US Treasury’s Unhosted Wallet Proposal Is Unnecessary, Ineffective And Counterproductive

Published on

Following the US Treasury notice of proposed rulemaking (NPRM) issued on December 18, 2020 regarding transactions with unhosted wallets and wallets hosted at financial institutions in certain jurisdictions, Elliptic today submitted an open letter to FinCEN in response to the proposed changes.

Get Our Activist Investing Case Study!

Get The Full Activist Investing Study In PDF

Q3 2020 hedge fund letters, conferences and more

Elliptic's Open Letter On US Treasury’s Proposed Rules On Unhosted Wallet Transactions

Policy Division

Financial Crimes Enforcement Network (“FinCEN”)

P.O. Box 39

Vienna, VA 22183

Re: FinCEN Docket No. FINCEN-2020–0020; RIN №1506-AB47; Notice of Proposed Rulemaking: Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets

To whom it may concern:

We are writing in response to FinCEN’s Notice of Proposed Rulemaking (“NPRM”) published in the Federal Register on December 23, 2020, regarding “Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets.” We appreciate the opportunity to comment on this NPRM. The measures it outlines will have far-reaching consequences for regulated entities, could negatively shape the future of financial innovation in the United States, and could adversely impact the effectiveness of US anti-money laundering and countering the financing of terrorism (AML/CFT) efforts for years to come if not addressed in a thoughtful and prudent manner.

It is therefore critical that the public and private sectors have a robust and open consultation about the impact of these proposed measures given their far-reaching consequences.

Though we welcome this opportunity to comment, we are deeply concerned that the comment period has been limited to only 15 days. We urge you to provide additional time for comments so that a truly effective analysis of the NPRM’s impact, and in particular, the resource and cost burdens it will impose on regulated businesses can take place before a final rule is implemented. The short comment period has meant that we are unable to fully analyze the NPRM, provide a comprehensive response, or answer the questions contained within it.

As a provider of blockchain analytics solutions for dozens of US banks and money services businesses (“MSBs”), Elliptic’s mission is to combat financial crime in convertible virtual currencies (“CVCs”). Indeed, we have been providing US businesses with compliance solutions to manage their CVC-related financial crime risk since 2013, when FinCEN first issued guidance related to virtual currencies. We also work closely with US law enforcement agencies, providing them with the ability to trace proceeds of crime through the blockchain and bring those involved to justice. We have a deep understanding of the illicit use of CVCs and have published extensive research on topics such as CVC-specific money laundering and terrorist financing typologies 1 .

It is owing to this ongoing commitment that we are concerned about the measures outlined in the NPRM. We feel the proposed measures will fail to protect against financial crime, and worse, could achieve the opposite outcome and exacerbate illicit activity by imposing requirements that would divert resources away from existing effective practices and incentivizing the use of less transparent CVC trading platforms. We believe the manner in which this NPRM has been rolled out will also undermine its effective implementation.

We have four main objections to the proposed rules and the rulemaking process:

1. The rulemaking process is unjustifiably short and risks introducing ineffective regulation with unintended consequences.

The 15 day comment period for this proposed rulemaking, spanning the Christmas and New Year holidays and during a pandemic, is clearly insufficient and will likely lead to ineffective regulations with unintended consequences, as described elsewhere in this letter.

The curtailed time frame is unnecessary and unjustified. In particular, the NPRM argues that providing the standard comment period is contrary to the public interest because it could tip-off criminals, who could:

“accelerate or cause the movement of assets implicated in illicit finance from hosted wallets at financial institutions to unhosted or otherwise covered wallets, such as by moving CVC to exchanges that do not comply with AML/CFT requirements.”

This argument is not valid for two reasons. First, the proposed rules, if enacted, will not prevent criminals moving their assets to unhosted wallets - they would simply trigger reporting and recordkeeping requirements. The measures themselves do nothing to prevent asset flight, and indeed, their imposition may hasten it by encouraging illicit actors to move funds to less transparent platforms, both in the near-term, and over the long-term. This risk is discussed further below.

Second, even if knowledge of the proposed rules leads criminals to move their funds out of US financial institutions, they have already now had an opportunity to do this owing to the publication of the NPRM in the Federal Register. The small additional risk that a longer comment period would provide these actors with more time to move their funds is far outweighed by the need for the public to assess and provide comment on the proposed rules given their scope and potential impact on regulated entities.

