On 17 January 2024, K2 Integrity hosted a webinar on FinCEN’s Notice of Proposed Rulemaking on virtual currency mixers and the implications of this first-of-its-kind 311 designation on the virtual currency industry. Elizabeth Severinovskaya, associate managing director at K2 Integrity, moderated the discussion with Juan Zarate, global co-managing partner and chief strategy officer at K2 Integrity, and Valerie-Leila Jaber, global head of financial crimes compliance at Coinbase. To watch a recording of the full webinar, click here. To read K2 Integrity’s policy alert on the topic, click here.
A mixer is an anonymity enhancing service that is intended to obfuscate transactional information that would otherwise be visible on a public blockchain, allowing its users to conceal their link back to the virtual currency in question. Mixers typically work by aggregating or pooling virtual currency sent from multiple users and wallet addresses into a single transaction or set of transactions in an effort to make it more complicated to trace a virtual currency transaction back to the originator address and its wallet balance. Mixers are not registered money services businesses, do not adhere to AML regulation, and rarely, if ever, provide regulators or law enforcement with originator and beneficiary transaction details needed to support investigations.
While there are legitimate uses for mixers—such as the ability to anonymously donate to legitimate causes or to privately conduct a transaction when markets could be affected if such a transaction were public—FinCEN has grown concerned about the risks posed by what it views as the extensive use of mixers by a variety of illicit and sanctioned actors throughout the world. In response, FinCEN issued the NPRM to increase transparency around mixers to combat use by malicious actors. This rule is notable on two accounts: first, this is the first use of Section 311 Special Measures under the USA PATRIOT Act specifically for the virtual currency industry, and second, this action represents the first time in history that FinCEN has designated a whole class of transactions as being of primary money laundering concern. The proposed special measures would impose record-keeping and reporting obligations on U.S. regulated financial institutions, including virtual currency exchanges, that would include reporting of transaction and customer details, and a narrative around the transaction activity, within 30 calendar days of initial detection. This is an important moment in the regulation of the crypto industry as authorities attempt to address systemic risks posed by virtual assets and seek comment from the industry on the appropriate mechanism for addressing gaps that can be exploited by illicit actors.
The webinar featured a lively debate between the panelists on the effectiveness of the proposed regulation in addressing the systemic risks posed by mixers. The panelists agreed that comment letters issued in response to the notice of proposed rulemaking will be critical to providing some education, contours, and ideas as to how the regulation can address the systemic risks identified in a way that does not create undue burden for the virtual asset industry.
The panelists shared their 2024 predictions and agreed that there will continue to be an increasingly mature posture toward compliance in the industry in accordance with the maturation of the asset class as a whole following, among other events, the recent approval of spot Bitcoin ETFs. As the virtual asset industry eagerly awaits the outcomes of the NPRM process, is here to provide support to industry players in assessing risk exposure to mixers and developing a risk-based approach.
Questions and Answers from the Session
Will this new regulation include non-custodial wallets such as Wasabi Wallet?
The NPRM states the following in its definition of CVC mixing services:
The term ‘CVC mixing’ means the facilitation of CVC transactions in a manner that obfuscates the source, destination, or amount involved in one or more transactions, regardless of the type of protocol or service used, such as: (1) pooling or aggregating CVC from multiple persons, wallets, addresses, or accounts; (2) using programmatic or algorithmic code to coordinate, manage, or manipulate the structure of a transaction; (3) splitting CVC for transmittal and transmitting the CVC through a series of independent transactions; (4) creating and using single-use wallets, addresses, or accounts, and sending CVC through such wallets, addresses, or accounts through a series of independent transactions; (5) exchanging between types of CVC or other digital assets; or (6) facilitating user-initiated delays in transactional activity.[1]
Given that Wasabi Wallet and other similar non-custodial privacy wallets are engaged in some of the above-stated activities (e.g., points (1) and (2) above), it is likely that their activities will fall within the scope of the definition. The NPRM definition notably does not limit the activities to custodial services—in the same way that the Tornado Cash OFAC designation was applied despite the fact that Tornado Cash offered a non-custodial service. Because this is a proposed rule, however, we may see greater definitional clarity in the final rulemaking.
Which fiat currencies does North Korea convert its crypto-hack proceeds into, and in which jurisdictions?
Lazarus Group and other DPRK state-sponsored entities target crypto exchanges with weaker financial crimes compliance controls in jurisdictions with less robust regulatory regimes to off-ramp their cryptocurrencies into fiat and convert funds into the fiat trading pairs offered by those exchanges. A popular typology involves converting digital assets from a hack of a decentralized exchange or bridge into liquid stablecoins, particularly Tether (on TRON), that can be used for cross-border payments and more readily converted into fiat.
Invalidation and misattribution rates by tools responsible for identifying attribution are currently undisclosed; are financial institutions responsible for reporting changes in attribution?
The NPRM does not provide sufficient detail as to deduce whether a financial institution would be responsible for reporting subsequent changes in attributions, though one might imagine that reporting will be based on information reasonably available to the exchange at the time of the transaction. One of the questions raised in the NPRM for comment is the following: “12. Is FinCEN correct in its assessment that covered financial institutions would have access to reasonable and appropriate services or tools, whether free or paid, to be able to effectively identify covered transactions? If not, what are impediments to accessing such tools, and what costs would be associated with ?”[2] As part of the comment period, impacted entities may choose to challenge the assumption that mixer activity is readily identifiable and may raise any concerns regarding tool (e.g., blockchain analytics) efficacy, including misattribution.
What would be the expectation of financial institutions processing transactions involving mixers that are retroactively tagged as a mixer?
