January 04, 2021
January 04, 2021
Policy Division Financial Crimes Enforcement Network P.O. Box 39 Vienna, VA 22183
Re: FinCEN Docket No. FINCEN-2020-0020, RIN 1506-AB47. (Proposed Rulemaking on Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets.)
To whom it may concern:
Square, Inc. (“Square”) is a financial services company that was founded in 2009 to expand economic access for individuals and businesses underserved by the existing financial system. Since that time, we have provided tools to millions of entrepreneurs and individuals that have helped them run their small businesses, manage their finances, and grow in the economy.
One of our core principles is that people should have the ability to participate in financial systems easily and equitably. No one should be left out because the barriers are too high, the cost is too great, or the technology too complex. Because we believe that bitcoin can help deliver on this vision, Square has invested substantially in the health of its ecosystem from a product, leadership, innovation, and legal perspective. This includes initiatives such as Square Crypto, an independent team dedicated to contributing to and improving the open source ecosystem, and the Cryptocurrency Open Patent Alliance (COPA), a non-profit with the purpose of encouraging the adoption and advancement of cryptocurrency technologies and removing patents as a barrier to growth and innovation, and providing the ability for our customers to buy and sell bitcoin through our products.
The recently released Notice of Proposed Rulemaking on Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets (the “Proposal”) would require cryptocurrency service providers like Square to keep records of and report certain cryptocurrency transaction information far beyond what is required for cash transactions today.
With this rulemaking, FinCEN seeks to expand reporting and Know Your Customer (“KYC”) type obligations to parties who are not our customers. Instead of leveraging blockchain tracing with wallet addresses (which to date has proven effective in tracking the unlawful activity cited in the Proposal leading to indictments and convictions), FinCEN proposes a static requirement that would have us collect names and physical addresses from non-customers. To put it plainly — were the Proposal to be implemented as written, Square would be required to collect unreliable data about people who have not opted into our service or signed up as our customers.
This creates unnecessary friction and perverse incentives for cryptocurrency customers to avoid regulated entities for cryptocurrency transactions, driving them to use non-custodial wallets or services outside the U.S. to transfer their assets more easily (non-custodial, or “unhosted” wallets are a type of software that lets individuals store and use cryptocurrency, instead of relying on a third party). By adding hurdles that push more transactions away from regulated entities like Square into non-custodial wallets and foreign jurisdictions, FinCEN will actually have less visibility into the universe of cryptocurrency transactions than it has today.
The impact of the Proposal would not only hamstring law enforcement capabilities, but also limit American innovation by hindering our ability to create a competitive service that allows customers to seamlessly transfer and transact in cryptocurrency the way the technology was designed. The burdensome information collection and reporting requirements deprive U.S. companies like Square of the chance to compete on a level playing field to enable cryptocurrency as a tool of economic empowerment.
This is a critical moment in the development of cryptocurrencies and the associated regulations that govern their use. Delays in modernizing old regulations, or issuance of new regulations that are not risk-based and where the implementation fails to account for the incentives created, creates a drag on innovation, economic growth, and American competitiveness. FinCEN has an opportunity to lead at this moment with regulations that support American-grown innovation and the technologies that drive it. This Proposal, especially given the lack of proper time for meaningful review, falls short. Ultimately this will not only harm the economic empowerment of individuals and payments innovation more broadly, but also diminish FinCEN’s fundamental responsibility to protect the financial system — a goal which we strongly share.
Square’s focus is on improving payments systems, and our investments in bitcoin are aimed at better allowing this technology to be used by people around the world to make transfers efficiently, securely, and at a low cost. Square sees bitcoin as an instrument of economic empowerment — a way for the world to receive global financial services that impact and improve peoples’ daily lives. The future of cryptocurrency should be as a routine, everyday tool that allows people to easily and equitably transact in their daily lives. In order for this to happen, cryptocurrency must be easy to understand, access, and use.
