On October 19, 2023, the U.S. Treasury Department, Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking identifying certain convertible virtual currency (CVC) mixing as “a class of transactions of primary money laundering concern,” pursuant to Section 311 of the USA PATRIOT Act. The proposed rule would require financial institutions subject to FinCEN’s jurisdiction to maintain records of and report certain transactions involving CVC mixing, a process whereby multiple accounts are used to obscure the source, destination, and amount of a CVC transaction. According to FinCEN Director Andrea Gacki, “CVC mixing offers a critical service that allows players in the ransomware ecosystem, rogue state actors, and other criminals to fund their unlawful activities and obfuscate the flow of ill-gotten gains.”
The proposed rule aims to impose additional recordkeeping and reporting requirements on covered financial institutions to mitigate the risks posed by CVC mixing transactions. While placing recognized burdens on financial institutions, FinCEN believes that by imposing recordkeeping and reporting requirements on transactions involving CVC mixing, intelligence on illicit users of the services and insight into CVC mixers can be enhanced.
Convertible Virtual Currency and CVC Mixing
CVC is any form of virtual currency, including digital currency, cryptocurrency, or digital asset, that has an equivalent value or acts as a substitute for traditional fiat currency. Transactions involving CVC are regularly recorded on public blockchains that provide a permanent record of all transactions.
In an attempt to maintain anonymity on the public blockchains, certain actors utilize CVC mixers which aggregate CVC transactions from multiple individuals or wallets into a single transaction, then split the aggregated transaction into multiple, smaller amounts, and transmit the resultant transactions across the public blockchain. Similar to the “layering” of transactions in traditional money laundering schemes, CVC mixers can be used by individuals to conceal or obscure the source and ownership of underlying illicit assets. In this way, CVC mixers pose a significant challenge to anti-money laundering and counter-terrorism financing regulations and safeguards, as mixing undermines the ability of financial institutions to obtain and know the identity of their customers and effectively report suspicious activity.
The proposed rulemaking is intended to prevent the misuse of cryptocurrencies to promote and develop illicit activities through CVC mixing transactions. According to various public reports and analyses, CVC mixing (also known as “tumbling”) has been employed by non-state and state-sponsored actors as a deliberate attempt to conceal the origins of cryptocurrencies obtained via illicit means while converting them to fiat currencies.
Proposed Recordkeeping and Reporting Requirements
Under the proposed rule, covered financial institutions would be required to keep records of and report certain information related to transactions where the institution knows, suspects, or has reason to suspect that a CVC transaction involved the use of CVC mixing within or involving a jurisdiction outside the United States. This information includes:
- The amount of CVC transferred;
- The CVC mixer used;
- The CVC wallet address(es) associated with the mixer and customer;
- The transactions hash;
- The date of the transaction;
- The IP address(es) and timestamp(s) associated with the transaction; and
- A narrative description of the activity observed by the financial institution.
Additionally, financial institutions would be required to collect and report information about the customer associated with the covered transaction. This includes the customer's full name, date of birth, address, email address, and a unique identifying number such as a taxpayer identification number or passport number.
Covered financial institutions would then be required to report this information to FinCEN within 30 calendar days of detecting a covered transaction. They would also be required to maintain records documenting compliance with the rule.
OFAC Responses to CVC Mixing
In addition to the requirements of FinCEN’s proposed rulemaking, other federal authorities have sought to limit the use of CVC mixers. Specifically, in 2022, the Office of Foreign Assets Control (OFAC) within the U.S. Treasury issued first-ever sanctions against virtual currency mixer Blender.io (Blender), which, according to OFAC, is used by the Democratic People’s Republic of Korea (DPRK) to support “its malicious cyber activities and money-laundering of stolen virtual currency.” Specifically, on March 23, 2022, DPRK’s state-sponsored cyber hacking organization Lazarus Group carried out one of the largest virtual currency heists to date, worth approximately $620 million. The heist was to secure the currency from a blockchain project; Blender was then used to process over $20.5 million of the illicit proceeds.
On August 8, 2022, OFAC also sanctioned Tornado Cash, a virtual currency tumbler used to launder more than $7 billion worth of virtual currency since its creation in 2019. Furthermore, the Federal Bureau of Investigation (FBI) has determined that DPRK cyber actors laundered millions of dollars worth of Ethereum stolen from U.S. crypto company Harmony through a UK-based CVC mixer called RAILGUN.
FinCEN’s proposal will be subject to a 90-day comment period following publication in the Federal Register.