Financial Crimes Enforcement Network
P.O. Box 39
Vienna, VA 22183
FinCEN file number FINCEN-2020-0020, RIN 1506-AB47
December 30, 2020
To whom it may concern:
I’m Ben Davenport, an entrepreneur and investor. Previously, I was a co-founder of BitGo, the first non-custodial multi-sig wallet provider and now the leading provider of cryptocurrency custody services. I am also an investor in companies like Kraken, Xapo, and Paxos. Today I am a venture partner at Blockchain Capital, the oldest venture fund in the field of cryptocurrency. These comments are my own and do not reflect the views of my current or previous employer, or the companies I have invested in.
I am pleased to have the opportunity to comment on the proposed regulations. However, I take serious issue with the process by which these proposed rules are being put in place. Instead of a standard 30 or 60 day comment period, FinCEN decided to use only a 15 day comment period at the height of a pandemic, at a time of year when most people spend time with their families. It feels unnecessarily rushed and gives the appearance that FinCEN and/or the Secretary are trying to enforce new regulations unhindered or simply to dampen any opposition to them. FinCEN owes it to its own reputation and credibility, as well as to the American people, to immediately extend the comment deadline so that more thoughtful and diverse voices can be heard.
I also have serious objections to the content of the rules themselves. The new rules would:
- go far beyond any existing financial monitoring measure,
- offer little in terms of new investigative powers,
- push bad actors to offshore or unregulated locations,
- destroy the financial privacy of Americans, and
- put Americans in real physical danger.
Comments on the CTR request
The rules propose applying the existing CTR reporting framework to any customer making a withdrawal or series of withdrawals over $10,000. On the surface this can seem reasonable, as the same rules apply to customers withdrawing cash from a bank or MSB. But below I give some important reasons why this is not a simple analogy and explain why the proposed rules would pose serious risks to Americans.
i) The traceability of the cryptocurrency means a permanent loss of privacy for Americans.
While bitcoin and cash are both bearer assets, they differ significantly in terms of traceability. Cash is practically untraceable as soon as it has left the bank. Bitcoin and other cryptocurrencies, on the other hand, are highly traceable, and law enforcement officials say they would very much prefer criminals to use cryptocurrency instead of cash precisely because of the law enforcement capabilities it gives them. In fact, the transaction history on a blockchain lives forever and becomes more understandable from day to day, both as new technologies evolve and as more gaps are filled, making it a particularly bad choice for criminals.
All of this means that once FinCEN has a database of all of a client’s major payouts, it not only knows the fact of that payout, but can also track and trace the flow of all these funds on the blockchain in real time. If the transaction is a deposit, FinCEN can look back in time to follow the user’s full transaction history, no matter how small or harmless. In other words, the proposed rules would violate the privacy of law-abiding Americans in ways that go well beyond the existing ability to subpoena bank/MSB records, as they are largely indiscriminate, much like mass wiretapping and bulk collection of phone metadata.
ii) The massive accumulation of data puts Americans in real physical danger.
The proposed CTR requirements would create an extensive database at FinCEN / Treasury that would ultimately put Americans in real physical danger. The huge amount of data would create a honeypot so juicy that it would be irresistible to hackers, whether government sponsored or financially motivated. And with recent news that key Treasury databases have been hacked and stolen, the risk is far from theoretical.
It is likely that most cash withdrawals reported on a CTR are not taken home and placed under the customer’s mattress. Rather, they are used relatively soon afterwards to make a large purchase, gamble in Las Vegas, or for some other transaction purpose (whether legal or illegal). Bitcoin and other cryptocurrencies, on the other hand, are largely used as investments. So a withdrawal to an unprotected wallet is most likely just a person choosing to hold their own assets without being subject to counterparty risk.
This means that a traditional CTR record for cash is not that valuable to an attacker, since the cash has typically long been gone. However, a CTR for cryptocurrency can be extremely valuable. The record would include the subject’s name and physical address as well as the address and amount of the cryptocurrency. The attacker can even see on the public blockchain whether the coins have moved or not, which leads them to the victims most vulnerable to blackmail. Even a database theft from a single bank or MSB can cause myriad problems for affected customers. The concentration of risk at the federal level, and the exposure of any American who owns more than a token amount of cryptocurrency, is simply incomprehensible.
