Below is an exact reproduction of the letter we have submitted to Treasury and FinCEN as part of the public request for comment period.

We wish to thank Rafael Yakobi and the team he assembled to draft this response on behalf of Samourai and our users: Carla Reyes, Sasha Hodder, JW Verret, among others who worked diligently behind the scenes for months preparing this submission because they believe this harmful overstepping by the federal government must be addressed.

We would like to warmly thank Ten31, who graciously pledged to help cover some of the considerable costs we incurred to draft this response.

Lastly, we would like to thank all 25 of the unaffiliated Bitcoin companies that read and signed this letter to FinCEN in agreement with our position. They are listed individually at the bottom of this page.

You can download a PDF of the letter below:

Section 311 Mixing Transactions Designation NPRM Comment Letter PDF

Andrea Gacki January 22, 2024
Director
Financial Crimes Enforcement Network
U.S. Department of the Treasury
P.O. Box 39
Vienna, VA 22183

SUBMITTED ELECTRONICALLY

Re: Docket Number FINCEN–2023–0016 – Proposal of Special Measure Regarding Convertible Virtual Currency Mixing as a Class of Transactions of Primary Money Laundering Concern

Dear Director Gacki:

We appreciate the opportunity to comment on Docket Number FINCEN-2023-0016 (the “Mixing Transaction NPRM”), released by the Financial Crimes Enforcement Network (“FinCEN”) on October 22, 2023.^[1] We are a variety of unaffiliated companies that rely on important cybersecurity safeguards and privacy-enabling software to protect our businesses and our users. The extreme breadth of the rules proposed by the Mixing Transaction NPRM would overly burden our use of such technologies in ways that would not assist FinCEN in achieving its mandate of preventing money laundering and other illicit use of money. As a result, we write to express our grave concerns regarding the novelty and scope of the Proposed Special Measures and the inadequate definitions contained therein.^[2]

The Proposed Special Measures would unreasonably infringe upon the legitimate financial privacy interests of cryptocurrency users, and would apply to a variety of digital techniques that are not mixing transactions at all, but rather simply represent good cybersecurity practices. Moreover, the Proposed Special Measures are unnecessary to achieve FinCEN’s aim, and we encourage FinCEN to either withdraw the Mixing Transaction NPRM altogether or to pursue a less invasive, less restrictive, and more effective approach—the same approach it has used since its first enforcement activities in the cryptocurrency space in 2013—to enforcement against specific bad actors.

1. FinCEN should exercise caution and either withdraw entirely or narrowly tailor the Mixing Transaction NPRM because if adopted, the Mixing Transaction NPRM would not only represent the first time FinCEN used its Section 311 powers against a class of transactions, but also the first time FinCEN has ever imposed Special Measure 1.

Historically, FinCEN has exercised caution in making designations under Section 311 and implementing Special Measures. Section 311 (31 U.S.C. 5318A), authorizes the U.S. Department of Treasury (“Treasury”) to designate a foreign jurisdiction, financial institution, class of transactions, or type of account as being of “primary money laundering concern” and impose one or more of five possible “special measures.” Treasury delegated that authority to FinCEN, which has used its power quite sparingly since Section 311’s enactment. The first Section 311 action instituted by FinCEN in the virtual currency space occurred in 2013, when FinCEN instituted special measures against Liberty Reserve. Prior to that time, between 2002 and 2013, FinCEN had only ever implemented special measures against just four jurisdictions and 13 financial institutions. After a protracted legal battle regarding a Section 311 action between 2015-2017, FinCEN seemed reluctant to use its Section 311 powers widely. ^[3] The creation of the Global Investigations Division (GID) in 2019 ^[4] and the enactment of the Anti-Money Laundering Act of 2020, which increased FinCEN’s authority “to prohibit or impose conditions upon certain transmittals of funds (to be defined by the Secretary) by any domestic financial institution or domestic financial agency,” ^[5] coincided with an uptick in the use of Section 311 powers and a broadening of FinCEN’s attention to all 5 available Special Measures.

Importantly, throughout its use of Section 311, FinCEN traditionally imposes Special Measure Number 5 to isolate a specific foreign financial institution and prevent it from accessing the U.S. financial system. Until this Mixing Transaction NPRM, FinCEN has only used Special Measure Number 1 one other time—in 2012 against JSC CredexBank (“Credex”).^[6] FinCEN later withdrew that proposed rule in 2016. ^[7] If adopted, the Mixing Transaction NPRM would constitute the first time FinCEN has imposed Special Measure Number 1 in exercising its Section 311 Powers. Moreover, this Mixing Transaction NPRM represents the very first time FinCEN has sought to designate an entire class of transactions as a primary money laundering concern. We encourage FinCEN to exercise extreme caution in the exercise of its Section 311 powers in such a novel way—the first-ever designation of a class of transactions and the first-ever imposition of Special Measure 1.

