Recently proposed regulations could present significant compliance burdens for the banks and money service businesses that engage in cryptocurrency transactions with unhosted wallets or wallets held in jurisdictions specified by FinCEN. In this LawFlash, we summarize the proposed rule and provide some key takeaways and observations on what appears to be a continuation of the trend of subjecting such transactions to the equivalent requirements found in the traditional banking system.
The Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (the Proposal) on December 18, 2020, along with a short set of FAQs regarding proposed requirements for certain transactions involving convertible virtual currency (CVC) or digital assets with legal tender status (LTDA) (commonly referred to as cryptocurrencies).
As discussed below, under the Proposal, banks and money service businesses (MSBs) would be required to submit reports, keep records, and verify the identity of customers participating in transactions above certain thresholds involving CVC/LTDA wallets not hosted by a financial institution (also known as “unhosted wallets”) or CVC/LTDA wallets hosted by a financial institution in certain jurisdictions identified by FinCEN. A “wallet” allows a user to store, send, and receive cryptocurrency.
The Proposal was made pursuant to the Bank Secrecy Act (BSA) and the proposed reporting and recordkeeping rules are similar to the rules for transactions in currency and for bank wire transfers, respectively.
Relying on the Administrative Procedure Act’s exemption from the 60-day comment period, FinCEN originally provided 15 days for public comment, or until January 4, 2021. However, FinCEN noted that it will endeavor to consider any material comments received after the deadline as well. On January 15, FinCEN extended the comment period for an additional 15 days for comments on the proposed reporting requirements, and for 45 days for comments on the requirement to report counterparty information and the recordkeeping requirements. In so doing, FinCEN noted the volume of comments received, as well as the enactment of the Anti-Money Laundering Act of 2020 (Division F) of Public Law 116-283 (AML Act), which amended 31 USC § 5312(a)(3), the definition of “monetary instruments” in the BSA, on which FinCEN proposes to rely in determining that CVC/LTDA are monetary instruments.[1]
It is clear that FinCEN would like to rapidly implement these rules, although the volume of comments that FinCEN apparently received (more than 7,500) plus the enactment of the AML Act appear to have stayed the agency’s hand for a time. We still believe that the Proposal, especially the reporting requirements, will become effective in the revised timeframe.
As we previously discussed, in 2019, FinCEN issued guidance consolidating regulations, rulings, and prior guidance about cryptocurrencies and MSBs under the BSA. Along with the 2019 guidance, FinCEN issued an advisory to assist financial institutions in identifying and reporting suspicious activity or criminal use of cryptocurrencies.
The original Proposal was issued in response to both criminal actors’ use of and the national security risks posed by certain cryptocurrency transactions. The statement accompanying the Proposal’s release explains that the US government has found that bad actors are increasingly using cryptocurrencies to “facilitate international terrorist financing, weapons proliferation, sanctions evasion, and transnational money laundering as well as to buy and sell controlled substances, stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms, and toxic chemicals,” and engage in ransomware attacks, all of which have increased in severity.
FinCEN also stated that this new cryptocurrency Proposal will establish controls to protect US national security from various state-sponsored threats, including state-sponsored ransomware and cybersecurity attacks, sanctions evasion, and the financing of global terrorism.
Reporting Requirement
The proposed reporting requirement applies to CVC and LTDA transactions between a bank or MSB and a counterparty where (1) the transaction exceeds $10,000 in value and (2) the counterparty uses an unhosted or otherwise covered wallet. The Proposal defines “otherwise covered” wallets as those held at a financial institution that is not subject to the BSA and is located in a foreign jurisdiction identified by FinCEN as a jurisdiction of primary money laundering concern, including Burma, Iran, and North Korea. Transactions between hosted wallets and transactions where the counterparty wallet is hosted by a foreign financial institution, except for a foreign financial institution in a jurisdiction listed on the Foreign Jurisdictions List, would be exempt from the requirements.