The current payments system in the United States is imperfect and contributes to economic inequality by driving underserved and underrepresented communities to expensive, riskier financial products and services. As Aaron Klein, Senior Fellow at the Brookings Institution, has written, “The slow payment system is responsible for significant costs to those with lower income and assets, costs that are not borne by those with more.” [FN1] We firmly believe that everyone benefits from faster, cheaper, and more secure transactions that are provided by a range of service providers — not just the largest financial institutions.
Regulations that unnecessarily restrict the future of cryptocurrency are deeply concerning, specifically in the case of this Proposal which places undue burdens on consumers who seek to use it in their daily life. The Proposal restricts how and when a consumer establishes a new relationship with a regulated institution, and by making it much more difficult to make transfers from one wallet to another, FinCEN is, in essence, limiting cryptocurrencies to investment vehicle use cases. In order for cryptocurrency to reach its potential to benefit everyone — including communities underserved by traditional financial institutions — it needs to serve as more than just an investment vehicle. It must be a transferable form of value that responsible and innovative companies in the U.S. can leverage to develop solutions that meet the needs of people in every segment of the economy.
Cryptocurrency technology is a game-changing innovation in the global economy. It is not going away, and American businesses should play a leading role in driving this technological advancement forward. This Proposal would have detrimental effects on the ability of responsible, regulated American providers to remain globally competitive, and on payments innovation more broadly. The Proposal imposes a set of requirements that are burdensome for regulated entities, as well as intrusive to both customers and non-customers of those regulated entities. When faced with these new hurdles, businesses and individuals will switch their activity to non-custodial wallets and entities outside the U.S., which are not subject to the same requirements, driving cryptocurrency innovation and related jobs outside our borders. From a policy standpoint, this creates a competitive imbalance between the U.S. and foreign nations who are already at the forefront of cryptocurrency development. For example, China, who has made blockchain adoption a national priority and is already ahead of the U.S. in developing and using the technology [FN2], or Singapore, whose government (among other progressive regulatory actions) is directly funding blockchain projects. [FN3]
We believe cryptocurrency to be one of the most important technological developments of our lifetimes. By rushing through a rulemaking with so broad an impact on both new technology and the people and businesses who use it, FinCEN risks setting up roadblocks to U.S. financial innovation.
A. The Proposal Creates an Unlevel Playing Field with Legacy Financial Institutions and a Double Standard for Cryptocurrency Transactions
The Proposal seeks to implement new recordkeeping, currency transaction reporting (“CTR”), and verification requirements for convertible virtual currencies (“CVC”) and digital assets with legal tender status (“LTDA”) transactions [FN4] involving non-custodial wallets or wallets in certain foreign countries. Specifically, for these transactions, the Proposal would require:
Because cryptocurrency transactions function similarly to cash or negotiable instruments (e.g., checks), the recordkeeping requirement in the Proposal is unacceptable because it unfairly targets CVC transactions and creates a double standard between them and legacy cash transactions that occur between financial institutions and individuals. Cash CTR reporting and recordkeeping for transactions over $10,000 do not take the added, unprecedented step of requiring information about non-customers who have not consented to this data collection and sharing. Counterparty name and address collection/reporting should not be required for CVC CTRs or recordkeeping, as it’s not required for cash today.
For example, under this Proposal — if a Square customer’s mother gifts her daughter $4,000 in physical cash and the daughter deposits those funds in a bank, the bank would have no obligation to collect information on the customer’s mother. Under the Proposal, if this same transaction were completed in cryptocurrency, the bank would have to reach beyond its customer relationship and intrude upon the mother’s private information in order for the daughter to successfully deposit and freely access her gift.
The incongruity between the treatment of cash and cryptocurrency under FinCEN’s Proposal will inhibit adoption of cryptocurrency and invade the privacy of individuals. Yet the rule fails to explain the difference in risk. As such, this low threshold and its extension of KYC obligations beyond customer relationships is arbitrary and unjustified.
