Letter to Attorney General Becerra Re: FinCen Proposed Rule Privacy concerns

February 22, 2021

The Honorable Xavier Becerra

California State Capitol

SENT VIA EMAIL

Dear Attorney General Becerra,

On behalf of the Blockchain Advocacy Coalition, an organization of blockchain and virtual currency businesses in California, I write to bring to your attention a pending federal regulation that would preempt and refute many of the important privacy protections your office has led the nation on. On December 18, 2020 the US Treasury led by Steve Mnuchin, released a concerning proposed rule that would put into place first of its kind reporting requirements for virtual currencies and digital assets. The agency initially proposed a 15 day comment period over the holidays due to unsubstantiated ‘national security concerns’. After widespread pushback from private citizens, virtual currency companies and members of Congress, the Treasury Department provided another 15 days for reporting requirements and an additional 45 for recordkeeping and counterparting reporting. Fortunately the Biden administration, faced with an avalanche of such poorly thought out rules, gave a 60 day pause and extension on the rulemaking and now the industry is facing a March 1st deadline to comment on a rule that would significantly stifle innovation, limit access to these new products and massively extend the reach of government surveillance of financial transactions far beyond the Bank Secrecy Act (BSA).

If it were to become policy, this rule would preempt California’s consumer privacy laws, significantly weakening the data privacy protections around financial information voters deemed important when approving the Californian Privacy Rights Act in November of 2020. While many parties have opined on the slapdash process and lack of clarity in the proposed rule, we do not believe that the blatant and far reaching consumer privacy implications have been brought to attention . Your office has led the charge implementing and enforcing the nation’s first and strongest consumer privacy framework, particularly for sensitive financial information. Because of this, we wanted to raise the following concerns with the proposed FinCEN rulemaking and ask for your action. The proposed rule complements existing BSA requirements applicable to banks and MSBs (money service business) by proposing to add reporting requirements for virtual currency transactions exceeding $10,000 in value. Pursuant to the proposed rule, banks and MSBs will have 15 days from the date on which a reportable transaction occurs to file a report with FinCEN. Further, this proposed rule would require banks and MSBs to keep records

of a customer’s virtual currency transactions and counterparties, including verifying the identity of their customers, if a counterparty uses an unhosted or otherwise covered wallet and the transaction is greater than $3,000.

Our concerns with the consumer privacy implications of this proposed rule are twofold:

First, the proposed rule’s requirement that MSB’s collect identifying information associated with wallet addresses will create reporting that extends well beyond the intent of the rule or the transaction. According to the EFF “For some cryptocurrencies like Bitcoin, transaction data — including users’ Bitcoin addresses — is permanently recorded on a public blockchain. That means that if you know the name of the user associated with a particular Bitcoin address, you can glean information about all of their Bitcoin transactions that use that address.” California consumers do not have the expectation that a future reporting requirement will link to their entire financial transaction history from that wallet.

Second, this rule creates requirements for disclosure of counterparty information beyond what the BSA requires banks and other financial institutions to collect. It wouldn’t only require these businesses to collect information about their own customers, but also the information of anyone who transacts with those customers using their own cryptocurrency wallets. Specifically:

1. The name and physical address of each counterparty to the transaction of the financial institution’s customer;
2. Other counterparty information the Secretary may prescribe as mandatory on the reporting form for transactions subject to reporting pursuant to § 1010.316(b);
3. Any other information that uniquely identifies the transaction, the accounts, and, to the extent reasonably available, the parties involved;

Unlike KYC (know your customer) requirements which arise from a direct customer relationship, KYCC (know your customer’s counterparty) requirements unreasonably obligate non-customers to provide personally identifying information to a VASP/MSB (virtual asset service provide/money services business) they do not know or do business with, and whose security and privacy practices they have not evaluated, simply because they happen to transact with one of its customers.

In its haste, the Treasury did not adequately consider the impact of these rules on consumer privacy for those that choose to use virtual currency and would create large scale government surveillance of small personal transactions. We call upon your leadership and expertise in this space to once again lead the charge for consumer protections and submit a comment letter opposing these portions of the proposed rule. Thank you for your consideration and please do not hesitate to reach out with any questions.

Kind Regards,

Ally Medina

Director, Blockchain Advocacy Coalition