FinCEN proposes rule targeting international convertible virtual currency mixers

On October 19, 2023, the Financial Crimes Enforcement Network (FinCEN) released a notice of proposed rulemaking (NPRM) that would designate transactions involving international convertible virtual currency[1] mixing (CVC mixing) as a class of transactions of primary money laundering concern.[2] Once implemented, the proposed rule would require covered financial institutions to collect and report certain details on transactions in CVC (including bitcoin and other digital assets) that the institutions know, suspect, or have reason to suspect involve CVC mixing activities outside of the United States. The NPRM is one of a series of measures that the United States Treasury Department (Treasury) has taken in recent years to target CVC mixers, which are third-party services used to anonymize cryptocurrency transactions.[3] According to Treasury, North Korea, terrorist groups, and other illicit actors have exploited CVC mixers to launder criminal proceeds and evade sanctions. FinCEN believes that the NPRM will curb the misuse of CVC mixers and facilitate law enforcement investigations into CVC transactions.

The NPRM would not prohibit financial institutions from processing transactions that involve CVC mixers and would only apply to transactions “in CVC.” As FinCEN noted, therefore, the scope of the NPRM would generally be limited to institutions that directly engage with CVC transactions—such as virtual asset service providers (VASPs) —rather than downstream financial institutions that process “indirect fiat transactions.”[4] FinCEN also clarified that financial institutions would only be required to report information in their possession and would not be required to contact transaction counterparties to collect additional information. Nevertheless, the NPRM would, on its face, require covered financial institutions to collect and report a range of data that currently falls outside the scope of reporting requirements under the Bank Secrecy Act (BSA) and may require financial institutions to reassess their transaction monitoring and suspicious activity reporting controls.

The NPRM is not yet final or effective and its reporting and recordkeeping requirements will not apply until the comment period has ended and FinCEN issues a final rule. FinCEN is soliciting comments on the NPRM generally and posed a number of questions for public comment, including the scope and timing of reporting requirements, the compliance burdens and challenges that would result from the NPRM, and any issues requiring clarification and guidance. Comments are due to FinCEN by January 22, 2024.

What the NPRM would do

Designation of CVC mixing as a “primary money laundering concern”

FinCEN issued the NPRM using its authority under Section 311 of the USA PATRIOT Act,[5] which authorizes Treasury to designate foreign jurisdictions, financial institutions, classes of transactions, and types of accounts as being of “primary money laundering concern.” After making this designation, Treasury may impose one or more of five “special measures,” which include information-gathering and record-keeping requirements for financial institutions and prohibitions on opening or maintaining correspondent or payable-through accounts that “involve” the designee. The NPRM would impose the first of the five special measures, which requires financial institutions to keep records of and report biographical and transactional information related to transactions involving international CVC mixing. Because FinCEN’s authority under Section 311 extends only to transactions “involving a jurisdiction outside of the United States,” the NPRM’s requirements would not apply to transactions that exclusively involve U.S. entities and have no international nexus.

FinCEN rarely uses its Section 311 authority, and the NPRM would be the first time that FinCEN invokes Section 311 to designate a “class of transaction.” The NPRM is consistent, however, with longstanding concerns that Treasury and law enforcement have expressed with respect to CVC mixing. As FinCEN noted in the NPRM, mixers have been used to facilitate money laundering, sanctions evasion, and weapons of mass destruction proliferation by North Korea, Russian-associated ransomware actors, terrorist groups, and cyber criminals. In two well-known incidents, for example, North Korea-controlled cyber actors used mixers to launder $455 million stolen in March 2022 and $20.5 million stolen in a subsequent cyber heist in May 2022. The Office of Foreign Assets Control subsequently imposed blocking sanctions on both mixers.

FinCEN concluded that imposing reporting and recordkeeping requirements on financial institutions would help mitigate the anti-money laundering and countering the financing of terrorism (AML/CFT) risks presented by mixers, by (1) facilitating investigations by law enforcement and regulators and (2) highlighting the risks and deterring illicit actors’ use of CVC mixing services.

What the NPRM requires

The NPRM would require “covered financial institutions” (broadly defined to include “financial institutions,” as defined under the BSA,[6] such as banks and money services businesses) to collect and report to FinCEN certain information on “covered transactions,” which are transactions “in CVC” conducted “by, through, or to the covered financial institution that the covered financial institution knows, suspects, or has reason to suspect involves CVC mixing within or involving a jurisdiction outside the United States.” CVC mixing, in turn, means “the facilitation of CVC transactions in a manner that obfuscates the source, destination, or amount involved in one or more transactions, regardless of the type of protocol or service used.” The NPRM’s definition of “CVC mixing” lists several non-exclusive examples, including:

• Pooling or aggregating CVC from multiple persons, wallets, addresses, or accounts;
• Using programmatic or algorithmic code to coordinate, manage, or manipulate the structure of a transaction;
• Splitting CVC for transmittal and transmitting the CVC through a series of independent transactions;
• Creating and using single-use wallets, addresses, or accounts, and sending CVC through such wallets, addresses, or accounts through a series of independent transactions;
• Exchanging between types of CVC or other digital assets; or
• Facilitating user-initiated delays in transactional activity.

