OKCoin’s submitted response to FinCEN and a summary of our comment explaining how the proposed rule is likely to have a detrimental impact on crypto
On December 23rd, we posted our take on the recent proposed FinCEN ruling for cryptocurrencies, termed convertible virtual currencies (CVCs). Less than a week prior, on December 18th, FinCEN, a department of the US Treasury, announced a Proposed Rule that will require money services businesses (MSBs), including cryptocurrency exchanges, to collect and verify customers’ personal information for transactions over $3,000 sent to ‘unhosted’ wallets. In what appears to be rushed regulation, FinCEN gave the public only 15 days to respond to this proposal.
Yesterday, we submitted our formal comment and response to FinCEN, explaining why the proposed rule is not only detrimental to financial technology innovation in the United States, but will also negatively impact business in the sector.
Here is a summary of our comment, in 6 points:
- It is proposed that MSBs must report to FinCEN all transactions to “unhosted wallets” above the threshold of $10,000, either in a single transaction or on an aggregated basis in a 24-hour period.
- Under the current proposal, MSBs are required to maintain records of a customer’s transactions and information on the counterparties in the event that a counterparty uses an unhosted or covered wallet and the transaction exceeds $3,000.
- The effort and cost to comply would be astronomical and force smaller, regulated digital asset exchanges out of the US market, and potentially into unregulated jurisdictions.
- Tools such as the Bank Identification Code or SWIFT Code do not exist in the digital asset space.
- Digital asset service providers often operate globally across various jurisdictions, it can be difficult, if not impossible to establish the specific domicile of a wallet service provider.
- There are major security and privacy concerns with regulation that links an individual identity to a wallet address. Because of the inherent transparency of blockchain, anyone with access to this information would be able to see all transactions in and out of the account to be able to determine the current value of the wallet. A cybersecurity incident or data breach can cause an individual’s entire portfolio of digital assets to be exposed to the public leading to theft and fraud.
Read our full response below:
Via Federal E-rulemaking Portal
Docket No. FINCEN-2020-0020; 1506-AB47
Attn: Policy Division, Financial Crimes Enforcement Network P.O. Box 39, Vienna, VA 22183
January 4, 2021
Re: Proposed Rule on Requirement for Certain Transactions Involving Convertible Virtual Currency or Digital Assets
Dear Sir / Madam,
We welcome the opportunity to comment on the subject Proposed Rule published by the Financial Crimes Enforcement Network (“FinCEN”) on December 23rd, 2020.
OKCoin USA Inc. (“OKCoin”) operates as a digital asset trading platform and it is a licensed money transmitter (NMLS #1767779) and money services business (“MSB”) registered with FinCEN. We would like to express our concerns on the proposed rules for your consideration.
Currency Transaction Reporting (“CTR”) Requirements
It is proposed that MSBs must report to FinCEN all transactions to “unhosted wallets” above the threshold of $10,000, either in a single transaction or on an aggregated basis in a 24-hour period. Such reports have to be submitted within 15 days of the transaction. Currently, similar CTR requirements are not applicable to digital assets. If such reporting requirements are imposed, MSBs that provide digital asset services will have to design and implement additional processes and controls to compile, submit and ensure the accuracy of these reports. These processes will inevitably require extra costs and human resources for MSBs to develop and maintain the reporting protocols.
It is noted that a proposed exemption from the reporting requirement is available for those transactions that are between the MSB’s hosted wallet customer and a counterparty hosted wallet at a financial institution that is either regulated under the Bank Secrecy Act or located in a foreign jurisdiction that is not on the Foreign Jurisdictions List. Even with this exemption, MSBs will still need to establish procedures to determine if the counterparty’s wallet is hosted by a BSA-regulated MSB and whether a wallet is hosted by a foreign financial institution that is not located in a jurisdiction on the Foreign Jurisdictions List. Practically, there are two major challenges in relying on this exemption.
Firstly, MSBs will have to determine whether the foreign financial institution is located in a jurisdiction on the Foreign Jurisdictions List. Digital asset service providers often operate globally across various jurisdictions, it can be difficult, if not impossible trying to establish the specific domicile of a digital asset service provider. For example, Coinbase is headquartered in the United States, but has multiple entities in Singapore, Japan and the United Kingdom. Even if we can determine that funds were sent to a Coinbase hosted wallet, it will be impossible to ascertain which Coinbase entity the funds were distributed to.
Secondly, tools such as the Bank Identification Code or SWIFT Code do not exist in the digital asset space. In the absence of a global directory or a list of operating digital asset service providers and the fact that regulations on digital assets vary greatly amongst jurisdictions (even amongst members of the Financial Action Task Force), MSBs will need to spend significant time and effort to analyze the global regulatory regime in order to place reliance on the relevant exemption described by FinCEN.
