31
October
2023
DLx Alert: FinCEN Identifies Foreign Convertible Virtual Currency “Mixing” as a Class of Transactions of Primary Money Laundering Concern
Important Alert
On October 19, 2023, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued a notice of proposed rulemaking (the “NPRM”)1 identifying certain activities it refers to as “convertible virtual currency mixing” (“CVC mixing”) as a class of transactions “within or involving a jurisdiction outside of the United States” that is of primary money laundering concern under the USA PATRIOT Act.2 The NPRM includes proposed measures that would strengthen the recordkeeping and reporting requirements of financial institutions subject to the Bank Secrecy Act (the “BSA”),3 like virtual currency exchanges and banks, in relation to transactions involving CVC mixing.
As proposed, the term “CVC mixing” is expansively defined and could potentially include the activities of a broad spectrum of blockchain network participants, going far beyond what many would readily think of as engaging in “mixing” (i.e., using mixers or tumblers like Tornado Cash, Blender.io, or JoinMarket). The recordkeeping and reporting measures are meant to increase transparency around CVC mixing, in theory discouraging its misuse by illicit actors and counteracting money laundering activity. If adopted as proposed, however, these measures could effectively cut off users, blockchain development companies, and other legitimate actors in the blockchain space from accessing traditional payment systems or using other services provided by financial institutions and licensed virtual currency exchanges.
Overview
In the NPRM, FinCEN cites to its authority under Section 311 of the USA PATRIOT Act to designate CVC mixing “within or involving a jurisdiction outside the United States” as a “class of transactions of primary money laundering concern.”4 Section 311 allows FinCEN (acting upon designation by the Secretary of the U.S. Treasury) to make this designation as part of a proposed rulemaking, but only on a time-limited basis, absent issuance of a corresponding final rule.5 Once made, the designation allows FinCEN to apply one or more prophylactic safeguards to defend the U.S. financial system from money laundering and terrorist financing risks. The available safeguards are enumerated in Section 311 as “special measures,” which increase in severity from “measure one” to “measure five.” FinCEN proposed in the NPRM only to apply the first special measure, which concerns recordkeeping and reporting by U.S. financial institutions.
FinCEN has seldom exercised its power to make a Section 311 designation and apply corresponding special measures. It is notable that this is the first time that FinCEN has used its broader authority under 311 to sanction “classes of transactions.”6 In the past FinCEN has exercised its 311 powers only with respect to specific countries and financial institutions. The first time FinCEN exercised these powers was in 2012, when it designated a foreign bank as a financial institution of primary money laundering concern as part of a proposed rulemaking, but that designation expired before the comment period and final rulemaking process could be concluded.7 In 2015, FinCEN designated another foreign bank as a financial institution of primary money laundering concern, but a federal district court judge enjoined the corresponding final rule promulgated by the agency.8 This was because FinCEN had failed to follow the applicable provisions of the Administrative Procedure Act requiring it to give the bank an opportunity to respond to all public information on which the agency relied in its rulemaking, and to identify why the agency did not choose any potentially viable but less forceful alternative penalties.9
Importantly, FinCEN can make a “primary money laundering concern” designation under Section 311 only with respect to activity “within or involving” a jurisdiction outside the United States. As a result, the NPRM’s proposed enhanced recordkeeping and reporting requirements can only be applied to mixing activities taking place outside the country. Nevertheless, the NPRM does not clarify how covered financial institutions would be able to determine when any detected CVC mixing activity “occurs within or involves” a non-U.S. jurisdiction.10
Covered financial institutions
“Covered financial institutions,” which would be subject to the proposed measures, are defined under the BSA to include banks, securities broker/dealers, money services businesses (including money transmitters), futures commission merchants, and mutual funds, among others. In the NPRM’s background section, FinCEN states that currently no “CVC mixers” are registered with the agency as money services businesses (“MSBs”), a type of covered financial institution. FinCEN suggests this demonstrates the global nature of its related money laundering concerns, noting that CVC mixers are required to register as MSBs if they engage in activities constituting money transmission in the U.S. as money transmitters.