A covered financial institution would be required to report certain data on the covered transaction and the information “in its possession” within 30 calendar days of initial detection of the transaction. This information would include, among other things:

• The type of CVC transferred and the amount (including U.S. dollar equivalent);
• The mixer used, if known;
• The CVC wallet addresses of the mixer and the customer;
• The transaction hash, date of transaction, and relevant IP addresses;
• Identifying information on the customer (e.g., name, address, and date of birth); and
• A narrative description.

FinCEN noted that many financial institutions already collect this information as part of their risk-based AML/CFT programs, which suggests FinCEN believes that the NPRM would not impose a significant additional burden on covered financial institutions. The agency expects financial institutions to use a risk-based approach to compliance with the NPRM, including the use of “free and paid blockchain analytic tools commonly available.” Notably, the filing requirements under the NPRM would not relieve covered financial institutions from their existing obligations under the BSA to file suspicious activity reports (SARs). Accordingly, because FinCEN views all transactions involving international CVC mixing as inherently suspicious, the NPRM would arguably lead to duplicative reporting, as covered institutions would be expected to file a SAR for CVC mixing transactions, regardless of whether they have already submitted a report under the proposed rule.

Implications of the NPRM for financial institutions

As FinCEN observed in the NPRM, the rule would cover a limited universe of financial transactions and the definitions used in the rule tend to limit its scope. First, the NPRM would only apply to transactions “in CVC,” meaning that reporting requirements would only extend to financial institutions “that directly engage with CVC transactions, such as a CVC exchange” or other VASPs. FinCEN stated that the proposed rule is not intended to apply to fiat currency transactions that “are only indirectly related to CVC,” such as “a bank sending funds on behalf of a CVC exchanger that is acting on behalf of a customer purchasing CVC previously processed through a CVC mixer.” In other words, financial institutions would not be expected to determine whether a non-CVC transaction involves funds that, at one time or another, were linked to a CVC mixer.[7]

Second, a financial institution would only be required to report information “in its possession,” meaning the rule in theory would “not require a covered institution to reach out to the transactional counterparty to collect additional information on the CVC mixing transaction.” FinCEN clarified that covered institutions “would need to collect required information about the covered transaction,” but the reports submitted to FinCEN would only need to include “as much of the reportable required information as available to the affected institution.” Nevertheless, financial institutions would still be expected to revise their recordkeeping and reporting policies to align with the NPRM’s requirements, and as a practical matter they may be required to contact customers and counterparties to collect additional information. This may be necessary, for example, to determine the purpose of the transaction, identify any nexus to international mixing activities, confirm that the transaction falls within the scope of reporting requirements, and provide an adequate narrative description to FinCEN. In this regard, financial institutions may face challenges in determining when CVC mixing “involves” a jurisdiction outside of the United States, both as a technical matter and owing to the ambiguous regulatory language.

Although many financial institutions already classify transactions involving mixers as high risk, the NPRM may nevertheless require covered financial institutions to reassess their transaction monitoring and suspicious activity reporting controls. The NPRM also makes clear that, regardless of whether reporting requirements apply under the proposed rule, all financial institutions should presumptively treat transactions that they know to have involved an international CVC mixer as high risk.[8]

Looking ahead

The proposed rule is not the first—and most likely, not the last—action taken by Treasury to target CVC mixers. Recent events have brought the issue into even sharper focus, following reports that Hamas’s financing network has relied on CVC to raise funds. The NPRM also follows a number of proposed measures in recent years that have generally focused on AML/CFT compliance in the CVC ecosystem, including the proposed Digital Asset Anti-Money Laundering Act of 2023 introduced in July[9] and two proposed rules that FinCEN released in 2020 that have yet to be finalized.[10] Treasury’s specific concerns with CVC mixers were also highlighted in its 2022 National Money Laundering Risk Assessment (discussed in our March 2022 client update) and its 2022 Action Plan to Address Illicit Financing Risks of Digital Assets (discussed in our September 2022 client update).

Although the NPRM itself would have a relatively narrow focus, several open questions remain. For example, it is unclear when a financial institution would be expected to know if mixing activities “involve” a non-U.S. jurisdiction. In addition, it is unclear what FinCEN’s minimum expectations would be for the information included in a report, given that the NPRM would only require covered financial institutions to submit information “in their possession.” The public will have 90 days to submit comments on the NPRM, and stakeholders are encouraged to provide their views.