Treasury’s GENIUS report is encouraging but there is still work to be done
Privacy and Self-Sovereignty in Digital Identity, and why Congress should focus on CLARITY.
On March 6, pursuant to the GENIUS Act, the Department of Treasury published its report to Congress on “Innovative Technologies to Counter Illicit Finance Involving Digital Assets.” For background, GENIUS required Treasury to conduct research and submit a report on how it can better allow regulated financial institutions to “develop and implement novel and innovative methods, techniques, or strategies to detect illicit activity, such as money laundering and sanctions evasion, involving digital assets.”
The Report considers a select group of technologies, including: artificial intelligence (AI), digital identity, blockchain monitoring and analytics, and application programming interfaces (APIs). Its considerations with respect to these technologies came as a result of the various responses submitted to Treasury during its Request for Comment (RFC) back in August 2025. In October 2025, Coin Center responded extensively to Treasury’s RFC concerning privacy and digital identity, focusing on topics from our recent report: Tear Down this Walled Garden (i.e., the John Hancock Project).
The Report acknowledges the need for privacy in digital identities and references various solutions that will ensure that users are protected, but does not offer specific recommendations apart from indicating that Treasury will issue guidance for financial institutions and work with Congress. Concerning decentralized finance (DeFi), the Report recommends that Congress consider certain expansions of the BSA to fill perceived gaps. The recommendations do not explicitly state who in DeFi should be encompassed under the BSA, and do not mention the current market structure legislation that is already in progress and explicitly protects software developers from undue surveillance obligations. We believe Congress should remain focused there rather than expanding the BSA. All in all, Treasury’s Report provides some encouraging observations but much work remains to be done.
Among various technologies, the Report addresses digital identity solutions for financial institutions to combat illicit finance, outlining current uses by financial institutions and challenges that were expressed in responses to Treasury’s RFC. And although the Report recognizes important aspects of various digital identity technologies and supports the use of digital identity by financial institutions, Treasury does not take a clear position on which technologies it approves of or how financial institutions should implement them. Instead, the Report provides four next steps.
First, Treasury will issue guidance for financial institutions to adopt and use verifiable digital credentials. Second, it will work with Congress on legislation to incentivize the “development and integration of digital identity tools aimed at countering illicit finance,” which would include funding. Third, it will also work with NIST to develop common guidelines for international partners. And fourth, it will “[w]ork with Congress on ways to better enable third-party service providers to conduct identity verifications and issue verifiable digital credentials that can be accepted by financial institutions to fulfill elements of customer identification and verification requirements.”
Coin Center will continue to engage with Treasury as those processes unfold. Our positions will remain largely consistent with our response to Treasury’s RFC last October, which focused on AML obligations for permitted stablecoin issuers under GENIUS. As a primer, GENIUS treats permitted stablecoin issuers as financial institutions for purposes of the Bank Secrecy Act (BSA)—which requires them to identify customers to prevent money laundering—and instructs Treasury to adopt rules on the matter. In our response, we urged Treasury to consider new privacy-preserving technologies and digital identity tools that could protect stablecoin users while providing issuers with the means for compliance.
Coin Center’s work in digital identity, including our forthcoming John Hancock Project, focuses on regulated financial institutions in which identification is already required. In these cases, identity infrastructure will evolve; the open question is whether it evolves toward centralized trust silos or composable user-controlled systems. With permitted stablecoin issuers, that evolution is especially important. If stablecoins continue to travel on fully public blockchains, then mandating issuer collection, storage, and retention of identifying information risks the creation of a total financial panopticon.
Treasury’s Report emphasizes privacy, but it also acknowledges other responses to the RFC that called for better linking of real-world identities with on-chain transactions. These responses focused on strengthening efforts against illicit finance in DeFi, but adopting them would effectively turn stablecoins into the CBDC surveillance tools many in Congress and the administration fear.
Coin Center’s response highlighted two technologies that can enable compliance while mitigating privacy risks for users, and we hope to work with Treasury on its next steps in order to protect everyday Americans.
First, we called for Treasury to permit and encourage the issuance of stablecoins on privacy-preserving blockchains, which “now make it technically feasible to issue and manage stablecoins without sacrificing transactional privacy or regulatory oversight.” As we explained in our response, these blockchains “employ zero-knowledge proofs [ZKPs] and related cryptographic techniques to hide the details of individual transactions—amounts, counterparties, and balances—while still enabling verifiers to confirm that the system is solvent, compliant, and free of double-spending.”
Treasury’s Report makes no mention of privacy-preserving blockchains, and we hope that its future work on these topics makes clear that, using these networks, issuers can still perform their required obligations while users can transact freely amongst themselves and without limitless exposure of their financial lives—much like with cash. Otherwise, linkage between real-world identities and complete and detailed on-chain transaction histories would make everything permanently traceable.