While the NPRM does not state this explicitly, one might assume, based on Treasury’s approach to OFAC sanctions designations, that the requirement applies to transactions that can be reasonably identified as mixer transactions at the time of the financial institution’s reporting, rather than applied retroactively. The NPRM does not appear to contemplate periodic lookbacks to assess whether new mixers have been subsequently designated. However, should this rulemaking go into effect, covered financial institutions may choose to conduct a historical review/lookback as part of their overall risk-based approach. Lookbacks can help financial institutions assess prior exposure to mixers and determine how the newly proposed reporting requirements would impact operational processes and resource capacity going forward.
Is there a way to classify certain mixers as higher risk than others in order to apply monitoring requirements on those that are higher risk?
Blockchain analytics tools used for wallet address screening will generally identify whether a wallet address has been attributed to a mixer and will trigger an alert where the mixer rule is activated. Financial institutions may have different approaches in how they treat direct vs. indirect customer exposure to mixers depending on the individual firm’s risk-based approach and its blockchain analytics capabilities. Blockchain analytics investigations tools can also be used to “double click” into the transactions associated with a given mixer, allowing investigators to deduce which mixers are seeing higher transaction volumes and inflows from other high-risk addresses. However, as noted during the session, the NPRM does not appear to include an element of proportionality—mixer transactions are treated as a single transaction class without differentiation. While one might argue that FinCEN attempted to introduce some degree of proportionality in its definition of “covered transaction” by focusing on CVC mixing occurring outside the United States, the reality is that given the borderless nature of cryptocurrency transactions, it can be difficult to determine whether a transaction is domestic vs. international.
What are legitimate uses of mixers? About what percentage of mixer activity is legitimate?
To understand the legitimate use cases for mixers, we must first consider that many popular blockchain transactions (BTC, ETH, SOL, etc.) are public. This means that both entities and individuals have legitimate concerns that their transactional activity and counterparties could become public. While this is certainly a concern for users engaged in illicit activities, legitimate users may also want to protect their privacy and security. For instance, crypto whales (those with large crypto holdings) are at higher risk of being targeted for theft.[3] Trading firms engaging in proprietary trading strategies may wish to obfuscate their activities to avoid frontrunning and to “trade out of the view of others” to avoid market manipulation. Token projects that pay their employees and contractors in crypto may also use mixers to prevent others in the firm from learning how much their coworkers are getting paid. And, as noted in the session, mixers can be used to anonymize donations to legitimate charitable causes and organizations (especially under repressive political regimes).
Figures vary with respect to legitimate vs. illegitimate activity flowing through mixers; one indicative statistic from Chainalysis, a popular blockchain analytics provider, is that “34% of all funds sent to Tornado Cash came from illicit sources, but this number fluctuated greatly depending on the day, with most illicit funds coming in brief spikes.”[4] This suggests that in the case of Tornado Cash, the majority of funds did not necessarily come from illicit sources. Further, many of these available analyses focus on mixers that have already been designated, which are likely to have a higher representation of illicit activity by virtue of already being labeled as problematic by regulators and law enforcement.
Do we need to block only listed mixer service providers that are listed by OFAC and other international bodies or we should block all types of mixer service providers?
The NPRM proposes recordkeeping and reporting requirements and purposely does not impose a blanket prohibition on mixer transactions. Blocking/freezing obligations therefore only strictly apply to those mixer addresses that have been designated by OFAC or sanctioned by other jurisdictions (e.g., His Majesty’s Treasury List).
To what extent do you think “hops” and the directness of a connection to mixers in transaction chains should impact reporting strategy for Coinbase and other VASPs?
It is not altogether clear based on the NPRM whether reporting obligations are only associated with direct exposures or also with indirect exposures. For instance, the NPRM states: “The term ‘covered transaction’ means a transaction as defined in 31 CFR 1010.100(bbb)(1) in CVC by, through, or to the covered financial institution that the covered financial institution knows, suspects, or has reason to suspect involves CVC mixing within or involving a jurisdiction outside the United States.”[5] In a separate portion of the NPRM, FinCEN notes:
At present, in the absence of an obligation to comply with special measure one requirements, a covered financial institution may determine that a financial transaction exposed, directly or indirectly, to CVC mixing bears indicia of illicit activity. Given the potential link to illicit activity, this financial institution might file a SAR in compliance with existing BSA requirements. However, there are a number of potential reasons why any one individual institution may not file such a report, including that in terms of economic fundamentals, such reporting may not be privately optimal. Consequently, the absence of the proposed special measure one reporting requirement might naturally result in systematic underreporting of CVC mixing-related suspicious activity, particularly when the exposure to CVC mixing does not involve a CVC mixer.[6]
Based on these signals, it appears that the proposed rule may have a broad reach given that the language “involves CVC mixing” is a broad descriptor that could contemplate both direct and indirect exposure where the so called “number of hops” is not clear. Perhaps we will see greater definitional clarity following the comment period.
[1] Proposal of Special Measure Regarding Convertible Virtual Currency Mixing, as a Class of Transactions of Primary Money Laundering Concern, 88: 203 Fed. Reg. 72709 (23 Oct. 2023) (to be codified at 31 C.F.R. pt. 1010).
[2] Proposal of Special Measure Regarding CVC Mixing, p. 72712.
[3] See https://protos.com/thieves-pose-as-police-to-rob-wealthy-crypto-investors-in-home-invasion/.
[4] See https://www.chainalysis.com/blog/how-2022-crypto-sanction-designations-affected-crypto-crime/.
[5] Proposal of Special Measure Regarding CVC Mixing, p. 72710.
[6] Ibid, p. 72713.