To whom it may concern:
Coin Center is an independent nonprofit research and advocacy center focused on the public policy issues facing cryptocurrency technologies such as Bitcoin and Ethereum. Our mission is to build a better understanding of these technologies and to promote a regulatory climate that preserves the freedom to innovate using open blockchain technologies. We do this by producing and publishing policy research from respected academics and experts, educating policymakers and the media about blockchain technology, and by engaging in advocacy for sound public policy.
We thank the Financial Crimes Enforcement Network (FinCEN) for the opportunity to comment on Anti-Money Laundering and Countering the Financing of Terrorism pursuant to the Department of Treasury and FinCEN’s efforts to modernize the Bank Secrecy Act (BSA). Coin Center agrees with FinCEN’s recognition that financial institutions are best positioned to assess their own ML/TF risks and allocate compliance resources accordingly. We also welcome FinCEN’s openness to innovative technologies for combating illicit finance. But FinCEN should make clear that AML/CFT risks are not limited to a financial institution collecting too little information when overcollection can itself create serious risks.
Current customer identification and data-collection practices remain badly outdated. Americans are still expected to send .jpg files of driver’s licenses, photos of themselves, and passport scans to open or use financial accounts. These identity signals are trivially forged by sophisticated criminals, meaning the process often achieves little real deterrence. Meanwhile, ordinary customers comply with the ritual, and institutions build comprehensive dossiers about them, their transactions, and their intimate associations. Those dossiers become honeypots for hackers, who can then use the same stolen data to open more accounts, commit more fraud, and launder more money.
The result is a compliance regime that mistakes examiner comfort for public safety. Financial institutions have become so concerned with the risk of disappointing regulators by failing to collect the same invasive but cheap data they have always collected that they may now be creating more illicit-finance risk than they mitigate. A system that forces good actors to overshare, gives bad actors reusable fraud material, and still fails to stop sophisticated criminals is outdated and backwards.
FinCEN should therefore direct financial institutions to consider and, where possible, quantify the operational risks created by collecting and retaining sensitive customer information. Customer identification programs (CIP) should not be judged only by whether they collect enough information to satisfy legacy expectations, but also by whether they create unnecessary fraud, cybersecurity, privacy, and illicit-finance risks through the collection and retention of sensitive personal data.
FinCEN should also explicitly permit and encourage financial institutions to use alternative onboarding methods that preserve privacy and reduce the overcollection of customer data when a financial institution determines that traditional collection and retention practices would increase operational, cybersecurity, or AML/CFT risk. Privacy-preserving digital identity systems, including portable credentials, attribute-based proofs, and dynamic risk-scoring mechanisms, can allow regulated entities to verify relevant facts without exposing full identity details or transaction histories.
Success should not be measured by the volume of information collected. It should be measured by reductions in illicit finance, cybercrime, fraud, and unnecessary risk to innocent users. A modern AML framework should reward institutions that can verify relevant facts with less data, fewer honeypots, and stronger privacy protections.
I. Cybercrime and Fraud
Financial institutions are persistent targets for cybercriminals because they collect and retain the very information criminals need to defeat identity controls.1 Once personally identifiable information (PII) is stolen, it can be used to open accounts, compromise existing accounts, conduct fraudulent transactions, and launder money in the name of an innocent person. As PPSIs become more widely used, they will face the same incentives for attack. The more sensitive customer information they collect and retain, the more valuable a target they become, and the more harm their customers will suffer when that information is compromised.
This is not a speculative risk. The Identity Theft Resource Center’s (ITRC) 2025 annual report found that data compromises in the U.S. are transitioning from “mass identity theft… to pervasive identity fraud and scams, where stolen credentials are weaponized with precision.”2 The report also found that criminals increasingly prioritize “static identifiers that facilitate long-term identity fraud over easily replaceable data, such as credit card numbers.”3 Static identifiers include Social Security numbers (SSNs) and driver’s licenses, for which there have been drastic increases in compromises over the past five years.4
Financial institutions have increasingly been the main targets. A 2024 study out of the University of Brasília, Impact, Compliance, and Countermeasures in Relation to Data Breaches in Publicly Traded U.S. Companies reviewed 506 breaches across 274 companies, and found that financial institutions were the most breached and the primary target for malicious actors.5 This is because a breach at a financial institution does not merely expose ordinary consumer information, but also the information used to pass identity checks, defeat AML/CFT controls, and impersonate legitimate customers.
