On October 23, 2023 we asked our attorney, Rafael Yakobi of The Crypto Lawyers to assemble an expert legal team to respond to the U.S. Department of the Treasury and FinCEN’s proposed rules that would seriously harm your privacy by effectively outlawing bitcoin mixing as well as conflating basic best practices such as not reusing addresses as a suspicious action requiring enhanced reporting.
Below is an exact reproduction of the letter we have submitted to Treasury and FinCEN as part of the public request for comment period.
We wish to thank Rafael Yakobi and the team he assembled to draft this response on behalf of Samourai and our users: Carla Reyes, Sasha Hodder, JW Verret, among others who worked diligently behind the scenes for months preparing this submission because they believe this harmful overstepping by the federal government must be addressed.
We would like to warmly thank Ten31, who graciously pledged to help cover some of the considerable costs we incurred to draft this response.
Lastly, we would like to thank all 25 of the unaffiliated Bitcoin companies that read and signed this letter to FinCEN in agreement with our position. They are listed individually at the bottom of this page.
You can download a PDF of the letter below:
Section 311 Mixing Transactions Designation NPRM Comment Letter PDF
Andrea Gacki January 22, 2024
Director
Financial Crimes Enforcement Network
U.S. Department of the Treasury
P.O. Box 39
Vienna, VA 22183
SUBMITTED ELECTRONICALLY
Re: Docket Number FINCEN–2023–0016 – Proposal of Special Measure Regarding Convertible Virtual Currency Mixing as a Class of Transactions of Primary Money Laundering Concern
Dear Director Gacki:
We appreciate the opportunity to comment on Docket Number FINCEN-2023-0016 (the “Mixing Transaction NPRM”), released by the Financial Crimes Enforcement Network (“FinCEN”) on October 22, 2023.[1] We are a variety of unaffiliated companies that rely on important cybersecurity safeguards and privacy-enabling software to protect our businesses and our users. The extreme breadth of the rules proposed by the Mixing Transaction NPRM would overly burden our use of such technologies in ways that would not assist FinCEN in achieving its mandate of preventing money laundering and other illicit use of money. As a result, we write to express our grave concerns regarding the novelty and scope of the Proposed Special Measures and the inadequate definitions contained therein.[2]
The Proposed Special Measures would unreasonably infringe upon the legitimate financial privacy interests of cryptocurrency users, and would apply to a variety of digital techniques that are not mixing transactions at all, but rather simply represent good cybersecurity practices. Moreover, the Proposed Special Measures are unnecessary to achieve FinCEN’s aim, and we encourage FinCEN to either withdraw the Mixing Transaction NPRM altogether or to pursue a less invasive, less restrictive, and more effective approach—the same approach it has used since its first enforcement activities in the cryptocurrency space in 2013—to enforcement against specific bad actors.
1. FinCEN should exercise caution and either withdraw entirely or narrowly tailor the Mixing Transaction NPRM because if adopted, the Mixing Transaction NPRM would not only represent the first time FinCEN used its Section 311 powers against a class of transactions, but also the first time FinCEN has ever imposed Special Measure 1.
Historically, FinCEN has exercised caution in making designations under Section 311 and implementing Special Measures. Section 311 (31 U.S.C. 5318A), authorizes the U.S. Department of Treasury (“Treasury”) to designate a foreign jurisdiction, financial institution, class of transactions, or type of account as being of “primary money laundering concern” and impose one or more of five possible “special measures.” Treasury delegated that authority to FinCEN, which has used its power quite sparingly since Section 311’s enactment. The first Section 311 action instituted by FinCEN in the virtual currency space occurred in 2013, when FinCEN instituted special measures against Liberty Reserve. Prior to that time, between 2002 and 2013, FinCEN had only ever implemented special measures against just four jurisdictions and 13 financial institutions. After a protracted legal battle regarding a Section 311 action between 2015-2017, FinCEN seemed reluctant to use its Section 311 powers widely. [3] The creation of the Global Investigations Division (GID) in 2019 [4] and the enactment of the Anti-Money Laundering Act of 2020, which increased FinCEN’s authority “to prohibit or impose conditions upon certain transmittals of funds (to be defined by the Secretary) by any domestic financial institution or domestic financial agency,” [5] coincided with an uptick in the use of Section 311 powers and a broadening of FinCEN’s attention to all 5 available Special Measures.
