On December 18, 2020, the Financial Crimes Enforcement Network (FinCEN) filed a notice of proposed rulemaking (NPRM), Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets(Proposed Rule). The Proposed Rule would define by regulation that convertible virtual currency (CVC) and digital assets with legal tender status (LTDA) are “monetary instruments” for the purposes of the Bank Secrecy Act (BSA). The proposed rule would also impose certain reporting, recordkeeping, and verification requirements on banks and money services businesses (MSBs) related to transactions involving CVC or LTDA held in: (1) unhosted wallets; or (2) wallets hosted in a jurisdiction identified on a Foreign Jurisdictions List designated by FinCEN as an Otherwise Covered Wallet. FinCEN concurrently released a related Frequently Asked Questions document (FAQ).
The Proposed Rule imposes requirements that may present significant challenges to banks and MSBs. Most significantly, banks and MSBs would be required to collect both the name and physical address for counterparties to a reportable transaction with an unhosted or Otherwise Covered Wallet, and determine, on a risk basis, when additional information or confirmation of the counterparty is necessary. Furthermore, the proposal includes a provision for the Secretary of the Treasury to prescribe additional information to be collected, without clarity in either the NPRM or the FAQ, as to what information may be required. CVC Exchanges operating in jurisdictions on the Foreign Jurisdictions List would need to act as an intermediary for collecting such information. Although the initial proposed list is composed of only Iran, Burma, and North Korea—which have limited activity with the US—the addition of a jurisdiction with a more significant US transactional flow could pose a large impediment to that business.
In October 2020, FinCEN published an Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Paymentsthat indicated digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs) that facilitate ransomware payments may be required to register as an MSB with FinCEN depending on the entity’s specific facts and circumstances. As MSBs, DFIRs, and CICs would be required to comply with the Proposed Rule in relation to any ransomware payments sent to an unhosted or Otherwise Covered Wallet, as most such payments are. As a practical matter, it is unclear how a DFIR or CIC could collect details required in the Proposed Rule from cybercriminal counterparties.
In addition to the challenges of identifying details on counterparties to unhosted or Otherwise Covered Wallets, FinCEN would require banks and MSBs to first identify the attributes of the third-party wallet to understand whether the transaction is covered by the rule, and, if a transaction is with a foreign financial institution (FFI), apply risk-based procedures to determine whether the FFI is complying with local registration or similar requirements. Both identifying the details of the third-party wallet and understanding the registration regime of the jurisdiction that hosts the third-party wallet will take careful planning and allocation of resources.
FinCEN proposed the new rule to counter illicit financing using CVC and LTDA. Specifically, FinCEN explains that, unlike hosted wallets, unhosted or Otherwise Covered Wallets are not subject to BSA recordkeeping and reporting requirements and therefore leave gaps that might be exploited for illicit purposes. FinCEN aims to close these gaps with the Proposed Rule. The NPRM identifies the specific types of activity US authorities have connected to the use of CVC and LTDA, including terrorist financing, weapons proliferation, sanctions evasion, identity theft, drug smuggling, cybersecurity threats, and ransomware attack demands. Because of the related threat to US national security from these crimes, and previous dialogue with the industry that FinCEN considered when drafting the Proposed Rule, the NPRM includes a condensed 15-day comment period.
The Proposed Rule amends FinCEN’s BSA implementing regulations, and aligns the new CVC/LTDA requirements to existing Currency Transaction Reporting (CTR) and Recordkeeping Rule requirements.
CVC and LTDA Transaction Reporting Rule
The Proposed Rule would require banks and MSBs to report transactions in CVC and LTDA that aggregate to greater than the equivalent of $10,000 in “one day” between the bank’s or MSB’s hosted wallet and either an unhosted wallet or an Otherwise Covered Wallet (CVC/LTDA Transaction Report). Importantly, the rule defines “one day” as a 24-hour period, which differs from the existing CTR requirement for fiat currency, and therefore will require a differing set of business requirements.