The National Institute of Standards and Technology (NIST) has recognized the same problem. In its special publication, Digital Identities—Mobile Driver’s License (mDL), NIST identified “the need for secure, usable, and privacy-preserving identity solutions” in light of “the emergence of new threats to identity proofing systems.”6 NIST observed that “[f]inancial institutions, who have direct access to money and sensitive personal information, are subject to emerging cyber threats. Attackers seeking to drain bank accounts, open fraudulent lines of credit, launder money or steal PII, may target financial institution identity proofing systems.”7 Additionally, NIST reported that FinCEN “linked $212 Billion dollars to identity-related suspicious activity in 2021, a figure that reached as much as $394 billion by 2023,” and that “inadequate digital identity systems cost institutions an estimated 3.1% of annual revenue.”8
In several recent reports, FinCEN has identified that weaknesses in identity processes at financial institutions are exploited by impersonating others, exploiting insufficient processes to circumvent verification, and using compromised credentials to gain unauthorized access to accounts.9 In 2021, about 1.6 million BSA reports—or 42% of roughly 3.8 million total BSA reports—involved identity-related suspicious activity,10 and fraud was the most frequently reported illicit finance typology.11 FinCEN has also identified that “data breaches compromising [PII], synthetic identities, and artificial intelligence (AI) may further enable bad actors to exploit identity processes more easily, quickly, and inexpensively to drive money laundering, fraud, and cybercrime.”12
And while these hacks and exploitations may harm financial institutions and their AML/CFT efforts, the real victims are everyday Americans who are simply abiding by the process and handing over sensitive information for financial services. Once stolen, personal information can be reused repeatedly over many years for financial gain or other criminal purposes. Federal complaint data show the scale of the problem. In its 2025 Internet Crime Report, the FBI reported 67,456 complaints involving personal data breaches and 31,675 complaints involving identity theft through the Internet Crime Complaint Center.13 The Federal Trade Commission’s most recent Consumer Sentinel Network Data Book showed that the number of fraud, identity theft, and other reports increased each year—from 860,383 in 2004 and 2,620,931 in 2014 to 6,471,708 in 2024.14
These figures show why overcollection should be treated as an AML/CFT risk, in addition to being a privacy concern. Once collected, sensitive personal information becomes a target and a tool for fraud, cybercrime, account compromise, and money laundering. FinCEN should therefore clarify that a risk-based AML/CFT program does not require financial institutions to collect and retain sensitive personal information beyond what is genuinely necessary, especially where the financial institution reasonably determines that doing so would increase the risk of hacking, identity theft, fraud, or downstream money laundering. FinCEN should also treat good-faith deployment of privacy-preserving digital identity tools as an innovative activity capable of achieving equivalent or better AML/CFT outcomes, provided financial institutions can produce demonstrable compliance outputs.
II. Privacy
Financial transactions can reveal intimate details about a person’s life: payments, counterparties, balances, donations, memberships, habits, beliefs, and associations. In the hands of the federal government, that information invites warrantless financial surveillance and political abuse. For example, a hostile administration or agency may leverage this information for discrimination, harassment, debanking, and the chilling of lawful expressive and associational activity. In the hands of a foreign adversary, it can be used to identify dissidents, diaspora communities, journalists, religious minorities, or politically exposed persons, and may endanger their relatives abroad. In the hands of criminals, it can be used to identify wealthy customers and facilitate targeted extortion.