There are also technological limitations that will make it difficult to identify and collect the counterparty information required and no guidance provided as to when additional diligence may be necessary. For example, wallet geolocation and addresses are not typically identifiable. As a result of these challenges, some institutions may apply the counterparty recordkeeping requirements to all incoming and outgoing cryptocurrency transactions above the $3,000 threshold, which will add to compliance burdens and create unnecessary friction for transactions. Unfortunately, due to the limited review and comment period it is difficult to provide an estimate as to the costs associated with these burdens.
As a number of Members of Congress recently noted in a letter to Secretary Mnuchin, “With respect to AML/KYC requirements, there should be regulatory parity between the traditional financial system and the digital asset ecosystem.” [FN5] The proposal, however, discriminates against new payments technologies in favor of legacy instruments by creating burdensome compliance obligations that impact only cryptocurrency transactions, with little in the way of a risk-based assessment as to why such special treatment is needed. The limited comment period provides no opportunity for us to conduct such analysis.
B. The Proposal Does Not Provide Adequate Risk-Based Justification for the Regulation While it is important to encourage innovation, it is equally important to assess associated risks. The requirements of the Bank Secrecy Act are intended to be risk-based and focus on activities rather than technology. The Proposal fails to identify what specific risks it is addressing or how it will be effective in mitigating them. Specifically, we do not believe the risks presented by non-custodial wallets have been adequately analyzed in support of the Proposal, nor do we believe that the risks merit prescriptive rules that stray from the risk-based approach afforded to legacy cash reporting and recordkeeping.
Evidence suggests that cryptocurrency does not present a greater threat of money laundering than fiat currency (cash). As the independent nonprofit research and advocacy center Coin Center points out in their recent comment letter on the Proposal:
“….the Financial Action Task Force (FATF) cites the United Nations Office on Drugs and Crime (UNODC) estimates that some $1.9 trillion was laundered in 2009, well before most cryptocurrencies existed. In contrast, the blockchain analytics firm Chainalysis estimated that some $2.8 billion in Bitcoin was laundered through exchanges in 2019.” [FN6]
At the very least, a much deeper examination of the issue is required to identify and quantify the risks and correlate the proposed rules with the particular risks identified. The Proposal fails to identify how regulated financial institutions handling cryptocurrency transactions fail to meet their AML obligations to identify suspected activity among their customers by leveraging technological differences between cryptocurrency and fiat currency.
C. The Recordkeeping Requirement Appears Arbitrary and Not Based on Evidence The limited time for review and comment on the Proposal does not allow for robust data collection and analysis by individual industry participants, trade associations, or other working groups as to the need for the Proposal. This makes it difficult to determine the need for controls for cryptocurrency transactions as prescribed by the Proposal.
Instead of identifying clear data to support the need for this unprecedented new requirement to collect and share information about non-customers at a $3,000 threshold, the Proposal notes that the recordkeeping requirement “is similar to the recordkeeping and travel rule regulations pertaining to funds transfers and transmittals of funds”, otherwise known simply as the “travel rule”. [FN7] But the travel rule is categorically different. The travel rule only governs transfers of currency between two regulated financial institutions; it does not apply where one party is an individual. The Proposal also applies to transactions with individuals using non-custodial wallets. The magnitude of this difference cannot simply be brushed away. It necessitates further explanation and examination as to why a $3,000 threshold amount is appropriate.
This Proposal also begs the question as to what evidence there is that a $3,000 cryptocurrency transaction with an individual is riskier or poses a greater threat than a $3,000 cash transaction, as data collection and reporting requirements for cash are only imposed at a $10,000 threshold. Regulatory changes of this magnitude should be based on research, analysis, and industry collaboration. It is equally important to consider the differences between the intra-financial institution wire transfers subject to the legacy travel rule and cryptocurrency transactions. Although both are electronic transfers, they differ in substantial areas of customer and operational risk, and applying the same threshold simply because they both involve the electronic transfer of value is hasty.
