FinCEN Proposes Tracking and Reporting Virtual Currency Transactions Involving Unhosted Wallets

On December 18, 2020, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (NPR) regarding a proposal to impose on banks1 and money service businesses (MSBs) new recordkeeping, reporting, and identity verification requirements in relation to certain transactions involving convertible virtual currency (CVC) or digital assets with legal tender status (legal tender digital assets or LTDA)2 if the counterparty to the transaction does not have an account with, including a digital asset wallet hosted by, a financial institution regulated under the U.S. Bank Secrecy Act (BSA) or certain foreign financial institutions not located in designated problematic jurisdictions. If adopted, the proposed rule will impose significant new burdens only on banks and MSBs involved in digital asset businesses and undercut the role of U.S. institutions in digital asset economies, including in the growing area of “decentralized finance.” The NPR proposes to exclude broker-dealers, futures commission merchants, and mutual funds, among others that are subject to the BSA from these new reporting requirements, but specifically requests the industry’s comment on whether these types of institutions should also be included within the scope of the rule.

Affected institutions will have very limited time to assess and comment on the NPR, as the comment period closes on January 4, 2021, notwithstanding two intervening federal holidays.

Regulating “Unhosted Wallets” Without Using the Term. As a preliminary matter, it is important to understand that although the Department of the Treasury’s press release and Q&As regarding the NPR, and the preamble to the NPR itself, characterize the proposed rule as a regulation of the interaction between wallets hosted by banks and MSBs with “unhosted” or otherwise covered wallets, the word “wallet”3 appears in the proposed regulation itself only in two “notes” regarding use of wallets by noncustomers. Instead, the proposed regulation actually addresses transactions between “customers” of banks and MSBs and counterparties whose “accounts” are not held by a BSA-regulated financial institution or permitted foreign financial institution. The failure to address how and when a wallet should be considered an “account” is a fundamental disconnect that will undoubtedly be subject to significant discussion. Nonetheless, because of FinCEN’s express intent to address transactions involving “unhosted” or otherwise covered wallets dealing in CVC/LTDA, we use wallet terminology in the remainder of this discussion.

In addition, the very concept of differentiating between hosted and unhosted or otherwise covered wallets begs the question how banks and MSBs are going to be able to determine and verify the character of their customers’ counterparty wallets, including in transactions involving many types of smart contracts.4 The NPR preamble indicates that banks and MSBs will need a “reasonable basis” to conclude that a counterparty has an account/wallet hosted by a BSA-regulated institution or covered foreign financial institution. For example, the preamble indicates that the institution should check FinCEN for registration of a counterparty that purports to be a regulated MSB and for foreign financial institutions “would need to apply reasonable, risk-based, documented procedures to confirm that the foreign financial institution is complying with registration or similar requirements that apply to financial institutions in the foreign jurisdiction.”5 The NPR does not suggest how frequently such registrations would need to be checked.

General Expansion of Recordkeeping and Reporting. The proposed rule would require that banks and MSBs (i) file a report with FinCEN (Substitute CTR) containing certain information related to a customer’s CVC/LTDA transaction and counterparty (including name and physical address), and to verify the identity of their customer, if a counterparty to the transaction is using an unhosted or otherwise covered wallet and the transaction is greater than $10,000, as determined by the exchange rate at the time of the transaction, and (ii) keep records of a customer’s CVC/LTDA transaction and counterparty, including verifying the identity of their customer, if a counterparty is using an unhosted or otherwise covered wallet and the transaction is greater than $3,000.

Although the NPR indicates that value measurements for both recordkeeping and reporting thresholds should be based on the “prevailing exchange rate” at the time of the transaction, only the recordkeeping requirements of the proposed rule itself actually refer to this standard. In another example of the NPR referencing key terms only in the preamble and not in the proposed rule itself, the term “prevailing exchange rate” is defined solely in the preamble to mean “a rate reasonably reflective of a fair market rate of exchange available to the public for the CVC/LTDA at the time of the transaction. Financial institutions would be required to document their method for determining the prevailing exchange rate.”6 This would appear to preclude the use of the actual transaction rate for an over-the-counter transaction unless the institution maintains records tying that rate to a “fair market rate.”