This point is so critical that I will repeat it: Creating a central repository of individual cryptocurrency owners puts them all at serious risk and, far from reducing crime, creates the potential for an unprecedented wave of violent crime.
iii) Large cryptocurrency deposits and withdrawals are far more common than cash.
The percentage of cash withdrawals or deposits that involve something nefarious may be relatively high (although I don’t know the specific numbers). This is simply because there aren’t as many types of transactions that require or want cash in today’s world, and therefore illegal uses make up a correspondingly higher proportion of total cash transactions. On the other hand, with cryptocurrencies, which are mainly held as investments, larger transactions are simply commonplace. It is well known in the community that, due to the risk of cybercrime and/or fraud by the MSB, it is a very bad idea to trust an exchange to keep your coins long term.
Because of this fact, any bad actor signal received by FinCEN is completely buried in the noise of perfectly normal large withdrawals and deposits. Without sophisticated blockchain analytics to pick out the funds that go to bad actors, the CTR records are of no use to law enforcement. And if the blockchain analysis software can identify traces of funds moving to or from bad actors, then identifying information for every link in that chain that touches an exchange or other MSB can already be easily obtained through the normal precharge process without violating the privacy of law-abiding citizens. The bottom line is that the bulk collection of CTR records serves only to create the panopticon described above over everything that innocent users do (or have done) with their funds.
Wallet Review Comments
The proposed rules also seem to require MSBs to “verify” customers’ addresses when they are sending or receiving more than $3000. There are serious problems with this requirement, which creates significant friction for users and difficulties for exchanges while providing exactly zero additional information useful for law enforcement. My reasons are as follows:
i) It is impossible to prove ownership of an address.
At first glance, it seems that Bitcoin and other cryptocurrencies make it easy to prove possession of an address. Just sign a message with the public key associated with an address or make a small transaction back to a specified address. However, this does not prove anything about ownership of this address. All it proves is that the user making the transaction can get the person or entity controlling the address to jump through these additional hoops.
ii) Transactions do not have a “return address”.
For all UTXO-based cryptocurrencies (such as Bitcoin) there is no “sending address” for a transaction. While verifying an address for a withdrawal may be possible (though meaningless, as shown above), verifying the source of an incoming transaction is essentially impossible in the normal case where the inputs of one transaction are the outputs of several previous transactions. The user might be forced to jump through hoops to pre-consolidate their money into a single address that they then verify with the exchange, with no real information gained for law enforcement.
iii) The proposed requirement does not contain any actual new information.
When a user makes a deposit or withdrawal with a regulated MSB, the MSB must have KYC information about that user in order to serve them. So we already know who is responsible for the deposit or withdrawal, regardless of which wallet it came from or went to: the user known to the MSB. Whether a user withdraws directly to their own “verified” address and then sends to a bad actor, or whether the user sends directly from the exchange to the bad actor, does not matter to the investigative powers of the law enforcement agencies. In fact, I believe law enforcement would likely prefer the illegal transaction to take place directly on the exchange, where there is a chance the exchange can use its own blockchain analytics software to block it or file a suspicious activity report (SAR). As things stand, all the proposed rules do is force bad actors to improve their operational security.
iv) Law enforcement efforts are actively harmed.
As mentioned above, the more hoops users of US exchanges have to jump through, the greater the likelihood that these users will think twice before using these exchanges for their illegal activities. And it is precisely the use of these regulated exchanges that allows law enforcement to make arrests and successfully prosecute bad actors. By moving illegal activity to offshore or unregulated exchanges, law enforcement powers are necessarily reduced.
v) Emerging uses of cryptocurrency are crippled.
There are many new uses for cryptocurrency where the user deposits or withdraws from a smart contract rather than from another MSB or their own wallet. A smart contract cannot comply with FinCEN’s guidelines (it is not a legal entity and may not have an owner or controller), nor can it prove its identity to an MSB. These smart contract applications (which are currently attracting hundreds of millions of dollars in venture capital) would be crippled and America’s competitiveness would be severely damaged in this potentially important emerging area.
Given the serious issues raised above, I believe it is absolutely up to FinCEN and the Secretary to significantly extend the deadline for comments on this proposal and to have a real two-way dialogue with companies and industry experts, while listening to the concerns of the public. What is at stake is nothing less than:
- the privacy and safety of millions of Americans,
- the ability of law enforcement agencies to do their jobs effectively; and
- the competitiveness of US companies in an important emerging technology sector.