DOJ’s New Stance on Crypto Wallets is a Threat to Liberty and the Rule of Law
Sudden DOJ charges against non-custodial wallet developers challenge long-standing U.S. policy on money transmission. It is regulation by criminal enforcement.
It has been the clear and consistent policy of the U.S. government since at least 2013 that cryptocurrency wallet developers and the users of those wallets are not money transmitters. So it has come as quite a surprise that the Department of Justice is suddenly intent on charging wallet developers criminally for unlicensed money transmission even if they exercise no actual control over the assets their users choose to secure with their software. This is an insidious development that appears to be nothing less than regulation by criminal enforcement.
Federal prosecutors have put forward this unprecedented interpretation of money transmission law in two recent cases: the April 26th unsealed Samourai Wallet indictment and the DOJ’s opposition to Roman Storm’s motions to dismiss and suppress evidence in the Tornado Cash case, which was published the same day. Simultaneously, the FBI issued a warning to crypto wallet users suggesting that they may lose their funds due to criminal seizures and investigations if they don’t move them to a regulated entity. It is hard to know at this point if this is a deliberate attempt to abruptly change long-established policy through criminal enforcement, or if this is a significant disconnect between the Department of Justice and FinCEN. Either way, this is a disaster for the rule of law, due process rights for the accused, and our fundamental freedoms of speech and privacy. Here’s a brief review of existing money transmission policy, a detailed summary of the recent events, and some preliminary thoughts about how we fight back.
Policy Since 2013
The federal laws that regulate money transmitters are anti-money laundering (AML) statutes, specifically the Bank Secrecy Act and its amendments. These laws define a category of regulated businesses as “Financial Institutions” and also empower the Secretary of the Treasury to redefine that category as he sees fit. Because of this congressionally delegated power to expand the category, it is the implementing regulations of the Bank Secrecy Act (the “regulations”) that actually define the law of who must and must not register as a money transmitter or other financial institution and practice Know Your Customer (KYC) guidelines, file reports with the government, and establish other AML controls.
The regulations define a money transmitter as (1) any person who offers money transmission services, which the regulations define as “the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means,” and (2) “any other person engaged in the transfer of funds.”
In the context of cryptocurrencies, that definition includes some ambiguities about whether cryptocurrency is “currency, funds, or other value that substitutes for currency.” If cryptocurrency is “funds,” then “any person engaged in the transfer” is a money transmitter. If, alternatively, cryptocurrency is “currency” or if it is “other value that substitutes” for currency, then any person who both “accepts” and “transmits” cryptocurrency is a money transmitter. A plain reading of the regulations suggests that cryptocurrency is a substitute for traditional currency and, therefore, a person is a money transmitter if they both accept and transmit that cryptocurrency as a business for other people. In other words, if someone has actual control over another person’s cryptocurrency and uses that control to move that person’s cryptocurrency to another person or location they are a money transmitter. This has been the controlling law since before cryptocurrency existed and it has never been amended or overruled by Congress, the courts, or regulation. The minor ambiguity over whether cryptocurrency is currency, funds, or value that substitutes for currency would be resolved early in the history of crypto regulation by FinCEN.
In 2013, FinCEN released its first “virtual currency” guidance. In it, FinCEN confirmed that cryptocurrency (virtual currency as they called it) is “value that substitutes for currency” and that it is not “funds” or “currency” itself (hence “virtual currency”). In a footnote it also clearly stated that it does not consider virtual currency to be “funds” because doing so would trigger prepaid access regulations that FinCEN felt were inapplicable to cryptocurrency activities:
If FinCEN had intended prepaid access to cover funds denominated in a virtual currency or something else that substitutes for real currency, it would have used language in the definition of prepaid access like that in the definition of money transmission, which expressly includes the acceptance and transmission of “other value that substitutes for currency.”
FinCEN went on to explain that mere users of virtual currencies are not money transmitters and in a subsequent administrative ruling found that software developers are also not money transmitters: “The production and distribution of software, in and of itself, does not constitute acceptance and transmission of value, even if the purpose of the software is to facilitate the sale of virtual currency.” [emphases added].
Coin Center and others lauded this clear statement of policy and over the following years pushed for additional clarity on the lingering question of partial control over virtual currency, as exists in the case of multisig wallets and time-locked contracts like those in the Lightning Network. In response FinCEN published additional guidance in 2019.
The 2019 Virtual Currency Guidance clearly articulated that partial control over virtual currency was insufficient to classify wallet developers as money transmitters because: “the person participating in the transaction to provide additional validation at the request of the owner does not have total independent control over the value.”
Coin Center once again lauded FinCEN for clearly articulating a policy that rightfully required only custodial cryptocurrency businesses to license and be subject to federal money transmission regulations. Even if we set aside these guidance documents and administrative rulings, however, a plain reading of the underlying binding rules also shows that money transmission in cryptocurrency only happens if someone both “accepts” and “transmits” cryptocurrency on behalf of another person. In other words, for as long as cryptocurrency has existed, the law has been unambiguous: non-custodial cryptocurrency developers are not money transmitters.
Recent Actions
On April 26th 2024 an indictment was unsealed that accused the developers of Samourai Wallet (a Bitcoin wallet that uses CoinJoin transactions to enhance user privacy) of unlicensed money transmission among other charges. For the purpose of this discussion we will not discuss the charge of conspiracy to launder money. That charge is fact-dependent and does not necessarily rely on the developers offering a custodial rather than non-custodial wallet service. The defendants may have, as alleged, operated a centralized server to coordinate CoinJoin transactions. However, from our current understanding, the Samourai Wallet did not afford the developers or any other third-parties actual independent control over bitcoins secured by users of the wallet software. Under a plain reading of the regulations and especially in light of the FinCEN guidance and administrative rulings, the developers of Samourai Wallet did not have “total independent control” over any user funds and therefore were thus not money transmitters.