Aggregation and Structuring. Similar to cash transaction reporting, the proposed Substitute CTR rule would impose an aggregation requirement if the institution has knowledge that a transaction is one of multiple CVC/LTDA transactions involving a single person within a 24-hour period that aggregate to value in or value out of greater than $10,000. Importantly, however, the 24-hour measurement period for CVC/LTDA would be different from the business-day measurement period for cash transactions, setting up a key inconsistency between the two as well as ambiguity in the application of the 24-hour standard. Cash and CVC/LTDA transactions would be aggregated separately.

In addition, the proposed rule would add a requirement not found in the cash Currency Transaction Reporting (CTR) requirements to aggregate transactions across all of a bank or MSB’s “offices and records,” including foreign offices. The NPR would also extend the prohibition on structuring transactions to cover structuring to avoid filing a Substitute CTR.

Reporting Requirements on Greater Than $10,000 CVC/LTDA Transactions With Unhosted or Otherwise Covered Wallets. As indicated, the NPR proposes to expand CTR reporting requirements to cover each deposit, withdrawal, exchange, or other payment or transfer by, through, or to a bank or MSB involving an equivalent value of CVC/LTDA with unhosted or otherwise covered wallets.7 Like CTRs, Substitute CTRs will need to be filed within 15 days of the reportable transaction. Some of the ways in which the reporting requirements deviate from cash transaction reporting, however, are these:

  • A requirement that if the bank or MSB has knowledge that a person accessed the customer’s wallet to conduct a reportable transaction, and that person is not otherwise a bank customer, the bank or MSB must treat such person also as a customer for purposes of identity verification. This may have implications for custody accounts managed by third-party advisers.
  • Addition of a specific requirement to report the name and address of each counterparty and “such other information as the Secretary may require,”8 thereby attempting to provide a regulatory basis for FinCEN to significantly expand reporting requirements without going through further notice and public comment. Moreover, banks and MSBs should not take comfort that the reporting requirement related to counterparty information does not include a verification standard. The NPR, although not the proposed rule, specifically states, “Consistent with their AML/CFT programs, under the proposed rule, banks and MSBs would continue to follow risk-based procedures to determine whether to obtain additional information about their customer’s counterparties or take steps to confirm the accuracy of counterparty information.”9
  • Conditioning the exemption for transactions with accounts/wallets hosted by BSA-regulated financial institutions and certain foreign financial institutions on each counterparty to such a transaction so qualifying.
  • Failure to apply all the exemptions from CTR reporting requirements to Substitute CTRs, such as for transactions with publicly traded companies.
  • Application of the reporting requirement even if the user of the unhosted or otherwise covered wallet is the customer for which the financial institution holds a hosted wallet.

Note that the NPR states that “the proposed rule would cause banks and MSBs to generate reports containing the transaction hash and identity of persons holding wallets engaging with unhosted or otherwise covered wallets engaging in transactions across multiple financial institutions.”10 However, the rule itself contains no reference to reporting a transaction hash. Although the provisions discussed below related to maintaining records of transactions with a value in excess of $3,000 do contain an extremely broad requirement to record “any other information that uniquely identifies the transaction,”11 that is a recordkeeping obligation, not a reporting obligation.