Exercising caution in Section 311 powers reflects the seriousness of Treasury’s policy purposes for invoking its powers to make primary money laundering concern designations and impose special measures—namely, to act as a signal to the world that FinCEN is “serious about ensuring that the international financial system is safeguarded against the threat of money laundering.” ^[8] As Treasury explained in the press release announcing the very first use of its Section 311 powers in 2002, when FinCEN uses Section 311, “[FinCEN] tell[s] the world clearly that these jurisdictions [or entities or transactions] are bad for business and that their financial controls cannot be trusted.” ^[9] For the reasons further explained below, FinCEN’s targeting of convertible virtual currency (“CVC”) ^[10] purported “mixing” transactions does not achieve these aims. Rather than target transactions that are “bad for business,” the Mixing Transaction NPRM targets an overly broad range of technical approaches used as best practices both by businesses and individuals for ensuring the security of CVC and impinges on privacy rights of legitimate users of CVC. In an attempt to exercise authority it has never used before (class of transactions) through a special measure it has never previously imposed successfully (special measure 1), FinCEN created a proposed rule fraught with misunderstandings and overreach. We urge FinCEN to withdraw the rule and reconsider its approach to this novel use of its authority.

2. The Mixing Transaction NPRM proposes a rule that is an improper and overbroad application of Section 311 measures to achieve transaction surveillance and suppression that FinCEN does not otherwise have a lawful basis to undertake.

Although the Mixing Transaction NPRM ostensibly designates a class of transactions as being of Primary Money Laundering Concern, its real goal is to uncover an alternative method for collecting information about and suppressing the use of digital currency in general. The Mixing Transaction NPRM is an improper and overbroad application of Section 311 measures for that purpose. Indeed, although the Mixing Transaction NPRM allegedly sanctions a class of transactions, it inconsistently throughout refers to “CVC mixers,” “CVC mixing” and “CVC mixing services” by reference to specific business entities ^[11] and as a type of business model more generally.^[12] If FinCEN has reason to believe specific entities conduct illicit activities, FinCEN could use the Section 311 powers it has traditionally and successfully used to target specific entities as financial institutions of primary money laundering concern. Such an approach offers a more targeted way to address actual money laundering while protecting legitimate users of legitimate privacy-enhancing tools.

Notably, Treasury has separately sanctioned what it refers to as CVC mixing transactions through its Office of Foreign Asset Control (OFAC) authority to designate people or property who conduct transactions with specifically designated foreign jurisdictions identified through executive order as posing terrorist threats. ^[13] Treasury is currently facing legal challenges to, and has been widely criticized for, its attempt to sanction the Tornado Cash open source software as property of a non-existent entity Treasury alleges is called “the Tornado Cash DAO entity.” ^[14] Although we agree with the many arguments as to why Treasury’s OFAC action with regard to Tornado Cash software is an example of agency overreach, we wish to make a different but related point here. To justify its OFAC sanctions against the Tornado Cash software, Treasury had to designate the software as property of an entity. ^[15] OFAC officially explained as part of defending its sanction to a judge that the Tornado Cash software was property under Treasury’s regulations because it fell within the broad reach of “any contract whatsoever.” ^[16] Although the definition of “transaction” under the BSA regulations is quite broad, it does not encompass “any contract whatsoever” but rather centers on monetary transfers and specific services offered by financial institutions, and provides a catch-all for “any other payment, transfer, or delivery by, through or to a financial institution, by whatever means effected.” ^[17] No part of the definition applicable to CVC mixing is also a contract.^[18]

In other words, in proposing the Mixing Transaction NPRM, one arm of Treasury is classifying CVC mixing as a transaction type while another arm of Treasury argues that mixing is a contract for services. Under the regulations governing both enforcement actions, mixing activity cannot be both a transaction type and a contract for service simultaneously. Treasury’s attempt to designate mixing software as both a type of transaction and a contract is evidence of the arbitrary and capricious nature of its attempt to regulate open-source software that enhances the digital privacy of legitimate CVC users. To the extent that FinCEN really wants to target non-custodial, open-source software that individuals can use on their own accounts, FinCEN exceeds its statutory authority.

Indeed, tools that enhance digital privacy in CVC transactions simply seek to enable a form of digital cash. As a result, in its rush to find a way to suppress CVC mixing transactions, by whichever means, even if inconsistent amongst different internal branches of its own agency, FinCEN’s Mixing Transaction NPRM amounts to an attempt to sanction “all transactions conducted in cash,” which is both impossible and an unreasonable over-extension of its rulemaking authority.

3. The Mixing Transaction NPRM should be withdrawn because the proposed definition of “CVC mixing” is overbroad and targets lawful activity in a way that makes the agency’s proposed action arbitrary and capricious.