D. The Proposal Does not Address the Inherent Nature of Cryptocurrency Transactions and Efficacy of Existing Compliance Protocols Cryptocurrency networks, and the businesses and individuals that power them, have unique qualities and capabilities relative to their legacy finance counterparts. This Proposal places impractical burdens on these networks, creating existential threats to both protocols and the companies building upon them, and does not effectively monitor and address whatever risks they may present.
For example, blockchain technology is purposefully designed to create an immutable record of all transactions and not to use name and physical address for identification. This is a feature, not a bug. Instead, it relies on “public key” or alphanumerical addresses for each wallet. [FN8] Due to the inherent design of the technology, Square would not have the name or physical address of a party to a transaction unless that party is our customer. Implementing the Proposal would require Square to find means of acquiring counterparty information outside of the technology used to conduct the payments, for example, by putting the burden on our customers as senders or recipients to collect and share with us name and physical address information of the counterparty. This is impractical from a business perspective and likely to create little in the way of useful information for FinCEN or law enforcement, as discussed below.
Exchanges and other non-traditional, regulated firms have built comprehensive AML programs that have exceeded those of legacy institutions, including the use of “regtech” solutions and forensic tools that capture multiple data points and allow firms the ability to understand who their customers are, monitor transactions, and report suspicious activity. In the past, FinCEN has recognized and celebrated these industry efforts to address novel issues and risks. In a speech from May of last year discussing the industry’s response to the travel rule, Director Blanco noted that, “We are encouraged that so many creative solutions are being developed by industry to address these obligations. In particular, FinCEN is optimistic about the growth of various cross-sector organizations and working groups focusing on developing international standards and solutions addressing the travel rule.” [FN9]
Flexible, risk-based regulation allows compliance programs to be more comprehensive and actually mitigate risk using tools that are compatible with blockchain technology. For example, Square and other regulated entities are able to use data that is available through blockchain analysis to identify signals of unlawful activity. Velocity controls and pattern detection of system abuse by machine learning have proven to be extreme boons to the performance of our programs to combat abuse of the system. These signals and wallet addresses are more effective at identifying unlawful activity/actors than customer-provided names and physical addresses, which may or may not be accurate as provided. This is because the CVC blockchain networks allow for open-source traceability and accountability of each transaction, regardless of the identity or location of the sender and recipient. These efforts have been recognized to be both useful and successful. As Director Blanco has noted, since 2013, FinCEN has received nearly 70,000 Suspicious Activity Reports (SARs) involving virtual currency exploitation and just over half of these reports came from virtual currency industry filers. As Director Blanco further said, “This reporting is incredibly valuable to FinCEN and law enforcement, especially when you include technical indicators associated with the illicit activity, such as Internet Protocol (IP) addresses, malware hashes, malicious domains, and virtual currency addresses associated with ransomware or other illicit transactions.” [FN10]
The integrity of the system is best served by a plethora of private sector solutions and companies who perform regular analysis and tracking of these open networks. FinCEN and law enforcement regularly leverage these providers themselves to great success [FN11] as the Proposal details itself in the case of AlphaBay. [FN12] They have proved extraordinarily effective in identifying and stopping illicit activities. [FN13] Without evidence that current AML processes and blockchain analysis are insufficient, and without evidence that the burden of the recordkeeping requirements fulfill the goals of the proposal and outweigh the burden of implementation, and without time to properly assess all of these issues, it remains very unclear why the Proposal is required at this time.