Importantly, throughout its use of Section 311, FinCEN traditionally imposes Special Measure Number 5 to isolate a specific foreign financial institution and prevent it from accessing the U.S. financial system. Until this Mixing Transaction NPRM, FinCEN has only used Special Measure Number 1 one other time—in 2012 against JSC CredexBank (“Credex”).[6] FinCEN later withdrew that proposed rule in 2016. [7] If adopted, the Mixing Transaction NPRM would constitute the first time FinCEN has imposed Special Measure Number 1 in exercising its Section 311 Powers. Moreover, this Mixing Transaction NPRM represents the very first time FinCEN has sought to designate an entire class of transactions as a primary money laundering concern. We encourage FinCEN to exercise extreme caution in the exercise of its Section 311 powers in such a novel way—the first-ever designation of a class of transactions and the first-ever imposition of Special Measure 1.
Exercising caution in Section 311 powers reflects the seriousness of Treasury’s policy purposes for invoking its powers to make primary money laundering concern designations and impose special measures—namely, to act as a signal to the world that FinCEN is “serious about ensuring that the international financial system is safeguarded against the threat of money laundering.” [8] As Treasury explained in the press release announcing the very first use of its Section 311 powers in 2002, when FinCEN uses Section 311, “[FinCEN] tell[s] the world clearly that these jurisdictions [or entities or transactions] are bad for business and that their financial controls cannot be trusted.” [9] For the reasons further explained below, FinCEN’s targeting of convertible virtual currency (“CVC”) [10] purported “mixing” transactions does not achieve these aims. Rather than target transactions that are “bad for business,” the Mixing Transaction NPRM targets an overly broad range of technical approaches used as best practices both by businesses and individuals for ensuring the security of CVC and impinges on privacy rights of legitimate users of CVC. In an attempt to exercise authority it has never used before (class of transactions) through a special measure it has never previously imposed successfully (special measure 1), FinCEN created a proposed rule fraught with misunderstandings and overreach. We urge FinCEN to withdraw the rule and reconsider its approach to this novel use of its authority.
2. The Mixing Transaction NPRM proposes a rule that is an improper and overbroad application of Section 311 measures to achieve transaction surveillance and suppression that FinCEN does not otherwise have a lawful basis to undertake.
Although the Mixing Transaction NPRM ostensibly designates a class of transactions as being of Primary Money Laundering Concern, its real goal is to uncover an alternative method for collecting information about and suppressing the use of digital currency in general. The Mixing Transaction NPRM is an improper and overbroad application of Section 311 measures for that purpose. Indeed, although the Mixing Transaction NPRM allegedly sanctions a class of transactions, it inconsistently throughout refers to “CVC mixers,” “CVC mixing” and “CVC mixing services” by reference to specific business entities [11] and as a type of business model more generally.[12] If FinCEN has reason to believe specific entities conduct illicit activities, FinCEN could use the Section 311 powers it has traditionally and successfully used to target specific entities as financial institutions of primary money laundering concern. Such an approach offers a more targeted way to address actual money laundering while protecting legitimate users of legitimate privacy-enhancing tools.