Setting aside FinCEN’s own apparent confusion about whether CVC mixing is a transaction, a service, a business, or a specific business entity, when FinCEN does attempt to define the “class” of transactions that it considers to be CVC mixing, the Mixing Transaction NPRM’s definition of “mixing” is extremely broad and includes numerous activities routinely conducted by legitimate users as a matter of routine safety precautions in online transacting in CVC. Specifically, the Mixing Transaction NPRM provides:

The term “CVC mixing” means the facilitation of CVC transactions in a manner that obfuscates the source, destination, or amount involved in one or more transactions, regardless of the type of protocol or service used, such as: (1) pooling or aggregating CVC from multiple persons, wallets, addresses or accounts; (2) using programmatic or algorithmic code to coordinate, manage, or manipulate the structure of a transaction; (3) splitting CVC for transmittal and transmitting the CVC through a series of independent transactions; (4) creating and using single-use wallets, addresses, or accounts, and sending CVC through such wallets, addresses, or accounts through a series of independent transactions; (5) exchanging between types of CVC or other digital assets; ^[19] or (6) facilitating user-initiated delays in transactional activity. ^[20]

Indeed, most of the activities captured by the proposed definition of CVC mixing are considered established best practices within the industry for the use and safekeeping of CVC. Specifically, the proposed definition encompasses lightning transactions, single-use wallets, atomic swaps, decentralized finance protocols, privacy coin features, and multi-signature wallets, among other things. The main commonality among this broad range of software tools is that they enhance digital privacy and offer basic cyber-security techniques to owners or custodians of CVC. Employing these techniques to safeguard valuable digital assets is as routine and mundane and free of illicit purpose as using two-factor authentication to secure a digital wallet containing payment card information or an X (formerly Twitter) account to prevent an unauthorized announcement.^[21]

4. The Mixing Transaction NPRM should be withdrawn because its inaccurate depiction of standard security practices as “mixing” impermissibly restricts the capacity of users to protect their property so that FinCEN can conduct a fishing expedition.

The proposed rule describes as red flags such everyday practices as “creating and using single address wallets” and “splitting CVC for transmittal.” ^[22] The standard practice among cryptocurrency users is to change addresses with every transaction. For example, Coinbase Exchange describes to their users that: “[w]e automatically generate a new address for you after every transaction you make or when funds are moved between your wallet and our storage system. This is done to protect your privacy, so a third party cannot view all other transactions associated with your account simply by using a blockchain explorer.” ^[23]

The fact that a small subset of users, who may be criminals, engage in the same operational security practices as ordinary users does not make those operational security practices suspect. The fact that criminals may use two-factor authentication to protect the security of their online applications does not mean that the use of two-factor authentication is itself an indicator or facilitator of criminal activity. In exactly the same way, the fact that users do not reuse Bitcoin addresses is merely indicative of basic operational security.

In an apparent recognition of the fact that these tools legitimately enable important cyber-security precautions, FinCEN exempts financial institutions from reporting on any of their own mixing transactions that they may conduct in the course of providing services to the public.^[24] By exempting financial institutions from the rule, FinCEN creates a regime where financial institutions can take proper cyber-security measures for using CVC, but regular people cannot.

Perhaps even more problematic, throughout the Mixing Transaction NPRM, FinCEN justifies the proposed rule as necessary to enable law enforcement and the agency to better understand the transactions and the extent to which illicit activity occurs through CVC mixing. ^[25] The extraordinary and never before successfully invoked Section 311 power to designate a class of transactions and implement special measure 1 is not appropriate for use in a fact-finding mission. Employing such overly broad definitions as proposed in the Mixing Transaction NPRM for the purpose of authorizing an invasive fact-finding mission represents an arbitrary and capricious use of FinCEN’s delegated rulemaking authority because FinCEN’s justification for the rule lies outside of the statutory criteria for determining a class of transactions is of primary money laundering concern.

Specifically, FinCEN is statutorily required to consider the following factors when determining that a class of transactions is of primary money laundering concern: (1) the extent to which the class of transactions is used to facilitate or promote money laundering in or through a jurisdiction outside of the United States, including money laundering activity with connections to international terrorism, organized crime, and proliferation of WMDs and missiles; (2) the extent to which a class of transactions is used for legitimate business purposes; and (3) the extent to which action by FinCEN would guard against international money laundering and other financial crimes.” ^[26] Throughout the Mixing Transaction NPRM, FinCEN acknowledges that due to a lack of data and a lack of understanding of CVC mixers, it cannot sufficiently assess the extent to which CVC mixing and the proposed rule measures up under any of these three criteria. ^[27] FinCEN’s assessment ultimately boils down to: FinCEN does not have sufficient information to properly assess the statutory criteria required to justify the proposed rule, so the proposed rule is justified because, in FinCEN’s own words, it “is necessary to better understand the illicit finance risk posed by CVC mixing.” ^[28] Using a sanction to obtain the information necessary to justify imposing the sanction even when the agency knows that doing so will likely impose a high burden on legitimate uses and financial institutions is the definition of arbitrary and capricious regulatory action.

