Dissecting the FinCEN ‘unhosted wallet’ proposed ruling
At the end of last week FinCEN took aim at ‘unhosted’ wallets with the ‘Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets’ proposed rule (Link). There have been rumours across the industry for weeks about such a ruling coming in, and many key industry players have been voicing their concerns about it. Last month I wrote a piece highlighting the unintended consequences this could have and arguing that it was a misguided approach to tackling crypto-crime. Even though the proposed ruling is significantly less aggressive than expected, many of the concerns raised by industry leaders are still relevant, and there are exigent questions which will be challenging to answer in the 15-day window FinCEN has offered for comment.
The proposal seeks to introduce the following;
- US banks and MSBs (money service businesses) must identify and verify customers who engage in transactions with unhosted wallets above a $3,000 threshold. This must be retained for 5 years.
- They must report to FinCEN all transactions to unhosted wallets above a $10,000 threshold, either for an individual transaction or aggregate transactions to the counterparty within a 24-hour period. This must be sent within 15 days of the transaction and retained for 5 years.
- US banks and MSBs must generate reports containing the transaction hash and identity of any users who engage with unhosted wallets across multiple financial institutions in designated jurisdictions (likely initially to be North Korea, Iran and Burma).
- A prohibition on structuring, i.e. engaging in transactions in a manner intended to avoid reporting requirements.
There is a lot to unpack within the 72 pages of this proposed ruling, so I will dig into some of the key items;
Motivation for Ruling
The main motivation for this ruling appears to be a concern about increasing use of cryptocurrencies in criminal activity, and whilst industry consensus states illicit use to be around 1% (May 2020 Elliptic — below 1%, Mar 2020 Chainalysis — below 1%, 2019 CipherTrace — <1% [1]) FinCEN suggests that the $119bn in suspicious activity reports (SARs) it received in 2019 would put it closer to 11.9%.
However it’s worth looking at these figures in relation to traditional finance, where the majority of illicit funds are still processed through. The FinCEN files released in September 2020 showed over $2 trillion in illicit funds flowing through MSBs and financial institutions and 2019 topped the charts with the highest fines ever handed out to banks for breaches of anti-money laundering and counter-terrorism financing regulations with over $10billion levied. Therefore whilst it is clear to see that some nefarious actors are using cryptocurrencies to move the proceeds of their crime, it’s certainly not the rail of choice by any means, and one could argue that more focus should be on bolstering compliance with existing regulation for banks and MSBs in the fiat space.
Furthermore and as outlined in CipherTrace’s 2019 report 8 out of 10 U.S. retail banks harbor illicit crypto MSBs and 65% of the top 120 VASPs (virtual asset service providers) lack good KYC. As such we should not fall into the fallacy that unhosted wallets are in and of themselves illicit, and hosted wallets are ‘good’. There are many examples of criminals using accounts on cryptocurrency exchanges to move the proceeds of their crimes, and Chainalysis’ 2020 report states that over 300,000 individual accounts at Binance and Huobi received bitcoin from criminal sources in 2019.
Consultation Time
The industry has been given a very narrow window of consultation for this ruling — just 15 days. Notably this is over the festive period when many people will be enjoying Christmas away from the office and businesses have skeleton staff operating until the new year. This consultation period is insufficient to say the least. However FinCEN offers that it is “appropriate” due to several factors, one of which is;
“Furthermore, undue delay in the implementation of the proposed rule would encourage movement of unreported or unrecorded assets implicated in illicit finance from hosted wallets at financial institutions to unhosted or otherwise covered wallets, such as by moving CVC to exchanges that do not comply with AML/CFT requirements.”
However, I would question a) why we would see this mass exodus to unhosted wallets since, post-implementation of this ruling, they would be under additional scrutiny rather than less scrutiny, and b) if a notable proportion of illicit funds are currently held with hosted financial institutions, shouldn’t this be a more worrying flag for failing compliance processes at these entities? After all, as noted in the document, financial institutions and MSBs must already comply with “AML/CFT program requirements, including by conducting customer due diligence with respect to accountholders and reporting suspicious activity”. As such this appears to be an admission that these existing policies and procedures aren’t working as intended, and I think it’s fair to ask how we can have confidence that the proposed ruling would correct this. It could be concluded that the need to expedite this ruling comes not from an increasing risk profile but from the impending end date of the current administration.
Data Requirements
The proposed ruling seeks to require US banks and MSBs to collect blockchain and identity information for transactions with unhosted wallets over $3,000 and to submit this information to FinCEN where the transaction, either individually or in aggregate over a 24-hour period, is over $10,000.
The reporting requirements include that;
- Data must be submitted to FinCEN within 15 days of the transaction
- Data must be retained for 5 years
- The name and physical address of the counterparty must be recorded/shared (at a minimum) as well as: the asset type, the amount, the time of the transaction, the value of the transaction in dollars, any payment instructions received from the bank’s or MSB’s customer, any other counterparty information the Secretary may prescribe as mandatory on the reporting form for transactions, any other information that uniquely identifies the transaction, the accounts and, to the extent reasonably available, the parties involved, and any form relating to the transaction that is completed or signed by the financial institution’s customer.
Firstly, this creates a treasure trove of personal and sensitive financial data held by both FinCEN and the banks/MSBs. However one need look no further than the 2020 FinCEN file leak, which saw more than 2,100 suspicious activity reports (SARs) exposed to the world, or the 2019 total of over $292m worth of crypto exchange hacks and over 500,000 pieces of customer data stolen, to question whether these entities have the necessary cybersecurity and data storage processes in place to protect such an attractive honey pot for hackers.
Secondly, the proposed ruling does not provide any guidance as to how the bank or MSB must verify this data. If the user reports that the counterparty address belongs to Joe Bloggs at a given address X, how is this to be verified? After all, a transaction on a blockchain contains no inherent name or address metadata. As stated in my piece on unhosted wallets, this could create a situation where users are sending photos of a bitcoin address on their Ledger, or asking the recipient of their transaction to scan over a copy of their paper wallet. There are clear implications for fraudulent behaviour and challenges in ascertaining the authenticity of documents, and additional guidance will be sought by the entities who are liable to collect and verify this information.
Smart Contracts
Building upon this, and as raised by the industry in the lead up to this proposed ruling being published, is the challenge of smart contracts and how they fit within this approach.
A smart contract is a self-executing piece of code, most often deployed on the Ethereum network as a token or decentralized app (Dapp), and is uniquely identified via a contract address (as circled in pink within the image). This smart contract is not necessarily ‘owned’ by anyone, nor does it have a physical location, so any transaction to it would likely fall under the “unhosted or otherwise covered” definition but pose considerable challenges in providing and verifying identity information for it. As with many items in the proposed ruling, further clarity is certainly required.
Aggregate Transactions
A key requirement from the proposed ruling would be the requirement for US banks and MSBs to report to FinCEN when a transaction to an unhosted wallet is over $10,000, either as a single transaction or in aggregate transactions to a counterparty over a 24-hour period.
The reporting requirement as detailed within `31 CFR 1010.313` is tailored to the behaviour of fiat transactions and clearly incompatible with the 24/7 nature of cryptocurrencies;
Deposits made at night or over a weekend or holiday shall be treated as if received on the next business day following the deposit.
As such, the ruling proposes to add a new section for c) Multiple transactions in convertible virtual currency or digital assets with legal tender status, and notes that;
multiple convertible virtual currency and digital assets with legal tender status transactions shall be treated as a single transaction if the bank or money services business has knowledge that they are by or on behalf of any person and result in value in or value out of convertible virtual currency or digital assets with legal tender status with a value of more than $10,000 during a 24-hour period.
However, no further definition is given as to when the 24-hour period should begin and end — which will be an especially important clarification for businesses operating across multiple jurisdictions.
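To make that ambiguity concrete, here is an added example (mine, not from the proposed rule or any FinCEN guidance) that aggregates constructed transactions under two readings of the 24-hour period: a rolling window anchored on the earliest transaction, and a calendar day in the institution's local timezone. The same three sends are reportable under one reading and not the other, and the calendar-day result changes with the assumed UTC offset.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REPORTING_USD = 10_000  # proposal: report when single or 24h-aggregated value exceeds this

@dataclass
class Tx:
    customer: str
    counterparty: str  # unhosted wallet address (constructed sample value)
    usd: float
    at: datetime       # timezone-aware timestamp

def rolling_24h_flags(txs):
    """Pairs (customer, counterparty) whose sends exceed REPORTING_USD in any rolling 24h window."""
    by_pair = defaultdict(list)
    for tx in sorted(txs, key=lambda t: t.at):
        by_pair[(tx.customer, tx.counterparty)].append(tx)
    flagged = set()
    for pair, seq in by_pair.items():
        start = 0
        for end, tx in enumerate(seq):
            while tx.at - seq[start].at >= timedelta(hours=24):
                start += 1  # drop transactions that have fallen out of the window
            if sum(t.usd for t in seq[start:end + 1]) > REPORTING_USD:
                flagged.add(pair)
    return flagged

def calendar_day_flags(txs, utc_offset_hours=0):
    """Same check, aggregating per calendar day in the institution's local timezone."""
    local = timezone(timedelta(hours=utc_offset_hours))
    totals = defaultdict(float)
    for tx in txs:
        totals[(tx.customer, tx.counterparty, tx.at.astimezone(local).date())] += tx.usd
    return {(c, cp) for (c, cp, _day), v in totals.items() if v > REPORTING_USD}

def utc(day, hour):
    return datetime(2020, 12, day, hour, tzinfo=timezone.utc)
# Constructed sample: three $4,000 sends to one unhosted address within 19 hours, straddling UTC midnight.
SAMPLE = [
    Tx("cust-1", "bc1q-constructed", 4_000, utc(20, 18)),
    Tx("cust-1", "bc1q-constructed", 4_000, utc(21, 2)),
    Tx("cust-1", "bc1q-constructed", 4_000, utc(21, 13)),
]

if __name__ == "__main__":
    print("rolling 24h    :", rolling_24h_flags(SAMPLE))       # flagged
    print("UTC calendar   :", calendar_day_flags(SAMPLE))      # not flagged
    print("UTC+10 calendar:", calendar_day_flags(SAMPLE, 10))  # flagged
```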
“…or otherwise covered wallet”
Whilst no legal definition of an unhosted wallet is provided in the proposed ruling, the following is offered: “Such persons may store the private key in a software program or written record, often referred to as an “unhosted wallet””, and throughout the proposed ruling the phrase
an unhosted or otherwise covered wallet
is used. However no definition, legal or otherwise, is offered as to what the “otherwise covered wallet” may refer to. Perhaps more concerning is a point of clarity in the section discussing exemptions from the reporting requirement, which seems to indicate that “otherwise covered” may refer to a subset of hosted wallets.
The proposed recordkeeping requirement would not apply to transactions between hosted wallets (except for otherwise covered wallets).
It’s therefore possible that the scope of this proposal is more far-reaching than currently understood, and a definition of what “otherwise covered wallets” refers to will surely be required ahead of any implementation and for further scrutiny.
Receiving a Transaction
Whilst the bulk of the document focusses on unhosted wallets being the recipient of the transaction, the following statement highlights the responsibility banks and MSBs have where their user receives a transaction from an unhosted wallet;
Similarly, in the case of a transaction in which the bank’s or MSB’s customer is the recipient, the bank or MSB would need to obtain the required recordkeeping and verification information as soon as practicable. In addition, under the proposed rule, banks and MSBs would be expected to incorporate policies tailored to their respective business models should the bank or MSB be unable to obtain the required information, such as by terminating its customer’s account in appropriate circumstances.
Therefore any deposits flagged as coming from unhosted wallets will require either the bank/MSB or the user to find the necessary information within the required 15-day time period, or risk the account being closed due to a breach of this ruling. This could be especially troublesome for entities accepting crypto donations, who must now seek to collect the identity information of any donors or risk their account being closed down by the MSB. Furthermore, users receiving funds from entities who do not wish to comply with this ruling for whatever reason — be it political or an objection to sharing sensitive customer information with third parties — may find the counterparties of their transactions facing burdensome scrutiny from their US banks and MSBs.
Implementation
Unsurprisingly there are a number of other outstanding implementation questions:
- How will smaller MSBs bear the time and financial cost of this ruling? The document outlines an estimated average annual burden hours per recordkeeper of 2,928 (c3.5 months!) and compounded with existing AML, KYC, CTF and risk obligations, many MSBs may simply decide that operating with US counterparties is not financially viable.
- Blockchain analytics providers will inevitably look to provide a solution to this proposed ruling, as they track blockchain activity and seek to link entities with transactions. However, their coverage is not absolute, and many transactions and addresses screened using their tools will not resolve to a known entity. As such, there is a risk that many false positives could be provided to crypto-services where an unknown entity is conflated with an unhosted entity. It is therefore critical to remember that an unhosted wallet is one in which the private key is stored by an individual rather than a service, not just an address which is unknown to blockchain analytics.
- Whilst bitcoin is mentioned throughout the proposed ruling (incorrectly referred to with a capital “B” instead of the lowercase “b” used to denote the asset rather than the protocol), there is only brief mention of privacy-focussed assets such as Zcash and Monero. However, there is no guidance on how the proposed ruling would be applied to this subset of crypto-assets. This could be especially troublesome to implement as, unlike the Bitcoin blockchain where all transaction information is visible, addresses and transaction information can be hidden.
However, arguably the most worrying aspect of the 72-page report to me is hidden in the footer of page 11;
The FATF noted that jurisdictions have a range of national-level tools to mitigate, to some extent, the risks posed by anonymous peer-to-peer transactions if national authorities consider the ML/TF risk to be unacceptably high. This includes banning or denying licensing of platforms if they allow unhosted wallet transfers, introducing transactional or volume limits on peer-to-peer transactions, or mandating that transactions occur with the use of a VASP or financial institutions.
It’s therefore clear that whilst FinCEN’s guidance may have taken a less damaging route, future FATF guidance could seek to prohibit interactions with unhosted wallets or include restrictive transactional limits. So it’s likely this is the start of a long road in regulation towards unhosted wallets.
(All views expressed are the author’s own and do not necessarily reflect that of the employer or any associations)