These risks are avoidable. Financial institutions should not continue to be pushed toward compliance models that require them to build databases of sensitive customer information when less invasive alternatives can achieve the same or better AML/CFT outcomes. Privacy-preserving digital identity, portable credentials, attribute-based proofs, and risk-score attestations can allow financial institutions to verify relevant facts without retaining the raw materials for identity theft.
FinCEN requires financial institutions to maintain an effective AML/CFT program, but “effective” does not mean maximally invasive, especially where privacy-preserving alternatives can produce equivalent or better compliance outputs. And with the operational risks in mind, traditional methods have not demonstrated meaningful effectiveness against cybercrime and fraud.
FinCEN should therefore expressly recognize privacy-preserving digital identity as an acceptable customer onboarding method for financial institutions. A modern customer identification program (CIP) should allow financial institutions to verify the facts they need to know while minimizing the data they collect, the honeypots they create, and the risks they impose on lawful users. That approach would better serve AML/CFT goals while protecting the freedom, dignity, and security of everyday Americans.
III. Privacy-Preserving Digital Identity
FinCEN’s 2024 Financial Trend Analysis (FTA) identifies three points in the identity process that can be exploited for illicit finance: validation, verification, and authentication.15 These terms are drawn from NIST’s Digital Identity Guidelines, most recently updated in July 2025. NIST defines them as follows:
- Validation: “The process or act of checking and confirming that the evidence and attributes supplied by an applicant are authentic, accurate, and associated with a real-life identity.”16
- Verification: “The process or act of confirming that the applicant undergoing identity proofing holds the claimed real-life identity represented by the validated identity attributes and associated evidence.”17
- Authentication: “The process by which a claimant proves possession and control of one or more authenticators bound to a subscriber account to demonstrate that they are the subscriber associated with that account.”18
FinCEN identifies three corresponding modes of exploitation: impersonation, circumvention, and compromise.19 These risks are amplified by the current BSA model, which generally requires financial institutions to independently collect, verify, and store extensive personal information about their customers.
The CIP should therefore evolve to mitigate these risks and better protect Americans’ sensitive information. Privacy-preserving digital identity tools can allow financial institutions to verify relevant facts about customers without collecting and retaining large stores of sensitive personal information. Properly designed, these tools can address the risks FinCEN identifies in validation, verification, and authentication while reducing the harms that flow from overcollection. For purposes of this proposed rule, FinCEN should expressly allow alternative onboarding methods that are portable, attribute-based, and dynamically risk-scored. Each component serves a distinct function.
1. Portable Onboarding
Portable onboarding allows customers to use digital identity credentials across multiple financial institutions.20 Today, each institution typically repeats the same onboarding process: collecting copies of identity documents, storing addresses and Social Security numbers, and maintaining its own silo of sensitive customer data.
Portable onboarding reduces that duplication. A customer who has already completed a high-assurance identity proofing process could present a verifiable digital credential (VDC) to a financial institution, rather than resubmitting the same sensitive documents. The financial institution would verify the credential’s authenticity, status, and binding to the customer, without necessarily retaining the underlying identity evidence.
VDCs are cryptographically signed attestations about a person or entity. They may prove facts such as age, citizenship, verified account status, or successful completion of an identity proofing process.21 The basic model involves an issuer, a holder, and a verifier. The issuer signs the credential using a private cryptographic key. The holder stores and presents the credential. The verifier checks the credential’s integrity and authenticity using the issuer’s corresponding public key.
Portable credentials should be designed to preserve privacy. Otherwise, they risk recreating the same identity-linked surveillance problems described above. Zero-knowledge proofs (ZKP) can allow a holder to prove that a credential supports a relevant fact without revealing the credential itself or the underlying personal information. Secure multi-party computation can allow multiple parties to compute a risk or eligibility result using private inputs without exposing those inputs to one another. In an onboarding or customer due diligence context, these tools could allow multiple institutions to contribute limited signals to a fraud or eligibility assessment without requiring any one financial institution to collect and store the full underlying data.
