On December 18, 2020, the Financial Crimes Enforcement Network (FinCEN) filed a notice of proposed rulemaking (NPRM), Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets (Proposed Rule). The Proposed Rule would define by regulation that convertible virtual currency (CVC) and digital assets with legal tender status (LTDA) are “monetary instruments” for the purposes of the Bank Secrecy Act (BSA). The proposed rule would also impose certain reporting, recordkeeping, and verification requirements on banks and money services businesses (MSBs) related to transactions involving CVC or LTDA held in: (1) unhosted wallets; or (2) wallets hosted in a jurisdiction identified on a Foreign Jurisdictions List designated by FinCEN as an Otherwise Covered Wallet. FinCEN concurrently released a related Frequently Asked Questions document (FAQ).
The Proposed Rule imposes requirements that may present significant challenges to banks and MSBs. Most significantly, banks and MSBs would be required to collect both the name and physical address for counterparties to a reportable transaction with an unhosted or Otherwise Covered Wallet, and determine, on a risk basis, when additional information or confirmation of the counterparty is necessary. Furthermore, the proposal includes a provision for the Secretary of the Treasury to prescribe additional information to be collected, without clarity in either the NPRM or the FAQ, as to what information may be required. CVC Exchanges operating in jurisdictions on the Foreign Jurisdictions List would need to act as an intermediary for collecting such information. Although the initial proposed list is composed of only Iran, Burma, and North Korea—which have limited activity with the US—the addition of a jurisdiction with a more significant US transactional flow could pose a large impediment to that business.
In October 2020, FinCEN published an Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments that indicated digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs) that facilitate ransomware payments may be required to register as an MSB with FinCEN depending on the entity’s specific facts and circumstances. As MSBs, DFIRs, and CICs would be required to comply with the Proposed Rule in relation to any ransomware payments sent to an unhosted or Otherwise Covered Wallet, as most such payments are. As a practical matter, it is unclear how a DFIR or CIC could collect details required in the Proposed Rule from cybercriminal counterparties.
In addition to the challenges of identifying details on counterparties to unhosted or Otherwise Covered Wallets, FinCEN would require banks and MSBs to first identify the attributes of the third-party wallet to understand whether the transaction is covered by the rule, and, if a transaction is with a foreign financial institution (FFI), apply risk-based procedures to determine whether the FFI is complying with local registration or similar requirements. Both identifying the details of the third-party wallet and understanding the registration regime of the jurisdiction that hosts the third-party wallet will take careful planning and allocation of resources.
FinCEN proposed the new rule to counter illicit financing using CVC and LTDA. Specifically, FinCEN explains that, unlike hosted wallets, unhosted or Otherwise Covered Wallets are not subject to BSA recordkeeping and reporting requirements and therefore leave gaps that might be exploited for illicit purposes. FinCEN aims to close these gaps with the Proposed Rule. The NPRM identifies the specific types of activity US authorities have connected to the use of CVC and LTDA, including terrorist financing, weapons proliferation, sanctions evasion, identity theft, drug smuggling, cybersecurity threats, and ransomware attack demands. Because of the related threat to US national security from these crimes, and previous dialogue with the industry that FinCEN considered when drafting the Proposed Rule, the NPRM includes a condensed 15-day comment period.
The Proposed Rule amends FinCEN’s BSA implementing regulations, and aligns the new CVC/LTDA requirements to existing Currency Transaction Reporting (CTR) and Recordkeeping Rule requirements.
CVC and LTDA Transaction Reporting Rule
The Proposed Rule would require banks and MSBs to report transactions in CVC and LTDA that aggregate to greater than the equivalent of $10,000 in “one day” between the bank’s or MSB’s hosted wallet and either an unhosted wallet or an Otherwise Covered Wallet (CVC/LTDA Transaction Report). Importantly, the rule defines “one day” as a 24-hour period, which differs from the existing CTR requirement for fiat currency, and therefore will require a differing set of business requirements.
