31

October

2023

DLx Alert: FinCEN Identifies Foreign Convertible Virtual Currency “Mixing” as a Class of Transactions of Primary Money Laundering Concern

Important Alert

On October 19, 2023, the U.S. Treasury Department’s Financial Crimes Enforcement  Network (“FinCEN”) issued a notice of proposed rulemaking (the “NPRM”)1 identifying certain  activities it refers to as “convertible virtual currency mixing” (“CVC mixing”) as a class of  transactions “within or involving a jurisdiction outside of the United States” that is of primary money  laundering concern under the USA PATRIOT Act.2 The NPRM includes proposed measures that  would strengthen the recordkeeping and reporting requirements of financial institutions subject to  the Bank Secrecy Act (the “BSA”),3 like virtual currency exchanges and banks, in relation to  transactions involving CVC mixing.

As proposed, the term “CVC mixing” is expansively defined and could potentially include  the activities of a broad spectrum of blockchain network participants, going far beyond what many  would readily think of as engaging in “mixing” (i.e., using mixers or tumblers like Tornado Cash,  Blender.io, or JoinMarket). The recordkeeping and reporting measures are meant to increase  transparency around CVC mixing, in theory discouraging its misuse by illicit actors and  counteracting money laundering activity. If adopted as proposed, however, these measures could  effectively cut off users, blockchain development companies, and other legitimate actors in the  blockchain space from accessing traditional payment systems or using other services provided by  financial institutions and licensed virtual currency exchanges.

Overview

In the NPRM, FinCEN cites to its authority under Section 311 of the USA PATRIOT Act to  designate CVC mixing “within or involving a jurisdiction outside the United States” as a “class of  transactions of primary money laundering concern.”4 Section 311 allows FinCEN (acting upon  designation by the Secretary of the U.S. Treasury) to make this designation as part of a proposed  rulemaking, but only on a time-limited basis, absent issuance of a corresponding final rule.5 Once  made, the designation allows FinCEN to apply one or more prophylactic safeguards to defend the  U.S. financial system from money laundering and terrorist financing risks. The available safeguards  are enumerated in Section 311 as “special measures,” which increase in severity from “measure one”  to “measure five.” FinCEN proposed in the NPRM only to apply the first special measure, which  concerns recordkeeping and reporting by U.S. financial institutions.

FinCEN has seldom exercised its power to make a Section 311 designation and apply  corresponding special measures. It is notable that this is the first time that FinCEN has used its  broader authority under 311 to sanction “classes of transactions.”6 In the past FinCEN has exercised  its 311 powers only with respect to specific countries and financial institutions. The first time FinCEN exercised these powers was in 2012, when it designated a foreign bank as a financial  institution of primary money laundering concern as part of a proposed rulemaking, but that  designation expired before the comment period and final rulemaking process could be concluded.7 In 2015, FinCEN designated another foreign bank as a financial institution of primary money laundering concern, but a federal district court judge enjoined the corresponding final rule  promulgated by the agency.8 This was because FinCEN had failed to follow the applicable  provisions of the Administrative Procedure Act requiring it to give the bank an opportunity to  respond to all public information on which the agency relied in its rulemaking, and to identify why the agency did not choose any potentially viable but less forceful alternative penalties.9

Importantly, FinCEN can make a “primary money laundering concern” designation under  Section 311 only with respect to activity “within or involving” a jurisdiction outside the United  States. As a result, the NPRM’s proposed enhanced recordkeeping and reporting requirements can only be applied to mixing activities taking place outside the country. Nevertheless, the NPRM does not clarify how covered financial institutions would be able to determine when any detected CVC mixing activity “occurs within or involves” a non-U.S. jurisdiction.10

Covered financial institutions 

“Covered financial institutions,” which would be subject to the proposed measures, are  defined under the BSA to include banks, securities broker/dealers, money services businesses  (including money transmitters), futures commission merchants, and mutual funds, among others. In  the NPRM’s background section, FinCEN states that currently no “CVC mixers” are registered with  the agency as money services businesses (“MSBs”), a type of covered financial institution. FinCEN  suggests this demonstrates the global nature of its related money laundering concerns, noting that  CVC mixers are required to register as MSBs if they engage in activities constituting money  transmission in the U.S. as money transmitters.

