New Tornado Cash indictments seem to run counter to FinCEN guidance

Our initial thoughts on a case that could potentially criminalize the publication of software code

Roman Storm and Roman Semenov have been indicted for, among other charges, conspiracy to operate an unlicensed money transmitting business. We don’t have all the facts but at first blush we don’t see how the limited factual allegations offered by the indictment show any clear violations of the relevant law. We’ll likely have more to say about the other charges and this new case in general, but we thought it would be useful to look at the difference between what is money transmission and what is mere software development or communications services. That is a key question at stake in this case and it is also central to our rights as Americans to build and publish software.

The only thing the indictment claims regarding the defendants’ unlicensed money transmission is that they “engaged in the business of transferring funds on behalf of the public” and did so without registering with FinCEN. But does the indictment state any facts that actually show that the defendants engaged in any activities that qualify as money transmission under the relevant law?

The implementing regulations of the Bank Secrecy Act define “money transmission services” as “the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.”

The 2019 FinCEN Virtual Currency Guidance offered detailed interpretations of those regulations, and, with respect to anonymizing software providers, said,

An anonymizing software provider is not a money transmitter. FinCEN regulations exempt from the definition of money transmitter those persons providing only’the delivery, communication, or network access services used by a money transmitter to support money transmission services.’ This is because suppliers of tools (communications, hardware, or software) that may be utilized in money transmission, like anonymizing software, are engaged in trade and not money transmission.

The indictment provides various factual allegations describing the activities the defendants performed, but all of those facts point to the defendants fitting squarely within FinCEN’s guidance on anonymizing software providers rather than them being money transmitters. Let’s look at each alleged activity.

The allegations include that the defendants: (a) paid for web hosting services for a user interface that allowed users to send transaction messages to the underlying smart contracts, (b) paid for a software repository (Github) where smart contract and user interface software and documentation was hosted, and (c) had (for a time before May 2020) “complete control” over the Tornado Cash smart contracts.

As for procuring web hosting and software repository services, these activities on their own definitely do not fit the regulatory definition of money transmission, which again is “acceptance of funds and transmission from one person to another.” These activities are merely the communication and publication of software and data. Such activities are clearly excluded from money transmission under the 2019 guidance.

While it is true that by performing these “delivery, communication, or network access services,” the defendants made it easier for individual users to access and use the Tornado Cash smart contracts in order to transmit money, that doesn’t somehow mean that they became transmitters merely because they provided tools that others used to transmit their own money. As FinCEN’s 2019 guidance says,

[A] person that utilizes the software to anonymize the person’s own transactions will be either a user or a money transmitter, depending on the purpose of each transaction. For example, a user would employ the software when paying for goods or services on its own behalf, while a money transmitter would use it to engage as a business in the acceptance and transmission of value as a transmittor’s or intermediary’s financial institution.

FinCEN’s guidance clearly allows for the possibility that someone might publish anonymizing software and that someone else might use that software to move their own funds. FinCEN’s guidance says that in such an example neither the software provider nor the user is a money transmitter who needs to register. To my knowledge this is exactly how Tornado Cash tools were provided and used.

As for “controlling” the smart contracts before May 2020, the analysis may be more complicated. The indictment merely says the defendants had “complete control” over the contracts. Ethereum smart contracts are variable and sometimes people have no control over their operation, some control, or total control. This is the key fact needed to determine whether one is performing money transmission.

If a person, for example, had the ability to move any and all funds locked by that contract then it may be true that said person accepted those funds and was transmitting them on behalf of whoever put those funds into that contract, i.e. said person was a money transmitter. However, if a person merely had the ability to update certain logic relevant to the contract but insufficient to gain control over the funds and transmit the funds at their discretion then said person would not have what FinCEN in the guidance calls “independent control” over the funds being transmitted and would not therefore be a money transmitter. The indictment does not clearly state the manner of the defendant’s control and therefore does not sufficiently allege unlicensed money transmission.

We’re still researching but to our knowledge the only control that the defendants ever had over the smart contracts was the ability to change aspects of cryptography related to Tornado Cash’s privacy features and never had any ability to actually access, move, or direct the user funds in the contract. If that technical analysis is accurate then it does not seem likely the defendants ever had the sort of “independent control” over the transmitted value that FinCEN describes in its guidance, and, accordingly it seems that this alleged activity would also not constitute unlicensed money transmission.

The government also alleges that the Defendants “advertised” the Tornado Cash tool, “profited” from a governance token that afforded some control over smart contracts, and “designed” several aspects of the tool. As with the other allegations, however, none of these activities are the “acceptance and transmission” of money. And if one is advertising or profiting from the creation of mere software, that fact alone doesn’t change the provision of software into the provision of regulated financial services.

We’ll be closely monitoring developments in this case and will have more to say as further facts emerge.