Padlock and wallet with money showing FinCEN rules on crypto wallets

Proposed New FinCEN Rules for Crypto Wallets Raise Privacy Concerns; Larger Transactions Would No Longer Be Anonymous

A set of proposed regulations recently filed by the Financial Crimes Enforcement Network (FinCEN) has the cryptocurrency world on edge. If they became law, the proposed FinCEN rules would out the personal identities behind private crypto wallets if transactions are large enough.

The new FinCEN rules are calling for holders of custodial accounts (hosted wallets) to identify themselves and their trading partner if they engage in a single transaction of over $3,000, or if they have cumulative transactions of over $10,000 to a private crypto wallet in one day. Any transaction of over $10,000 would also have to be reported directly to FinCEN. While the personal information would not go out to the general public, the exchange would then be required to store it and turn it over to law enforcement agencies on request.

Could new FinCEN rules undermine cryptocurrency?

Privacy advocates are already pushing back against the proposed FinCEN rules, calling them a violation of civil liberties.

In addition to verifying and recording the names of those sending large enough amounts to private crypto wallets, the exchanges will also need to keep a physical address on file. The name and address can be requested by FinCEN, or in the case of transactions over $10,000 will be proactively forwarded to the agency.

The new FinCEN rules are an attempt to move crypto wallets under the umbrella of the Bank Secrecy Act, a legal tool passed in 1970 to combat money laundering. Regular bank transactions that exceed $10,000 within one business day are currently reported to FinCEN, but with the addition of the party’s Social Security number. Purchases of bank-issued financial instruments (such as money orders) that exceed $3,000 must also be recorded and the relevant personal information retained for potential FinCEN access for at least five years.

In this case, the common use of private crypto wallets in ransomware attacks is being used as a central justification for the new FinCEN rules. Terrorist organizations have been linked to ransomware as a means of funding, though it is still not clear exactly how common this is. Ransomware payments might also wind up going to sanctioned individuals and organizations in foreign countries, something that generated an October advisory from FinCEN warning that companies making ransom payments of this nature could be found in violation of the law. According to the US Treasury Department: “U.S. authorities have found that malign actors are increasingly using CVC to facilitate international terrorist financing, weapons proliferation, sanctions evasion, and transnational money laundering, as well as to buy and sell controlled substances, stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms, and toxic chemicals.”

Privacy advocates are arguing that cryptocurrency is too unique and that the situation is too complicated for regulations of this nature to be pushed through so quickly. A 15-day public comment period has been opened for the new FinCEN rules, but critics note that the window includes the Christmas and New Year’s holidays (closing on January 4). Privacy advocates allege bad faith in the timing; FinCEN has responded by claiming that “significant national security imperatives” require the new rules to be implemented quickly. Public comment periods of this nature generally run for at least 60 days.

The impact on crypto wallets

Other critics point out that the proposed scope of the FinCEN rules leaves so much room for the things that it purports to combat that the changes would be functionally useless. The “know your customer” (KYC) information requirements do not extend to transactions between non-custodial crypto wallets, or basic accounts that users handle on their own by keeping personal access to their keys. It would put added burden on the cryptocurrency exchanges without removing the ability of bad actors to make use of them, as they could evade the new rules by simply breaking transactions up into smaller components. Some speculate that the government is more interested in obtaining tax information from crypto wallets that regularly do large volumes of legitimate business more than it is in stopping terrorism or ransomware gangs.

Another point along this line is that the documentation of the new rules never clearly define what an “unhosted” crypto wallet actually is. It’s taken to refer to private wallets, but that is never specifically spelled out.

The proposed rules could also potentially violate privacy in a way that is not possible with fiat currency under the current Bank Secrecy Act terms. Because many cryptocurrencies (most notably Bitcoin) keep a public log of all transactions tied to the addresses of crypto wallets, the government would only need one logged transfer to identify every transaction an individual had ever made with an unhosted wallet.

Some industry observers believe that the new FinCEN rules will do nothing but create a “walled garden” in the United States that is cut off from crypto wallets throughout the rest of the world, stifling innovation and trade. Coinbase has announced its opposition to the new rules, as have several crypto-friendly members of Congress.