Recordkeeping Requirements on Greater Than $3,000 CVC and LTDA Transactions With Unhosted or Otherwise Covered Wallets. As mentioned, banks and MSBs would be required to keep records and verify the identity of their customers engaging in transactions involving the withdrawal, exchange, or other payment or transfer by, through, or to such financial institution of CVC/LTDA with a value of more than $3,000. The corresponding transactions should not be completed until such recordkeeping and verification is complete. Unlike with CTR reporting, there is no express transaction aggregation provision for the purpose of the recordkeeping requirement. The information that must be collected and maintained includes the following:

  • the name and address of the financial institution’s customer
  • the type and amount of CVC or LTDA used in the transaction
  • the time of the transaction
  • the assessed value of the transaction, in U.S. dollars, based on the prevailing exchange rate at the time of the transaction
  • any payment instructions received from the financial institution’s customer
  • the name and physical address of each counterparty to the transaction of the financial institution’s customer
  • any other information that uniquely identifies the transaction, the accounts, and, to the extent reasonably available, the parties involved
  • any form relating to the transaction that is completed or signed by the financial institution’s customer

As with the Substitute CTR requirements, FinCEN also attempts to preserve substantial flexibility outside the notice and public comment process to demand “other counterparty information the Secretary may prescribe as mandatory.” Similarly, as with the Substitute CTR requirements, FinCEN indicates in the preamble that banks and MSBs may be required by their risk-based anti-money-laundering programs to verify counterparty name and address or to gather further counterparty information.

Request for Comments on Specific Issues. In addition to generally seeking comments on the foregoing, FinCEN has requested specific comments on 24 separate items, including several that would dramatically expand the coverage of the proposed rule. For example, FinCEN has inquired as to the costs and benefits of expanding the proposed reporting requirements to cover all CVC/LTDA transactions by hosted wallets, including those with hosted wallet counterparties. Commenters should pay particular attention to those proposed expansions, as they could form the basis for FinCEN’s attempting to justify significant broadening of any final rules without further opportunity to comment.

Limited comment period. As indicated at the outset, affected institutions and other interested market participants have only until January 4, 2021, to respond to this proposal. Although the adequacy of that time period, and FinCEN’s justification for curtailing the practical ability to provide input on such a fundamental change in regulatory requirements, may be subject to challenge, affected institutions should do their best to register their concerns about both the substance of the proposed rule and the way it has been proposed.

Implementation and Potential Legal Challenges. Not only has FinCEN permitted only a truncated comment period but it may well seek to promulgate a final rule with near-immediate effect, prior to the conclusion of the Trump administration and dispensing with the 30-day period usually required between announcement of a final rule and when the rule takes effect. The notice accompanying the proposed rule sets out the rationales that the administration would use to defend both the limited comment period and giving the rule nearly immediate effect. Those rationales relate to the foreign affairs implications of the rule and the enforcement need for prompt action. Those justifications are highly controversial, and FinCEN’s limited comment period and quick formulation and implementation of a final rule, if that occurs, could well attract a legal challenge. Such a procedural challenge would also likely be combined with substantive challenges related to FinCEN’s treatment of potential adverse effects of the rule, consistency of the rule with other BSA policies, and FinCEN’s handling of the record evidence and objections presented as part of the comment process.

1 For this purpose, a “bank” includes a state or federal trust company.

2 LTDAs presumably include central bank digital currencies.

3 “Otherwise covered wallets” under the NPR refers to those wallets that are held at a financial institution that is not subject to the BSA and is located in a foreign jurisdiction identified by FinCEN on a List of Foreign Jurisdictions Subject to 31 CFR § 1010.316 Reporting and 31 CFR § 1010.410(g) Recordkeeping, designated as jurisdictions of primary money laundering concern (i.e., Burma, Iran, and North Korea).

4 For this purpose, a smart contract is self-executing computer code designed to automatically execute all or part of an agreement once deployed and run on a blockchain and that will not require the parties to the agreement reflected in the code to directly interact.

5 NPR at 27.

6 NPR at fn. 64.

7 In adopting this expansion, FinCEN relies on authority derived from 31 U.S.C. § 5312(a)(3) by treating CVC/LTDAs as “monetary instruments.” FinCEN does not, however, attempt to characterize CVC/LTDAs as monetary instruments more generally under its regulations.

8 Proposed 31 C.F.R. §1010.316(b).

9 NPR at 26.

10 NPR at 13.

11 Proposed 31 C.F.R. §1010.410(g)(1)(viii).

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.