Treasury also justifies the abbreviated 15 day comment period, because:

“FinCEN has engaged with the cryptocurrency industry on multiple occasions on the AML risks presented in the cryptocurrency space and carefully considered information and feedback received from industry participants. These engagements have included a FinCEN Exchange event in May 2019, visits to cryptocurrency businesses in California in February 2020, an industry roundtable with the Secretary of the Treasury in March 2020, and a FinCEN Exchange event on cryptocurrency and ransomware in November 2020.”

Elliptic was present at both of the FinCEN Exchange events and the industry roundtable with the Secretary of the Treasury. These meetings were highly productive in enabling public-private sector collaboration on topics impacting CVCs. We welcome and are appreciative of this engagement. However, none of these events included discussion of the specific measures outlined in the NPRM, and the industry was not invited to comment on them at that time.

As the NPRM highlights in referencing these events, the industry has demonstrated its willingness to engage as a constructive partner with the public sector. The industry should be afforded more time to comment on the NPRM given that it was not invited to do so at the events noted above. If offered ample time to comment, the industry can provide more detailed views about how these measures can be improved, or can propose alternative measures that might be more effective than those outlined in the NPRM.

By not affording the industry more time to comment, or allowing more time for implementation, there is also a risk that the industry may struggle to implement the proposed measures effectively owing to a lack of clarity about their provisions, thereby undermining the intended outcomes of the proposed rule. We have outlined specific implementation issues that require further clarification in an Annex to this letter, but feel that additional time is essential to fully assess and clarify these issues and other challenges that the NPRM raises.

To ensure effective outcomes, it is therefore in both the public and private sectors’ interest to undertake a lengthier comment period. We recommend a 90 day comment period to ensure sufficient time, as has been requested in a petition by the Chamber of Digital Commerce 2 .

2. Data shows that the risks posed by unhosted wallets have been overstated and that the proposed rules are largely unnecessary for combating financial crime in CVCs.

The risk associated with unhosted wallets is overstated for at least two reasons:

(i) Unlike with physical cash, peer-to-peer CVC transactions through unhosted wallets are visible on the blockchain, and can be traced using blockchain analytics solutions. Using these techniques, law enforcement can already achieve the outcomes that the NPRM claims can only be achieved by imposing new measures.

The use of unhosted wallets does not prevent blockchain analytics techniques from being used to identify and trace proceeds of crime in CVCs. This has been readily demonstrated by numerous successful law enforcement investigations, including cases involving ransomware, fraud, sanctions evasion and terrorist fundraising. Regulated financial institutions engaged in CVC transactions also use blockchain analytics tools to successfully identify customer transactions to or from illicit actors, including those that have passed through unhosted wallets. Regulated businesses also rely on blockchain analytics to pre-screen transactions to identify and prevent dealings with sanctioned persons, as well as other illicit actors who use unhosted wallets - ensuring financial resources are denied to these threat actors.

By combining the data from blockchain analytics with other sources of intelligence, law enforcement agencies are frequently already able to identify users of unhosted wallets, apprehend them, and confiscate their assets - the same objectives the NPRM purports to achieve. The US has successfully accomplished this through recent law enforcement action. This includes recent action in September 2020 against cyber-enabled terrorist financing campaigns that utilized CVCs to raise funds. 3 US law enforcement relied on a combination of blockchain analytics and traditional techniques to dismantle those terrorist fundraising efforts. The new proposed measures would be redundant and merely impose a cost on the private sector to document information that law enforcement agencies have demonstrated they are able to access and act upon through existing means. The new measures would also threaten to jeopardize these techniques if they encourage users to move away from regulated platforms, a risk we describe further below.

The NPRM correctly points out that blockchain tracing is more challenging for anonymity-enhanced cryptocurrencies. However, the risks posed by these technologies can and should be addressed most effectively through risk-based application of existing Bank Secrecy Act (“BSA”) requirements, rather than through additional rules.

(ii) Illicit actors are almost completely dependent on being able to “cash-out” to fiat currency, and they use financial institutions subject to BSA requirements to do so. Information about this activity is already shared with FinCEN through the suspicious activity reporting (“SAR”) filing process.

