The Financial Crime Enforcement Network (FinCEN), a unit of the U.S. Treasury Department wants crypto exchanges to collect a lot more data about individuals transferring more than $3,000 in cryptocurrencies into private wallets. The crypto industry isn’t having it.
As the public comment period for the controversial rule comes to a close, industry heavyweights are logging their opposition in a coordinated effort. They are trying to delay the rule’s implementation until after a new presidential administration takes over, as well as raise procedural and substantive concerns. The proposed rule, industry participants contend, could drive crypto innovation outside the U.S. and threaten the digital privacy rights of individuals and entities transacting with cryptocurrencies.
As of press time, well over 7,000 comments had been submitted (though less than 4,000 were available to read), with major fintech firms such as Square, traditional business groups including the U.S. Chamber of Commerce and crypto exchanges like Coinbase filing comments pushing back against the proposed rule. U.S. lawmakers have also weighed in, asking the Treasury Department to at least slow down and engage with the industry before implementing any strict Know-Your-Customer (KYC) rules on counterparties.
Under the proposed FinCEN rule, unveiled late last month, exchanges would have to collect names and home addresses for the owners of private crypto wallets (also referred to as self-hosted wallets, unhosted wallets or sometimes just “wallets”) receiving more than $3,000 in cryptocurrencies in aggregate in a day. If a wallet receives more than $10,000, the exchange would be required to file a Currency Transaction Report (CTR) to FinCEN.
U.S. Treasury Secretary Steven Mnuchin first hinted that these rules might be coming in February 2020, 10 months before they were unveiled. However, the rollout seems timed to ensure implementation before President-elect Joe Biden takes office on Jan. 20.
FinCEN hasn’t explained why such a rule that specifically includes counterparty information for convertible virtual currency (CVC) transactions is necessary, said a16z Partners Katie Haun and Anthony Albanese in their comment letter opposing the rule’s implementation.
CVCs are a Treasury Department term for virtual currencies that can be substituted for fiat currencies.
Twitter and Square CEO Jack Dorsey also weighed in, publishing a comment letter Monday.
“The incongruity between the treatment of cash and cryptocurrency under FinCEN’s proposal will inhibit adoption of cryptocurrency and invade the privacy of individuals. Yet, the rule fails to explain the difference in risk. As such, this low threshold and its extension of KYC obligations beyond customer relationships is arbitrary and unjustified,” Dorsey’s response said.
On a procedural level, much of the crypto industry has taken issue with the rushed rollout for the proposal. Coinbase CEO Brian Armstrong first said the Treasury Department was considering a rule in late November 2020, but the notice of proposed rulemaking wasn’t actually published until Dec. 18, with a 15-day public comment period that many in the industry say is too short. Typically, these comment periods range from 30 to 90 days.
Indeed, the shortened time period might actually violate the law, said Coinbase General Counsel Paul Grewal. The Administrative Procedure Act requires at least 30 days for public comment periods. Grewal contends that the Treasury Department does not justify a shorter period “on national security or foreign-policy grounds.”
Because the two weeks took place over two weekends and federal holidays (Christmas and New Year’s), this effectively left only half a dozen business days for comments to be submitted, a16z said.
Furthermore, the stated deadline of Jan. 4 wasn’t the actual deadline; As CoinDesk reported last month, the proposed rule was published in the Federal Register on Dec. 23 and given a 15-day comment period, which would end on Jan. 7. FinCEN quietly updated the posted due date on its website on Tuesday.
“A comment period doesn’t really begin until the notice is published in the Federal Register and people cannot file comments until it’s published in the Federal Register,” said Jerry Brito, executive director of industry group Coin Center.
If the rule is finalized, it will likely be challenged in court and the shortened time period will be used as one argument, he said.
“FinCEN can say, ‘well we cured that,’ but effectively people relied on the initial notice. There was no announcement that there was a mistake, so people relied on that and they effectively got only 12 days,” he said.
It’s also possible the Treasury Department doesn’t actually have the legal authority to implement this rule, a Coin Center comment filed on Jan. 7 claims.
The Treasury Department’s use of two different websites – regulations.gov and beta.regulations.gov – to accept public comments is another issue preventing industry participants from easily submitting their thoughts. Dayton Young, product director at Fight for the Future said in an email that using the two different versions left “some users confused and unable to submit comments.”
Calling the move a “last-ditch effort to expand financial surveillance before the new presidential administration takes over,” Young said his organization had facilitated the submission of over 2,000 comments to the FinCEN website.
“All of this has been done as a deliberate attempt to silence criticism about [its] invasive new rule … [W]e demand FinCEN reinstate the full 60-day comment period so that everyone’s voice can be heard,” he said.
Implementing this rule would also be difficult for exchanges to achieve on a technical level. Matt Corallo, a Bitcoin developer, noted that cryptocurrencies typically do not include built-in mechanisms for banks or other forms of money services businesses to easily retrieve information like names and physical addresses.
