FinCEN has proposed new rules targeting CVC mixing that could significantly increase monitoring and reporting burdens, potentially leading to defensive filings and customer de-risking. Steve Merriman and Jim Vivenzio of Perkins Coie and Mike Carter of FTI Consulting explore the (perhaps) unintended consequences.
FinCEN recently issued a proposal that would subject financial institutions to a new reporting regime that will cover convertible virtual currency (CVC) transactions involving “CVC mixing” with a nexus to a foreign jurisdiction.
At first glance, the proposal simply leverages a new tool to combat a known money laundering typology: the misuse of services colloquially known as mixers, blockchain services that are intended to be used to bring financial privacy to otherwise public blockchain transactions. However, the proposed rule may cover more than just transactions involving traditional mixers and could capture many activities that do not present the same money-laundering risks as transactions involving these services.
FinCEN provides mixed signals in its proposal about the exact breadth of its proposed reporting regime. But read broadly, the proposal may disrupt domestic virtual asset service providers (VASPs), such as exchanges and hosted wallet services, because of the amount of transaction monitoring and reporting that such a reading would require. A broad reading, combined with other ambiguities within FinCEN’s proposal, may lead to unintended consequences, such as defensive filings of transactions with minimal value to law enforcement and the de-risking of customers that historically have not been viewed as engaging in mixing transactions.
Even though this is a proposed rule, domestic financial institutions that engage in CVC transactions should take this information and any new requirements into account as part of their overall anti-money laundering program and risk management framework, as FinCEN has effectively announced that CVC mixing transactions with a foreign nexus are a class of transactions of “primary money laundering concern.”
The proposed rule
The rule relies on FinCEN’s authority pursuant to Section 311 of the USA PATRIOT Act, which grants the Treasury secretary the authority, upon finding that reasonable grounds exist for concluding that a foreign jurisdiction, institution, class of transaction or type of account is of “primary money laundering concern,” to require domestic financial institutions to implement corresponding “special measures.”
Section 311 provides the secretary with a range of options that can be adapted to target specific money laundering and terrorist financing risks and is typically used to impose restrictions on certain foreign financial institutions and countries. Here it is being used to create an entirely new reporting regime for covered U.S. financial institutions and reporting obligations of this magnitude are typically established through the more deliberate administrative rulemaking processes.
FinCEN has historically addressed the money-laundering risks posed by CVC activities through existing Bank Secrecy Act requirements, as supplemented by industry alerts to help financial institutions focus their AML programs on specific CVC activities. While Section 311 requires FinCEN to consider certain factors when selecting special measures, it does not require FinCEN to consider the sufficiency of its existing authorities or whether alternative processes can be equally effective.
In its proposal, FinCEN announces that it has determined that transactions involving “CVC mixing within or involving” a foreign jurisdiction are a class of transactions that are of “primary laundering concern.” As the compensating special measure, FinCEN proposes to implement a new reporting regime that, if adopted, would require U.S. financial institutions to file discrete reports with FinCEN for each transaction “by, through or to” a financial institution that the financial institution “knows, suspects, or has reason to suspect involves CVC mixing” with a foreign nexus.
These discrete reports would contain transaction information, customer information and a narrative. In addition, the reporting requirement contains no dollar threshold: any transaction that involves CVC mixing with a foreign nexus would have to be reported, regardless of the amount.
The rule would also require covered financial institutions to separately file a suspicious activity report (SAR) if it determines that the transaction triggers the SAR reporting requirements, even though in many cases the financial institution’s exposure to a transaction of primary money laundering concern will be the sole basis for filing a SAR.
A broad proposed reporting regime
FinCEN’s proposal may confuse key stakeholders as to which transactions would require reporting and which transactions in CVC would not. The misalignment is likely to stem from the fact that the proposal adopts terminology — namely, “mixers” and “mixing” — with an established meaning within the blockchain industry but then proceeds to define those terms differently from this shared understanding.
As FinCEN points out in its proposal, a traditional mixer “is a service that is intended to obfuscate transaction information” and the term mixing, in turn, has been understood as the service provided by a traditional mixer.
But in defining those terms, FinCEN’s proposal deviates from its traditional understanding and omits the intent component. Under the rulemaking proposal, “CVC mixing” is defined as the “facilitation of CVC transactions in a manner that obfuscates the source, destination or amount involved in one or more transactions, regardless of the type of protocol or service used.” FinCEN expressly identifies activities like “exchanging between types of CVC, or other digital assets” and “pooling or aggregating CVC from multiple persons, wallets, addresses, or accounts” as examples of CVC mixing.
The result is a definition that, if read broadly, sweeps in services that historically have not been considered to involve CVC mixing and that do not present the same AML risk profile as transactions with a traditional mixer. For instance, the proposed rule seemingly captures transactions involving a CVC exchange — whether centralized or decentralized — because those services facilitate the exchange of one form of CVC for another and often pool CVC into omnibus wallets or smart contracts to facilitate the exchange of CVC. An expansive reading would also seemingly capture transactions on an NFT marketplace because those services enable users to exchange CVC for NFTs (i.e., another type of digital asset).
It is far from certain how broad FinCEN intends for its definition of CVC mixing to sweep, which will create challenges for the impacted financial institutions charged with designing processes to implement a new reporting regime. Other ambiguities within the proposal may amplify the uncertainty for financial institutions about what regulators will expect. Such ambiguities include (i) the extent to which indirect exposure to CVC mixing would require reporting, (ii) whether financial institutions be required to file reports on CVC mixing alerts months or years after the transaction took place and (iii) how to apply the concept of “within or involving” a foreign jurisdiction in the blockchain environment.