To maintain a high standard of implementation, FinCEN should look to NIST Identity Assurance Level 2 (IAL2) as a benchmark for portable onboarding. A financial institution that verifies a credential issued through an IAL2-compliant process, confirms its validity and revocation status, and authenticates the holder’s control of the credential should be permitted to treat that process as satisfying relevant customer identification requirements.22
2. Attribute-Based Onboarding
FinCEN should also permit financial institutions to rely on attribute-based proofs rather than full identity disclosure where appropriate under the financial institution’s risk assessment. Attribute-based onboarding allows a financial institution to verify the specific fact it needs to know, rather than collecting an entire identity dossier.
In many cases, a financial institution does not need to know every detail of a customer’s identity to satisfy an AML/CFT objective. It may need to know that the customer has completed identity proofing at a specified assurance level, is not on a sanctions list, is located in an eligible jurisdiction, is not using a prohibited account type, or falls below a defined risk threshold. Those facts can be proven directly through credentials or derived proofs without requiring the financial institution to retain the customer’s full identity documents and static identifiers.
This approach would reduce the honeypot risk described above. It would also better protect Americans from criminals who seek to steal and reuse their PII. Therefore, the compliance question should be whether the financial institution can produce reliable, auditable evidence that a relevant requirement was satisfied, not whether it has collected the maximum possible amount of personal information.
One practical path would be a FinCEN-supervised pilot program. FinCEN could permit financial institutions to onboard a defined number of customers at low transaction thresholds using attribute-based proofs and data-minimized identity workflows. The pilot should test which facts are genuinely necessary for AML/CFT purposes, how those facts can be verified, and whether data-minimized onboarding produces equal or better outcomes than traditional document collection. FinCEN should issue a Request for Information (RFI) on how to structure such a pilot, including eligible attributes, assurance standards, audit requirements, transaction limits, and safe harbor conditions.
3. Dynamic Risk-Scoring
Dynamic risk-scoring could allow financial institutions to satisfy customer due diligence (CDD) obligations in a more privacy-preserving and adaptive way.
Today, customer risk scoring is generally internal, opaque, and data-intensive. Each institution collects personal information, monitors customer activity, and applies its own risk model. That approach encourages duplicative collection, makes scores non-portable, and leaves customers with little understanding of what facts matter or how to improve their standing.
A better approach would allow certain risk-scoring components to become standardized, widely understood, and reusable across the market. A customer could voluntarily subject themselves to a recognized risk-scoring process before engaging with any particular financial institution. That process could evaluate relevant attestations and signals, such as credential freshness, liveness checks, prior successful identity proofing, jurisdictional eligibility, wallet longevity, source-of-funds attestations, or non-appearance on sanctions or fraud lists. The customer could then present the resulting score or attestation to the financial institution they want to use, without necessarily revealing the underlying personal information that produced it.
The financial institution would receive a compliance output: for example, that the customer satisfies a defined low-risk onboarding threshold, falls within a permitted transaction tier, or requires enhanced due diligence. The underlying proofs, credentials, or inputs would remain private unless a higher-risk score, higher transaction threshold, or other legally relevant trigger required additional disclosure. This would preserve the risk-based structure of AML/CFT regulation while reducing the need for every financial institution to independently collect and retain the same sensitive data.
An oracle, smart contract, or other neutral computation layer on a blockchain could aggregate multiple independent credentials and behavioral proofs into a portable score. Customers would retain control over which credentials or attestations they submit to improve their score. Financial institutions and regulators could audit the scoring logic, thresholds, and accepted inputs to determine whether the process reliably satisfies AML/CFT objectives. Open-source scoring methods, public criteria, and auditable parameters would help ensure that dynamic risk scoring does not become another opaque surveillance system.
Dynamic risk-scoring is not a substitute for CDD, but it could be a way to make CDD more precise, portable, and privacy-preserving. If implemented correctly, it would allow financial institutions to rely on well-understood risk outputs, update customer risk assessments as facts change, reduce dependence on static identifiers, and reserve intrusive data collection for cases where heightened diligence is actually warranted.