Notably, Treasury has separately sanctioned what it refers to as CVC mixing transactions through its Office of Foreign Asset Control (OFAC) authority to designate people or property who conduct transactions with specifically designated foreign jurisdictions identified through executive order as posing terrorist threats. [13] Treasury is currently facing legal challenges to, and has been widely criticized for, its attempt to sanction the Tornado Cash open source software as property of a non-existent entity Treasury alleges is called “the Tornado Cash DAO entity.” [14] Although we agree with the many arguments as to why Treasury’s OFAC action with regard to Tornado Cash software is an example of agency overreach, we wish to make a different but related point here. To justify its OFAC sanctions against the Tornado Cash software, Treasury had to designate the software as property of an entity. [15] OFAC officially explained as part of defending its sanction to a judge that the Tornado Cash software was property under Treasury’s regulations because it fell within the broad reach of “any contract whatsoever.” [16] Although the definition of “transaction” under the BSA regulations is quite broad, it does not encompass “any contract whatsoever” but rather centers on monetary transfers and specific services offered by financial institutions, and provides a catch-all for “any other payment, transfer, or delivery by, through or to a financial institution, by whatever means effected.” [17] No part of the definition applicable to CVC mixing is also a contract.[18]
In other words, in proposing the Mixing Transaction NPRM, one arm of Treasury is classifying CVC mixing as a transaction type while another arm of Treasury argues that mixing is a contract for services. Under the regulations governing both enforcement actions, mixing activity cannot be both a transaction type and a contract for service simultaneously. Treasury’s attempt to designate mixing software as both a type of transaction and a contract is evidence of the arbitrary and capricious nature of its attempt to regulate open-source software that enhances the digital privacy of legitimate CVC users. To the extent that FinCEN really wants to target non-custodial, open-source software that individuals can use on their own accounts, FinCEN exceeds its statutory authority.
Indeed, tools that enhance digital privacy in CVC transactions simply seek to enable a form of digital cash. As a result, in its rush to find a way to suppress CVC mixing transactions, by whichever means, even if inconsistent amongst different internal branches of its own agency, FinCEN’s Mixing Transaction NPRM amounts to an attempt to sanction “all transactions conducted in cash,” which is both impossible and an unreasonable over-extension of its rulemaking authority.
3. The Mixing Transaction NPRM should be withdrawn because the proposed definition of “CVC mixing” is overbroad and targets lawful activity in a way that makes the agency’s proposed action arbitrary and capricious.
Setting aside FinCEN’s own apparent confusion about whether CVC mixing is a transaction, a service, a business, or a specific business entity, when FinCEN does attempt to define the “class” of transactions that it considers to be CVC mixing, the Mixing Transaction NPRM’s definition of “mixing” is extremely broad and includes numerous activities routinely conducted by legitimate users as a matter of routine safety precautions in online transacting in CVC. Specifically, the Mixing Transaction NPRM provides:
The term “CVC mixing” means the facilitation of CVC transactions in a manner that obfuscates the source, destination, or amount involved in one or more transactions, regardless of the type of protocol or service used, such as: (1) pooling or aggregating CVC from multiple persons, wallets, addresses or accounts; (2) using programmatic or algorithmic code to coordinate, manage, or manipulate the structure of a transaction; (3) splitting CVC for transmittal and transmitting the CVC through a series of independent transactions; (4) creating and using single-use wallets, addresses, or accounts, and sending CVC through such wallets, addresses, or accounts through a series of independent transactions; (5) exchanging between types of CVC or other digital assets; [19] or (6) facilitating user-initiated delays in transactional activity. [20]
Indeed, most of the activities captured by the proposed definition of CVC mixing are considered established best practices within the industry for the use and safekeeping of CVC. Specifically, the proposed definition encompasses lightning transactions, single-use wallets, atomic swaps, decentralized finance protocols, privacy coin features, and multi-signature wallets, among other things. The main commonality among this broad range of software tools is that they enhance digital privacy and offer basic cyber-security techniques to owners or custodians of CVC. Employing these techniques to safeguard valuable digital assets is as routine and mundane and free of illicit purpose as using two-factor authentication to secure a digital wallet containing payment card information or an X (formerly Twitter) account to prevent an unauthorized announcement.[21]
4. The Mixing Transaction NPRM should be withdrawn because its inaccurate depiction of standard security practices as “mixing” impermissibly restricts the capacity of users to protect their property so that FinCEN can conduct a fishing expedition.
The proposed rule describes as red flags such everyday practices as “creating and using single address wallets” and “splitting CVC for transmittal.” [22] The standard practice among cryptocurrency users is to change addresses with every transaction. For example, Coinbase Exchange describes to their users that: “[w]e automatically generate a new address for you after every transaction you make or when funds are moved between your wallet and our storage system. This is done to protect your privacy, so a third party cannot view all other transactions associated with your account simply by using a blockchain explorer.” [23]
The fact that a small subset of users, who may be criminals, engage in the same operational security practices as ordinary users does not make those operational security practices suspect. The fact that criminals may use two-factor authentication to protect the security of their online applications does not mean that the use of two-factor authentication is itself an indicator or facilitator of criminal activity. In exactly the same way, the fact that users do not reuse Bitcoin addresses is merely indicative of basic operational security.