Elliptic’s analysis of several billion dollars of criminal proceeds in bitcoin moved between 2011 and 2020 demonstrates that more than 90% of illicit funds were sent to exchanges and other MSBs that are already subject to identity verification, recordkeeping and SAR requirements. Fewer than 10% of the illicit-origin funds we analyzed remained in unhosted wallets. Of the minority of criminal funds currently in unhosted wallets, the vast majority are simply dormant, rather than being circulated in an “unregulated” part of the CVC ecosystem.

The data therefore shows that the primary risk lies not in criminals’ ongoing use of unhosted wallets. Rather, the largest risk would derive from imposing unnecessary requirements on regulated businesses, which might only encourage criminals to go further underground. The solution to this is to more tightly enforce existing requirements and encourage expansion of efforts that have already proved successful in preventing financial crime, rather than to impose costly and likely ineffective requirements on transactions involving unhosted wallets.

3. The proposed rules would be ineffective and possibly counterproductive, leading to increased criminal use of CVCs by forcing banks and MSBs to divert attention and resources from measures that are already working.

The proposed rules will provide law enforcement investigators with little additional insight into transactions facilitated by MSBs or banks that they cannot glean already. It will also not succeed in its aim of ascertaining the identities of high risk and illicit actors using unhosted wallets beyond what is already possible.

Even under the proposed rules, CVC users with accounts at MSBs/banks would still be able to transact with unhosted wallets controlled by third parties without those institutions being fully aware of those third parties’ identities. For outgoing transactions 4 this would be achieved by simply withdrawing CVC to an unhosted wallet controlled by the customer of the MSB/bank before then quickly sending the CVC to the third-party beneficiary’s unhosted wallet. Despite the proposed rule, the bank/MSB would have undertaken activity on behalf of the ultimate beneficiary of the transaction but without having this person’s identity recorded or reported by the MSB/bank. To glean further information about the flow of funds beyond the transfer to the customer’s own unhosted wallet, the regulated entity and law enforcement can already leverage blockchain analytics solutions, as noted above. It is therefore unclear what additional meaningful information the recordkeeping requirement is expected to produce beyond what is discernible from existing sources and through pre-existing AML compliance practices the cryptocurrency industry already employs.

As described above, illicit actors are still highly dependent on CVC service providers such as exchanges to cash-out or exchange their CVC holdings. Over 90% of criminal proceeds in bitcoin go either directly or via unhosted wallets to businesses that are subject to AML requirements such as SAR filing. Law enforcement greatly benefits from these transactions between regulated service providers and third party wallets, because valuable insights can be gained when publicly available information from the blockchain is combined with private information held by those regulated businesses. This information can already be readily accessed and utilized without imposing additional requirements.

Furthermore, the NPRM risks producing an unintended outcome: by imposing additional information collection requirements at the point where both industry and the public sector are already able to glean substantial amounts of information, the proposed rules would greatly incentivize both legitimate and illicit actors to move away from using centralized, regulated service providers towards decentralized, unregulated alternatives. This would make it considerably more challenging for illicit CVC use to be monitored and investigated than is the case today.

The proposed rules are also an inefficient use of the scarce compliance resources available to regulated entities. It is not the case that all recordkeeping and reporting requirements provide a net benefit in terms of the underlying AML/CFT goals. The opportunity cost must also be taken into account. The resources required to comply with the proposed rules would be far better invested in improved controls to detect and report suspicious activity that leverages existing techniques, rather than new blanket recordkeeping and reporting. The time and effort required to implement these new measures would force private sector entities to divert resources and effort away from processes and procedures that are already working.

As the NPRM itself highlights, FinCEN already receives valuable information from the private sector in the form of substantial volumes of SARs about CVC activity. This effectiveness could be lost if the industry is required to undertake these new measures, which provide little additional benefit, and particularly if implemented on a hasty timeline necessitated by the short comment period offered on this NPRM. Owing to the rushed comment period, MSBs, may, for example, be forced to divert staff urgently away from engaging in blockchain monitoring and SAR filing activities merely to fulfill the recordkeeping obligations set out in the NPRM - undermining the outcomes the NPRM purports to achieve and potentially making regulated entities more, and not less, vulnerable to illicit activity.

