FinCEN Proposes Insane Special Measures
Yesterday’s FinCEN rule proposal is incredibly overbroad, comprehensive, and perfectly designed to allow arbitrary information collection at any scope they choose to enforce. It truly is a mind-blowingly large grab attempt at private information of anyone they can get their hands on. They want all regulated entities — VASPs, banks, financial institutions or entities like casinos, etc. — to by default submit reports of any transactions interacting with mixing within 30 days of noticing the relevant transaction and its association to mixing activity. Currently, most exchanges and businesses keep these records anyway, but they do not by default send copies of them to regulators unless deeper inspection actually merits a reason to do so. FinCEN wants that to change.
To really get a sense for the scope of things, the first thing to look at is the definitions of mixing provided in the proposal. Obviously, the act of mixing is obscuring the source of funds, but the specific technical definitions they give for what falls under the definition of mixing are incredibly broad when looked at together. Let’s go through them:
- “Pooling or aggregating [funds] from multiple persons, wallets, addresses, or accounts” This encompasses so many different activities other than a traditional custodial mixing service. Lightning channels? That is multiple persons pooling and aggregating funds together. Multisig wallets held by multiple people in general are doing the same thing. Just combining a recent withdrawal from Coinbase with coins you had from Kraken from the point of view of both exchanges is pooling funds from multiple addresses. According to the language of this proposal, something that just happens on a regular basis in the normal course of using Bitcoin, with no attempt whatsoever to obscure or render private anything about the activity, fits into the definition of mixing.
- “Using programmatic or algorithmic code to coordinate, manage, or manipulate the structure of a transaction” Again, that completely covers the Lightning Network. Coinjoins fall into this definition. In fact…you know what? This is so ridiculously and absurdly broad — it doesn’t even specify manipulating the structure of a transaction to attain obfuscation of the source of funds — that this literally encompasses any piece of Bitcoin software that handles making and signing transactions. 100% of the transactional activity on the Bitcoin blockchain out of sheer logical necessity fits this definition of mixing.
- “Splitting [funds] for transmittal and transmitting the [funds] through a series of independent transactions” This is also incredibly broad. How are legitimate independent transactions between the same parties to be distinguished from a single transaction split into many for obfuscation purposes? What about situations where that is a perfectly legitimate thing to do for no reason other than your personal privacy? What if I only have three different UTXOs that three separate people know about, and I don’t want to reveal to all three of them my payment history with the other two in order to make a payment requiring all three UTXOs? Does opening multiple independent Lightning channels with the same node constitute this?
- “Creating and using single-use wallets, addresses, or accounts, and sending [funds] through such wallets, addresses, or accounts through a series of independent transactions” So default behavior of the super majority of Bitcoin wallets — not reusing addresses — constitutes mixing? When I go to my exchange to withdraw with a unique address every time, are they required to consider that action “mixing” my coins? Do physical Bitcoin bearer instruments constitute “single-use wallets?”
- “Exchanging between types of [cryptocurrencies] or other digitals assets” So every single person trading NFTs, dumb tokens, utility tokens, and just outright shitcoins, whether on an exchange or on-chain through different mechanisms, is now mixing?
- “Facilitating user-initiated delays in transactional activity” Uhm..timelocks in Lightning? Any type of 2FA rate limited multisig set up? Just the DCA scheduled withdrawal function at different on-ramps? All of this is now mixing?
The definition of [cryptocurrency] mixer is “any person, group, service, code, tool, or function that facilitates [cryptocurrency] mixing.”
Now of course, FinCEN carves out an exception for regulated businesses and institutions covered by the proposed rules for “internal processes” (i.e. the DCA withdrawal functions mentioned above) so as to not interfere with their business operations, provided they can provide the required records to law enforcement whenever required. If a business is unsure whether or not activity they engage in falls under the category of mixing and the exemption, they must by default begin maintaining the required records to provide to law enforcement if required.
Of course, no such exemption exists for private individuals simply seeking to maintain the privacy of their financial activity from the public. Here is the information, within 30 days of being noticed by a business subject to the proposed rule, that would be required to be reported to the government, for every single transaction:
- The amount of cryptocurrency transferred, in native units and USD value at the time.
- The cryptocurrency involved.
- The mixer protocol/service/etc. used, if known.
- Any addresses associated with the mixer used.
- Any addresses associated with the user who mixed.
- The TXID of the relevant transaction.
- The date of transaction.
- Any IP addresses associated with the transaction.
- A “narrative” explaining context, the transaction itself, what the institution did, etc.