In an apparent recognition of the fact that these tools legitimately enable important cyber-security precautions, FinCEN exempts financial institutions from reporting on any of their own mixing transactions that they may conduct in the course of providing services to the public.[24] By exempting financial institutions from the rule, FinCEN creates a regime where financial institutions can take proper cyber-security measures for using CVC, but regular people cannot.
Perhaps even more problematic, throughout the Mixing Transaction NPRM, FinCEN justifies the proposed rule as necessary to enable law enforcement and the agency to better understand the transactions and the extent to which illicit activity occurs through CVC mixing. [25] The extraordinary and never before successfully invoked Section 311 power to designate a class of transactions and implement special measure 1 is not appropriate for use in a fact-finding mission. Employing such overly broad definitions as proposed in the Mixing Transaction NPRM for the purpose of authorizing an invasive fact-finding mission represents an arbitrary and capricious use of FinCEN’s delegated rulemaking authority because FinCEN’s justification for the rule lies outside of the statutory criteria for determining a class of transactions is of primary money laundering concern.
Specifically, FinCEN is statutorily required to consider the following factors when determining that a class of transactions is of primary money laundering concern: (1) the extent to which the class of transactions is used to facilitate or promote money laundering in or through a jurisdiction outside of the United States, including money laundering activity with connections to international terrorism, organized crime, and proliferation of WMDs and missiles; (2) the extent to which a class of transactions is used for legitimate business purposes; and (3) the extent to which action by FinCEN would guard against international money laundering and other financial crimes.” [26] Throughout the Mixing Transaction NPRM, FinCEN acknowledges that due to a lack of data and a lack of understanding of CVC mixers, it cannot sufficiently assess the extent to which CVC mixing and the proposed rule measures up under any of these three criteria. [27] FinCEN’s assessment ultimately boils down to: FinCEN does not have sufficient information to properly assess the statutory criteria required to justify the proposed rule, so the proposed rule is justified because, in FinCEN’s own words, it “is necessary to better understand the illicit finance risk posed by CVC mixing.” [28] Using a sanction to obtain the information necessary to justify imposing the sanction even when the agency knows that doing so will likely impose a high burden on legitimate uses and financial institutions is the definition of arbitrary and capricious regulatory action.
5. The Mixing Transaction NPRM should be withdrawn or significantly narrowed in scope because FinCEN’s required statutory analysis fails to adequately value the legitimate uses of CVC mixing services and unduly burdens legitimate users and financial institutions.
FinCEN admits that public blockchains “make it possible to know someone’s entire financial history on the blockchain” [29] and that it “recognizes that there are legitimate reasons why responsible actors might want to conduct financial transactions in a secure and private manner given the amount of information available on public blockchains.” [30] Yet, in the same document, alleges that the Mixing Transaction NPRM is necessary because CVC “is not without its risks and, in particular, the use of CVC to anonymize illicit activity undermines the legitimate and innovative uses of CVC.” [31] These two propositions cannot be simultaneously accurate.
As a matter of technical reality, FinCEN’s assertion that public blockchains expose a user’s entire financial history on the blockchain to the public for everyone to see and inspect is correct. [32] Indeed, that creates the fundamental need for legitimate CVC users to conduct CVC mixing transactions—to reintroduce the same level of financial privacy that they enjoy in the traditional financial system [33] to their transactions via CVC (for example, the traditional financial system does not expose a consumer’s entire credit card history to the public, and indeed, federal law requires that financial institutions protect such information from being exposed to the public [34]). [35]
Ensuring their CVC transactions enjoy the same level of privacy as transactions in traditional finance reduces the potential danger of personal harm to legitimate users and enables legitimate users to avoid waiving their constitutional right to privacy. When the identity of a legitimate CVC user is known and connected to the wallets holding CVC assets, the user becomes a target for kidnap, robbery, extortion, and hacking schemes.