“The only practical way in which a regulated entity could retrieve the counterparty information they would be required to hold is to force users to input that information directly when making a transaction,” he wrote.
Wallets also cannot prevent other addresses from sending them funds, which might impact entities such as charities accepting cryptocurrencies – a charity might not be able to accept donations from an entity if it cannot easily collect that counterparty data, Corallo wrote.
In other instances, a trading platform might not be able to prevent an incoming transaction from a customer who refuses to share the appropriate counterparty information, wrote CrossTower President and co-founder Kristin Boggiano.
The rule might end up favoring major players in the industry, wrote Neha Narula and Patrick Murck, from MIT’s Digital Currency Initiative. Smaller or newer exchanges might not be able to quickly build the compliance infrastructure that existing platforms already have.
The proposed rule goes beyond Bank Secrecy Act requirements, a16z claimed. Haun and Albanese’s letter said correspondent banking most closely resembles the FinCEN rule’s KYC obligation, but goes far beyond what correspondent banks must comply with.
“There, the BSA requires banks broadly to understand the correspondent banking customer’s customer base, but only seldom might a financial institution subject to the BSA know and collect information about the identities of specific customers of its respondents. Here, the proposed rule requires that Covered Entities collect information on their customers’ counterparties, and potentially take steps to verify such information, in all cases,” the letter said.
A traditional financial institution wouldn’t be able to comply with the proposed rule for a similar transaction that doesn’t touch cryptocurrencies, Coin Center’s Brito and Director of Research Peter Van Valkenburgh wrote.
(More) data privacy concerns
A number of respondents questioned whether sending name and address information to FinCEN would be safe for users.
Fight for the Future’s Young noted that over the past few months, the FinCEN Files were leaked and the Treasury Department’s systems were breached as part of a broader intrusion into U.S. government agencies through the use of a software vendor, SolarWinds.
“If anything, the Treasury’s awful infosec proves just how essential our financial privacy is. We’re safer when we use personal wallets, privacy coins and other financial tools free from government surveillance and interference,” he said.
This concern might prevent new customers from using U.S.-based platforms.
“A number of preliminary discussions with potential and actual customers indicate that they are seriously concerned about providing detailed information to FinCEN, citing recent security breaches at FinCEN as risks,” Boggiano wrote, referencing the FinCEN Files.
Grewal also highlighted the SolarWinds hack, which the FBI, Cybersecurity and Infrastructure Security Agency, Office of the Director of National Security and National Security Agency said Tuesday was part of “ongoing cyber compromises of both government and non-governmental networks.”
The attack, which the U.S. agencies described as “Russian in origin,” compromised over 18,000 entities and individuals.
Similar hacks could put individuals’ personal safety at risk, others wrote. Kristin Smith, executive director of the Blockchain Association, wrote that malicious actors could surveil U.S. citizens or others by associating public addresses with their names if either the federal government or crypto exchanges that store this data were hacked.
“FinCEN itself has acknowledged that the unauthorized disclosure of private financial information ‘can impact the national security of the United States, compromise law enforcement investigations, and threaten the safety and security of the institutions and individuals who file such reports,’” she wrote.
Requiring this type of data collection opens this attack vector, wrote Chamber of Digital Commerce Chief Policy Officer Amy Davine Kim.
“It will similarly increase physical security concerns for CVC holders who may be subject to physical harm or threats from bad actors should their identity become known, particularly those storing CVC in self-hosted wallets,” she said.
Marta Belcher, special counsel to the Electronic Frontier Foundation and an attorney with Ropes and Gray, told CoinDesk she believes the proposed regulation might violate the Fourth Amendment of the U.S. Constitution, which protects against “unreasonable searches and seizures” and requires probable cause for warrants to be issued.
While she believes warrantless surveillance of the financial system at large is similarly unconstitutional, she noted the U.S. Supreme Court had previously ruled in U.S. v. Miller that the Bank Secrecy Act was constitutional as there isn’t a reasonable expectation of privacy when data is shared with a third party, such as banks.
“In addition, the government has greatly expanded the Bank Secrecy Act’s reach since Miller,” she said. “I think that if Miller was revisited today, it might have a very different outcome – that is, the court would hold that the warrantless mass surveillance of financial records is a Fourth Amendment violation.”
Implementing the rule would effectively ensure that the government would have all transaction information tied to a given address, regardless of how much is transacted due to the nature of a public blockchain, she added.
Grewal and Kim agreed in their respective notes, noting that this would be true for individuals who never signed up to become an exchange customer and therefore might not know that their data is being stored.
Grewal said that FinCEN and the Internal Revenue Service do not currently use all of the data it collects from the traditional financial system. What’s more, implementing the proposed rule could add a huge amount of new data to these databases. He projected that Coinbase alone could file up to 7,000 reports per day.
CORRECTION (Jan. 13, 2021, 15:15 UTC): While the Treasury Department website initially said there were over 65,000 comments, this appears to have been an error. The actual figure is just over 7,000.