Second, we urged Treasury to investigate and ultimately permit alternative customer onboarding that is portable, attribute-based, and dynamically risk-scored. Treasury’s Report discusses these solutions at length, and even suggests that they would be useful in strengthening privacy and even be more efficient than traditional, dispersed identification methods. We agree, and what is left for Treasury is to get to specifications.
The Report largely focuses on “portable digital identity solutions” that allow for interoperability of verified credentials and explains the ways in which these portable solutions could better facilitate customer identification while protecting their privacy. This includes the ability to query “for the specific information required on a ‘need-to-know’ basis,” while integrating a risk-score for compliance purposes, and incorporating zero-knowledge proofs (ZKPs) so that customers can “prove that they are who they claim to be without revealing information other than that fact.” The Report emphasizes that these solutions could “create fewer large identity targets for illicit actors to exploit.”
The Report also explains the ways in which digital identity systems can be better protected, including through the use of “encryption, multi-factor authentication, continuous monitoring, and attack detection tools,” all while adhering to standards set out by the National Institute of Standards and Technology (NIST) in its Digital Identity Guidelines.
We commend Treasury for taking these new privacy-preserving technologies seriously. Moving forward, as we called for in our comment, we hope that Treasury will specifically recommend the use of NIST’s Identity Assurance Level 2 (IAL2) benchmark for strengthening identity proofing, and clarify that it “satisfies FinCEN’s requirement that a financial institution ‘form a reasonable belief that it knows the true identity of each customer.’” Treasury should also permit custodial intermediaries and permitted stablecoin issuers to issue credentials themselves, provided they meet IAL2 standards and remain subject to audit, in order to promote competition and interoperability.
With regards to risk-scoring, the Report does not dive into how risk scores would be implemented. Our comment, and our larger report on the subject, advocates the following approach: that the gating via risk score only applies to custodial intermediaries, and that risk scoring be done dynamically and transparently while user data remains private.
Much work remains to be done on the question of how risk scoring is done. Today risk scores are calculated internally by financial institutions using mountains of personally identifiable information and transaction monitoring. Ideally this opaque and privacy damaging approach would be supplanted by transparent and open systems. For example, a neutral oracle or smart contract could “aggregate multiple credential attestations and behavioral proofs—such as liveness checks, wallet longevity, transaction history, or credential freshness—to produce a composite compliance score” at the behest of an individual. That score could “represent the outcome of many independent verifications, none of which requires disclosing underlying personal data.” In other words, users would input certain information to an oracle or smart contract to calculate a risk score that they can then present to a regulated entity for a service (e.g., stablecoin issuance and redemption). In this approach, “[u]sers would retain control over which credentials to disclose to improve their score,” and the scoring algorithms and parameters would be auditable to regulators.
Coin Center’s John Hancock Project is devoted to identifying the technological and institutional gaps that need to be filled before privacy-preserving digital ID and transparent risk scoring can be widely adopted at financial institutions. We will continue to engage with Treasury and Congress to socialize these new technologies and advocate for their adoption once mature.
The Report also references submitted responses that concern DeFi’s role with digital identity. According to the Report, respondents focused on the government and law enforcement’s ability to “benefit from verifiable, tamper-evident audit trails tied to cryptographic proofs that can allow authorities to more easily query identifiers and ascertain linkages between a specific person and illicit activity.” The Report also references responses that highlighted the “utility of digital identity in the DeFi ecosystem.” In these cases, respondents focused on implementing digital identity credential checks in smart contracts and tools that “incorporate a user’s transaction history on the public blockchain into their identity profile,” as well as “tokenized credentials” tied to wallet addresses.
Coin Center opposes any mandates for digital identity in services and technologies that are not already obligated to comply with know-your-customer (KYC) requirements and where there is no legitimate business reason for identity collection (e.g., peer-to-peer transactions on an open blockchain network). The Treasury Report did not call for the use of digital identity tools within DeFi, and Coin Center strongly urges Treasury not to go down that road, but rather to continue focusing efforts on regulated entities.
The Report does, however, include an assessment of DeFi’s role in AML efforts, and recommends that Congress “consider specifying actors within the decentralized finance ecosystem that should be subject to AML/CFT obligations, taking into consideration those actors’ roles in the ecosystem and attendant risks.” The Report also recommends that Congress create “digital asset-specific financial institution types or subtypes within the BSA, such that the new types or subtypes would be subject to AML/CFT obligations.” It further recommends that the Financial Crimes Enforcement Network (FinCEN) “evaluate whether and how its existing guidance related to the digital asset sector, including guidance issued in 2013 and 2019, should be rescinded, modified, or updated to reflect legislative and regulatory changes.”
It is understandable that Treasury wishes to close any perceived gaps in BSA coverage. National security is important; however, it cannot excuse the violation of our constitutional rights and civil liberties. There are real gaps in the BSA, for example non-compliant centralized digital asset exchanges overseas. Peer-to-peer transactions themselves, however, are not a gap. The BSA has never and should never apply where no trusted financial institution exists. That has always been the case with peer-to-peer cash transactions and must also be the case with peer-to-peer digital asset transactions. A call for BSA application in these “gaps” risks either forced reintermediation of payments, or asking ordinary Americans to be part of the state surveillance and control apparatus merely because they are paying someone or being paid. Coin Center is already fighting this encroachment in our 6050I tax reporting lawsuit and will continue to fight it on the BSA side as well.