These details in the NPRM signal that the kinds of “CVC mixers” with which FinCEN is likely primarily concerned are operating outside the U.S., away from its jurisdiction. This may not universally be the case, however. For example, in August 2023, in its indictment of Tornado Cash’s two founders (one of whom lived in the U.S.), the Department of Justice (the “DOJ”) alleged that the pair committed money laundering, conspiracy to violate sanctions, and conspiracy to operate an unlicensed money transmission business in connection with the platform, which provided a quintessential CVC “mixing” technology.11
In the NPRM, FinCEN cites sanctions issued against Tornado Cash and Blender.io by the Treasury Department’s Office of Foreign Assets Control, as well as the DOJ’s indictment, as evidence of the misuse of CVC mixers. This, together with the DOJ’s allegations of a conspiracy to violate U.S. money transmission laws in the case against the Tornado Cash founders, suggests that FinCEN may view at least certain CVC mixers to be engaged in activities as money transmitters. The agency has not publicly addressed the question, however, and it has not implied that any other activities under the NPRM’s expansive definition of “CVC mixer” (discussed below) constitute money transmission.
For those businesses that are considered to be money transmitters or other covered financial institutions, the BSA requires, among other things, maintaining expansive know-your-customer and customer due diligence programs, as well as implementing transaction monitoring, recordkeeping, and reporting controls. These obligations are inconsistent with capabilities in the current state of the smart contract code making up conventional CVC mixers. The same also holds true for other blockchain-based protocols and decentralized applications (“dApps”) that could potentially be considered “CVC mixers” under the NPRM’s proposed definition. Moreover, complying with these obligations (especially with the addition of the NPRM’s proposed measures) would be laborious, if not untenable, for blockchain ecosystem participants, dApp developers, and “front end” website operators facilitating the peer-to-peer use of decentralized finance (“DeFi”) services, if these persons or entities were considered to be covered financial institutions.
“CVC mixing” and “CVC mixers”
The NPRM broadly defines “CVC mixing” as “the facilitation of CVC transactions in a manner that obfuscates the source, destination or amount involved in one or more transactions, regardless of the type of protocol or service used.” The definition of “CVC mixing” broadly includes a wide range of identified activities, each included in the table below. Likewise, the NPRM broadly defines “CVC mixer” as “any person, group, service, code, tool, or function that facilitates CVC mixing.”12 The expansive definition of “CVC mixers” potentially includes a large swath of blockchain network participants because the types of activities identified as “CVC mixing” could be interpreted to include a variety of innocuous pursuits and uses in the blockchain space. The table below also identifies the kinds of activities that each activity included as part of the “CVC mixing” definition could potentially be interpreted to include.
Activities Identified as “CVC Mixing” | Interpretations for Potentially Included Activity |
“Pooling or aggregating CVC from multiple persons, wallets, addresses, or accounts” |
|
“Using programmatic or algorithmic code to coordinate, manage, or manipulate the structure of a transaction” |
|
“Splitting CVC for transmittal and transmitting the CVC through a series of independent transactions” |
|
“Creating and using single-use wallets, addresses, or accounts, and sending CVC through those wallets, addresses, or accounts through a series of independent transactions”
(The NPRM states that this is colloquially known as a “peel chain”) |
|
“Exchanging between types of CVC or other digital assets”
(The NPRM states that this as a type of user activity meant to facilitate transaction obfuscation by converting from one CVC to another before moving the funds to a different platform, colloquially known as “chain hopping”) |
|
“Facilitating user-initiated delays in transactional activity” |
|
In a modest concession to the current workings of the blockchain ecosystem, the NPRM’s proposed “CVC mixer” definition explicitly excludes the use of “internal protocols or processes to execute transactions” by “banks, broker-dealers, [and] money services businesses, including [virtual asset service providers],” as long as they preserve records of the source and destination in all transactions involving virtual currency in accordance with U.S. regulations. Nevertheless, this carveout does not extend to non-U.S. financial institutions that might perform any of these kinds of functions or activities, so those institutions could very well be considered CVC mixers under the proposed measures.
Proposed requirements
Under the proposed rule, all covered financial institutions would have to report certain information to FinCEN whenever they know, suspect, or have reason to suspect a transaction involves the use of “CVC mixing” outside the United States. Under the NPRM’s measures as proposed, an institution would likely have to file a report with FinCEN every time it suspects a customer transferred or received any virtual currency through a foreign virtual currency exchange, or via a DeFi service or blockchain-based protocol that includes non-U.S. participants, thereby likely discouraging their use. The details that covered financial institutions would need to include in the reports would be extensive and include the personal identifying information of their customers.