Banks and MSBs would also be required to document the method used to identify the fair market exchange rate (Prevailing Exchange Rate) at the time of each transaction to determine whether the value of the CVC/LTDA meets the $10,000 threshold.
CVC/LTDA Transaction Reports would be subject to mandatory statutory exemptions, such as exempting a transaction between the bank or MSB and a department or agency of the US government; however, FinCEN is not proposing to extend either the regulatory or discretionary statutory exemptions similar to those applied for CTRs. For the purposes of the proposed rule, CVC and LTDA must be aggregated from all offices and records within the financial institution, but are not required to be aggregated with other currency transactions (e.g., with fiat currency). The rule would cover all activity in the US, including transactions conducted by non-US financial institutions.
Recordkeeping and Verification Requirements
CVC/LTDA Transaction Recordkeeping Rule
In addition to the CVC/LTDA Transaction Reports, FinCEN proposes a new requirement that banks and MSBs verify and record the identity of a hosted wallet customer that engages in a withdrawal, exchange, payment, or transfer of CVC or LTDA by, through, or to the bank or MSB with a value greater than $3,000 if such transaction takes place with an unhosted wallet or Otherwise Covered Wallet. Banks and MSBs would be required to collect both the name and physical address for the counterparties to the transaction(s), as well as any additional information the Secretary of the Treasury may prescribe for CVC/LTDA Transaction Reports.
To calculate the $3,000 value, banks and MSBs would be required to use the Prevailing Exchange Rate at the time of the transaction, consistent with the CVC/LTDA Transaction Reporting requirement; however, no aggregation requirement would apply.
The Proposed Rule would mandate that CVC/LTDA transaction records be maintained electronically, and retrievable by customer name, customer account number, or counterparty name.
Similar to CTRs, the Proposed Rule would require CVC/LTDA Transaction Reports be filed with FinCEN, unless otherwise specified, on a form prescribed by the Secretary of Treasury. Forms must be filed within 15 days of the date of the reportable transaction, and retained by the financial institution for five years. Anti-structuring prohibitions for CVC and LTDA reporting would also align to similar provisions for CTRs.
Specific Identification and Verification Requirements
FinCEN indicates that when it is the originating financial institution for a reportable CVC or LTDA transaction, the bank or MSB should not complete the transaction until verification of their hosted wallet customer is complete. When the bank or MSB is the receiving financial institution, verification should be completed “as soon as practicable.” If the financial institution has knowledge that the person accessing the account is not its customer, it is required to also verify that person. Neither the Proposed Rule nor the accompanying FAQ clarify expectations regarding what FinCEN anticipates is “practicable,” or the likelihood of being able to conduct a verification exercise after the transaction has been posted. Banks and MSBs may therefore decide to verify their hosted wallet customers before any transactions can be completed.
The Proposed Rule specifies the data to be obtained and verified as follows:
a.CVC/LTDA Transaction Report Requirements
Banks and MSBs must:
Verify and record name and address of the person presenting the transaction.
Record the identity, account number, Social Security or taxpayer identification number, if any, of any person or entity on whose behalf such transaction is to be effected.
FinCEN specifies that verification of non-US residents or aliens must be conducted from a passport, alien identification card, or similar official document indicating the bearer’s nationality or residence. For US persons, the bank or MSB should review verification documentation similar to that which is “normally acceptable within the banking community as a means of identification when cashing checks for non-depositors,” but cautions that a bank signature card may be relied upon only if it contains the specific information from the identity document that was examined prior to issuing the signature card. In each instance, the specific identifying information used to verify identity must be included on the CVC/LTDA Transaction Report.
b.CVC/LTDA Transaction Recordkeeping Requirements
For each qualifying CVC/LTDA Transaction record, the bank or MSB must record:
Name and address of the financial institution’s customer, as well as any form relating to the transaction that is completed or signed by the financial institution’s customer.
Type, amount, and value of convertible virtual currency or legal tender digital assets used in the transaction, as well as the time of the transaction.