These concerns about the proposed rules are echoed by many within the law enforcement community who the NPRM cites as benefiting from its proposals. According to Jarek Jakubcek, an experienced investigator at Europol and one of the world’s foremost experts on the criminal use of CVCs, Treasury’s proposed rules are 5 :

“Probably the worst value-for-money compliance proposal that has a dangerous potential for diverting legitimate clients from the most to the least compliant services.”

Public sector resources can also be better used by reinforcing and doubling-down on existing initiatives that have proven effective to date in mitigating against certain risks associated with unhosted wallets, rather than diverting resources to a new set of requirements whose value is unproven.

For example, the November 2020 FinCEN Exchange event that Elliptic and our peers in the industry attended provided an excellent forum for the public and private sectors to discuss information on threat actors, specifically ransomware perpetrators, who rely on unhosted wallets. Public and private sector resources would be better directed at undertaking a greater number of public-private initiatives that allow relevant parties to share information in a collaborative fashion, including information on self-hosted wallets known to be used by illicit actors, rather than directing those same resources at fulfilling the rote recordkeeping requirements set out in the NPRM.

Furthermore, public-private partnership initiatives such as FinCEN Exchanges can be augmented through related information sharing initiatives that leverage existing frameworks and do not require the imposition of any new measures. For example, FinCEN recently provided valuable clarification about the types of counterparty information that private sector entities can share under section 314(b) of the USA PATRIOT Act. 6

FinCEN should work with the cryptocurrency industry to ensure that banks and MSBs can maximize the value offered by 314(b). Leveraging 314(b) alongside the open data available from blockchain analytics offers the promise of law enforcement receiving greater intelligence insights about illicit activity passing through unhosted wallets than the proposed measures in the NPRM can achieve. Resources and time would be better devoted to enriching and enhancing these information sharing efforts that draw on pre-existing mechanisms. Imposing new requirements that merely focus resources and attention in the wrong places will lead to increased opportunities for criminals to exploit the CVC ecosystem.

4. The proposed rules are disproportionate because they impose far more onerous requirements on CVC transactions than for physical cash transactions, despite cash presenting a substantially higher risk.

The proposed rule requires that MSBs and banks should report CVC transactions to or from an unhosted or “otherwise covered” wallet, with an aggregate value greater than $10,000 in one day. The information reported should include the name and physical address of the counterparty, and should be filed in the form of a Currency Transaction Report (“CTR”). The rule would also require MSBs and banks to record the name and physical address of counterparties using unhosted or otherwise covered wallets for any transactions over $3,000.

These requirements do have an analogy in legacy finance. However, the proposed rule goes far beyond the existing reporting requirements for physical cash by requiring that an individual counterparty’s name and physical address to be collected, reported and in some cases verified, including during the course of CTR reporting. Again, the proposed rulemaking provides no justification for this discrepancy with existing reporting requirements for physical cash transactions.

We believe that there is no reasonable justification for these additional recordkeeping and reporting requirements. They go far beyond the existing requirements for physical cash transactions, despite the level of illicit use of cash being far higher than for CVCs. Elliptic’s own research has shown that fewer than 1% of bitcoin transactions can be linked to criminal activity 7 , and this aligns with other independent industry analyses. The NPRM calls into question the accuracy of such figures based on blockchain analytics; however, this type of analysis represents the most accurate available measure of the illicit use of CVCs. The NPRM cites the volume of CVC-related suspicious activity reports (SARs) in the US as representing 11.9% of CVC transactions. However, SARs are filed where there is only a suspicion of illicit activity. Financial institutions are known to file SARs “defensively”, leading to significant over-reporting. Indeed, according to a survey of past and present FIU heads, 80-90% of SAR filings are of “no operational value” 8 . When this over-filing is taken into account, all available data infer that 1% represents the order of magnitude of illicit CVC use.

The lack of transparency that makes cash a far more powerful criminal tool than CVCs also makes it more challenging to measure its illicit use. However, Harvard economist Kenneth S. Rogoff has estimated that more than a third of all U.S. currency in circulation is used by criminals and tax cheats - a figure that far exceeds the proportion of illicit activity in CVCs 9 .