E. The Proposal Does Not Help (and Could Hinder) Law Enforcement Efforts FinCEN states that it is concerned that bad actors are increasingly using CVCs for unlawful activity. [FN14] At the same time, FinCEN, the U.S. Department of Homeland Security, and the U.S. Department of Justice have repeatedly noted the advantages CVCs possess when it comes to tracking illicit financial flows and the successful prosecutions that have led from their unique technical attributes. [FN15] While it would be nonsensical for FinCEN to impose regulations that would result in less visibility into the activities it seeks to monitor, that is exactly what the Proposal would do. This is because the inherent nature of cryptocurrency and the way the rules are structured would drive cryptocurrency (CVC) activity away from regulated entities, and push cryptocurrency transactions to offshore and other unregulated channels that are much more (if not entirely) opaque to FinCEN and law enforcement. Sujit Raman, Chair of the Attorney General’s Cyber-Digital Task Force, cites this as a major area of concern for law enforcement in the DOJ’s recent “Cryptocurrency Enforcement Framework”. [FN16]
The Proposal would force someone to make one of four choices:
By adding the data collection and reporting requirements on #1, this Proposal will have the unintended consequence of driving more activity to the other options. None of those other options give FinCEN what it seeks to achieve; they do the exact opposite. Adding burdensome hurdles to regulated entities will drive customers to the alternatives which will deprive FinCEN and law enforcement of the visibility into the type of activity they want to catch.
III. The Comment Period is Inadequate and Violates the APA The Proposal would impose substantial new requirements on CVC that would have an enormous impact on CVC users and market participants, and raises significant questions of both fact and policy for which the 15-day comment period provided is woefully inadequate. This comment period does not provide a meaningful opportunity to offer thoughts and analysis on the Proposal as required by the APA and compelled by the fundamental values of fairness, transparency, and due process in government policymaking.
While we have made our best attempt at gathering meaningful suggestions, analysis, and data, we believe this truncated 15-day comment period has not provided Square or other interested parties with sufficient time to perform the level of analysis required to understand the likely implications and potential consequences of the Proposal. [FN17] We note that the Proposal is one of substantial density and complexity, imposing an entirely new recordkeeping and verification framework on a complicated and rapidly evolving aspect of the global financial system. The magnitude of the factual questions and policy issues involved are underscored by FinCEN, where it notes that the Proposal has been under development and consideration since 2019. We value our relationships with FinCEN staff and particularly recognize the important work it has done in the past to support digital innovation through public/private sector dialogue. [FN18] The deliberative pace at which FinCEN has proceeded to date serves to underscore the extent to which quality of outcome, and not speed, is the more important regulatory objective. The comment period for this proposal is a sharp departure from that pace.
The APA establishes a range of procedural and substantive requirements that govern federal agency rulemaking, including the requirement under section 553 of the APA that agencies promulgate regulations through a notice-and-comment process that affords interested persons an opportunity to participate in the rulemaking through the submission of written data, views, and arguments. The Proposal falls well short of satisfying these requirements.
First, FinCEN asserts that the Proposal is exempt from the APA’s notice-and-comment requirements because it involves a “foreign affairs function” and because it “advances foreign policy and national security interests of the United States, using a statute that was designed in part for that purpose” (emphasis added). It is not. As the Proposal notes, the foreign affairs exemption is “not to be ‘interpreted loosely,’” and “[f]or the [foreign affairs exemption] to apply, the public rulemaking provisions should provoke definitely undesirable international consequences.” [FN19] A mere conclusory assertion of foreign policy interests satisfies neither the spirit nor the text of the foreign affairs exemption, and FinCEN has not identified any definitely undesirable international consequences of engaging in a public rulemaking. [FN20] In addition, the exclusion only applies to the extent a foreign affairs function is involved — it would certainly not apply, for example, to all transactions covered by the Proposal, e.g., purely domestic transactions.
Second, FinCEN asserts that the “good cause” exception from the APA’s notice-and-comment requirements applies on the premise that a delay in implementation could result in serious harm. It is difficult to understand precisely why, after spending over a year to develop the Proposal, an additional delay of 30 or 60 days would suddenly result in serious harm; there is no “dramatic change in circumstance that would constitute an emergency justifying shunting off public participation in the rulemaking.” [FN21] Moreover, the mere prospect of additional time in implementation does not make public rulemaking impracticable or contrary to the public interest; if it did, any agency would be entitled to invoke the good cause exception any time it promulgates a rule, rendering the APA’s notice-and-comment requirement pointless. In addition, FinCEN asserts that the “good cause” exception applies on the premise that announcement of the rule could cause malicious actions. That assertion is directly contradicted by the fact that FinCEN has announced the rule in the Proposal and sought comment for a period of 15 days.
