TRISA Feedback on Docket No. FINCEN-2020-0002 ; RIN 1506-AB41
November 27, 2020
US Federal Reserve and FinCEN Proposed Rule Change — Docket No. FINCEN–2020–0002 ; RIN 1506– AB41
Threshold for the Requirement To Collect, Retain, and Transmit Information on Funds Transfers and Transmittals of Funds That Begin or End Outside the United States, and Clarification of the Requirement To Collect, Retain, and Transmit Information on Transactions Involving CVCs
To: Board of Governors of the Federal Reserve System (‘‘Board’’); Financial Crimes Enforcement Network (‘‘FinCEN’’), Treasury.
Regarding: Joint notice of proposed rulemaking
Summary of Proposed Recommendation:
- Harmonize all Travel Rule regulations at $1,000
- Waive address requirement for virtual currency travel rule compliance
- Allow twelve months for VASPs to comply
Joint notice of proposed rulemaking
The proposed rule change would reduce the information collection, retention, and transmission threshold from $3,000 to $250 for funds transfers and transmittals of funds that begin or end outside the United States. The Travel Rule Information Sharing Alliance (TRISA) is an organization of more than a hundred stakeholders including exchanges, Bitcoin ATMs, compliance experts, regulators, privacy coin advocates, and technologists. We applaud the rulemaking process to achieve clarity.
It had previously been unclear if the travel rule applied to CVCs in the US. Clarifying the meaning of “money” as used in these same rules to ensure that the rules apply to domestic and cross-border transactions involving convertible virtual currency (“CVC”), which is a medium of exchange (such as cryptocurrency) that either has an equivalent value as currency, or acts as a substitute for currency, but lacks legal tender status, is laudable.
The proposed changes generate several issues to which TRISA collectively proposes recommendations.
Issues with the proposed changes:
Issue 1: Inconsistencies with FATF guidance for global de minimis Travel Rule threshold
Inconsistencies between the FinCEN proposal and FATF recommended thresholds for application of the Travel Rule will unduly complicate an already difficult compliance challenge by requiring conditional processing and cause increased exception handling. Complying with the FinCEN $3000 threshold for domestic CVC transfers, which is inconsistent with FATF’s $1000 threshold for all transactions is already confusing. Adopting a $250 threshold for international transactions will have the perverse impact of driving bad actors towards unregulated, nonreporting unhosted wallets. The $250 threshold impedes financial inclusion by creating hurdles for personal remittances.
Recommendation 1: Harmonize all Travel Rule regulations at $1,000 for all CVC transfers between VASPs.
Issue 2: Difficulty of determining if an address is cross border based on the location of VASP
It is for this reason that the FATF decided in its virtual asset guidance that “countries should treat all VA transfers as cross-border wire transfers, in accordance with the Interpretative Note to Recommendation 16 (INR. 16), rather than domestic wire transfers, based on the cross-border nature of VA activities and VASP operations.”
Recommendation 2: Treat all virtual asset transfers as cross border.
Issue 3: Sending address and tax information on US persons to untrusted VASPs
The proposed threshold reduction from $3,000 to $250 for funds transfers and transmittals of funds that begin or end outside the United States will result in the sharing of sensitive US PII with unknown or untrusted VASPs, creating numerous privacy issues for virtual asset users. As evidenced by dozens of successful exchange hacks, few VASPs are well prepared to defend against a dedicated adversary and have poor security around crypto assets, let alone stored PII.
Many smaller VASPs have minimal security expertise and have previously not considered themselves to be financial institutions. Risks to individual privacy, and to individuals, in the context of the Travel Rule include exposing sensitive PII to VASPS pursuant to the instructions of the Travel Rule where the receiving VASP is vulnerable to:
-
- Hacks and PII data leaks
- Fake VASPs masquerading as legitimate VASPs to collect PII
- Harvesting, data mining, and selling user PII data
- Monitoring by oppressive regimes, leaks, hacks, data mining, poor security, and data brokering
- DDOS and market manipulation
Recommendation 3: Eliminate the requirement to send address information and SSN/EIN for CVC travel rules.
