Rethinking America’s coming crypto surveillance regime
At Consensus 2022, the U.S. Department of the Treasury announced its plans to bring the cryptocurrency industry in compliance with Bank Secrecy Act reporting requirements and to regulate self-hosted cryptocurrency wallets. To those uninitiated in regulatory speak, this means cryptocurrency users who transact privately using anonymous, peer-to-peer technology may soon be required to reveal their identity to private industry and the government.
Why is this a big deal? This oversight would allow law enforcement to pry into the financial transactions, personal relationships, and private interests of law-abiding American citizens.
Banks already have access to our financial histories. Private companies like Amazon sell information about our purchasing behavior to third parties. Governments also know practically everything about us thanks to surveillance laws, such as the USA Patriot Act. However, in each of these instances, most Americans are generally aware (and annoyed) that someone is watching and that they can’t do much about it. By contrast, cryptocurrency users who transact using self-hosted wallets or privacy coins do so because they assume those transactions are private and want them to remain that way.
As crypto users know, self-hosted wallets are a unique invention of the blockchain era that allow users to send and receive cryptocurrency without an intermediary, such as a bank. Beyond privacy, the option to transact digitally outside the traditional banking system is notable, among other reasons, because it offers greater financial inclusion for marginalized communities and individuals for whom banking access or trust is an issue. Moreover, there is currently no other way to buy or sell things online except directly or indirectly through a third-party financial institution. Self-hosted wallets also give individuals a new level of autonomy by providing them with a way to self-custody assets and diversify the risks of storing funds with a third-party, such as a bank or centralized exchange.
Because of this disintermediation, owners of self-hosted wallets are not required to go through the usual requirements of risk-based customer identification due diligence, also known as “know your customer” (KYC) and “anti-money laundering” (AML) compliance. While these measures may sound sensible on the surface, there are good reasons why they should not be applied to individuals making small transactions.
The average American has probably never heard of KYC/AML, because when we transact in the digital world, financial institutions have historically done this compliance legwork for us. For example, if you have ever tried to open an account with Coinbase, you know that biometric data verification must be completed before you can buy, sell, or trade cryptocurrencies. This means that in order to send a friend crypto, you must first give Coinbase a copy of your driver’s license and a really unflattering selfie taken by your computer camera. There are, of course, more significant requirements as well.
In addition to KYC/AML compliance, financial institutions must implement other regulatory surveillance requirements, such as the Travel Rule and the Recordkeeping Rule. Collectively, these two rules direct financial institutions to retain and share information, such as the name, address, account number, and any other specific identifier that is associated with the recipient of funds. Because this information is preserved, the U.S. government, including the Financial Crimes Enforcement Network (FinCEN), has the ability to search through an individual’s financial information to find and prosecute money laundering, tax evasion, and other financial crimes.
For U.S. financial institutions and cryptocurrency businesses, Travel Rule compliance is triggered for transactions above $3,000, a threshold determined by FinCEN to be beneficial to national security and law enforcement without being overly burdensome on the payments system. In 2020, FinCEN attempted to lower this threshold to $250. The proposed rule was geared towards international fund transfers, including cryptocurrency, that begin or end outside of the United States. The public response to the proposed rule was overwhelmingly negative, and as a result, FinCEN has not yet adopted a final rule.
In Europe, the crypto surveillance regime is even more extreme. Recently, EU lawmakers provisionally agreed that all cryptocurrency transactions that involve crypto-asset service providers (CASPs), such as Coinbase, trigger the EU’s version of the Travel Rule, regardless of the dollar amount of the transaction. This means that if a European self-hosted wallet user cashed out their crypto holdings for euros using Coinbase, then law enforcement could ask Coinbase to hand over that self-hosted wallet user’s name, crypto wallet public address, and transaction data.
Although such a request may seem innocuous at first glance, it is far from harmless in reality. Once law enforcement agencies possess this trifecta of data, they can trace almost every future transaction connected to that user’s public address on open blockchains without the need for a search warrant, subpoena, national security letter (NSL), or similar information request from financial institutions. The United States would be wise not to follow Europe’s troubling lead.
Instead of destroying privacy in the cryptocurrency payment system, the U.S. government should ensure that certain cryptocurrency-related transactions remain private, for three principal reasons:
First, the application of the Travel Rule and Recordkeeping Rule to self-hosted wallets is not practical. Self-hosted wallet users are individuals, not entities, who would be overly burdened to collect, store, and report the significant required transaction data. While banks may have the resources to meet this compliance burden, the majority of individual self-hosted wallet users would not. Although the technology underpinning self-hosted wallets could theoretically be programmed to collect, store, and report transaction data, this prospect creates another incentive for malicious actors to attack self-hosted wallets. This vulnerability would necessitate that individual self-hosted wallet providers and users take additional measures, such as incorporating quantum-resistant features to protect a user’s digital assets and identity, which could translate to costs that create unintended barriers to entry for individuals who want to transact using crypto.