FinCEN plans to issue a value transaction report form similar to but distinct from the existing currency transaction reporting (CTR) form that will require the reporting of information on the filer, transaction, hosted wallet customer, and each counterparty. Pursuant to the Proposal, banks and MSBs will have 15 days from the date on which a reportable transaction occurs to file a report with FinCEN. The Proposal also includes an aggregation requirement if the financial institution has knowledge that a transaction is one of multiple CVC/LTDA transactions involving a single person within a 24-hour period that aggregate to value in or value out of greater than $10,000.
In its January notice extending the comment period, FinCEN reiterated that it is not modifying the regulatory definition of “monetary instruments” or otherwise altering existing BSA regulatory requirements applicable to “monetary instruments” in FinCEN’s regulations, including the existing CTR requirement and the existing transportation of currency or monetary instruments reporting requirement.
Recordkeeping and Verification Requirement
The Proposal would require banks and MSBs to keep records of a customer’s CVC or LTDA transactions and counterparties, and verify the identity of their customers, if a counterparty uses an unhosted or otherwise covered wallet and the transaction is greater than $3,000. They would also be required to verify the identity of the person accessing the customer’s account, which may be someone conducting a transaction on the customer’s behalf.
Consistent with the bank’s or MSB’s AML/CFT program, the bank or MSB would need to establish risk-based procedures for verifying their hosted wallet customer’s identity that are sufficient to enable the bank or MSB to form a reasonable belief that it knows the true identity of its customer. For example, financial institutions should check FinCEN for the registration of a counterparty that purports to be a regulated MSB and for foreign financial institutions, and “would need to apply reasonable, risk-based, documented procedures to confirm that the foreign financial institution is complying with registration or similar requirements that apply to financial institutions in the foreign jurisdiction.”
In addition, banks and MSBs would be expected to incorporate policies tailored to their respective business models should a bank or MSB be unable to obtain the required information, such as by terminating its customer’s account in appropriate circumstances.
The proposed recordkeeping and verification requirements would not apply to transactions between hosted wallets (except for otherwise covered wallets). Such transactions are already covered under existing AML requirements.
Unlike other recordkeeping requirements, the recordkeeping requirement in the Proposal would require the electronic retention of information based on the fact that such recordkeeping is the practical way in which businesses engaged in CVC or LTDA transactions are likely to track their data and the most efficient form in which data can be provided to law enforcement and national security authorities. Furthermore, the information must be retrievable by the bank or MSB by reference to the name or account number of its customer, or the name of its customer’s counterparty.
Collected Data
Under the Proposal, FinCEN expects that banks and MSBs would be able to employ a single set of information collection and verification procedures to satisfy both the reporting and the recordkeeping requirements. The data to be collected would include the following:
Notably, the Proposal does not impact direct peer-to-peer (P2P) cryptocurrency transactions; rather it only imposes a reporting and recordkeeping burden on banks and MSBs. However, the requirement will indirectly affect all users of unhosted wallets that engage in any transactions with banks and MSBs, which will be required to gather information from such users in order to comply with the new rule.
FinCEN has said that these new reports will allow law enforcement agencies to protect national security by more quickly and accurately tracking money flows to identify and stop terrorist attacks, drug and human trafficking, and cybercrime. However, it is unclear whether the rule as written will accomplish these goals when parties generally set up a new wallet even for transactions that are fully compliant with the law. This can make the records kept and reported essentially useless with regard to tracking patterns of money flows to identify and stop bad actors.
As regulators continue to monitor and address cryptoassets and distributed ledger technology activities, we expect to see further guidance and regulations by FinCEN and other federal agencies in 2021 and beyond.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Washington, DC
Laura E. Flores
Kenneth J. Nunnenkamp
Andrew M. Ray
Chicago
Michael M. Philipp
New York
Martin Hirschprung
Silicon Valley
Andrew J. Gray IV
Albert Lung
E. John Park
[1] As a result of the AML Act, the BSA now defines the term “monetary instruments” as, among other things, the value that substitutes for any monetary instrument described in the other categories.