And while the Report’s recommendations for gap-filling are not as aggressive as Treasury’s past calls for BSA expansion and surveillance under the Biden Administration (e.g., the 2023 letter and proposal to the Chair of the Senate Banking Committee, the “Adeyemo Letter”), they pose the same risks of expanding financial surveillance and potentially imposing intermediary-like requirements where no intermediary exists. Those 2023 proposals would have expanded the definition of “financial institution” under the BSA to include various non-custodial software developers and blockchain nodes. In response, Coin Center argued that the BSA already provides Treasury with “extremely broad discretion to monitor financial transactions” and “can already be used to go much further and potentially criminalize everyday life.” Furthermore, we argued that it would be detrimental to the ecosystem and unconstitutional if specifications were to encompass those who are merely engaged in “the publication of software and are not in any trusted or agency-like relationship with the users of their software.” Thus, given the existing breadth of the BSA, there is no need for broader authority from Congress. We believe that Treasury should reconsider its stance on this recommendation and avoid the pitfalls of the previous administration.
Furthermore, the recommendation that FinCEN reevaluate its 2013 and 2019 guidances should be reconsidered. FinCEN clarified in its 2019 Guidance that a person or entity must “accept” an independent third-party’s funds and “transmit” them on their behalf in order to be considered a money services business under the BSA. This principle is sound and should not be rescinded, modified, or updated, except to more explicitly clarify that merely publishing or operating software is not money transmission when said actor does not have “total independent control” of user funds.
Congress should continue its current approach to AML as found in the CLARITY Act, which would only create new categories of BSA-regulated entities in the digital asset ecosystem for centralized financial intermediaries (i.e., digital commodity brokers and dealers). Congress must not obligate mere developers, infrastructure providers, or individual users to do surveillance. Current drafts of CLARITY include the Blockchain Regulatory Certainty Act, which would protect developers from being mistreated as money transmitters under the BSA just because they publish or maintain software that enables users to transact on their own and without an intermediary.
In its DeFi assessment, the Report also recommends that Congress “consider how to best safeguard the U.S. financial system from money laundering threats that originate abroad, including those in the [DeFi] ecosystem,” which would include “adding a sixth special measure to Section 311 [of the PATRIOT Act] authorizing Treasury to prohibit, or impose conditions upon, certain ‘transmittals of funds’ that are not tied to a correspondent banking relationship.”
It is true that these powers could be abused to surveil cryptocurrency users or ban cryptocurrency transactions. However, even as contemplated in the report, 311 authority would only apply to regulated financial institutions. To review, Section 311 allows Treasury, after findings and through rulemaking, to impose restrictions on U.S. financial institutions dealing with designated foreign jurisdictions, institutions, or classes of transactions. Treasury has proposed a new sixth special measure that would explicitly allow them to ask financial institutions to report or block cryptocurrency transactions.
Coin Center does not advocate for this change to the law, but we do not see it as a grave threat either. For one thing, it is likely that existing authority already allows these reporting and blocking orders, and the proposed changes merely formalize that power. Moreover, 311 reporting requirements do not apply to ordinary businesses or individuals, nor to purely domestic transactions. Therefore, if Treasury were, one day, to attempt to inappropriately leverage Section 311 to require financial institutions to ban all crypto transactions, Coin Center would be able to effectively challenge these abuses under the Due Process Clause, as Americans’ liberty “would be decidedly curtailed without any trial or opportunity for review.” Coin Center has already successfully fought off past attempts to weaken the procedural checks on 311 authority. Fortunately, the Report does not recommend the weakening of those processes. Altogether, while we do not advocate for an expansion of 311 authority, the Report’s proposed expansion is not a grave threat to our mission. Notably, the current market structure draft legislation also includes this expansion and we do not oppose it.
Treasury’s Report to Congress displays an honest effort to understand the various innovative technologies that exist for financial institutions to better detect and combat illicit finance. Solutions such as privacy preserving verifiable credentials present a good opportunity to do just that; however, these mechanisms must be designed to honor American values. Coin Center’s John Hancock Project exists to ensure this, and we welcome Treasury’s involvement.
As much as these new technologies can offer improved privacy while addressing AML risks, it is equally important that Treasury not extend BSA obligations to those who are not acting as intermediaries and are merely engaging in software development (protected speech) or participating in a blockchain network. We understand and support the need to strengthen national security, but encompassing software developers and operators, who do not act as intermediaries, would cause more harm than good, as it would jeopardize the continued development of private, free, and open electronic cash. Instead, Congress should focus on passing market structure legislation with proper distinctions between software developers and intermediaries.