IV. Demonstrable Outputs
FinCEN need not treat privacy-preserving digital identity as an abstract promise. Financial institutions should be able to demonstrate whether alternative onboarding methods achieve AML/CFT objectives while reducing the risks created by excessive collection and retention of PII. Relevant outputs could include reduced identity-related suspicious activity, fewer incidents of identity-theft-enabled fraud, stronger assurance at onboarding, lower rates of account takeover, and fewer compromises of sensitive customer data.
These metrics should be evaluated over time. A financial institution that uses portable credentials, attribute-based proofs, or dynamic risk-scoring may not show system-wide effects immediately, especially if adoption is limited. But FinCEN can structure pilots, safe harbors, and reporting expectations to compare outcomes against traditional onboarding methods. The question should be practical: does the alternative method produce equal or better AML/CFT results while creating fewer cybersecurity, fraud, and privacy risks?
FinCEN should therefore study the use of privacy-preserving digital identity in regulated financial services, including financial institutions’ onboarding. That study should assess whether data-minimized identity workflows reduce cybercrime, identity theft, account compromise, and fraud while maintaining or improving AML/CFT compliance outcomes. FinCEN could pair that study with a new FTA focused on identity-related suspicious activity, building on its 2024 FTA. Such an analysis should examine whether institutions using privacy-preserving identity tools experience different rates of identity-related suspicious activity, customer-data compromise, account takeover, and fraud than institutions relying on traditional document collection and retention.
FinCEN need not bear the full cost of this evaluation. It could begin with a low-cost RFI, followed by a narrow pilot in which participating financial institutions submit anonymized and aggregated metrics as a condition of safe-harbor participation. Relevant metrics could include onboarding completion rates, identity-related suspicious activity, account takeover, identity-theft-enabled fraud, false positives, enhanced-due-diligence triggers, data-retention volumes, and incidents involving compromised customer information.
FinCEN could also coordinate with NIST—and particularly the National Cybersecurity Center of Excellence (NCCoE)—Treasury’s innovation programs, academic researchers, and private standard-setting and civil liberties bodies23 to evaluate the technical performance of privacy-preserving identity tools. FinCEN’s role need not be to build or fund the infrastructure. It can define the AML/CFT questions, identify the compliance outputs it needs to see, and allow regulated participants and independent evaluators to generate the evidence. That approach would let FinCEN build a record for future guidance or rulemaking without creating a large new agency program.
To make that evidence possible, FinCEN should provide a clear pilot pathway and an appropriate safe harbor for financial institutions that deploy privacy-preserving identity tools in good faith, subject to defined controls, auditability, and reporting obligations. Without such protection, financial institutions will rationally continue with legacy data collection, even where less invasive methods may better serve AML/CFT goals. With time, adoption, and measurable outputs, FinCEN can determine which methods actually reduce illicit finance risk, rather than assuming that more data collection means better compliance.
