February 14, 2022
Himamauli Das Acting Director Financial Crimes Enforcement Network P.O. Box 39 Vienna, VA 22183 Submitted electronically to http://www.regulations.gov
RE: Request for Information and Comment, Modernization of U.S. AML/CFT Regulatory Regime; Docket Number FINCEN–2021–0008
Dear Acting Director Das:
Centre Consortium, LLC (“Centre”) welcomes the opportunity to offer comments in response to the Financial Crimes Enforcement Network’s (“FinCEN”) Request for Information and Comment, Modernization of U.S. AML/CFT Regulatory Regime (“RFI”).
- Introduction
Centre was co-founded in 2018 by digital currency industry pioneers Circle Internet Financial Limited (“Circle”) and Coinbase Global, Inc. Centre provides the standards for technology, policy, compliance and reserves for USD Coin (“USDC”), a US dollar stablecoin issued by Circle.
Centre is strongly committed to preventing and deterring money laundering, terrorist financing, and other forms of illicit finance. Moreover, we support FinCEN’s efforts to streamline, modernize, and update the U.S. anti-money laundering and countering the financing of terrorism (“AML/CFT”) regulatory regime. We recognize that the technological advancements that enable people and industries to engage in borderless commerce have also introduced new challenges and are committed to supporting FinCEN’s efforts to combat financial crime. Centre fully supports the implementation of effective regulatory regimes to mitigate the risks presented by emerging technologies.
Many assume that the cryptocurrency industry is rife with illicit activities and money laundering. However, the volume of illicit activities associated with the cryptocurrency industry is comparatively smaller than that of the traditional financial industry.1 Moreover, the assumption that cryptocurrency introduces heightened AML risks compared to traditional finance also does not take into account that blockchain technologies provide powerful tools for financial institutions and government authorities to identify and track illicit digital transactions because such transactions are recorded immutably on distributed ledgers.
In this letter, we focus on two questions relevant to identifying Bank Secrecy Act (“BSA”) regulations and guidance that may be outdated, redundant, or do not promote a risk-based AML/CFT regulatory regime for financial institutions.
- Responses to Specific Questions in the RFI
- BSA Regulations and Guidance That May Be Outdated, Redundant, or Do Not Promote a Risk-Based AML/CFT Regulatory Regime for Financial Institutions
- Are there any BSA regulations or guidance that are obsolete because of changes in compliance business practices and/or technological innovation in the financial system or elsewhere? If so, how should FinCEN address this?
We respectfully request FinCEN to consider expanding the ability of financial institutions to rely on third party solutions, including decentralized identity arrangements that leverage other financial institutions’ performance of elements of their respective AML compliance program.
Under the present U.S. AML/CFT regulatory regime, financial institutions can rely on another financial institution to perform elements of their AML compliance program in only two circumstances. First, financial institutions subject to the Customer Identification Program (“CIP”) Rule may rely on another financial institution to perform any part of the financial institution’s CIP when a customer opens an account, as long as the requirements of the CIP Rule’s reliance provision are satisfied.2Second, under the beneficial ownership requirements of the Customer Due Diligence (“CDD”) Rule, a financial institution may rely on another financial institution to perform any of the requirements relating to verifying the identities of beneficial owners of a legal entity customer that is opening, or has opened, an account with the institution.3
As FinCEN acknowledges, technology, innovation, and the efficient application of resources to BSA reporting play an important role in promoting a risk-based approach to BSA compliance. FinCEN should create additional opportunities for financial institutions to rely on each other (or third-parties) to perform certain AML compliance program requirements. For example, FinCEN could expand the types of sources that can be relied upon for customer identity verification to include digital identity solutions; decentralized identity frameworks; in addition to third-parties and other institutions that have the technological capabilities, resources, and expertise to reliably verify the identity of individuals and entities. By expanding the opportunities for reliance between and among financial institutions, third parties, and industry frameworks and standards, FinCEN would significantly reduce regulatory costs for industry participants, thereby allowing institutions to efficiently allocate compliance resources to address their most significant AML/CFT risks.
- Do FinCEN’s regulations and guidance sufficiently allow financial institutions to incorporate innovative and technological approaches to BSA compliance? If not, how can FinCEN facilitate greater use of these tools, while ensuring that appropriate safeguards are in place and highly useful information continues to be reported to government authorities?
FinCEN should consider allowing financial institutions to use innovative approaches to identify customers. We believe that a new approach to verifying identity is needed to address the AML risks associated with emerging decentralized applications, including decentralized finance (“DeFi”) and non fungible token markets, where traditional, centralized identity models either work unsafely or do not work at all.
In recent years, technological innovations in blockchain and cryptography have led to decentralized identity architectures, wherein individuals can control access to their data and share it when and with whomever they choose. In particular, there are significant developments with respect to digital identification verification that would allow DeFi service providers to rely on traditional financial institutions to perform CIP procedures, thereby reducing the AML risks associated with such platforms.
For example, decentralized identity verification protocols would enable authorized verifiers, such as banks and broker dealers, to verify the identity of potential DeFi users. Upon completing the appropriate CIP procedures, authorized verifiers would issue a digital credential to individuals, which can then be presented to other financial service providers as proof of identity. This novel approach to identity verification would allow law enforcement to identify illicit activity in a manner that is consistent with the BSA, including executing inquiries to credential issuers, without exposing sensitive data to smart contracts, blockchains, or the public during the normal course of transactional activity. Digital identity verification would also significantly increase the effectiveness of AML compliance across the nascent blockchain ecosystem, thereby reducing AML/CFT risks across the broader financial system. Accordingly, FinCEN should consider promulgating new, or amending existing, AML regulations to allow financial institutions to incorporate innovative technology within their AML compliance programs.
Balancing the personal privacy needs of individual Americans and the public security needs of the U.S. Government and financial institutions to monitor and prevent financial crime is another important principle FinCEN should consider when modernizing the U.S. AML/CFT regulatory regime. Currently, minimizing the exposure of sensitive identity information (particularly when anchored to immutable datastores like distributed ledgers) while still making such information accessible to law enforcement is a significant technological challenge. Financial institutions are currently considering solutions, which include: (1) granting government investigators access to encrypted data via methods that bypass normal authentication systems; and (2) sharing encrypted identity data directly with counterparty financial institutions and providing decryption keys only to authorized law enforcement. Notably, these approaches would continue to require the unsafe transmission and storage of sensitive, encrypted identity data by each and every financial institution on each and every customer in an attempt to satisfy FinCEN guidance that requires data to be in the custody of BSA-regulated entities.
While both of these approaches guarantee government access to identity data in emergencies or for investigative purposes, we are concerned these and similar approaches may introduce new privacy risks to American consumers by creating additional opportunities for criminals to access sensitive personal information. If, for CIP purposes, BSA-regulated entities were instead able to rely on verifiable attestations of identity that minimize the data preserved in portable credentials, such an approach could help mitigate the privacy risks associated with the distribution of personal information over open networks, as law enforcement would be directed to the individuals and entities already in possession of the requested information. Accordingly, we respectfully request FinCEN to consider approaches that appropriately balance the legitimate privacy concerns of consumers with the needs of law enforcement.
III. Conclusion
We appreciate the opportunity to provide comments on this important RFI, and would be pleased to provide further information upon request.
Very truly yours,
David Puth
Chief Executive Officer
Centre Consortium, LLC
2See e.g., 31 C.F.R. § 1020.220(a)(6).
3See 31 C.F.R. § 1010.230(j). Note, we understand that the CIP Rule and the beneficial ownership requirements under the CDD Rule only apply to banks, broker dealers, futures commission merchants, and mutual funds.
