FinCEN Proposes New Regulations on Convertible Virtual Currencies and Digital Asset Transactions

April 09, 2021

By: Jennifer Lee & Allen Sattler

The Financial Crimes Enforcement Network (FinCEN), a bureau within the U.S. Treasury Department, has proposed a new rule to bring convertible virtual currencies (CVC) and legal tender digital asset transactions (LTDA) within the existing anti-money laundering (AML) and “know your customer” (KYC) regulatory framework under the Bank Secrecy Act (BSA). 

The timing of FinCEN’s proposed rule is no accident. It comes at an explosive time for ransomware attacks and amid increased public awareness and acceptance of CVCs, such as Bitcoin.

Ransomware attacks – where an attacker gains unauthorized access to a victim’s digital environment, deploys malware to encrypt the victim’s data, and demands a ransom payment in CVC in exchange for a decryptor key or to keep stolen data from being posted on the dark web – increased dramatically in 2020. These attacks were fueled partly by the shift to remote work in response to the pandemic. Unfortunately, this trend does not appear to be stopping anytime soon. 

Likewise, CVCs and LTDAs have recently gained more traction with the greater public. This has been due in part to market access and their use in conventional transactions – as indicated by Tesla’s announcement that it would accept Bitcoin as payment for its cars. Due to the increased acceptance and usage of difficult-to-trace CVCs and LTDAs, regulators are becoming increasingly concerned that they are being used for illicit transactions that traditionally relied on cash, such as international terrorist financing, weapons proliferation, money laundering, and the sale of controlled substances.

The rule, as currently proposed, would apply only to banks and companies acting as money service businesses (MSB) involved in those ransom transactions and to other transactions that qualify under the rule. Specifically, the proposed rule would add a determination that CVCs and LTDAs constitute monetary instruments for the purposes of 31 U.S.C. 5313, which establishes the reporting requirements under the BSA, and impose record keeping and reporting requirements for transactions involving CVCs and LTDAs that parallel those already in existence for cash transactions. 

The proposed rule, if adopted, would require banks and MSBs facilitating transactions involving CVCs and digital assets to report transactions where the value of the CVC or LTDA exceeds $10,000. Banks and MSBs would also be required to keep records of transactions greater than $3,000, including the identity of the customer and any other parties to the transaction, if the parties involved use an unhosted or otherwise covered wallet.

For such transactions, the bank or MSB would be required to collect the following categories of information and report to FinCEN within 15 days of the transaction:

  1. The name and address of the financial institution’s customer;
  2. The type of CVC or LTDA used in the transaction;
  3. The amount of CVC or LTDA in the transaction;
  4. The time of the transaction;
  5. The assessed value of the transaction, in U.S. Dollars, based on the prevailing exchange rate at the time of the transaction;
  6. Any payment instructions received from the financial institution’s customer;
  7. The name and physical address of each counterparty to the transaction of the financial institution’s customer;
  8. Other counterparty information that the Secretary may prescribe as mandatory on the reporting form for transactions subject to reporting pursuant to § 1010.316(b);
  9. Any other information that uniquely identifies the transaction, the accounts, and, to the extent reasonably available, the parties involved; and
  10. Any form relating to the transaction that is completed or signed by the financial institution’s customer.

The proposed rule would apply to both “hosted” and “unhosted” wallets. A hosted wallet is one in which the bank or MSB serves as the custodian of the CVC or LTDA, and transactions are executed on the blockchain by the bank or MSB on behalf of a customer using a private key controlled by the company. In contrast, an unhosted wallet is one in which the individual does not utilize the custodial services of a bank or MSB and opts to control the private key by himself. The hosted versus unhosted wallet distinction is significant because financial institutions and MSBs are already subject to AML and KYC regulations for transactions involving a hosted wallet. 
 
Because an individual conducting transactions in an unhosted wallet on his own behalf is not considered a money transmitter and is therefore not subject to AML and KYC regulations and reporting requirements, transactions in unhosted wallets pose a visibility issue for FinCEN. The proposed rule, if implemented, would allow FinCEN to identify the individual associated with an unhosted wallet. This is ostensibly for the purpose of facilitating investigations into transactions that may be associated with illicit activity. It would also put the onus on banks and MSBs to ensure that the owner of the unhosted wallet is not associated with any nation-states, individuals, or organizations that have been sanctioned by the Office of Foreign Assets Control (OFAC) for involvement in terrorist activities, drug trafficking, or weapons trafficking.