These details in the NPRM signal that the kinds of “CVC mixers” with which FinCEN is  likely primarily concerned are operating outside the U.S., away from its jurisdiction. This may not  universally be the case, however. For example, in August 2023, in its indictment of Tornado Cash’s  two founders (one of whom lived in the U.S.), the Department of Justice (the “DOJ”) alleged that the  pair committed money laundering, conspiracy to violate sanctions, and conspiracy to operate an  unlicensed money transmission business in connection with the platform, which provided a  quintessential CVC “mixing” technology.11

In the NPRM, FinCEN cites sanctions issued against Tornado Cash and Blender.io by the  Treasury Department’s Office of Foreign Assets Control, as well as the DOJ’s indictment, as  evidence of the misuse of CVC mixers. This, together with the DOJ’s allegations of a conspiracy to  violate U.S. money transmission laws in the case against the Tornado Cash founders, suggests that  FinCEN may view at least certain CVC mixers to be engaged in activities as money transmitters.  The agency has not publicly addressed the question, however, and it has not implied that any other  activities under the NPRM’s expansive definition of “CVC mixer” (discussed below) constitute  money transmission.

For those businesses that are considered to be money transmitters or other covered financial  institutions, the BSA requires, among other things, maintaining expansive know-your-customer and  customer due diligence programs, as well as implementing transaction monitoring, recordkeeping,  and reporting controls. These obligations are inconsistent with capabilities in the current state of the  smart contract code making up conventional CVC mixers. The same also holds true for other  blockchain-based protocols and decentralized applications (“dApps”) that could potentially be considered “CVC mixers” under the NPRM’s proposed definition. Moreover, complying with these  obligations (especially with the addition of the NPRM’s proposed measures) would be laborious, if  not untenable, for blockchain ecosystem participants, dApp developers, and “front end” website  operators facilitating the peer-to-peer use of decentralized finance (“DeFi”) services, if these persons  or entities were considered to be covered financial institutions.

“CVC mixing” and “CVC mixers”

The NPRM broadly defines “CVC mixing” as “the facilitation of CVC transactions in a  manner that obfuscates the source, destination or amount involved in one or more transactions,  regardless of the type of protocol or service used.” The definition of “CVC mixing” broadly includes  a wide range of identified activities, each included in the table below. Likewise, the NPRM broadly  defines “CVC mixer” as “any person, group, service, code, tool, or function that facilitates CVC  mixing.”12 The expansive definition of “CVC mixers” potentially includes a large swath of  blockchain network participants because the types of activities identified as “CVC mixing” could be  interpreted to include a variety of innocuous pursuits and uses in the blockchain space. The table below also identifies the kinds of activities that each activity included as part of the “CVC mixing”  definition could potentially be interpreted to include.

Activities Identified as “CVC Mixing”  Interpretations for Potentially Included Activity
“Pooling or aggregating CVC from  multiple persons, wallets, addresses, or  accounts”
  • Use of decentralized virtual currency exchanges  (DEXes).
  • Use of blockchain-based lending protocols.
  • Crowdfunding activities, ICOs, or use of other  investment structures.
  • Staking protocol activities.
  • Liquidity protocol activities.
  • Mining pool or yield farming participation.
  • Other types of blockchain-based services involving pooling participants’ contributions of virtual currency or other digital assets.
“Using programmatic or algorithmic code to coordinate, manage, or  manipulate the structure of a transaction”
  • Calls made to smart contracts generally.
  • Activities of decentralized autonomous  organizations (DAOs) or the functions of DAO  protocolsActivities on protocols that offer maximal  extractable value (MEV) opportunities.
  • Functions performed in support of various layer-2  blockchain protocols, like sequencing, relaying,  proposing, submitting, etc.
  • Interacting with blockchain “bridge” or cross chain interoperability protocols to move representations of CVCs from one blockchain  network to another.
“Splitting CVC for transmittal and  transmitting the CVC through a series of  independent transactions”
  • Services or protocol functions that facilitate  microtransactions with CVCs.
  • Any payment channel or layer-2 blockchain  protocol that uses off-chain mechanisms to split  any amount of a CVC to be recorded as separate  transactions.
“Creating and using single-use wallets,  addresses, or accounts, and sending CVC through those wallets, addresses, or accounts through a series of independent transactions”

