The Bank Secrecy Act, Cryptocurrencies, and New Tokens: What is Known and What Remains Ambiguous
Are compliance obligations triggered when the developers of a new decentralized token protocol sell them to U.S. persons?
This report summarizes how various activities performed with cryptocurrencies and similar tokens have thus far been characterized by FinCEN and other authorities for the purposes of determining the compliance obligations of persons performing those activities under the Bank Secrecy Act. This report will also describe an area where there is great uncertainty in current law and interpretation: are BSA compliance obligations triggered when the developers of a new decentralized token protocol sell that token to U.S. persons (sometimes called a “token sale” or, more unfortunately, an “ICO”)? The report concludes by recommending that FinCEN should clarify that certain token sales are not currently subject to regulation under the BSA. Should there be a desire to regulate these activities, FinCEN must engage in a formal rulemaking.
Coin Center is a non-profit research and advocacy center focused on the public policy issues facing cryptocurrency technologies such as Bitcoin. Our mission is to build a better understanding of these technologies and to promote a regulatory climate that preserves the freedom to innovate using blockchain technologies. We do this by producing and publishing policy research from respected academics and experts, educating policymakers and the media about blockchain technology, and by engaging in advocacy for sound public policy.
A federal law, the Bank Secrecy Act (BSA),mandates that “financial institutions” (a broad category of businesses offering financial services) must collect and retain information about their customers and share that information with the Financial Crimes Enforcement Network (FinCEN), a bureau within the Department of the Treasury. The emergence of Bitcoin and follow-on decentralized crypto-tokens has raised an important question. When do businesses dealing with these new technologies fit the definition of “financial institution” and become obligated to surveil and report on their customers?
This report will summarize and analyze how various activities performed with cryptocurrencies and similar tokens have thus far been characterized by FinCEN and other authorities for the purposes of determining the compliance obligations of persons performing those activities under the Bank Secrecy Act. This report will also describe an area where there is great uncertainty in current law and interpretation: are BSA compliance obligations triggered when the developers of a new decentralized token protocolsell that token to U.S. persons (sometimes called a “token sale” or, more unfortunately, an “ICO”)?
II. The 2013 Guidance
In 2013, FinCEN published guidance on the “Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies” (“the Guidance”). The Guidance interprets rules previously promulgated by the Treasury (“the implementing regulations”) that implement the BSA.
A. Currency, Virtual Currency, and Convertible Virtual Currency
The Guidance invents a new term, “Virtual Currency,” that is not found elsewhere in the BSA or the implementing regulations. Virtual Currency is defined broadly in the Guidance to include all manner of items used as a “medium of exchange.” A narrower term, “Convertible Virtual Currency,” is defined as any virtual currency that “either has an equivalent value in real currency, or acts as a substitute for real currency.” Before we can determine the implications of this new term, we need to understand the reasoning behind its invention.
The BSA regulates “financial institutions.” The statute offers loose definitions of various sub-categories of financial institution, and grants power to the Treasury to craft new or more specific definitions through notice and comment rulemaking. In general, an inquiry into whether a person (individual or business) fits into one of several sub-categories of “financial institution” is focused on what activities that person performs (e.g. money transmission, foreign exchange, banking, etc.), and is not focused on which technologies are used to perform those activities.
However, the majority of these activities are defined in regards to exchanging, storing, or otherwise dealing with “currency,” or instruments denominated in “currency.” Currency is defined in the BSA implementing regulations as “the coin and paper money of the United States or of any other country[.]” Therefore, no activity performed using a private currency or cryptocurrency, like Bitcoin, would fit within the defined activities specifying “currency” as the medium for the activity.
The “money transmitter” sub-category of “financial institution,” however, has a broader definition. It extends to money transmission involving “currency … or other value that substitutes for currency.” Therefore, when the Guidance defines “convertible virtual currency,” it is not creating a newly regulated activity or technology-based regulation out of whole cloth, but rather clarifying why activities performed using Bitcoin or any other currency substitute may fit within the existing definition of “money transmission” in the implementing regulations. As an important aside, money transmitters, along with a few other types of person (e.g. prepaid providers) fall into a broader category of “money services business” (“MSB”), which in turn is one of several categories of “financial institution.” Because of this nesting, FinCEN, in guidance or administrative ruling, may refer to a virtual currency business as a “money transmitter” or as a “money services business” alternatively. For our purposes, the terms are interchangeable.
The definition of convertible virtual currency is deliberately broad and can easily be applied to describe cryptocurrencies (e.g. Bitcoin), as well as Bitcoin-like tokens as found in other open blockchain protocols (e.g. Ether, XRP, and others). A token need not be designed to play a currency-like role in order to qualify; it need only (as per the definition of money transmission) be used as “value” that “substitutes for currency.” The fact that a token was invented to accomplish a highly technical non-currency result (e.g. tallying votes amongst computers in a decentralized consensus protocol) will not undo that token’s eligibility for classification as a convertible virtual currency, if it is also used as a medium of exchange and can be a substitute for real currency.
With this perfunctory matter of terminology out of the way, the Guidance then turns to the question of which persons dealing with convertible virtual currencies fit within the money transmitter sub-category of BSA-regulated financial institutions.
B. Exchangers, Users, and Administrators.
The Guidance creates and defines three categories of persons: administrators, exchangers, and users. It explains why only administrators and exchangers qualify as money transmitters and are therefore subject to BSA obligations.
