A Midnight Rule for Cryptocurrency Transaction Reports

FinCEN rulemaking announces a rushed, mostly technology-neutral reporting requirement

Over the last year we’ve watched as Switzerland, Singapore, and the Netherlands have taken a technology-specific approach to regulating transactions involving so-called “unhosted” wallets. We’ve seen the Financial Action Task Force (FATF) identify potential future measures to address “peer-to-peer transactions” including banning or severely limiting access to certain wallets altogether. These are the proposals that have been in the air throughout 2020. As U.S. policymakers continue to review their options with respect to cryptocurrencies and anti-money laundering rules, those are the proposals on the table. Those options are bad. They are drags on innovation, they unnecessarily limit the rights of citizens, and they are not technology neutral. Fortunately, these are not the policies proposed by the Treasury today. However, there are issues with this proposal, it’s rushed and has complicated new counterparty identification requirements that may be infeasible and innovation-killing in the context of cryptocurrency networks.

Coin Center strongly prefers no change to the currency state of AML policy whatsoever. We are, nonetheless, gratified that the U.S. has not chosen to repeat the mistakes made overseas, and, instead, policymakers have primarily proposed an extension of rules that already apply to traditional financial institutions dealing in cash, albeit with complications.

The proposal announced today is that transactions from regulated exchanges to individual wallets not subject to regulation (as well as unregulated foreign exchanges) should be subject to an existing automatic reporting requirement: Currency Transaction Reports (CTR) for cash transactions. Make no mistake, CTRs are a form of warrantless search and seizure of private financial records. Fifty years ago, the Supreme Court narrowly upheld the constitutionality of these reporting requirements, arguing that Americans lose their right to a warrant with individual suspicion when they hand their private information over to third parties. We’ve written extensively why the continued constitutionality of these policies is in doubt.

That said, CTRs have been required for financial institutions since the 1970s whenever a customer withdraws large amounts of cash or cash-like instruments. Bitcoin and other cryptocurrencies are best analogized to electronic cash, and therefore applying these same reporting requirements to cryptocurrency withdrawals has, at least, the benefit of technological neutrality and parity with longstanding obligations placed on traditional financial institutions. If a report is required when I take $10,000 in cash from my bank and put it in a suitcase, then it’s not unreasonable that a similar report would be required when I move $10,000 from my cryptocurrency exchange and put it into my hardware wallet. Unlike the so-called “Swiss rule,” this approach does not create a double standard between legacy financial services and cryptocurrency companies. And unlike the options listed by the FATF, this approach does not ban or otherwise limit citizens’ rights to hold their own crypto.

Nonetheless, the current proposal is problematic for two reasons. First, it requires new counterparty recordkeeping requirements for transactions above $3,000 and satisfying those recordkeeping requirements could be infeasible in the context of cryptocurrency transactions, as we’ll discuss below and in future analysis; it’s a complicated proposal. Second the proposal is problematic because it is being rushed. The Administrative Conference of the United States recommends that comment periods for proposed regulations be 30 days, and 60 days for “significant” ones, as this one is likely to be. However, this rulemaking affords only 15 days, which is highly unusual and contrary to the spirit of the Administrative Procedures Act. While the proposed rule cites a “foreign affairs function” exception to justify the short period, there is no actual account of why current policy is insufficient or why there is any urgency. And while FinCEN states that it has “engaged with the cryptocurrency industry on multiple occasions on the AML risks presented in the cryptocurrency space” it has not sought public comment on this particular proposal.

Nothing in the rulemaking suggests that some new dark web marketplace or some new money laundering threat will emerge in the next 15 days. What will happen in the next 15 days or so is the transition to a new administration. That may be the true motivation for rushing this rule. The time constraints of the so-called midnight period should never be an acceptable justification for imposing rules on Americans and innovative American businesses without sufficient opportunity for notice and comment.

In similar situations, banks have been treated to extensive consultation and a gradual (sometimes absurdly slow) rulemaking process. For example, FinCEN has had a bank customer due diligence rulemaking pending and unfinished since 2014. It is on a very similar subject: in both cases it’s a question of how—specifically—should regulated financial institutions deal with high risk payments. If banks get over six years of notice and opportunity for comment before they are regulated, why should the cryptocurrency ecosystem be treated differently? Why must we respond within 15 days and during the Christmas and New Years holidays no less? Griping aside, this is not a respectful way to engage with a vibrant American industry, and not likely to be conducive to the sort of meaningful feedback from regulated parties that could, in fact, improve our anti-money laundering policies.

A midnight rulemaking from a lame duck Trump administration is unwise and undemocratic. Regardless of the merits of this particular policy, ordering innovative businesses to implement any new compliance obligations without a standard notice and comment period is costly, sloppy, and disrespectful of the Americans companies that employ Americans, pay taxes, and contribute meaningfully to our technological prestige abroad. It’s also disrespectful to ordinary Americans, whose privacy is at stake, and individual software developers, who have dedicated their careers to building better, more secure, and more private financial infrastructure.

A last minute rulemaking also defeats accountability for the rulemakers because the political appointees associated with this rule know they will not face voters again. Finally, rushing this at the end of the term unfairly saddles the incoming administration with an untested regulatory regime that they will not have crafted nor had time to study. It will therefore further exacerbate inefficiency and wastefulness in government as the transitioning agency staff must adjust.

We appreciate the fact that this proposal avoids technology-specific standards like the Swiss-rule and draconian restrictions like those FATF has contemplated. Nonetheless this rulemaking takes a bulk warrantless surveillance regime and applies it to an innovative technology with little opportunity for public comment. This is especially problematic given the complicated implications of the proposed recordkeeping requirements which may, as described in the next section, meaningfully stymie innovation. A fifteen day period is simply not enough time to work through these implications.

The rulemaking’s subtle alteration of the recordkeeping requirement may add significant friction to transactions above $3,000 between regulated exchanges and some “un-hosted” wallet addresses. Existing recordkeeping requirements are risk-based and financial institutions do not have a black-letter obligation to always know the person their customer is asking them to pay. For brevity you can think of these obligations as Know Your Customer’s Counterparty or KYC requirements. This rulemaking would make recordation of the counterparty’s name and physical address mandatory rather than merely risk-based. It does not require any verification of that information, so in theory a customer could simply be asked to provide it and recording those answers might be sufficient for compliance. But the mere fact that the rule would require this recordkeeping at all may be enough to severely limit the availability of several types of transactions between exchanges and cryptocurrency addresses. How, for example, would an exchange record a name and physical address when its customer asks it to pay a smart contract that meters WiFi service? Or the address of a person with whom the customer is making an algorithmically matched decentralized exchange? These are exciting new use cases and the rule may stymie these important innovations. We’ll focus our attention on that recordkeeping requirement and develop our comments over the next fifteen days.