stated belief that there are legitimate use cases for mixing (or other privacy preserving) services on the blockchain, leaving room for meaningful engagement in the notice and comment process which remains open until January 22, 2024.
