Financial Crimes Enforcement Network
P.O. Box 39
Vienna, VA 22183
FinCEN Docket No. FINCEN-2020-0020, RIN 1506-AB47
December 30, 2020
To Whom it May Concern:
I am Ben Davenport, an entrepreneur and investor. I previously co-founded BitGo, the first non-custodial multi-sig wallet provider, and now a leading provider of custodial services for cryptocurrencies. I am also an investor in companies like Kraken, Xapo and Paxos. Today, I am a Venture Partner at Blockchain Capital, the oldest venture fund in the cryptocurrency space. These comments are my own, and do not reflect the opinions of either my current or former employer, or the companies I have invested in.
I appreciate the opportunity to comment on the proposed regulations. However, I take serious issue with the process by which these proposed rules are being rolled out. Rather than a more standard 30- or 60-day comment period, FinCEN has decided to use only a 15-day comment period, at the peak of a pandemic, at a time of year when most people are enjoying time with their families. It feels unnecessarily rushed, and gives the appearance that FinCEN and/or the Secretary are attempting to slip new regulations through unopposed, or to simply steamroll through any such opposition. FinCEN owes it to its own reputation & credibility, as well as to the American people, to immediately lengthen the deadline for comments, so that more thoughtful & diverse voices can be heard.
I also have serious objections to the substance of the rules themselves. The new rules would:
- go far beyond any existing measure of financial surveillance,
- provide little in terms of new investigatory powers,
- push bad actors to offshore or unregulated venues,
- destroy Americans’ financial privacy, and
- put Americans in real physical danger.
Comments on CTR Requirement
The rules propose applying the existing CTR reporting framework to any customer making a withdrawal or series of withdrawals over $10,000. On the surface, this may seem reasonable, since the same rules apply to customers withdrawing cash from a bank or MSB. But below I give some important reasons why this is not a straightforward analogy, and explain why the rules as proposed would create serious risks for Americans.
i) The traceability of cryptocurrency means permanent privacy loss for Americans.
While Bitcoin and cash are both bearer assets, they are very different in terms of traceability. Cash is effectively untraceable once it has left the bank. On the other hand, Bitcoin and other cryptocurrencies are highly traceable, and law enforcement agencies say that they would much prefer that criminals use cryptocurrency rather than cash, exactly because of the tracing powers it gives them. In fact, transaction history on a blockchain lives forever, and becomes more traceable every day, both as new techniques evolve, and as more blanks are filled in, making it a particularly bad choice for criminals.
All this means that once FinCEN has a database of every major withdrawal by any customer, they not only know the fact of that withdrawal, but they can watch and trace, in real time, the flow of all of those funds on the blockchain. Or, if the transaction is a deposit, FinCEN can look back in time to trace the user’s complete prior history of transactions no matter how small or innocuous. In other words, the proposed rules would violate law-abiding Americans’ privacy in a way that is far beyond the existing ability to subpoena bank/MSB records, because they operate in a broad undiscriminating manner, much like mass wiretapping and bulk phone metadata gathering.
ii) The massive aggregation of data puts Americans in real, physical danger.
The proposed CTR requirements would create a massive database at FinCEN/Treasury which would ultimately put Americans in real physical danger. The huge amount of data would create a honeypot so juicy as to be irresistible to hackers, whether state-sponsored or monetarily-motivated. And with the recent revelation of major databases at Treasury being hacked and stolen, this risk is far from theoretical.
It is likely that most cash withdrawals subject to CTR are not taken home and put under the customer’s mattress. Rather, they are used relatively soon thereafter, to make a large purchase, to gamble in Las Vegas, or for some other transactional purpose (whether licit or illicit). On the other hand, Bitcoin and other cryptocurrencies are largely used as investments. So, a withdrawal to a non-custodial wallet is more likely than not to be simply a person deciding to hold his own assets without being subject to counterparty risk.
This means that, while a traditional CTR record for cash is not that valuable to an attacker, since the cash is usually long gone, a CTR for cryptocurrency can be extremely valuable. The record would contain the subject’s name and physical address and the address and amount of cryptocurrency. The attacker can even see on the public blockchain whether the coins have moved or not, guiding them to the most vulnerable victims to extort. Even a database theft from a single bank or MSB can cause innumerable problems for the affected customers. But concentrating the risk at the Federal level, endangering every American holding more than a token amount of cryptocurrency, is simply unconscionable.
This point is so critical, I will reiterate: Creating a centralized repository of individual owners of cryptocurrency puts them all at serious risk, and, far from reducing crime, creates the potential for an eventual unprecedented wave of violent crime.
iii) Large cryptocurrency deposits & withdrawals are far more common than with cash.
The percentage of cash withdrawals or deposits where something nefarious is involved may be relatively substantial (although I don’t know the specific numbers). This is simply because in today’s world there are not that many types of transactions where cash is needed or desired, and so illicit uses make up a correspondingly higher fraction of the overall cash transactions. On the other hand, with cryptocurrencies, which are predominantly held as investments, larger transactions are simply an everyday occurrence. And it is common wisdom in the community that trusting exchanges to hold one’s coins for the long term is a very bad idea due to the risks of cybercrime and/or fraud by the MSB.
Because of this fact, any signal of bad actors received by FinCEN will be totally buried in the noise of completely normal large withdrawals and deposits. So, without sophisticated blockchain analytics picking out the funds moving to bad actors, the CTR records are not useful to law enforcement. And, if the blockchain analytics software can identify trails of funds moving to or from bad actors, then identifying information for any link in that chain that touches an exchange or other MSB can already be easily gotten through the normal subpoena process without violating the privacy of law-abiding citizens. The conclusion is that the mass collection of CTR records serves only to create the aforementioned panopticon into everything innocent users do (or have done) with their funds.
Comments on Wallet Verification
The proposed rules also appear to require that MSBs “verify” the address of customers when sending or receiving more than $3000. There are serious problems with this requirement, leading to significant friction for users and difficult make-work for exchanges, while providing exactly zero additional information useful to law enforcement. My reasons are as follows:
i) It is impossible to prove ownership of an address.
At first, it appears that Bitcoin and other cryptocurrencies make it easy to prove ownership of an address. Simply sign a message with the public key associated with an address, or make a small transaction back to a specified address. But that proves nothing about the ownership of said address. All it proves is that the user doing the transaction can get the person or entity who does control the address to jump through these additional hoops.
ii) Transactions do not have a “sending address.”
For all UTXO-based cryptocurrencies (such as Bitcoin), there is no such thing as a “sending address” for a transaction. Thus, while verifying an address for a withdrawal may be possible (though meaningless as shown above), verifying the source of an incoming transaction is essentially impossible in the usual case, where a transaction’s inputs are the outputs of multiple prior transactions. The user would be potentially forced to jump through hoops to pre-consolidate his funds to a single address, which he then verifies with the exchange, for no real gain of information to law enforcement.
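The point above, shown as an added example that is not part of the original letter: a minimal UTXO model in which a wallet funds one deposit from outputs it received at different addresses, so resolving the inputs yields several addresses rather than one "sender". All addresses, txids, amounts and function names are constructed for illustration, and fees are ignored.

```python
from collections import namedtuple

# Minimal UTXO model: an output is identified by (txid, index) and pays one address.
Output = namedtuple("Output", "address value")   # value in satoshis
Tx = namedtuple("Tx", "txid inputs outputs")     # inputs: list of (txid, index)

def select_coins(wallet_utxos, target):
    """Largest-first coin selection: take outpoints until the target is covered."""
    chosen, total = [], 0
    for outpoint, out in sorted(wallet_utxos.items(), key=lambda kv: -kv[1].value):
        if total >= target:
            break
        chosen.append(outpoint)
        total += out.value
    if total < target:
        raise ValueError("insufficient funds")
    return chosen, total

def input_addresses(tx, utxo_set):
    """Resolve each input's outpoint to the address its previous output paid."""
    return [utxo_set[outpoint].address for outpoint in tx.inputs]

def sending_address(tx, utxo_set):
    """Return one 'sender' only if every input resolves to the same address."""
    addrs = set(input_addresses(tx, utxo_set))
    return addrs.pop() if len(addrs) == 1 else None

# Constructed sample wallet: three unspent outputs at three different addresses.
UTXOS = {
    ("aa" * 32, 0): Output("addr_A", 30_000_000),
    ("bb" * 32, 1): Output("addr_B", 25_000_000),
    ("cc" * 32, 0): Output("addr_C", 10_000_000),
}

def build_deposit(amount, exchange_addr="addr_EXCHANGE", change_addr="addr_D"):
    """Build a deposit to the exchange; any excess goes to a fresh change address."""
    inputs, total = select_coins(UTXOS, amount)
    outputs = [Output(exchange_addr, amount)]
    if total > amount:
        outputs.append(Output(change_addr, total - amount))
    return Tx("dd" * 32, inputs, outputs)

DEPOSIT = build_deposit(50_000_000)   # needs two inputs: addr_A and addr_B
```
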
iii) The proposed requirement provides no actual new information.
When a user at a regulated MSB makes a deposit or withdrawal, they are required to have KYC information on that user in order to serve them. So we already know who is responsible for the deposit or withdrawal, regardless of what wallet it came from or went to: the user who is known to the MSB. Whether a user withdraws directly to his own “verified” address and then subsequently sends to a bad actor, or whether the user sends to the bad actor directly from the exchange makes no difference to law enforcement’s investigatory powers. In fact, I believe that law enforcement would likely prefer that the illicit transaction happen directly on-exchange where there is a chance that the exchange can use its own blockchain analytics software to either block or file a suspicious activity report (SAR). As they stand, all the proposed rules do is force bad actors to practice better operational security.
iv) Law enforcement efforts are actively harmed.
As mentioned above, the more hoops that US exchange users must jump through, the greater the likelihood that those users think twice before using those exchanges to do their illicit activity. And it is exactly the use of these regulated exchanges that allows law enforcement to make arrests and successfully prosecute bad actors. By pushing illicit activity to offshore or unregulated exchanges, law-enforcement powers are necessarily diminished.
v) New emerging uses of cryptocurrency are crippled.
There are many emerging uses for cryptocurrency where the user is depositing from or withdrawing to a smart contract, rather than another MSB or his own wallet. A smart contract can neither abide by FinCEN guidance (it is not a legal entity and may have no owner or controller), nor can it prove its identity to an MSB. These applications of smart contracts (which are currently attracting hundreds of millions of dollars in venture capital) would be crippled, and American competitiveness would be severely damaged in this potentially important emerging space.
Given the serious problems raised above, I think it is absolutely incumbent on FinCEN and the Secretary to significantly lengthen the period for comments on this proposal, and to begin a real 2-way dialogue with companies and experts in the industry, while also listening to the concerns of the general public. What is at stake is nothing less than:
- the privacy and safety of millions of Americans,
- the ability for law enforcement to do its job effectively, and
- the competitiveness of US companies in an important emerging technology sector.