Any payment instructions received from the financial institution’s customer.
Name and physical address of each counterparty to the transaction, as well as other counterparty information the secretary may prescribe as mandatory on the CVC/LTDA TransactionReport.
Any other information that uniquely identifies the transaction, the accounts, and, to the extent reasonably available, the parties involved.
Policy and Procedure Amendments
In addition to documenting the proposed method for determining the Prevailing Exchange Rate, the Proposed Rule would require banks and MSBs to assess the risks of the reportable CVC or LTDA transactions and develop risk-based identity verification procedures that the bank or MSB is able “to form a reasonable belief that it knows the true identity of its customer.” Banks and MSBs would be required to amend their current policies to incorporate provisions for when the financial institution is unable to obtain the required information, similar to the Customer Identification Program rule. FinCEN expects that, as part of their existing BSA/AML Program, banks and MSBs take a risk-based approach to ascertain when it is necessary to collect additional information or confirmation on a customer’s counterparty, and implies such procedures should likewise be applied to CVC/LTDA transactions without amendment.
Banks and MSBs would also need to develop procedures for identifying whether a CVC/LTDA transaction is going to or coming from an unhosted or Otherwise Covered Wallet. Furthermore, FinCEN would require that the bank or MSB have documented procedures to confirm that, for a transaction coming from a FFI, such institution is in compliance with local registration or similar requirements.
FinCEN's Request for Comments
FinCEN requests comments on several components of the Proposed Rule.
A. Costs and Estimated Burden
FinCEN asks responders to comment on the costs of implementation, and its estimates of the burden on the financial industry in relation to the benefit the new requirements would have to law enforcement. FinCEN also asks commenters to consider the costs of alternatives dismissed by FinCEN, such as whether all hosted wallets should be included, thresholds should be lowered, or modifications should be made to the data that banks and MSBs must collect.
B. Implementation Challenges
FinCEN further seeks comment on the clarity of the Proposed Rule, and whether technological requirements, such as creating and maintaining electronic records as proposed in the NPRM, are reasonable.
C. Scope of the Proposed Rule
Lastly, FinCEN asks commenters to opine on whether the scope of the Proposed Rule is appropriate. For example, FinCEN wants to know whether the proposal should be expanded beyond banks and MSBs to include other financial institutions such as broker dealers, whether the Proposed Rule appropriately balances the benefits of the reporting requirements to law enforcement with consumer privacy goals, and whether the anti-structuring provisions are necessary. FinCEN also wants to know whether the scope of the data banks and MSBs must collect should be expanded and whether it is considering the right process and initial list for the Foreign Jurisdictions List.
What You Should Start Doing
Banks and MSBs should consider proactively assessing their exposure to CVC/LTDA, both in current operations and any planned strategic changes, and conduct an analysis of the impact the Proposed Rule would have on the financial institution’s operations. The comment period is short. Based on the impact analysis and other strategic considerations, the bank or MSB should quickly decide whether to comment on the NPRM directly, or if its interests may be represented by an industry group.
The impact analysis should identify and assess the policies, procedures, and controls that would need to be amended or developed to comply with the Proposed Rule, along with the associated resources and budget. The bank or MSB should identify key stakeholders, and consider creating an action plan to track and prioritize necessary changes. When developing the action plan, financial institutions should determine whether existing technology can be leveraged and enhanced, and how the dynamic parts of the rule will be implemented, such as the exchange rate requirements, 24-hour aggregation, potential future changes to the Foreign Jurisdictions List, and confirmation of registration or other compliance requirements for foreign financial institutions. Additionally, should the bank or MSB process reportable transactions through a CVC exchange, the bank or MSB should identify the mechanism to obtain the required information about the counterparty from the CVC exchange.
Guidehouse can help banks and MSBs assess their compliance programs in light of the proposed regulatory changes, including determining developing and implementing updates to operations, policies, procedures, controls, and technology. Its areas of relevant expertise include the following:
Vendor sourcing and governance
Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.