5. The Mixing Transaction NPRM should be withdrawn or significantly narrowed in scope because FinCEN’s required statutory analysis fails to adequately value the legitimate uses of CVC mixing services and unduly burdens legitimate users and financial institutions.

FinCEN admits that public blockchains “make it possible to know someone’s entire financial history on the blockchain” ^[29] and that it “recognizes that there are legitimate reasons why responsible actors might want to conduct financial transactions in a secure and private manner given the amount of information available on public blockchains.” ^[30] Yet, in the same document, alleges that the Mixing Transaction NPRM is necessary because CVC “is not without its risks and, in particular, the use of CVC to anonymize illicit activity undermines the legitimate and innovative uses of CVC.” ^[31] These two propositions cannot be simultaneously accurate.

As a matter of technical reality, FinCEN’s assertion that public blockchains expose a user’s entire financial history on the blockchain to the public for everyone to see and inspect is correct. ^[32] Indeed, that creates the fundamental need for legitimate CVC users to conduct CVC mixing transactions—to reintroduce the same level of financial privacy that they enjoy in the traditional financial system ^[33] to their transactions via CVC (for example, the traditional financial system does not expose a consumer’s entire credit card history to the public, and indeed, federal law requires that financial institutions protect such information from being exposed to the public ^[34]). ^[35]

Ensuring their CVC transactions enjoy the same level of privacy as transactions in traditional finance reduces the potential danger of personal harm to legitimate users and enables legitimate users to avoid waiving their constitutional right to privacy. When the identity of a legitimate CVC user is known and connected to the wallets holding CVC assets, the user becomes a target for kidnap, robbery, extortion, and hacking schemes. ^[36] Further, because of this inherent transparency by design of public blockchains, the Fifth Circuit recently ruled that no expectation of privacy exists for users of permissionless public blockchains who take no additional action to privacy-protect their transactions. ^[37] Legitimate users employ privacy-enhancing software when transacting in CVC in order to avoid inadvertently waiving their constitutionally protected privacy rights.

Ultimately, FinCEN has completely failed in its obligation to adequately account for the impact on legitimate users as required by its rulemaking authority. In defending its selection of special measure 1 over 2 through 5, FinCEN emphasizes, without explanation, that special measure 1—additional record keeping—allows legitimate users to continue using privacy-enhancing software without interruption. ^[38] This is false, as covered entities must report on any transaction that may have involved CVC mixing and a foreign jurisdiction. Indeed, read broadly, it is possible that the rules proposed by the Mixing Transaction NPRM require reporting on transactions that involve CVC that were transacted through mixing software at any point in the asset’s transaction history. Such reporting directly impedes the reasons for which legitimate users employ mixing software (to enhance financial privacy) by requiring the elimination of financial privacy (it is not a private transaction if an intermediary must surveil and report on the transaction). Software tools like mixers that enhance digital financial privacy provide a true electronic equivalent to cash. Notably, transactions in cash are not subject to rules such as those proposed in the Mixing Transaction NPRM. In an apparent acknowledgment of this deep and inherent conflict between the rules proposed by the Mixing Transaction NPRM and the legitimate uses to which legitimate users put CVC mixing software, FinCEN itself predicts that the rule will chill the use of CVC mixers.

6. The Mixing Transaction NPRM should be withdrawn because it requires covered financial institutions to perform law enforcement’s function to accomplish FinCEN’s AML goals, which FinCEN, DOJ, and law enforcement can achieve using existing tools when they have a proper legal basis to employ those tools.

Like the definitions of CVC mixing and CVC mixer, the Mixing Transaction NPRM’s information reporting requirements demonstrate a deep lack of technological understanding. Notably, all of the transaction information that the Mixing Transaction NPRM proposes to include in required reports by covered financial institutions involves data that, in most circumstances, FinCEN can just as easily obtain itself through blockchain data analytics. Similarly, the customer information that FinCEN would require covered financial institutions to report includes the same kinds of information such institutions must already report if a transaction raises sufficient red flags to trigger the filing of a Suspicious Activity Report (SAR). Nevertheless, the Mixing Transaction NPRM seeks to require covered financial institutions to file such reports on every single transaction for which the CVC involved may have ever been transacted through the extremely broad set of software that FinCEN’s proposed rule defines as CVC mixing software. In other words, because law enforcement investigations into activity involving CVC are sometimes more difficult, FinCEN seeks to impose broad surveillance of individuals without cause through covered financial institutions. Covered financial institutions should not have to become de facto law enforcement officers to make investigations easier for FinCEN.