Sincerely,
Lizandro Pieper
Research Director of Coin Center
Notes
- In 2024, the United States experienced 3,158 data compromises impacting 1.35 billion individuals; in 2023, 3,205 compromises impacting 353 million individuals; and in 2022, 1,802 compromises impacting 422 million individuals. Statista Rsch. Dep’t, Number of Data Breaches and Victims in the United States from 2005 to 2025, Statista (Feb. 15, 2026), https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/. “In 2024 about 48 percent of all data breach incidents in global organizations involved customer personally identifiable information (PII), thus making it the most frequently breached type of data.” Id. Financial services had the most data compromises of any U.S. industry in 2025 with 739 compromises, up from 2024. Identity Theft Res. Ctr., 2025 Data Breach Report (Jan. 2026), https://www.idtheftcenter.org/wp-content/uploads/2026/01/2025-ITRC-Annual-Data-Breach-Report.pdf. ↩
- Identity Theft Res. Ctr., 2025 Annual Data Breach Report (Jan. 2026), https://www.idtheftcenter.org/wp-content/uploads/2026/01/2025-ITRC-Annual-Data-Breach-Report.pdf. ↩
- Id. at 9. ↩
- “Social Security Numbers (SSNs): Compromises involving SSNs nearly doubled, from 1,146 in 2021 to 2,236 in 2025.” Id. at 9. “Driver’s Licenses: Jumped from 456 in 2021 to 1,094 in 2025 as the use of driver’s license information has increased with the rise of remote transactions.” Id. ↩
- Guilherme A. P. Rodrigues et al., Impact, Compliance, and Countermeasures in Relation to Data Breaches in Publicly Traded U.S. Companies, 16 Future Internet 201, 9–10 (2024), https://www.researchgate.net/publication/381199703_Impact_Compliance_and_Countermeasures_in_Relation_to_Data_Breaches_in_Publicly_Traded_US_Companies. ↩
- Yee-Yin Choong et al., Nat’l Inst. of Standards & Tech., Digital Identities: Mobile Driver’s License (mDL): Accelerating Development and Adoption of Digital Identity for Financial Institutions, NIST Special Publication 1800-42A, at __ (Initial Public Draft Mar. 2026), https://www.nccoe.nist.gov/sites/default/files/2026-03/nist-sp-1800-42a-ipd_0.pdf. ↩
- Id. at 6. ↩
- Id. ↩
- Fin. Crimes Enf’t Network, Identity-Related Suspicious Activity: 2021 Threats and Trends, FinCEN Financial Trend Analysis, Jan. 2024, at 1–2, https://www.fincen.gov/system/files/shared/FTA_Identity_Final508.pdf. ↩
- Id. at 3–4. ↩
- Id. at 8. ↩
- Id. at 5. ↩
- Fed. Bureau of Investigation, Internet Crime Complaint Ctr., 2025 Internet Crime Report 7, https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf. ↩
- Fed. Trade Comm’n, Consumer Sentinel Network Data Book 2024 6 (2025), https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf. ↩
- Fin. Crimes Enf’t Network, Identity-Related Suspicious Activity: 2021 Threats and Trends, FinCEN Financial Trend Analysis, Jan. 2024, at 3–6, https://www.fincen.gov/system/files/shared/FTA_Identity_Final508.pdf. ↩
- Supra note 15, at 83. ↩
- Id. ↩
- Id. at 65. ↩
- Fin. Crimes Enf’t Network, Identity-Related Suspicious Activity: 2021 Threats and Trends, FinCEN Financial Trend Analysis, Jan. 2024, at 6–8, https://www.fincen.gov/system/files/shared/FTA_Identity_Final508.pdf. ↩
- Id. ↩
- Id. ↩
- “Under IAL2, the user’s identity must be verified through validated documents and authoritative record checks, then cryptographically bound to a digital credential. The credential must also incorporate liveness and proof-of-possession controls to ensure that it is being used by the legitimate, live person who was originally proofed and not by a thief or an automated agent.” Peter Van Valkenburgh, Comment of Coin Center on Treasury’s Request for Comment on Innovative Methods to Detect Illicit Activity Involving Digital Assets, Coin Ctr. (Oct. 20, 2025), https://coincenter.org/comment-of-coin-center-on-treasurys-request-for-comment-on-innovative-methods-to-detect-illicit-activity-involving-digital-assets/. ↩
- Coin Center’s John Hancock Project is one example of this kind of private-sector effort. The project is intended to convene technologists, civil-liberties advocates, academics, and regulated-market participants around privacy-preserving digital identity standards, including portable credentials, attribute-based proofs, and dynamic risk-scoring mechanisms. See Peter Van Valkenburgh & Ian Miers, Tear Down This Walled Garden: American Values and Digital Identity 4, Coin Ctr. (Sept. 18, 2025), https://coincenter.org/tear-down-this-walled-garden/. ↩