Issue 4: Time to comply
Very few VASPs in the United States have implemented a travel rule technical solutions in production environments. The state of travel rule compliance solution implementation globally would best be described as very early stage with a few Minimal Viable Products at the beta test phase. Adequate time needs to be allotted to avoid negative privacy implications when transacting with VASPs with less rigorous operational security and potential vulnerabilities.
Recommendation 4: Continued regulatory forbearance. Provide a twelve-month safe harbor window for VASPs that are able to demonstrate progress in implementing and actively integrating MVP/POCs. We further recommend a record-keeping period in the interim when data is collected and retained but not transmitted.
Issue 5: Cost of compliance significantly underestimated
In the first three years, exception handling and implementation will cost considerably more than estimated. Information technology implementation costs solely resulting from the need to comply with this proposed ruleSoftware and operational costs for a large to medium-sized MSB will be over could easily cost between $500,000 and $100,000 for commercially supported software and required security infrastructure.
VASPs outside of the US will also bear additional costs of compliance if they transact with US persons and may choose not to so, thereby denying US persons with access to exciting new technology and costs savings.
Recommendation 5: Support the global standard of $1000 to reduce conditional processing and costly manual exception handling.
Thank you for the consideration,
TRISA Board of Directors
Appendix I
Decreasing the threshold to collect, retain, and transmit information on the transmittals of funds that “begin or end outside the United States” would increase the number of transactions that trigger Travel Rule thresholds every year by a factor of at least 2.5, according to CipherTrace analysis.
Minimum Monthly Travel Rule Transactions
According to CipherTrace data, to comply with the current US Travel Rule threshold of $3,000, US VASPs would have had to have sent over 34,000 messages during the month of October. Over 27,000 of these messages—around 78%—would have been cross-border in nature, meaning the sending or receiving VASP was domiciled outside of the United States. This would translate to over 417,000 messages a year at the current threshold.
Lowering the threshold to $250 would push the number of required travel rule messages to be shared and stored per year to over one million. At this lower threshold, cross-border transactions make up 83% of all travel rule triggers for US VASPs.
US VASP Travel Rule Triggers | Current 3k | Proposed Change |
US Domestic only | 7,500 | 7,500 |
Cross US Border | 27,300 | 79,000 |
Monthly Travel Rule Triggers | 34,800 | 86,650 |
If the US were only to lower its threshold to FATF’s de minimis standard of $1,000, then the number of transactions that would trigger compliance would only increase by a factor of 1.7 every year.
Intermediary banks or financial institutions are also required to transmit this information to other banks or nonbank financial institutions in the payment chain. The proposed rule change acknowledges that cryptocurrency can be transferred without third-party bank involvement but states that, in reality, many users rely on hosted wallets and exchanges to transact.
Difficulty in determining “cross-border payments” in the virtual asset world
FinCEN’s proposed rule change is based on transactions that “begin or end outside the United States.” These transactions are defined by whether a financial institution “knows or has reason to know that the transmittor, transmittor’s financial institution, recipient, or recipient’s financial institution is located in, is ordinarily resident in, or is organized under the laws of a jurisdiction other than the United States or a jurisdiction within the United States.”
Due to the cross-border nature and global reach of virtual assets and VASPs, compliance with this definition would be difficult to enforce, especially given many VASPs are often registered in multiple jurisdictions around the world. A financial institution would only have “reason to know” that a transaction begins or ends outside the United States to the extent that such information was shared when receiving the transmittal order or collected from the transmittor—assuming he or she even knows the true extent of the cross-border nature of their transaction.
It is for this reason that the FATF decided in its virtual asset guidance that “countries should treat all VA transfers as cross-border wire transfers, in accordance with the Interpretative Note to Recommendation 16 (INR. 16), rather than domestic wire transfers, based on the cross-border nature of VA activities and VASP operations.”