(The NPRM states that this is colloquially known as a “peel chain”)
  • Services or protocol functions that involve using a  new public address for each transaction to enhance privacy or security.
  • Use of single-use wallets to facilitate escrow or  smart contract functions.
  • Use of any service or smart contract protocol that  involves segregation of CVCs among different wallet addresses for different purposes, or for  separate and distinct one-time transactions.
“Exchanging between types of CVC or  other digital assets”

(The NPRM states that this as a type of user  activity meant to facilitate transaction  obfuscation by converting from one CVC to  another before moving the funds to a different platform, colloquially known as “chain  hopping”)
  • CVC exchange activities, both centralized and  decentral.
  • Atomic swap services (which facilitate direct  wallet-to-wallet CVC exchange without an  intermediary).
  • Use of blockchain bridge protocols.
  • Use of any privacy coin or token designed to  enhance users’ privacy or anonymity.
“Facilitating user-initiated delays in  transactional activity”
  • Use of any smart contract to delay transaction  execution or finality.
  • Use of multiple-signature wallets to execute any  transaction, potentially causing delays.
  • Layer-2 blockchain protocol functions that are  used to batch transactions before finalizing them  on the main blockchain.

 

In a modest concession to the current workings of the blockchain ecosystem, the NPRM’s  proposed “CVC mixer” definition explicitly excludes the use of “internal protocols or processes to  execute transactions” by “banks, broker-dealers, [and] money services businesses, including [virtual  asset service providers],” as long as they preserve records of the source and destination in all  transactions involving virtual currency in accordance with U.S. regulations. Nevertheless, this  carveout does not extend to non-U.S. financial institutions that might perform any of these kinds of  functions or activities, so those institutions could very well be considered CVC mixers under the  proposed measures.

Proposed requirements

Under the proposed rule, all covered financial institutions would have to report certain  information to FinCEN whenever they know, suspect, or have reason to suspect a transaction  involves the use of “CVC mixing” outside the United States. Under the NPRM’s measures as  proposed, an institution would likely have to file a report with FinCEN every time it suspects a  customer transferred or received any virtual currency through a foreign virtual currency exchange,  or via a DeFi service or blockchain-based protocol that includes non-U.S. participants, thereby likely  discouraging their use. The details that covered financial institutions would need to include in the  reports would be extensive and include the personal identifying information of their customers.

What is unclear from the NPRM is the nature of the systems and controls a covered financial  institution would have to implement to be able to comply with the proposed special measure when  such a vast number of activities are considered to be “CVC mixing,” particularly since the  requirements of the special measure would apply to activities that take place in or involve a  jurisdiction outside of the U.S. and, thus, likely outside of the institution’s direct purview. For  example, it is not clear what tools would be at a covered financial institution’s disposal to be able to  detect when CVC has been “split” by services based overseas and transmitted through a series of  independent transactions.

To comply with the proposed measures, a covered institution may seek to collect detailed  records from customers on their use of CVC mixers during onboarding and again prior to each  transaction, putting the onus on customers to compile the details. Whether this would satisfy the  institution’s requirement to report activity it has “reason to suspect” involves CVC mixing, however,  is unclear. Alternatively, covered institutions may potentially view compliance as too great of a risk,  cost, or operational burden and stop supporting virtual currency services or blockchain-based  participants altogether. Either way, if adopted as proposed, the NPRM could likely diminish  legitimate use of crypto assets in the U.S. as users, exchanges, developers and operators of protocol  front-ends struggle to apply the new requirements correctly.

