A proposed rule would increase Treasury’s insight into non-US crypto mixing transactions to combat illicit activities by malicious actors.
On October 19, 2023, the US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) announced a Notice of Proposed Rule Making (NPRM) that would designate as a “primary money laundering concern” all non-US convertible virtual currency mixing (CVC mixing). The NPRM would impose enhanced reporting and recordkeeping requirements for any financial transactions involving international mixers, intended to mitigate the risks of money laundering and terrorist financing.
The proposed designation is pursuant to Section 311 of the USA PATRIOT Act, which empowers the Secretary of the Treasury to require domestic financial institutions and domestic financial agencies to take certain “special measures” against foreign jurisdictions, foreign financial institutions, classes of international transactions, or types of accounts designated as a primary money laundering concern. Section 311 has heretofore been employed only against non-US financial institutions and jurisdictions rather than an individual class of transactions.
Mixers (or “blenders”) are centralized platforms or decentralized protocols (e.g., software that operates on a blockchain) that specialize in masking the source and flow of digital assets via randomized and deliberately obfuscating transactions. While legitimate and responsible market participants may choose to use such services for increased privacy, they remain an attractive resource for those seeking to maximize anonymity, launder illicit funds or stolen digital assets, or evade law enforcement and sanctions.
According to FinCEN, mixers are generally required to register with FinCEN if they do business as money transmitters wholly or in substantial part in the US. However, the NPRM states that “no CVC mixers are currently registered with FinCEN.”
The NPRM would require covered financial institutions to identify, collect, and report certain information when they “know, suspect, or have reason to suspect a CVC transaction involves the use of CVC mixing within or involving a jurisdiction outside the United States.” Specifically, covered financial institutions would need to collect the following information for all covered transactions:
- Customer’s full name, date of birth, address, email, and Internal Revenue Service Taxpayer Identification Number (or a foreign equivalent, passport number, or government issued identification or registration number)
- The amount of any CVC transferred (in both CVC and its US dollar equivalent) when the transaction was initiated
- CVC type
- The CVC mixer used, if known
- CVC wallet address associated with the mixer
- CVC wallet address associated with the customer
- Transaction hash (i.e., the unique transaction blockchain address that serves as record or proof that the transaction has taken place)
- Date of transaction
- IP addresses and time stamps associated with the covered transaction
- Narrative (i.e., a description of observed activity, a summary of investigative steps taken, additional context, etc.)
Covered financial institutions would be required to report collected information to FinCEN within 30 calendar days of initial detection of a covered transaction. A covered financial institution would only be obligated to report information in its possession, and would not be required “to reach out to the transactional counterparty to collect additional information on the CVC mixing transaction.” It would also be required to maintain any records documenting compliance with the requirements of the NPRM.
FinCEN notes that covered transactions would only include those that directly involve CVC, and would therefore exclude transactions that are only indirectly related to CVC, “such as when a CVC exchanger sends the non-CVC proceeds of a sale of CVC that was previously processed through a CVC mixer from the CVC exchanger’s bank account to the bank account of the customer selling CVC.”
National Security a Top Priority
The NPRM is part of a wider US effort to thwart the national security risks associated with global exploitation of digital assets and platforms by a wide range of illicit actors such as hackers, criminals, and terrorists. It follows an August 2022 Treasury’s Office of Foreign Assets Control announcement of sanctions against a well-known decentralized virtual currency mixer (for more information, see this Latham post), and the January 2023 sanctioning of a digital asset exchange for facilitating money laundering.
FinCEN argues that the additional reporting obligations it is seeking to impose on international financial institutions would “enable investigations by law enforcement and regulators to support money laundering investigations,” and “highlight the risks and deter illicit actors’ use of CVC mixing services.” The designation of transactions involving CVC mixing within or involving a jurisdiction outside the US as a primary money laundering concern would give the Department of the Treasury broad enforcement authority, including the ability to deny specific entities access to US markets.
FinCEN expects that covered financial institutions employ a risk-based approach to compliance with the NPRM, and asserts that “[i]n light of the existing compliance practices of covered financial institutions, FinCEN expects that complying with this proposed rule should not add a significant additional burden.” In this regard, covered financial institutions would continue to have an obligation to file a suspicious activity report when warranted, notwithstanding any additional obligation under the NPRM.
Furthermore, FinCEN estimates that many potentially covered financial institutions have low to no direct exposure to CVC transactions. FinCEN notes that virtual asset service providers (VASPs) face the highest levels of potential exposure to CVC mixing, and would therefore be most directly affected by the NPRM. However, “the incremental burden of the rule is expected to be lowest for these entities because it imposes the least adaptation from current compliance practices and processes.”
The NPRM contains 33 questions for public consideration and feedback, and will be open for comment until January 22, 2024 (90 days from publication in the Federal Register).
 Described in the NPRM as a type of virtual currency that either has an equivalent value as currency or acts as a substitute for currency and is therefore a type of “value that substitutes for currency.” The label applies to any particular type of CVC, such as “digital currency,” “cryptocurrency,” “cryptoasset,” and “digital asset.”
 Covered financial institutions include:
- A bank (except bank credit card systems);
- A broker or dealer in securities;
- A money services business, including VASPs and other persons that provide money transmission services, (i.e., the acceptance of value that substitutes for currency from one person and the transmission of value that substitutes for currency to another location or person by any means);
- A telegraph company;
- A casino;
- A card club;
- A person subject to supervision by any state or Federal bank supervisory authority;
- A futures commission merchant or an introducing broker-commodities; and
- A mutual fund.
 Upheld on August 17, 2023, by a federal judge in the US District Court for the Western District of Texas. The Court Order granted summary judgment for the Treasury, and simultaneously denied the plaintiff’s summary judgment request.