FinCEN, the Department of Justice, and law enforcement have previously and successfully employed the very tools FinCEN asks financial institutions to use for reporting compliance under the Mixing Transaction NPRM to target specific illicit actors. FinCEN has demonstrated that it knows how to properly investigate and enforce against specific custodial CVC mixing service providers that are not complying with the regulations to which they are subject. Specifically targeting illicit actors about which FinCEN and law enforcement have built a clear, strong case using the available blockchain data analytics tools better balances the need to combat illicit CVC mixing with the legitimate use of CVC mixing by individuals seeking to protect their legitimate, constitutionally and statutorily protected privacy interests.

For all of the reasons discussed above, we urge FinCEN to withdraw the Mixing Transaction NPRM altogether.

Thank you for your consideration.

If you have any questions or would like additional information, please see the contact information below:

Rafael Yakobi, Esq.
Managing Partner
The Crypto Lawyers, PLLC.
[email protected]
(619) 317-0722

Sincerely,

Samourai Wallet, Ten31, River, Strike, RoninDojo, Swan Bitcoin, Primal, GRIID, Zaprite, Peach, Mempool Space, Upstream Data, Stakwork, Vida Global, Voltage, Coinkite, Mutiny Wallet, Standard Bitcoin Company, Satoshi Energy, Cathedra Bitcoin, AnchorWatch, Bitnob, Oshi, Battery Finance,Fold, Start9