By imposing a significantly higher recordkeeping and reporting burden for CVC transactions than for fiat cash transactions, the proposed rules would impose an unjustified tax on financial innovation, and could discourage US banks and MSBs from offering new innovative services - ultimately hindering US competitiveness. Before undertaking such a significant measure, FinCEN should provide further explanation for the justification behind these measures, and the private sector should be afforded more time to comment on their potential impact.

Our Recommendations

1. The NPRM consultation period should be increased to 90 days in order to allow a comprehensive analysis and response by stakeholders.

2. The proposed counterparty recordkeeping requirement should be removed.

3. If the new CTR reporting requirement is retained, the obligation to collect and report counterparty information should be removed. This would bring the requirements in line with those for cash and other monetary instruments.

4. FinCEN should work with the cryptocurrency industry to expand public-private partnership initiatives that can be used to generate intelligence on illicit users of unhosted wallets, and that would yield more valuable information than the measures outlined in the NPRM.

Finally, we attach an appendix listing areas of the NPRM that require further clarification. We are concerned that the lack of clarity in the NPRM around these issues could prevent banks and MSBs from successfully complying with the measures if adopted as written - a problem that would be compounded if banks and MSBs are forced to do so at extremely short notice.

Sincerely,

Simone Maini

Chief Executive Officer

Elliptic

Appendix - Key Issues Requiring Further Clarification

In addition to those points raised above, there are other more specific points regarding technical compliance with the proposed measures that we feel require additional clarification.

These issues have been raised to us by US banks and MSBs that we engage with, and who have indicated to us that failure to obtain clarification on these issues could prevent them from implementing the measures effectively.

We therefore request that FinCEN clarify:

1. The definitions of “hosted” and “unhosted” wallets, and types of entities it considers to provide “hosted wallet services.” The NPRM never provides a single clear definition of a “hosted wallet” and uses inconsistent terminology when attempting to define it. The NPRM in one place describes hosted wallets as being “provided by account-based money transmitters” and also notes that “Bank can also be hosted wallet providers.” However, the NPRM also frequently uses the term, “financial institution” - a term that is broader than just banks and MSBs - when describing hosted wallet services, including when referring to entities located in countries on the Foreign Jurisdiction List. This inconsistent terminology may confuse banks and MSBs about whether a wallet they are interacting with is a hosted wallet for the purpose of complying with the measures set out in the NPRM. More specific definitions are essential to ensure effective compliance.

2. Its expectations regarding transactions that banks and MSBs may conduct with decentralized exchanges (DEXs) and other smart contract-based platforms. At present, the NPRM does not clearly define smart contracts as “unhosted wallets”, or otherwise address their status under these measures. As such, it is unclear how transactions with platforms such as DEXs that rely on smart contracts should be handled under the current proposal.

3. The extent of counterparty verification that would be required to satisfy the conditions for exemption from the requirements where a transaction involves an address with no spending history. In cases where a cryptoasset address does not have a history of transacting, a bank or MSB may not be able to rely on third party analytics solutions to ascertain whether the wallet is hosted or unhosted. In those cases, the bank or MSB would need to rely in part on their customer to provide an indication of whether the funds are bound for another financial institution or not. FinCEN should clarify the steps it expects banks and MSBs to take in these instances.

4. The nature and extent of due diligence that banks and MSBs should perform on their financial institution counterparties to satisfy the conditions for exemption from the proposed measures. The NPRM notes that FinCEN expects banks and MSBs to “determine that a counterparty wallet is a hosted wallet at either a BSA-regulated financial institution or a foreign financial institution that is not on the Foreign Jurisdiction List” and indicates that they can “apply reasonable, risk-based, documented procedures to confirm” the status of their financial institution counterparties. FinCEN should provide more specific guidance about the extent of counterparty due diligence it would regard as sufficient to make these determinations, and what level of verification must be undertaken in those instances

5. Provide further guidance on the data protection and privacy implications of these measures. This rule requires that banks and MSBs gather information on their counterparties, who may not be their own customers. Because of the underlying transparency of cryptoasset blockchains, both regulated businesses and law enforcement agencies would be in possession of an unprecedented amount of information about individuals and the extent of their financial flows. FinCEN should clarify what data protection measures the public sector will take to ensure that financial data of well-intentioned cryptoasset users is not jeopardized, and it should also clarify that banks and MSBs that gather this information would be provided with safe harbour.