Policy DivisionFinancial Crimes Enforcement NetworkP.O. Box 39Vienna, VA 22183FinCEN Docket No. FINCEN-2020-0020, RIN 1506-AB47January 4, 2020Dear Sir or Madam,The proposed regulations on currency transaction reports and record-keeping seem to require that banks and money services businesses (MSBs) be able to prove that an identified counterparty to a transaction indeed owns one or more particular cryptocurrency addresses, when that counterparty uses an unhosted wallet and the transaction is over $3,000 in value. (The $3,000 mark would invoke the record-keeping requirement, while the $10,000 mark would also invoke the currency transaction report requirement.)The proposal makes no explicit distinction between withdrawals and deposits, so I assume that the aforementioned proof of ownership requirement would apply to both types of transactions if they exceed $3,000 and involve a counterparty with an unhosted wallet. From here on out, I will call any procedure or measure that attempts to prove the ownership connection between a counterparty’s identity and one or more cryptocurrency addresses, as an “address verification procedure.” I will refer to the general process itself as “address verification.” In my country of residence, the Netherlands, the central bank rushed through address verification last fall for those transactions from exchanges and custodians which involve withdrawals to an unhosted wallet. By contrast to your proposal, address verification is required in the Netherlands on withdrawals in these cases regardless of the transaction value. Address verification is not a requirement for deposits from an unhosted wallet. As a long-time consultant and educator within the cryptocurrency ecosystem, I have given extensive consideration to the practicality and desirability of address verification in light of the measures that have recently been taken by the Dutch central bank (De Nederlandsche Bank NV). And I want to share with you my thoughts on these matters. Overall, my conviction is that address verification is unlikely to be very productive in fighting financial crime, and that it carries significant costs to commerce and innovation, and customer privacy and security. In this letter, I would like to set out why I am so skeptical of the practice of address verification and why I deem your proposal unworkable and disproportionate. Before starting, I would like to make three comments regarding the scope of my critical feedback. First, neither from your proposal nor from any additional commentary on your part have I been able to ascertain exactly what types of measures you propose for address verification. I would assume, however, that you have in mind similar procedures as those that are currently recommended by the central bank in the Netherlands to our custodians and exchanges.Hence, I will take its suggested procedures as a guideline for formulating my criticisms of address verification. These suggested procedures are as follows:
Second, I will limit my examples to cases in which money is withdrawn to an unhosted wallet. The same criticisms can be leveraged against the case in which money is deposited from an unhosted wallet. In fact, address verification is an even bigger practical problem in the case of deposits, as cryptocurrency transactions typically involve multiple unspent transaction outputs as their inputs (meaning that you would have to connect an identified counterparty to multiple addresses, not just one). Third, your regulation also proposes address verification in cases where the counterparty’s wallet is hosted, but the bank or MSB of which the counterparty is a client is located in certain foreign jurisdictions. I only restrict my commentary to cases in which the counterparty uses an unhosted wallet. Unproductive In The Fight Against Financial CrimesThe proposal intends for address verification to combat a wide variety of financial crimes. In the executive summary, for example, the proposal states:As explained further below, U.S. authorities have found that malign actors are increasingly using CVC to facilitate international terrorist financing, weapons proliferation, sanctions evasion, and transactional money laundering, as well as to buy and sell controlled substances, stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms, and toxic chemics. In addition, ransomware attacks and associated demands for payment, which are almost exclusively denominated in CVC, are increasing in severity, and the G7 has specifically noted concern regarding ransomware attacks ‘in light of malicious actors targeting critical sectors amid the COVID-19 pandemic. I cannot possibly discuss address verification procedures with regards to all of these crimes. So, instead, I will just limit my discussions to some financial crimes that are at least a major part of the concerns with these proposed regulations: money laundering, terrorist financing and sanctions evasion. These are structurally very similar crimes, even though they differ in terms of their legal underpinnings and substances. And address verification procedures are going to have little effect on combating them for the same reasons, in my opinion. Suppose, for example, that the customer of an exchange is intent on laundering money for a drug cartel via bitcoin, and that the exchange implements address verification by having customers take screenshots of their wallets. How exactly would this stop the customer from participating in money laundering activities? The customer could easily circumvent the requirement in the following manner:
Sometimes customers are tricked into being money mules, rather than intentionally supporting a criminal organization. Even for such customers, however, it would not really change much about my reflections above. If a customer can be tricked into becoming a mule for a criminal organization, it is unclear how a screenshot might help prevent their stupidity.And these conclusions can be made more generally about most other address verification procedures. I didn’t just cherry pick the screenshot implementation of address verification. Many other practical implementations — such as making digital signatures or sending back some of the funds — would experience a similar level of fecklessness. Overall, address verification procedures really seem to offer no additional tangible benefits with regards to combating money laundering, terrorist financing and sanction evasion when standard customer due diligence and transaction monitoring procedures are in place. I am not much convinced that address verification fights other types of financial crime well either, at least not in any way that could not also be done in a less invasive manner. I believe the comments above are enough to show the types of effectiveness problems address verification will experience in practice. The Costs Of Address Verification ProceduresAddress verification also comes with significant costs. Precisely what these costs are will depend on the exact measures taken by the banks and MSBs that have to implement it. But I want to emphasize two major concerns that, to different degrees, will probably apply to some extent for any practical implementation of address verification. First, address verification procedures present a hurdle to commerce and innovation. Suppose, for instance, that an exchange required all counterparties to draw a connection between their identity and their cryptocurrency address(es) on an unhosted wallet via a digital signature over the address(es). (I set aside for the moment the concern that this would be an ineffective proof of anything.) Most customers have no idea how to make digital signatures and this will create an overload of customer complaints and requests. It would also require customers to obtain software and hardware that could relatively safely allow them to make these digital signatures. A lot of business will probably be lost as a consequence of the chaos of implementing such an address verification procedure. Some possible implementations of address verification, of course, might be slightly less invasive to commerce, such as a screenshot of a wallet (again setting aside the concern that this would be ineffective proof of anything). But even here, we have to recognize that some costs or complications to commerce and innovation will materialize. For instance, as cryptocurrencies are programmable, you can also send them to addresses governed by decentralized protocols, not human beings. While these decentralized protocols are largely experimentation at the moment, they may prove to have very interesting and valuable use cases. But how exactly could these decentralized protocols fit into the proposed address verification requirement? In my view, the proposed regulations cannot accommodate this kind of use case: decentralized protocols do not have identities or physical addresses after all. So, even a relatively simple measure to implement address verification by a bank or MSB, such as a wallet screenshot, will have negative consequences to commerce and innovation. Second, address verification is likely to hurt customer privacy and security. I will just run through a couple of the possible implementations to make the point. To start, a screenshot reveals what type of wallet a customer is using and potentially further information, potentially about the type of operating system or device. A video conference will reveal even more about the customer’s personal storage arrangements. This type of information is very dangerous in the wrong hands. We do not ask customers of precious metal merchants where they store their gold and silver. So why do this with bitcoin customers? While I recognize that bitcoin is much more liquid and introduces additional risks with regards to financial crimes, the higher the risks for customer privacy and security are in my opinion not proportionally weighed with address verification procedures. Another likely candidate for address verification is making a digital signature over the counterparty’s address. It is a well-established best practice within the Bitcoin industry that you only reveal your public key when making a transaction (hence, why you should only use an address once). This type of measure would directly contravene industry best practices. ConclusionIn conclusion, I am doubtful that address verification procedures, as required for those contexts prescribed by these regulations, will make any real contribution to fighting financial crimes. At least, I have not really seen any sound implementation of them that would make me think otherwise.In addition, address verification procedures come with costs to commerce and innovation, and customer security and privacy. Surely these costs depend on how exactly you implement them. But costs they will have, at least in any way that I can envision their implementation. I, therefore, urge FinCEN to stop moving with this proposal in its current form. Any revised proposal must in my opinion answer three key questions:
Sincerely,Jan-Willem BurgersThe author would like to thank Daan Kleiman for his critical feedback on an earlier version of this letter.