Notably, the NPRM comes shortly after the Treasury published the 2023 DeFi Illicit Finance Risk Assessment in April of 2023.13 The NPRM contains but one of several sets of anticipated new  measures as part of Treasury’s recent and ongoing efforts to prevent illicit actors from abusing CVC,  DeFi, and other applications of blockchain technology. FinCEN’s Global Investigations Division  (GID)—which was formed in 2019 with authority under Section 311 to detect and deter a wide range  of potential threats to national security and the U.S. financial system14—is expected to play a big part  in enforcement under the new measures.

Request for comments

The NPRM concludes with a request for comments on a number of important topics,  including FinCEN’s designation of CVC mixing as a class of transactions of primary money  laundering concern. Commenters are also invited to offer feedback on the proposed enhanced  recordkeeping and reporting requirements under special measure one of Section 311, the definitions  included as part of the proposed measures, anticipated burdens or impacts on the industry, and  potential alternative approaches, including whether FinCEN should impose any of the other four  significantly more restrictive special measures. The comment period closes January 22, 2024.

Conclusion 

The NPRM focuses almost exclusively on the activities of illicit / threat actors who are  outside of the U.S. However, it is unclear the extent to which increased recordkeeping by U.S. institutions would address the underlying concerns associated with CVC mixing. FinCEN noted  that they did not believe that the implementation of special measure one with respect to CVC mixers  as proposed in the NPRM would place an undue burden on U.S. institutions because these entities  are already required to comply with substantially similar requirements under the BSA, including  the BSA’s “suspicious activity report” (SAR) regime.

This observation raises the question of the need for, and likely efficacy of, the  proposed measure, however, unless the primary purpose is for FinCEN to require  licensed virtual currency exchanges to gather data on specific transactions via  heightened record keeping requirements. Although not stated in the NPRM, one  indirect objective may be to make it more burdensome or invasive for customers  of covered financial institutions to use CVC for otherwise law-abiding purposes,  thereby potentially cutting down on the overall usage of CVC in the U.S.

To the extent that the primary bad actors and the operators CVC mixers are outside of the U.S., however, the impact of the NPRM may be counterproductively to drive this activity further outside the boundaries of the United States, reducing likely enforcement pathways. FinCEN acknowledges that CVC mixing can be used for some legitimate business purposes  (for example, privacy enhancement for those living under repressive regimes) but it will be left to  commenters to make the case for why these uses are valuable and should not be unduly impinged  upon.

Reality of the old requirements vs. new requirements

  • Importantly, FinCEN can and has assessed monetary penalties on covered financial  institutions that have failed to conduct appropriate customer due diligence, including in its enforcement actions against Bitrex and BitMex.
  • Once the final rule is put in place, additional enforcement actions and penalties affecting  U.S.-based blockchain businesses can be anticipated.

Feel free to contact the DLx Law team with any questions you might have.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

NOTES

1. Dep’t of Treasury, Fin. Crimes Enf’t Network, Proposal of Special Measure Regarding Convertible Virtual Currency Mixing, as a Class of Transactions of  Primary Money Laundering Concern, 88 Fed. Reg. 72701 (Oct. 23, 2023) (to be codified at 31 C.F.R. pt. 1010),  https://www.federalregister.gov/documents/2023/10/23/2023-23449/proposal-of-special-measure-regarding convertible-virtual-currency-mixing-as-a-class-of-transactions.

2. See The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct  Terrorism Act of 2001, Public Law 107-56 (the “USA PATRIOT Act”).

3. The BSA, as amended, is the popular name for a collection of statutory authorities that FinCEN administers that is  codified at 12 U.S.C. 1829b, 1951–1960 and 31 U.S.C. 5311– 5314, 5316–5336, and includes other authorities reflected in notes thereto. Regulations implementing the BSA appear at 31 CFR Chapter X.