What is unclear from the NPRM is the nature of the systems and controls a covered financial institution would have to implement to be able to comply with the proposed special measure when such a vast number of activities are considered to be “CVC mixing,” particularly since the requirements of the special measure would apply to activities that take place in or involve a jurisdiction outside of the U.S. and, thus, likely outside of the institution’s direct purview. For example, it is not clear what tools would be at a covered financial institution’s disposal to be able to detect when CVC has been “split” by services based overseas and transmitted through a series of independent transactions.
To comply with the proposed measures, a covered institution may seek to collect detailed records from customers on their use of CVC mixers during onboarding and again prior to each transaction, putting the onus on customers to compile the details. Whether this would satisfy the institution’s requirement to report activity it has “reason to suspect” involves CVC mixing, however, is unclear. Alternatively, covered institutions may potentially view compliance as too great of a risk, cost, or operational burden and stop supporting virtual currency services or blockchain-based participants altogether. Either way, if adopted as proposed, the NPRM could likely diminish legitimate use of crypto assets in the U.S. as users, exchanges, developers and operators of protocol front-ends struggle to apply the new requirements correctly.
Notably, the NPRM comes shortly after the Treasury published the 2023 DeFi Illicit Finance Risk Assessment in April of 2023.13 The NPRM contains but one of several sets of anticipated new measures as part of Treasury’s recent and ongoing efforts to prevent illicit actors from abusing CVC, DeFi, and other applications of blockchain technology. FinCEN’s Global Investigations Division (GID)—which was formed in 2019 with authority under Section 311 to detect and deter a wide range of potential threats to national security and the U.S. financial system14—is expected to play a big part in enforcement under the new measures.
Request for comments
The NPRM concludes with a request for comments on a number of important topics, including FinCEN’s designation of CVC mixing as a class of transactions of primary money laundering concern. Commenters are also invited to offer feedback on the proposed enhanced recordkeeping and reporting requirements under special measure one of Section 311, the definitions included as part of the proposed measures, anticipated burdens or impacts on the industry, and potential alternative approaches, including whether FinCEN should impose any of the other four significantly more restrictive special measures. The comment period closes January 22, 2024.
Conclusion
The NPRM focuses almost exclusively on the activities of illicit / threat actors who are outside of the U.S. However, it is unclear the extent to which increased recordkeeping by U.S. institutions would address the underlying concerns associated with CVC mixing. FinCEN noted that they did not believe that the implementation of special measure one with respect to CVC mixers as proposed in the NPRM would place an undue burden on U.S. institutions because these entities are already required to comply with substantially similar requirements under the BSA, including the BSA’s “suspicious activity report” (SAR) regime.
This observation raises the question of the need for, and likely efficacy of, the proposed measure, however, unless the primary purpose is for FinCEN to require licensed virtual currency exchanges to gather data on specific transactions via heightened record keeping requirements. Although not stated in the NPRM, one indirect objective may be to make it more burdensome or invasive for customers of covered financial institutions to use CVC for otherwise law-abiding purposes, thereby potentially cutting down on the overall usage of CVC in the U.S.
To the extent that the primary bad actors and the operators CVC mixers are outside of the U.S., however, the impact of the NPRM may be counterproductively to drive this activity further outside the boundaries of the United States, reducing likely enforcement pathways. FinCEN acknowledges that CVC mixing can be used for some legitimate business purposes (for example, privacy enhancement for those living under repressive regimes) but it will be left to commenters to make the case for why these uses are valuable and should not be unduly impinged upon.
Reality of the old requirements vs. new requirements
- Importantly, FinCEN can and has assessed monetary penalties on covered financial institutions that have failed to conduct appropriate customer due diligence, including in its enforcement actions against Bitrex and BitMex.
- Once the final rule is put in place, additional enforcement actions and penalties affecting U.S.-based blockchain businesses can be anticipated.
Feel free to contact the DLx Law team with any questions you might have.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
NOTES
1. Dep’t of Treasury, Fin. Crimes Enf’t Network, Proposal of Special Measure Regarding Convertible Virtual Currency Mixing, as a Class of Transactions of Primary Money Laundering Concern, 88 Fed. Reg. 72701 (Oct. 23, 2023) (to be codified at 31 C.F.R. pt. 1010), https://www.federalregister.gov/documents/2023/10/23/2023-23449/proposal-of-special-measure-regarding convertible-virtual-currency-mixing-as-a-class-of-transactions.