1. FinCEN, Proposal of Special Measure Regarding Convertible Virtual Currency Mixing, as a Class of Transactions
   of Primary Money Laundering Concern, Dkt. FINCEN-2023-0016 (Oct. 22, 2023) https://www.fincen.gov/sites/default/files/federal_register_notices/2023-10-19/FinCEN_311MixingNPRM_FINAL.pdf [hereinafter Mixing Transaction NPRM”] ︎
2. In this regard, we intend this letter to specifically respond to FinCEN’s request for comments A(1)-(8), B(2)-(3), C(1), D(2), and D(11) as listed in the Mixing Transaction NPRM. ︎
3. See FBME Bank Ltd. v. Lew, 125 F. Supp. 3d 109 (D.D.C. 2015); FBME Bank Ltd. v. Lew, 142 F.Supp.3d 70 (D.D.C. 2015); FBME Bank Ltd. v. Lew, 209 F.Supp.3d 299 (D.D.C. 2016); FBME Bank Ltd. v. Munchin, 249 F. Supp.3d 215 (D.D.C. 2017). ︎
4. FinCEN, Press Release, New FinCEN Division Focuses on Identifying Primary Foreign Money Laundering Threats (Aug. 28, 2019),https://www.fincen.gov/news/news-releases/new-fincen-division-focuses-identifying-primary-foreign-money-laundering-threats. We note with some alarm that the timing of GID’s creation coincided with the release of FinCEN’s 2019 CVC guidance, indicating that perhaps the two were coordinated and greater targeting of CVC users has been underway for some time. ︎
5. 2021 NDAA, Section 9714, https://www.congress.gov/116/bills/hr6395/BILLS-116hr6395enr.pdf. ︎
6. 77 Fed. Reg. 31,794 (Mar. 30, 2012). ︎
7. 81 Fed. Reg. 14,408 (Mar. 17, 2016). ︎
8. U.S. Dept. Treas., Press Release, Fact Sheet Regarding the Treasury Department’s Use of Sanctions: Authorized Under Section 311 of the USA PATRIOT ACT (Dec. 20, 2002), https://home.treasury.gov/news/press-releases/po3711. ︎
9. Id. ︎
10. We note that we dislike the term convertible virtual currency, as it does not fit industry understanding of the technical realities of cryptocurrencies and their many uses. We use the term in this letter only because it is the language that FinCEN has adopted for the implementation of its regulations. As an aside, we would encourage FinCEN to adopt more technically accurate vocabulary for implementing its regulations, as doing so would help FinCEN avoid proposing unworkable and overbroad regulations such as the Mixing Transaction NPRM. ︎
11. See, e.g., Mixing Transaction NPRM, supra note 1, at 15 (“ChipMixer, a darknet CVC ‘mixing’ service”); 16 (referring to Bestmixer.io as a CVC mixing transaction); 20 (referring to enforcement against “Bitcoin Fog”). ︎
12. See, e.g., id. at 5 (“persons who facilitate…CVC mixing transactions”); 18 (“RAILGUN falls under the umbrella of CVC mixing…because it uses its privacy protocol to manipulate the structure of the transaction to appear as being sent from the RAILGUN contract address, thus obscuring the true originator.”); 20 (“CVC mixing services often deliberately operate opaquely…”.) ︎
13. U.S. Dpt. Treas., Press Release, U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash (Aug. 8, 2022), https://home.treasury.gov/news/press-releases/jy0916. ︎
14. See, e.g., Van Loon et. al., v. OFAC, No. 23-506669 (5th Cir. 2023) (notably, a variety of amici intervened with arguments critiquing the OFAC sanction at both the District Court and 5th Circuit Court of Appeals); Peter Van Valkenburgh, New Tornado Cash Indictments Seem to Run Counter to FinCEN Guidance, CoinCenter (Aug. 23, 2023), https://www.coincenter.org/new-tornado-cash-indictments-seem-to-run-counter-to-fincen-guidance/. ︎
15. OFAC, FAQ 1095, https://ofac.treasury.gov/faqs/1095 (“OFAC designated the entity known as Tornado Cash, which is a “partnership, association, joint venture, corporation, group, subgroup, or other organization” that may be designated pursuant to the IEEPA.”). ︎
16. See, Order, Van Loon et. al. v. Dpt. Treas., 1:23-CV-312-RP at 18 (W.D. Tx. Aug. 17, 2023). ︎
17. 31 CFR 1010.100(bbb)(1). “Except as provided in paragraph (bbb)(2) of this section, transaction means a purchase, sale, loan, pledge, gift, transfer, delivery, or other disposition, and with respect to a financial institution includes a deposit, withdrawal, transfer between accounts, exchange of currency, loan, extension of credit, purchase or sale of any stock, bond, certificate of deposit, or other monetary instrument, security, contract of sale of a commodity for future delivery, option on any contract of sale of a commodity for future delivery, option on a commodity, purchase or redemption of any money order, payment or order for any money remittance or transfer, purchase or redemption of casino chips or tokens, or other gaming instruments or any other payment, transfer, or delivery by, through, or to a financial institution, by whatever means effected.” ︎
18. Notably, in the Mixing Transaction NPRM, FinCEN refers to Tornado Cash as a “CVC mixer,” not as a CVC mixing transaction. Is mixing a transaction? Is mixing a contract? Is mixing a type of business? The fact that FinCEN cannot decide belies the inappropriateness of using its Section 311 sanctions as proposed. ︎
19. We note that the Mixing Transaction NPRM does not include a definition of “other digital assets” anywhere. Further, we are unaware of any definition of “digital assets” in FinCEN’s regulations or guidance. Finally, it is not clear to us how FinCEN has authority to impose regulatory reporting requirements upon exchanges of CVC for digital assets that are not CVC. See FinCEN, Application of FinCEN’s Regulations to Persons Administering, Exchanging or Using Virtual Currencies, FIN-2013-G001 (Mar. 18, 2013) (the phrase “digital assets” appears nowhere in the 2013 Guidance); FinCEN, Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies (May 9, 2019) (the only time that the phrase “digital assets” appears in the 2019 Guidance is in footnote 75 in reference to the title of the SEC “Framework for Investment Contract Analysis of Digital Assets”). This is just another small but notable way in which FinCEN seeks to overreach its authority through the Mixing Transaction NPRM. ︎
20. Mixing Transaction NPRM, supra note 1, at 30-31. ︎
21. True Tamplin, How to Protect Your Digital Wallet from Cyber Threats, Forbes (Dec. 19, 2023, 2:00 pm EST), https://www.forbes.com/sites/truetamplin/2023/12/19/how-to-protect-your-digital-wallet-from-cyber-threats/?sh=1e9146825981 (noting the importance of 2FA for securing digital wallets). ︎
22. Mixing Transaction NPRM, supra note 1, at 30-31. ︎
23. See https://help.coinbase.com/en/exchange/managing-my-account/crypto-address-change ︎
24. Mixing Transaction NPRM, supra note 1, at 31. ︎
25. See, e.g., id. at 24 (“Furthermore, the information generated by this special measure would support investigations into illicit activities by actors who make use of CVC mixing to launder their ill-gotten CVC by law enforcement. At present, there is no similar or equivalent mechanism possessed by law enforcement to readily collect such information, depriving investigators of the information necessary to more effectively understand, investigate and hold illicit actors accountable.”). ︎
26. 31 U.S.C. 5318A(a)(1). ︎
27. See Mixing Transaction NPRM, supra note 1, at 19 (not enough data to know how much CVC mixing is used in money laundering); 22 (not enough “available transactional information” for FinCEN to “fully assess the extent to which or quantity thereof CVC mixing activity is attributed to legitimate purposes”); 22 (essentially claiming that FinCEN’s lack of information itself is reason enough to show that getting more information would guard against international money laundering). ︎
28. Id. at 23. ︎
29. Id. at 7. ︎
30. Id. at 21. ︎
31. Id. at 6-7. ︎
32. Matthias Nadler & Fabian Schar, Tornado Cash and Blockchain Privacy: A Primer for Economists and Policymakers, 105 Fed Res. Bk. St. Louis Rev. 122 (2023); Vitalik Buterin, et. al., Blockchain Privacy and Regulatory Compliance; Towards a Practical Equilibrium (Sept. 9, 2023) (unpublished manuscript), ︎
33. See, e.g., 12 U.S.C. §§ 3401-3423 (the Right to Financial Privacy Act of 1978 (RFPA), which protects the confidentiality of personal financial records by creating a statutory fourth amendment protection for bank accounts). ︎
34. 16 C.F.R. Part 314, 67 Fed. Reg. 36484 (May 23, 2002) (FTC rule addressing the requirement that covered financial institutions safeguard non-public information”) ︎
35. Matthias & Schar, supra note 32. ︎
36. For a documented timeline of physical attacks on Bitcoin users, see Known Physical Bitcoin Attacks, GitHub
    https://github.com/jlopp/physical-bitcoin-attacks/blob/master/README.md (last visited Jan. 22, 2024). ︎
37. See United States v. Gratowski, No. 19-50492 (5th Cir. 2020). ︎
38. Mixing Transaction NPRM, supra note 1, at 25 (special measure 1 is the only special measure that will preserve “legitimate actors’ ability to continue conducting secure and private financial transactions.”). ︎

