Just before the Christmas holidays, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued proposed rulemaking entitled “Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets.”  The proposed regulations seek to “require banks and money service businesses (“MSBs”) to submit reports, keep records, and verify the identity of customers in relation to transactions involving convertible virtual currency (“CVC”) or digital assets with legal tender status (“legal tender digital assets” or “LTDA”) held in unhosted wallets…”  The proposed rulemaking is set to be adopted under the Bank Secrecy Act (BSA).

FinCEN justified their proposal on national security grounds – i.e., the national security threat posed by bad actors using CVCs to, inter alia, “facilitate international terrorist financing, weapons proliferation, sanctions evasion, and transactional money laundering.”  Thus, the question arising out of the proposal is the same that often arises – indeed, it’s the same question that came out of the Schrems II decision that led to the invalidation of Privacy Shield last year: What is the proper balance of national security vs. personal privacy?

Specifically, in the case of FinCEN’s recent proposal, banks and MSBs would be required to:

  1. file a report with FinCEN containing certain information related to a customer’s CVC or LTDA transaction and counterparty (including name and physical address), and to verify the identity of their customer, if a counterparty to the transaction is using an unhosted or otherwise covered wallet and the transaction is greater than $10,000 (or the transaction is one of multiple CVC transactions involving such counterparty wallets and the customer flowing through the bank or MSB within a 24-hour period that aggregate to value in or value out of greater than $10,ooo); and
  2. keep records of a customer’s CVC or LTDA transaction and counterparty, including verifying the identity of their customer, if a counterparty is using an unhosted or otherwise covered wallet and the transaction is greater than $3,000.

The proposed rulemaking was open for public comments for only 15 days (the standard public comment period for these types of policies is 60 days), until January 4, 2021.  (Note: the Electronic Frontier Foundation (EEF) and Coinbase both criticized the limited timeframe for public comments, given that the holidays occurred during the 15-day period).

Several of the public comments on the proposal were focused on privacy-related concerns.  Even though the proposal sought to make the know your customer (KYC) rules for traditional banking institutions equally applicable to cryptocurrency, commenters argued that the promises of cryptocurrency (e.g., privacy and self-sovereignty) and the technological nature of cryptocurrency (e.g., the public ledger for blockchain-based currencies like Bitcoin) introduced new concerns.

For example, EEF noted that some cryptocurrencies like Bitcoin keep a public record of all transactions.  Thus, if the name of a user connected with a particular Bitcoin address is known, “the government may have access to a massive amount of data beyond just what the regulation purports to cover.”

Jack Dorsey, the CEO of Twitter and Square, also submitted comments.  Dorsey’s major complaint was that the proposed rules would create “unnecessary friction” between cryptocurrency users and financial institutions, which could lead to “perverse incentives.”  “To put it plainly – were the [regulations] to be implemented as written, Square would be required to collect unreliable data about people who have not opted into our service or signed up as our customers.”

Of course, the proposed rulemaking will not be the end of action in cryptocurrency regulation.  The recently passed “National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) contains additional anti-money laundering tools that may further complicate cryptocurrency procedures in the coming months.