Third, as described above, a 15-day comment period falls well short of the meaningful opportunity for interested parties to comment that is required under the APA. The purpose of the APA’s notice-and-comment requirement is to ensure that a proposed rulemaking is sufficient to “fairly apprise interested parties of the issues involved, so that they may present responsive data and argument.” [FN22] The 72-page Proposal includes 24 questions for commenters to address, including 14 that request commenters to evaluate the costs and benefits of different aspects of the Proposal under various factual scenarios. For example, the Proposal asks commenters to “[d]iscuss the costs and benefits of modifying the aggregation requirement to require aggregation for the purposes of the proposed CVC/LTDA transaction reporting requirement across both fiat and CVC/LTDA transactions.” Commenting on this question alone requires commenters to undertake a collection and analysis of data that would take well beyond the 15-day period, but could be more meaningfully analyzed with the proper 30- or 60-day period. The comment deadline simply does not provide sufficient time for us to perform the level of analysis that the Proposal warrants or to form a thorough understanding of the implications of the Proposal on the cryptocurrency and larger financial services industry.
We believe the haste of this rulemaking is not only detrimental to payments innovation and accessibility, but to FinCEN’s established mission to protect the global financial system from illicit activity. We support this mission and thus express serious concern that a rush to finalize the Proposal, for the reasons stated above, will leave the financial system more vulnerable. This limits both industry and FinCEN’s abilities to accomplish our shared goals of protecting citizens and customers from unlawful activity.
IV. Conclusions and Recommendations Cryptocurrency has the ability to transcend the limitations of traditional financial systems and provide benefits to individuals and businesses that are currently underserved. This type of innovation should be encouraged — and encouraged within U.S. borders. While it is important to identify and mitigate associated risks, regulation must be tailored to address issues that pose actual harm, and take into account the practical implications and consequences associated with implementation.
This Proposal will inhibit financial inclusion, present practical problems, is arbitrary and unduly burdensome, and will drive innovation and jobs outside of the U.S. and regulated institutions. We believe the work that industry and law enforcement have done and continue to do together has been effective and should be supported and strengthened. Evidence shows that current AML monitoring and existing tools are effective at achieving the goals of this rule. Instead of bolstering the fight against unlawful activity, this Proposal will have the unintended consequence of driving cryptocurrency activity to unregulated corners and thereby undermine law enforcement’s efforts to combat illicit activity.
While we appreciate FinCEN’s desire to enact a final rule, more time and consideration is needed to review the consequences of the proposed rule. We would ask that FinCEN extend the comment period to provide for expanded comments from the industry and allow for additional, formal collaboration with all stakeholders, including law enforcement. Industry, regulators and law enforcement should also continue to collaborate through other avenues, such as working groups, 314(a) information sharing, and developing best practices to achieve the policy goals associated with the proposed rules. We believe that any rules implemented should account for the unique technology associated with cryptocurrency innovations.
Finally, we appreciate the difficulty in developing regulations for emerging technology and therefore would encourage FinCEN to consider principle-based regulations that provide the ability to develop risk-based programs that leverage the technology to achieve the Proposal’s goals without extending arbitrary and burdensome recordkeeping and collection requirements to non-customers of financial institutions. As written, these regulations will only result in undermining the stated goals of the Proposal.
Thank you for your consideration of this comment. If you have any questions, please do not hesitate to reach out.
Sincerely, Jack Dorsey Square, Inc.
Square, Inc. changed its name to Block, Inc. on December 1, 2021.