Second, mass surveillance of self-hosted wallet activity is not necessary. The Travel Rule and Recordkeeping Rule were implemented in order to help law enforcement and federal agencies identify bad actors and protect U.S. national security. However, financial crime is less pervasive domestically than what one might assume. For example, FinCEN reported that 17,000 of approximately 1.29 million transactions that were included in a terrorist-financing analytics dataset involved transactions within the United States. While this number is still substantial, it represents only 1.3% of transactions within an already-suspected subset of FinCEN data — the likes of which would no doubt receive intense scrutiny — and an even smaller percentage of the vast number of normal digital transactions that are conducted domestically on a daily basis.
Furthermore, from a global perspective, although the overall volume of illicit cryptocurrency activity has increased, it has actually reached an all-time low as a share of all cryptocurrency transactions. For example, Chainalysis, a trusted provider of blockchain data to government agencies and financial institutions, noted in its 2022 Crypto Crime Report that transactions involving illicit cryptocurrency addresses only made up approximately 0.15% of all cryptocurrency transaction volume in 2021. The Chainalysis report also noted that cryptocurrency money-laundering activity is heavily concentrated among a small group of service providers that are located in high-risk jurisdictions. Similarly, ransomware attacks have primarily been linked to Iran, North Korea, China, and Russia. These exploits typically involve hundreds of millions of dollars, not your everyday transactions that amount to a weekly trip to the grocery store.
Statistics like these suggest that the European model of mass surveillance of all cryptocurrency users is unnecessary. While some might suggest that heavy-handed surveillance laws are necessary for curtailing crime, it would be a mistake to think that having more rules, rather than better rules, is the answer to the problem. Financial crime experts have already deemed the global anti-money laundering system to be “the world’s least effective policy experiment” and point to the 99% failure rate in identifying money laundering transactions as evidence of such. There have also been proposals for fewer identification and reporting requirements in order to let financial criminals into the system so we can simply monitor what they’re doing.
Third, surveillance of low-dollar transactions by banks and the government is not reasonable, regardless of whether cryptocurrency is the means of payment or not. In 1974, the constitutionality of the Bank Secrecy Act’s reporting requirements was the center of debate in the Supreme Court case California Bankers Assn v. Shultz. Although the Supreme Court concluded that requiring banks to record and report certain transactions did not violate the constitution, this was in the context of Treasury Department regulations that involved the reporting of currency transactions in amounts greater than $10,000. Today, that dollar threshold translates to approximately $60,000 given the rate of inflation. This legal precedent calls into question the constitutionality of the surveillance of low-value transfers pursuant to the Bank Secrecy Act, and suggests that the current threshold may be far too low.
Furthermore, in a concurring opinion, Supreme Court Justices Powell and Blackmun warned that a significant extension of the Bank Secrecy Act’s reporting requirements for domestic-only transactions may implicate legitimate expectations of privacy and be ripe for abuse, especially when “the legislative scheme permits access to this information without invocation of the judicial process.”
While society needs tools to promote financial transparency and deter illicit use of the U.S. financial system, the means to achieve these objectives should be narrowly tailored. Without a doubt, in the absence of surveillance, criminals would exploit the instantaneous and anonymous nature of the cryptocurrency payments system. However, there are already adequate tools and intelligence networks at law enforcement’s disposal to trace illicit behavior without surveilling the financial records of every American citizen.
For example, recent investigations in 2020 and 2021 by FinCEN and other law enforcement agencies reveal numerous alternative methods to foil financial crimes, including the interception of cell phone photographs and cell site location information, monitoring unusual activity at local banks, tracking ownership of unregistered money services businesses, acquiring FBI tips, tracing boiler-room telemarketing scams, observing dark web “cash out” vendors, and receiving investigative assistance by police departments and the U.S. Coast Guard.
So, what is the solution to balancing these societal and individual interests? Can the government adequately protect our national security without abridging our freedom to transact with new forms of money?
While there is not a simple answer to these questions, we should be exploring alternative checks and balances that can protect our individual right to privacy. For starters, we should, like our British counterparts, create exemptions for low-dollar, domestic-only cryptocurrency transfers and self-hosted wallet transfers that aren’t deemed high-risk. We should also seriously consider wholly deregulating self-hosted wallet activity to give Americans a way to transact with digital cash. Not only would this relieve an impractical reporting burden from the individual, it would also be an important tool for financial inclusion for individuals who distrust banks.
Moreover, deregulating self-hosted wallet activity could be a positive competitive force for the U.S. financial system, where today, the infrastructure to transact in the digital world is concentrated in the hands of the few. Decentralized cryptocurrency payment systems can benefit society, and the U.S. government should consider this before creating rules that impede the free flow of money.
Disclaimer: The author is the co-founder of an Ethereum-based startup.
Agnes Gambill West is a visiting senior research fellow with the Mercatus Center at George Mason University.