2. See The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Public Law 107-56 (the “USA PATRIOT Act”).
3. The BSA, as amended, is the popular name for a collection of statutory authorities that FinCEN administers that is codified at 12 U.S.C. 1829b, 1951–1960 and 31 U.S.C. 5311– 5314, 5316–5336, and includes other authorities reflected in notes thereto. Regulations implementing the BSA appear at 31 CFR Chapter X.
4. For additional details on Section 311, see Treasury Dep’t, 311 Actions, treasury.gov: Policy Issues: Terrorism & Illicit Finance, https://home.treasury.gov/policy-issues/terrorism-and-illicit-finance/311-actions (last visited Oct. 31, 2023).
5. This special measure “may be imposed by regulation, order, or otherwise as permitted by law” without prior public notice and comment, but an order designating any “class of transactions of primary money laundering concern” must be issued together with an NPRM and must last no longer than 120 days absent the promulgation of a rule on or before the end of the 120-day period beginning on the date the order was issued. See 31 U.S.C. §§ 5318A(a)(2), 5318A(a)(3). Therefore, while any particular jurisdiction, financial institution, class of transactions, or type of account may be designated a primary money laundering concern in an order issued by FinCEN together with an NPRM, special measures of unlimited duration can only be imposed by a final rule. 5 U.S.C. §§ 553(b), 553(c).
6. See 31 U.S.C. §§ 5318A(a)(1).
7. Treasury Dep’t, Fin. Crimes Enf’t Network, Notice of Proposed Rulemaking Imposing a Special Measure Against JSC CredexBank as a Financial Institution of Primary Money Laundering Concern, 77 Fed. Reg. 31794, 31794-803 (May 30, 2012), https://www.federalregister.gov/documents/2012/05/30/2012-12747/financial-crimes-enforcement-network imposition-of-special-measure-against-jsc-credexbank-as-a.
8. See FBME Bank Ltd v. Lew, 125 F. Supp. 3d 109, 113, 129 (D.D.C. 2015).
9. Unlike when special measures are imposed on a financial institution, when measures are imposed on a “class of transactions,” no equivalent person or organization that can directly respond and make similar objections. Therefore, importantly, as many members of digital assets communities ought to engage in the NPRM’s comment process as possible.
10. Because the source of FinCEN’s authority is Section 311 of the USA PATRIOT Act, domestic activity would likely not require detection or reporting unless it “involves” a jurisdiction outside the United States. If potentially non-U.S. “involvement” stems only from the presence of at least one server node in a blockchain network being physically outside of the U.S., then this may amount to a very significant expansion of how FinCEN’s authority under Section 311 is currently interpreted. Of course, domestic CVC mixing activity, if detected, may still trigger a covered financial institution’s reporting obligations under standard BSA principles.
11. U.S. v. Roman Storm and Roman Semenov (S.D.N.Y. 2023), Indictment No. 23 Cr. 430 (Aug. 23, 2023).
12. Throughout the NPRM, FinCEN conflates the technology that can be used to facilitate CVC “mixing” and the individuals or companies that operate or maintain these technologies, referring at different times to both as “CVC mixers”. Unless corrected in the final adopted rules, this conflation may significantly exacerbate the challenges market participants face in applying the ultimate rules.
13. Treasury Dep’t, Press Release: Treasury Releases 2023 DeFi Illicit Finance Risk Assessment, treasury.gov: News: Press Releases (rev. Apr. 6, 2023), https://home.treasury.gov/news/press-releases/jy1391.
14. Treasury Dep’t, Press Release: New FinCEN Division Focuses on Identifying Primary Foreign Money Laundering Threats, treasury.gov: News: Press Releases (rev. Aug. 28, 2019), https://www.fincen.gov/news/news-releases/new-fincen-division-focuses-identifying-primary-foreign-money-laundering-threats.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
IMPORTANT NOTICE ABOUT ATTORNEY ADVERTISING
The contents of this communication are intended for general informational purposes only. This is not an attorney-client communication, and you therefore should not consider the content of this communication as legal or regulatory advice or a legal opinion in connection with any specific facts or circumstances. This communication is not intended as attorney advertising, but it might be considered attorney advertising in certain jurisdictions. Read our full legal disclaimer.