This is a guest post by Samourai Wallet. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.

Source link

Yesterday’s FinCEN rule proposal is incredibly overbroad, comprehensive, and perfectly designed to allow arbitrary information collection at any scope they choose to enforce. It truly is a mind-blowingly large grab attempt at private information of anyone they can get their hands on. They want all regulated entities — VASPs, banks, financial institutions or entities like casinos, etc. — to by default submit reports of any transactions interacting with mixing within 30 days of noticing the relevant transaction and its association to mixing activity. Currently, most exchanges and businesses keep these records anyway, but they do not by default send copies of them to regulators unless deeper inspection actually merits a reason to do so. FinCEN wants that to change.

To really get a sense for the scope of things, the first thing to look at is the definitions of mixing provided in the proposal. Obviously, the act of mixing is obscuring the source of funds, but the specific technical definitions they give for what falls under the definition of mixing are incredibly broad when looked at together. Let’s go through them:

1. “Pooling or aggregating [funds] from multiple persons, wallets, addresses, or accounts” This encompasses so many different activities other than a traditional custodial mixing service. Lightning channels? That is multiple persons pooling and aggregating funds together. Multisig wallets held by multiple people in general are doing the same thing. Just combining a recent withdrawal from Coinbase with coins you had from Kraken from the point of view of both exchanges is pooling funds from multiple addresses. According to the language of this proposal, something that just happens on a regular basis in the normal course of using Bitcoin, with no attempt whatsoever to obscure or render private anything about the activity, fits into the definition of mixing.
2. “Using programmatic or algorithmic code to coordinate, manage, or manipulate the structure of a transaction” Again, that completely covers the Lightning Network. Coinjoins fall into this definition. In fact…you know what? This is so ridiculously and absurdly broad — it doesn’t even specify manipulating the structure of a transaction to attain obfuscation of the source of funds — that this literally encompasses any piece of Bitcoin software that handles making and signing transactions. 100% of the transactional activity on the Bitcoin blockchain out of sheer logical necessity fits this definition of mixing.
3. “Splitting [funds] for transmittal and transmitting the [funds] through a series of independent transactions” This is also incredibly broad. How are legitimate independent transactions between the same parties to be distinguished from a single transaction split into many for obfuscation purposes? What about situations where that is a perfectly legitimate thing to do for no reason other than your personal privacy? What if I only have three different UTXOs that three separate people know about, and I don’t want to reveal to all three of them my payment history with the other two in order to make a payment requiring all three UTXOs? Does opening multiple independent Lightning channels with the same node constitute this?
4. “Creating and using single-use wallets, addresses, or accounts, and sending [funds] through such wallets, addresses, or accounts through a series of independent transactions” So default behavior of the super majority of Bitcoin wallets — not reusing addresses — constitutes mixing? When I go to my exchange to withdraw with a unique address every time, are they required to consider that action “mixing” my coins? Do physical Bitcoin bearer instruments constitute “single-use wallets?”
5. “Exchanging between types of [cryptocurrencies] or other digitals assets” So every single person trading NFTs, dumb tokens, utility tokens, and just outright shitcoins, whether on an exchange or on-chain through different mechanisms, is now mixing?
6. “Facilitating user-initiated delays in transactional activity” Uhm..timelocks in Lightning? Any type of 2FA rate limited multisig set up? Just the DCA scheduled withdrawal function at different on-ramps? All of this is now mixing?

The definition of [cryptocurrency] mixer is “any person, group, service, code, tool, or function that facilitates [cryptocurrency] mixing.”

Now of course, FinCEN carves out an exception for regulated businesses and institutions covered by the proposed rules for “internal processes” (i.e. the DCA withdrawal functions mentioned above) so as to not interfere with their business operations, provided they can provide the required records to law enforcement whenever required. If a business is unsure whether or not activity they engage in falls under the category of mixing and the exemption, they must by default begin maintaining the required records to provide to law enforcement if required.