Banks and MSBs would also be required to document the method used to identify the fair market exchange rate (Prevailing Exchange Rate) at the time of each transaction to determine whether the value of the CVC/LTDA meets the $10,000 threshold.
CVC/LTDA Transaction Reports would be subject to mandatory statutory exemptions, such as exempting a transaction between the bank or MSB and a department or agency of the US government; however, FinCEN is not proposing to extend either the regulatory or discretionary statutory exemptions similar to those applied for CTRs. For the purposes of the proposed rule, CVC and LTDA must be aggregated from all offices and records within the financial institution, but are not required to be aggregated with other currency transactions (e.g., with fiat currency). The rule would cover all activity in the US, including transactions conducted by non-US financial institutions.
Recordkeeping and Verification Requirements
Policy and Procedure AmendmentsIn addition to documenting the proposed method for determining the Prevailing Exchange Rate, the Proposed Rule would require banks and MSBs to assess the risks of the reportable CVC or LTDA transactions and develop risk-based identity verification procedures that the bank or MSB is able “to form a reasonable belief that it knows the true identity of its customer.” Banks and MSBs would be required to amend their current policies to incorporate provisions for when the financial institution is unable to obtain the required information, similar to the Customer Identification Program rule. FinCEN expects that, as part of their existing BSA/AML Program, banks and MSBs take a risk-based approach to ascertain when it is necessary to collect additional information or confirmation on a customer’s counterparty, and implies such procedures should likewise be applied to CVC/LTDA transactions without amendment.
FinCEN requests comments on several components of the Proposed Rule.
A. Costs and Estimated Burden
FinCEN asks responders to comment on the costs of implementation, and its estimates of the burden on the financial industry in relation to the benefit the new requirements would have to law enforcement. FinCEN also asks commenters to consider the costs of alternatives dismissed by FinCEN, such as whether all hosted wallets should be included, thresholds should be lowered, or modifications should be made to the data that banks and MSBs must collect.
B. Implementation Challenges
FinCEN further seeks comment on the clarity of the Proposed Rule, and whether technological requirements, such as creating and maintaining electronic records as proposed in the NPRM, are reasonable.
C. Scope of the Proposed Rule
Lastly, FinCEN asks commenters to opine on whether the scope of the Proposed Rule is appropriate. For example, FinCEN wants to know whether the proposal should be expanded beyond banks and MSBs to include other financial institutions such as broker dealers, whether the Proposed Rule appropriately balances the benefits of the reporting requirements to law enforcement with consumer privacy goals, and whether the anti-structuring provisions are necessary. FinCEN also wants to know whether the scope of the data banks and MSBs must collect should be expanded and whether it is considering the right process and initial list for the Foreign Jurisdictions List.
Banks and MSBs should consider proactively assessing their exposure to CVC/LTDA, both in current operations and any planned strategic changes, and conduct an analysis of the impact the Proposed Rule would have on the financial institution’s operations. The comment period is short. Based on the impact analysis and other strategic considerations, the bank or MSB should quickly decide whether to comment on the NPRM directly, or if its interests may be represented by an industry group.
The impact analysis should identify and assess the policies, procedures, and controls that would need to be amended or developed to comply with the Proposed Rule, along with the associated resources and budget. The bank or MSB should identify key stakeholders, and consider creating an action plan to track and prioritize necessary changes. When developing the action plan, financial institutions should determine whether existing technology can be leveraged and enhanced, and how the dynamic parts of the rule will be implemented, such as the exchange rate requirements, 24-hour aggregation, potential future changes to the Foreign Jurisdictions List, and confirmation of registration or other compliance requirements for foreign financial institutions. Additionally, should the bank or MSB process reportable transactions through a CVC exchange, the bank or MSB should identify the mechanism to obtain the required information about the counterparty from the CVC exchange.
Guidehouse can help banks and MSBs assess their compliance programs in light of the proposed regulatory changes, including determining developing and implementing updates to operations, policies, procedures, controls, and technology. Its areas of relevant expertise include the following:
Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.