Digital asset service providers rely on third party blockchain analytics tools such as Elliptic and Chainalysis to identify and analyze transactions on the blockchain. However, due to the design of blockchain technology, these analytics tools can only act as data aggregators in which they ascertain possible clusters and try to gauge whether a particular wallet address may belong to a specific cluster e.g. a digital asset service provider. Trying to determine with certainty whether the transaction involves an “unhosted wallet” or a “hosted wallet” held at a financial institution that is subject to the BSA and is not located in a foreign jurisdiction identified by FinCEN on a List of Foreign Jurisdictions, is impossible and not practical with the current tools available to the blockchain industry.
If forced to comply with the Proposed Rule, without an accurate and reliable global directory like SWIFT to identify the wallet provider with certainty, regulated digital asset service providers in the United States will have to apply the currency reporting requirements to ALL incoming and outgoing digital asset transactions above the $10,000 reporting threshold, out of an abundance of caution. The effort and cost to comply would be astronomical and force smaller, regulated digital asset exchanges out of the US market, and potentially into unregulated jurisdictions. This could be disastrous for the blockchain industry and counterproductive to the original intentions of this proposed rule by FinCEN. The additional resources and difficulty required to comply with the CTR requirements may force MSBs to prevent or restrict customers from transacting with “unhosted wallets” and driving customers to conduct transactions entirely through “unhosted wallets” instead. MSBs are required to conduct Know-Your-Customer (“KYC”) on their customers under the BSA and MSBs also conduct transaction monitoring and file Suspicious Activity Reports to FinCEN. These requirements do not exist when transactions are conducted entirely through “unhosted wallets” without going through a regulated MSB. This in effect fails to achieve the objective of making malign actors engaging in illicit financial activities via digital assets more detectable and traceable.
Furthermore, the added costs and resources associated with implementing the CTR requirements may cause MSBs to conclude that it is no longer favorable to operate in the US. MSBs may choose to shift their operations to jurisdictions that do not impose such reporting requirements and provide unregulated services to US residents.
Identifying “Unhosted Wallets”
Under the current proposal, MSBs are required to maintain records of a customer’s transactions and information on the counterparties in the event that a counterparty uses an unhosted or covered wallet and the transaction exceeds $3,000. Amongst the information to be collected are the name and physical address of the counterparty(ies). MSBs are also required to verify the identity of customers in relations to transactions involving “unhosted wallets”. Additionally, MSBs are not supposed to complete the transmission of funds until the relevant recordkeeping and verification is complete. In order to comply with these requirements, MSBs will need to design workflows to obtain the necessary information and establish processes to handle scenarios where there is a delay or where the MSB is unable to obtain the required information.
In addition to the technical difficulty in identifying an “unhosted wallet”, the collection of the counterparty’s name and physical address offers limited value as there is no viable way to verify such information.
We foresee that the identification of an “unhosted wallet” and the collection of information will cause considerable delay in the transaction speed. The ability to conduct speedily transactions is one of the attributes contributing to the popularity of digital asset transactions. The impacted speed and the additional KYC information to be collected can turn customers away from hosted wallets based in the US. The added compliance burden on US-based MSBs and affected customer experience will weaken the competitiveness of US-based MSBs and divert business opportunities and technological developments to other (likely unregulated) jurisdictions. Also as discussed previously, driving customers away from hosted wallets which are subject to BSA and relevant KYC requirements is going to be counterproductive to the intent of having these proposed controls in place.
Data Privacy Concerns
The use of “unhosted” or self-hosted wallets has legitimate business purposes, in particular, concerns about data security. This Proposed Rule has the potential to cause MSBs to collect more information than necessary out of an overabundance of caution as previously explained. It also heightens concerns around data leakage and cybersecurity incidents as a vast amount of personal information would be transmitted to FinCEN’s centralized portal. Ownership of digital assets is recorded on the distributed ledger by associating a wallet’s public address with assets linked to them. Given that this is open source information, if the name and physical address of a beneficiary has to be recorded and transmitted through a centralized portal, a cybersecurity incident can cause an individual’s entire portfolio of digital assets to be exposed or possibly leading to theft and fraud.
We appreciate regulatory initiatives that help to enhance the credibility of the burgeoning digital assets industry and we support regulatory requirements that help MSBs in discharging anti-money laundering and counter-terrorist financing obligations. We respectfully request FinCEN to have dialogues with the industry to provide practical and clear guidelines taking into account the nature and characteristics of the rapidly evolving industry. We also urge FinCEN to engage the industry and allow a reasonable time frame for complying with additional regulatory requirements so that appropriate systems, programs and technologies can be developed to cater to these requirements.
Chief Compliance Officer OKCoin38