Of course, no such exemption exists for private individuals simply seeking to maintain the privacy of their financial activity from the public. Here is the information, within 30 days of being noticed by a business subject to the proposed rule, that would be required to be reported to the government, for every single transaction:

• The amount of cryptocurrency transferred, in native units and USD value at the time.
• The cryptocurrency involved.
• The mixer protocol/service/etc. used, if known.
• Any addresses associated with the mixer used.
• Any addresses associated with the user who mixed.
• The TXID of the relevant transaction.
• The date of transaction.
• Any IP addresses associated with the transaction.
• A “narrative” explaining context, the transaction itself, what the institution did, etc.

In terms of private information about the user involved in the transaction, here is the information proposed to be collected and directly reported to the government for every transaction:

• User’s full name.
• User’s date of birth.
• User’s full address.
• User’s email address.
• User’s IRS Taxpayer Identification Number (TIN) or foreign equivalent.

Now really think about the broad scope of things that FinCEN is proposing to define as mixing, and the type of information they want directly reported to the government every time a regulated business in this space sees a customer engage in any of those behaviors. These rules, if enacted, would allow FinCEN at any point to arbitrarily capture almost any activity on the blockchain and deputize every regulated business in the space to act as an outsourced chainanalytics service tagging, cataloging, and reporting all of the information to the government.

The authority to propose and enact rulings like this is authorized to the Secretary of the Treasury under the Banking Secrecy Act, and delegated to FinCEN by the Secretary. Under the BSA the Secretary is allowed to mandate the retaining of records of net flows of money and individual transactions, mandate additional record keeping requirements or reporting requirements for certain types of transactions, or prohibit maintaining or allowing accounts or services that allow for specific types of transactions, as long as they can argue a material risk of money laundering. During this assessment they are required to consult with the Secretary of State and the Attorney General, and consider the extent to which the relevant class of transaction facilitates money laundering and terrorist financing weighed against the extent to which that class of transaction facilitates legitimate business and commerce.

Their argumentation that it presents a material risk of money laundering and terrorist financing leans on all the factual examples of bad people mixing you would expect them to. Ransomware, exchange and cross-chain bridge hacks, etc. They bring up TornadoCash, and North Korean groups mixing funds with it, its use in laundering funds from bridge hacks, etc.; all of the big examples of exactly the type of activity these proposed rules are meant to stop that have been detected, analyzed, and cataloged on-chain are trotted out. But when it comes time to analyze the legitimate uses of mixing?

They can’t determine or assess the percentage of legitimate mixing because of a lack of data.

Yeah, you read that right. When it comes to identifying activity on-chain that suits their argument, they have a bounty of examples to cite and point to, but when it comes to activity that would bolster the counter-argument, the data is somehow not there to be found. It’s not possible to watch and analyze the transactions happening on-chain, regardless of whether they are coinjoins, centralized mixing services, or whatever flowing into those mixers and determine if there are “illicit connections.” It’s impossible to look at the percentage coming from regulated exchanges where you know some record is present if you need it. It’s impossible to look at what coins are coming from places like darknet markets. It’s also completely impossible to see what percentage of the outflows from those mixers go to regulated exchanges, or innocuous transactions not intersecting with any known “illicit activity”, versus obvious illegal activity like back into darknet markets.

The data just isn’t there for some mystical reason. I call bullshit. It’s right there, just like it is for the cases of someone like North Korea hacking an exchange and mixing the stolen funds. They’re just going to pretend it isn’t so they can create a legal justification to take all this information businesses are already processing and storing and make a nice complete copy in the hands of government regulators themselves.

This is nothing short of a systematic preparation for an enforcement crackdown, and potentially progressively increasingly antagonistic regulatory scheme. The nature of how FinCEN has to argue just cause to enact new rules centers around scrutinizing the nature of specific classes of transactions. The overly and absurdly broad definitions of “mixing” in this proposal would essentially take everything broken down in the six definitions provided and bring them together under the same class of transactions, “mixing.” After having shown just cause to categorize and regulate them as a single class, there is a much sounder footing to further carve this single general class into subclasses, and argue just cause to subject specific subclasses to extra regulatory burdens. At the end of the day, they can also prohibit entirely specific classes of transactions given a sound enough argument for mitigating serious harm to the financial system or US geopolitical interests.

First and foremost, this must be routed around. Every substantial piece of Bitcoin should be designed with the possibility of jurisdictions becoming unfriendly to them, if not outright hostile. The scope of this is something all of you should be seriously considering when thinking about how you have interacted with Bitcoin, how you do interact with Bitcoin, and how you are going to interact with it in the future.

But that said, this is also something that should be fought. The scope of it is insanely overbroad in its attempted reach, and the reasoning behind the positive outcomes outweighing the harmful is just fundamentally broken. They just pretend they can’t even ascertain the data to weigh them against each other in the first place.

Actions on the part of the government aren’t going to be absurd jokes that will be easily ignored, or easily routed around anymore. Things are going to continue becoming more reasoned through in effectively achieving the outcome they want, and that is something that all of us need to start taking more seriously. 

Source link