4. For additional details on Section 311, see Treasury Dep’t, 311 Actions, treasury.gov: Policy Issues: Terrorism & Illicit Finance,  https://home.treasury.gov/policy-issues/terrorism-and-illicit-finance/311-actions (last visited Oct. 31, 2023).

5. This special measure “may be imposed by regulation, order, or otherwise as permitted by law” without prior public  notice and comment, but an order designating any “class of transactions of primary money laundering concern” must be  issued together with an NPRM and must last no longer than 120 days absent the promulgation of a rule on or before the  end of the 120-day period beginning on the date the order was issued. See 31 U.S.C. §§ 5318A(a)(2), 5318A(a)(3). Therefore, while any particular jurisdiction, financial institution, class of transactions, or type of account may be  designated a primary money laundering concern in an order issued by FinCEN together with an NPRM, special measures  of unlimited duration can only be imposed by a final rule. 5 U.S.C. §§ 553(b), 553(c).

6. See 31 U.S.C. §§ 5318A(a)(1).

7. Treasury Dep’t, Fin. Crimes Enf’t Network, Notice of Proposed Rulemaking Imposing a Special Measure Against JSC CredexBank as a Financial Institution of Primary Money Laundering Concern, 77 Fed. Reg. 31794, 31794-803 (May 30, 2012), https://www.federalregister.gov/documents/2012/05/30/2012-12747/financial-crimes-enforcement-network imposition-of-special-measure-against-jsc-credexbank-as-a.

8. See FBME Bank Ltd v. Lew, 125 F. Supp. 3d 109, 113, 129 (D.D.C. 2015).

9. Unlike when special measures are imposed on a financial institution, when measures are imposed on a “class of  transactions,” no equivalent person or organization that can directly respond and make similar objections. Therefore, importantly, as many members of digital assets communities ought to engage in the NPRM’s comment process as  possible.

10. Because the source of FinCEN’s authority is Section 311 of the USA PATRIOT Act, domestic activity would likely  not require detection or reporting unless it “involves” a jurisdiction outside the United States. If potentially non-U.S. “involvement” stems only from the presence of at least one server node in a blockchain network being physically outside  of the U.S., then this may amount to a very significant expansion of how FinCEN’s authority under Section 311 is  currently interpreted. Of course, domestic CVC mixing activity, if detected, may still trigger a covered financial  institution’s reporting obligations under standard BSA principles.

11. U.S. v. Roman Storm and Roman Semenov (S.D.N.Y. 2023), Indictment No. 23 Cr. 430 (Aug. 23, 2023).

12. Throughout the NPRM, FinCEN conflates the technology that can be used to facilitate CVC “mixing” and the  individuals or companies that operate or maintain these technologies, referring at different times to both as “CVC  mixers”. Unless corrected in the final adopted rules, this conflation may significantly exacerbate the challenges market  participants face in applying the ultimate rules.

13. Treasury Dep’t, Press Release: Treasury Releases 2023 DeFi Illicit Finance Risk Assessment, treasury.gov: News: Press Releases (rev. Apr. 6, 2023), https://home.treasury.gov/news/press-releases/jy1391.

14. Treasury Dep’t, Press Release: New FinCEN Division Focuses on Identifying Primary Foreign Money Laundering  Threats, treasury.gov: News: Press Releases (rev. Aug. 28, 2019), https://www.fincen.gov/news/news-releases/new-fincen-division-focuses-identifying-primary-foreign-money-laundering-threats.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

IMPORTANT NOTICE ABOUT ATTORNEY ADVERTISING

The contents of this communication are intended for general informational purposes only. This is not an attorney-client communication, and you therefore should not consider the content of this communication as legal or regulatory advice or a legal opinion in connection with any specific facts or circumstances. This communication is not intended as attorney advertising, but it might be considered attorney advertising in certain jurisdictions. Read our full legal disclaimer.