Also on April 26th, the prosecution in the Tornado Cash criminal case against developer Roman Storm offered a reply brief that responded to the defense’s earlier motion to dismiss. A substantial subsection of the reply is titled “Section 1960 Does Not Require the Business to Have Control of the Funds.” There “Section 1960” is referring to the section of the criminal code that makes it illegal to operate an unlicensed money transmitting business. The brief spends pages arguing that the definition at 1960 is broader than the actual definition in the Bank Secrecy Act and the regulatory definition offered by the regulator that we discussed above. It would be a blatant violation of due process rights if you could be charged under a criminal definition of “unlicensed” conduct even if the actual regulatory definition of which conduct requires a license clearly did not include the conduct in which you engaged. Nonetheless this is what the brief argues.
The brief goes on to argue that the Tornado Cash developers are culpable because the Tornado Cash software “caused cryptocurrency to pass from one place to another on the Ethereum blockchain every time a customer requested a deposit or withdrawal.” This is a massive overreach. By the prosecution’s absurdly broad and unsupported standard, every functioning cryptocurrency wallet and smart contract is “doing” money transmission and every developer is engaged in unlicensed money transmission.
Eventually the reply brief reaches the regulatory definition but it ignores all of the existing guidance that we outlined above and interprets the “funds” section of the definition with absurd breadth, arguing that the law simply asks if someone is “any person engaged in the transfer.” This entirely ignores the fact that FinCEN has previously articulated that virtual currency is not “funds.” To illustrate their point about “control” being non-essential, the prosecution makes a comparison to parcel delivery:
Consider the example of a business that accepts parcels of cash from criminals and moves the money by courier to locations overseas, perhaps the archetypal Section 1960 violation. Under the defendant’s theory, such a business could escape liability by the simple expedient of only accepting cash in locked parcels, as long as its customers did not give it the keys to unlock the parcels. Then, it could claim, it never had “control” over the funds.
This brief section is indicative of the low-ball tactics being employed by the prosecution. First note the immediately prejudicial nature of the parcel service, it “accepts parcels of cash from criminals.” If Tornado Cash was a parcel service it certainly didn’t only accept parcels from criminals. Coin Center happily used Tornado Cash to accept legitimate donations. Second, the comparison proves exactly the opposite of what the prosecutors want it to prove. A delivery service that cannot access the underlying contents of the parcels it delivers is plainly and clearly not a money transmitter. First of all, if you can’t open the parcel how do you even know what is in it? Can you be guilty of unlicensed money transmission if you were told you were only moving boxes of canned Spam and had no way to open the boxes? Second, FinCEN has expressly ruled that armored car businesses that are “limited to secure transportation of currency” are not money transmitters under their rules! Sadly, the prosecution may dismiss that administrative ruling just as they have dismissed the otherwise comprehensive and clear guidance that FinCEN has offered on virtual currencies.
As we have argued in our own civil lawsuit to remove the Tornado Cash smart contracts from the OFAC list and in our amicus brief in this criminal case, no third party including the Tornado Cash developers ever had any actual control over the cryptocurrency that users of the tool owned. Under clear and long established FinCEN guidance and under any common sense reading of the underlying law, these developers are not money transmitters. Nonetheless the prosecution persists unjustly.
Rounding out the very bad week, the FBI released an alert bulletin on crypto wallets. It “warns Americans against using cryptocurrency money transmitting services that are not registered as Money Services Businesses (MSB) according to United States federal law.” Typically, Coin Center would applaud such a statement from the FBI or any other policy arm of the US Government. As we have argued repeatedly, noncompliant custodial cryptocurrency exchanges are responsible for the lionshare of illicit activity in our space; stopping them and starving them of customers is the most important step towards reducing terrorist and criminal usage of these valuable technologies. In light of the Tornado Cash and Samourai Wallet prosecutions, however, this warning is a big problem. If it is the position of the Department of Justice that a money transmitter is anything that (as the Tornado Cash reply brief argues) “cause[s] cryptocurrency to pass from one place to another on the Ethereum blockchain,” then every cryptocurrency wallet is a money transmitter whether it is just software running on your phone, or software running on your Trezor or Ledger thumb-drive, or software running on Coinbase’s servers. The only one of those three that is registered as a Money Services Business is Coinbase. In light of these recent prosecutions, the warning from the FBI can be interpreted as a not-so-subtle threat that Americans who keep their crypto off of regulated exchanges are likely to have their crypto seized. As the FBI Warning continues:
People who use unlicensed cryptocurrency money transmitting services may encounter financial disruptions during law enforcement actions, especially if their cryptocurrency is intermingled with funds obtained through illegal means.
But don’t worry, “a few simple steps can prevent unintentional use of non-compliant services. For example, avoid cryptocurrency money transmitting services that do not collect know your customer (KYC) information.” That’s good advice if you are hoping to actually hand your crypto over to a business that says it will keep your money safe; but if that’s required before you hold your own crypto in a non-custodial app on your own device, it’s essentially a ban not a requirement.
Next Steps
We will continue our efforts to help the courts understand how the technology works and how the existing law applies to that technology. These cases are still being argued and we have a chance to defend both the wrongly accused developers and the good policies previously laid out by regulators. Additionally, we will also engage with members of Congress to be sure that they are aware of this apparent policy change through criminal enforcement. As always we’ll be on guard for any additional overreach from regulators and law enforcement.