In terms of private information about the user involved in the transaction, here is the information proposed to be collected and directly reported to the government for every transaction:
- User’s full name.
- User’s date of birth.
- User’s full address.
- User’s email address.
- User’s IRS Taxpayer Identification Number (TIN) or foreign equivalent.
Now really think about the broad scope of things that FinCEN is proposing to define as mixing, and the type of information they want directly reported to the government every time a regulated business in this space sees a customer engage in any of those behaviors. These rules, if enacted, would allow FinCEN at any point to arbitrarily capture almost any activity on the blockchain and deputize every regulated business in the space to act as an outsourced chainanalytics service tagging, cataloging, and reporting all of the information to the government.
The authority to propose and enact rulings like this is authorized to the Secretary of the Treasury under the Banking Secrecy Act, and delegated to FinCEN by the Secretary. Under the BSA the Secretary is allowed to mandate the retaining of records of net flows of money and individual transactions, mandate additional record keeping requirements or reporting requirements for certain types of transactions, or prohibit maintaining or allowing accounts or services that allow for specific types of transactions, as long as they can argue a material risk of money laundering. During this assessment they are required to consult with the Secretary of State and the Attorney General, and consider the extent to which the relevant class of transaction facilitates money laundering and terrorist financing weighed against the extent to which that class of transaction facilitates legitimate business and commerce.
Their argumentation that it presents a material risk of money laundering and terrorist financing leans on all the factual examples of bad people mixing you would expect them to. Ransomware, exchange and cross-chain bridge hacks, etc. They bring up TornadoCash, and North Korean groups mixing funds with it, its use in laundering funds from bridge hacks, etc.; all of the big examples of exactly the type of activity these proposed rules are meant to stop that have been detected, analyzed, and cataloged on-chain are trotted out. But when it comes time to analyze the legitimate uses of mixing?
They can’t determine or assess the percentage of legitimate mixing because of a lack of data.
Yeah, you read that right. When it comes to identifying activity on-chain that suits their argument, they have a bounty of examples to cite and point to, but when it comes to activity that would bolster the counter-argument, the data is somehow not there to be found. It’s not possible to watch and analyze the transactions happening on-chain, regardless of whether they are coinjoins, centralized mixing services, or whatever flowing into those mixers and determine if there are “illicit connections.” It’s impossible to look at the percentage coming from regulated exchanges where you know some record is present if you need it. It’s impossible to look at what coins are coming from places like darknet markets. It’s also completely impossible to see what percentage of the outflows from those mixers go to regulated exchanges, or innocuous transactions not intersecting with any known “illicit activity”, versus obvious illegal activity like back into darknet markets.
The data just isn’t there for some mystical reason. I call bullshit. It’s right there, just like it is for the cases of someone like North Korea hacking an exchange and mixing the stolen funds. They’re just going to pretend it isn’t so they can create a legal justification to take all this information businesses are already processing and storing and make a nice complete copy in the hands of government regulators themselves.
This is nothing short of a systematic preparation for an enforcement crackdown, and potentially progressively increasingly antagonistic regulatory scheme. The nature of how FinCEN has to argue just cause to enact new rules centers around scrutinizing the nature of specific classes of transactions. The overly and absurdly broad definitions of “mixing” in this proposal would essentially take everything broken down in the six definitions provided and bring them together under the same class of transactions, “mixing.” After having shown just cause to categorize and regulate them as a single class, there is a much sounder footing to further carve this single general class into subclasses, and argue just cause to subject specific subclasses to extra regulatory burdens. At the end of the day, they can also prohibit entirely specific classes of transactions given a sound enough argument for mitigating serious harm to the financial system or US geopolitical interests.
First and foremost, this must be routed around. Every substantial piece of Bitcoin should be designed with the possibility of jurisdictions becoming unfriendly to them, if not outright hostile. The scope of this is something all of you should be seriously considering when thinking about how you have interacted with Bitcoin, how you do interact with Bitcoin, and how you are going to interact with it in the future.
But that said, this is also something that should be fought. The scope of it is insanely overbroad in its attempted reach, and the reasoning behind the positive outcomes outweighing the harmful is just fundamentally broken. They just pretend they can’t even ascertain the data to weigh them against each other in the first place.
Actions on the part of the government aren’t going to be absurd jokes that will be easily ignored, or easily routed around anymore. Things are going to continue becoming more reasoned through in effectively achieving the outcome they want, and that is something that all of us need to start taking more seriously.
20 October 2023 20:47