There are numerous stakeholders that would be charged with interpreting the proposed reporting regime, including the financial institutions subject to the rule and the federal and state regulators charged with supervising and enforcing compliance with it. And the proposed rule presents ample room for misalignment among them about what it would require.
The absence of a common understanding of a proposal’s contours may lead to unintended consequences. As has been noted in the past by FinCEN in the SAR context, unclear regulatory standards cause financial institutions to overreport transactions in hopes of avoiding potential criticism from regulators, who scrutinize reporting decisions with the benefit of hindsight. Because the proposal lacks a reporting floor, many of these defensively filed reports will involve de minimis amounts. A lack of regulatory clarity may also result in the financial institutions de-risking otherwise legitimate customers, in lieu of shouldering the significant due diligence and reporting burden that comes with branding customers — many of whom have not historically been viewed as engaging in mixing transactions — as being involved in transactions of primary money-laundering concern.
Existing AML compliance obligations
Irrespective of the breadth of the proposal and ambiguities around its contours, covered financial institutions, including VASPs, should take steps to adjust their risk-management framework to address the fact that FinCEN has designated CVC mixing as a class of transactions of primary money-laundering concern.
Some of these changes should be made now, even before a final rule imposing a new reporting requirement is issued, due to the significance of a Section 311 designation itself. For instance, financial institutions should adjust their AML compliance programs to ensure that CVC mixing transactions, as defined in the notice of proposed rulemaking, are identified and processes are in place to evaluate them appropriately for purposes of filing SARs.
To identify CVC mixing transactions with a foreign nexus, FinCEN expects that financial institutions will use a risk-based approach to compliance with rule, including through the use of blockchain analytic tools. Those analytics tools often have a category for mixers, but providers of these tools have historically defined that category to align with the definition of a traditional mixer. Covered financial institutions will need to work closely with blockchain analytics providers to ensure that their automated transaction monitoring and forensics tools identify transactions captured by the definition of “CVC mixing” proposed by FinCEN.
VASPs have other tools they can deploy to identify transactions falling within a broader conception of CVC mixing, as blockchain analytics providers tailor their tools to respond to the Section 311 designation. For instance, financial institutions can leverage persistent algorithmic transaction monitoring and periodic aggregate transaction reviews for behavioral patterns to detect a variety of red flags that could indicate CVC mixing:
- Exposure to cross-chain bridges or CoinJoins
- Customers who frequently exchange one type of CVC for another absent obvious arbitrage tactics or financial gain
- Routine movement of CVC between and among different VASPs for no apparent business purpose
- Exceptional direct and indirect exposure to a variety of types of “risky” addresses or clusters (i.e., addresses identified with scams, gambling, ATMs or high-risk VASPs)
If VASPs already have controls in place to monitor such activities for red flags, FinCEN’s Section 311 designation means that financial institutions should verify that these existing controls are appropriately tuned to identify transactions involving CVC mixing.
Besides automated transaction monitoring, VASPs may incorporate targeted reviews of the above indicators of possible CVC mixing within their enhanced due diligence processes, periodic customer risk rating reviews and above- and below-the-line transaction testing.
From a SAR-reporting perspective, labeling a broad swath of transactions as of primary money laundering concern appears to create a presumption that transactions involving CVC mixing are suspicious and implicitly require a SAR and countermeasures to allow the customer to continue transacting on the platform. Put differently, where a transaction involves CVC mixing, FinCEN appears to intend for the Section 311 designation to shift the burden from “determining when a CVC transaction is reportable [under the SAR rule] to determining when it is not reportable.” And since FinCEN has defined CVC mixing much more broadly, VASPs should (i) adjust their risk assessments accordingly and (ii) incorporate this broad definition of CVC mixing into their suspicious activity report processes and file SARs based upon the presumption articulated in the proposal.
Over the longer term, covered financial institutions should begin taking steps to develop processes to file CVC mixing reports consistent with the proposed rule. With regard to reporting, the rule would require: (i) the affected customer’s identifying information, (ii) the amount of any CVC transferred, in both CVC and its U.S. dollar equivalent when the transaction was initiated; (iii) the CVC type; (iv) the CVC mixer used, if known; (v) the CVC wallet address associated with the mixer; (vi) CVC wallet address associated with the customer; (vii) the transaction hash; (viii) the date of transaction; (ix) the IP addresses and time stamps associated with the covered transaction; and (x) a narrative. FinCEN has indicated that the rule should not impose a significant additional burden and that financial institutions are only required to report information “in its possession,” but financial institutions will likely have to reach out to counterparties for additional information for other AML purposes (i.e., to fully understand the nature and purpose of the transaction).
Because of the overall burden of the Section 311 designation and potential new reporting requirements, VASPs should update their compliance roadmaps through revised staffing models and deploying updated (and automated where possible) detection measures to address CVC mixing risks and typologies. While some of these controls may be automated within a VASP’s transaction monitoring program, others, especially targeted reviews and investigations will place an additional resource burden on compliance teams, particularly if FinCEN’s plan to require the filing of discrete reports (in addition to SAR filings) follows the cumbrous reporting mechanisms deployed in the past.