Read the full article on the link below

Read more
X

Amil Malik

Amil assists with various client matters in connection with digital assets and the adoption of blockchain technology, including general corporate law, securities law, and financial services regulation. She joined DLx Law after receiving her J.D. from the George Washington University School of Law, where much of her studies focused on national security and cybersecurity law.

Amil received her B.B.A./B.A. with high honors from the University of Texas at Austin. Between university and law school, Amil worked as a mergers and acquisitions analyst in New York, where she performed financial valuations and analysis as part of advisory services provided to sell-side and buy-side clients across media, consumer, technology, shipping, and financial technology industries. Amil is licensed to practice law in the District of Columbia.

Tom Momberg

+17186645458 tom.momberg@dlxlaw.com

Tom advises clients in an array of matters related to blockchain technology, decentralized finance, banking and payments systems, financial products, and financial technology applications. He joined DLx Law as an attorney after working as in-house counsel for a payments and banking software service provider, advising on various legal and regulatory matters, operations, risk, customer due diligence, and corporate best practices.

Tom received his J.D. from George Mason University Law School in Virginia and his B.A. from the University of Wisconsin-Milwaukee. Tom is a former journalist, and, while in law school, he interned for DLx Law and served as a law clerk for several federal institutions in Washington, D.C., including the CFTC, FCC, and House Judiciary Committee. Tom is admitted to practice law in the District of Columbia and the State of Oregon.

Sarah Chen

+19296345691 sarah.chen@dlxlaw.com

Sarah advises clients in all matters related to the adoption of blockchain technology, including general corporate, venture financing, securities laws and financial regulatory. Prior to joining DLx Law, Sarah was a senior associate in the M&A group of an international law firm headquartered in New York City, advising public companies and private equity firms on mergers, acquisitions, and other corporate transactions.

Sarah received her B.A. from New York University, magna cum laude, and her J.D. from Columbia Law School where she was a James Kent Scholar. During law school, Sarah also served as a judicial extern to the Hon. Debra Ann Livingston of the U.S. Court of Appeals for the Second Circuit. Sarah is licensed to practice law in the State of New York.

Gregory Strong

+3027665535 greg.strong@dlxlaw.com

Greg focuses on advising entities regarding legal issues associated with the adoption of blockchain technology. Prior to joining DLx Law, Greg was a Deputy Attorney General in the Delaware Department of Justice. He served as the Director of the Investor Protection Unit for three years and was responsible for administering and enforcing the provisions of the Delaware Securities Act. Prior to his appointment as Director of the Investor Protection Unit, Greg was the Director of the Consumer Protection Unit for three years.

Greg has successfully represented the State of Delaware in many complex civil enforcement matters alleging violations of Delaware investor and consumer protection statutes and has extensive litigation experience. Greg graduated from Lehigh University with a B.S. in Finance and received his J.D./M.B.A. from Temple University.

Angela Angelovska-Wilson

+12023651448 angela@dlxlaw.com

Angela is an early distributed ledger technology adopter and a leading authority in the evolving global legal and regulatory landscape surrounding distributed ledger technology and smart contracts. Prior to co-founding DLx Law, Angela served as the Chief Legal & Compliance Officer of Digital Asset and was part of the founding team.

Prior to joining Digital Asset, Angela was a partner at Reed Smith where she regularly advised clients on the implementation of new technologies to finance and the complex regulatory schemes involved in the development, creation, marketing, sale and servicing of various financial services and products. Before Reed Smith, Angela spent most of her career in various roles at Latham & Watkins, where she was recognized by The Legal 500 US among the top finance attorneys in the U.S.

Angela has a deep understanding of the Fin-Tech industry and in particular the distributed ledger industry, having been involved in a number of startups in various roles, as an employee, entrepreneur and advisor. In addition to DLx Law, Angela is also co-founder of Sila Inc., an innovative technology company.