Exchangers. With respect to exchangers, the Guidance reads:
An exchanger is a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency.
An ... exchanger that (1) accepts and transmits a convertible virtual currency or (2) buys or sells convertible virtual currency for any reason is a money transmitter under FinCEN’s regulations.[and]
It’s critical to read these two sections together to avoid confusion, but the result of that careful reading is clear enough. Here are the essential points:
- You are an “exchanger” only if you run a business. The definition of “exchanger” requires that one be “engaged as a business in the exchange of virtual currency” so it does not include individuals buying or selling bitcoin as a personal investment or for other personal purposes.
- You are only a “money transmitter” if you are an “exchanger” that “accepts and transmits” or “buys and sells” bitcoins or another virtual currency. “Accepts and transmits” means you take bitcoin from one customer and send it (presumably on their behalf) to another person or persons. Note that you have to do both, accept and transmit. So if you only accept bitcoin from someone (possibly in return for a good or service) then you are not a money transmitter. Similarly, if all you do is give bitcoin to someone else (again in return for a good or service, or perhaps as a gift) then you are also not a money transmitter. That said, you are a money transmitter if you are an exchanger who “buys and sells . . . for any reason.” So, providing a brokerage or exchange service for customers qualifies as money transmission.
- If you are a money transmitter, then you must comply with the obligations that the BSA and FinCEN place on those types of businesses. Those obligations are the same as those with which companies like PayPal and Western Union have had to comply for decades. They are, generally, three-fold: (1) register with FinCEN; (2) have a risk-based know-your-customer (KYC) and anti-money-laundering (AML) program; and (3) file suspicious activity (SARs).
Users. Our interpretation of exchanger is reinforced by the definition of a user in the Guidance:
A user is a person that obtains virtual currency to purchase goods or services.
And there is a clear statement that users are not money transmitters under the relevant regulations and have no FinCEN compliance obligations:
A user of virtual currency is not an MSB under FinCEN’s regulations and therefore is not subject to MSB registration, reporting, and recordkeeping regulations.
Nonetheless, this definition of user can be a bit confusing because it seems to imply that for someone to be a user (and thus not a money transmitter), she must obtain bitcoin for the sole and express purpose of purchasing goods or services and not anything else, like investing, making a gift or political contribution, or any other non-exchange-business reason. The problem is that if you are buying or selling your own bitcoins for your own personal uses but not, specifically, to “purchase goods or services,” then under a strict interpretation of the definition you are neither an exchanger (because you are not engaged as a business in exchange) nor a user (because you are not using the bitcoins to buy or sell goods or services). You are an undefined actor according to a strict reading of the Guidance, and your compliance obligations are unclear.
Administrators. This final category of actors is actually less important to users and developers of technologies like Bitcoin because a plain interpretation suggests it only relates to centralized virtual currencies that predated Bitcoin, such as E-gold or Liberty Reserve.
The Guidance defines administrator as follows:
An administrator is a person engaged as a business in issuing (putting into circulation) a virtual currency, and who has the authority to redeem (to withdraw from circulation) such virtual currency.
To fit into that definition you must be able to both issue and redeem the currency. Let’s say that I create a new virtual currency modeled on Bitcoin and that I premine a certain number of coins for myself and then release the software and sell some of my coins to interested buyers. At this point, perhaps I have “issued” new virtual currency. But, can I also “redeem” that currency? If, like Bitcoin, the network is decentralized, then I have no ability (much less “authority” as the definitions states) on that network to seize (withdraw from circulation) and redeem coins that are now held by users of the network. Contrast that with a centralized virtual currency like E-gold or Liberty Reserve where, because I am the party keeping the authoritative record of transactions on the network, I can always redeem the currency as well as issue it.
Our use of the terms centralized and decentralized and their use in making these distinctions is also in keeping with the spirit of the Guidance. Both centralized and decentralized virtual currency are described in the Guidance, and—with respect to centralized virtual currencies—their administrators are classified as money transmitters:
The second type of activity involves a convertible virtual currency that has a centralized repository. The administrator of that repository will be a money transmitter to the extent that it allows transfers of value between persons or from one location to another.
Given all this, we can see that administrators only exist in the centralized virtual currency context, so we don’t need to discuss them with respect to decentralized virtual currencies like Bitcoin, Ethereum, or Zcash where, once released, the units of cryptocurrency are out of the control of the developers and maintainers of the network.
In total, we can summarize the 2013 Guidance with respect to four key points:
- There are no administrators in the decentralized cryptocurrency/token space. So the key question for our purposes will always be: who qualifies as an exchanger and who qualifies as a user?
- Exchangers are persons in the business of running an exchange service who either “accept and transmit” bitcoins or similar tokens or “buy or sell” bitcoins or similar tokens. These persons will be treated as money transmitters and must register, collect information about their users, and do other BSA-related compliance.
- Users are persons who obtain bitcoins or tokens solely to purchase goods or services. These persons do not qualify as money transmitters, but it is unclear if the category is intended to cover all persons using bitcoins or tokens who are not exchangers, or if the category is strictly limited to individuals purchasing goods or services with bitcoins or other tokens.
- If users is narrowly interpreted, then there are a host of other persons, including software developers and investors, who are not exchangers as defined and also not users as defined, and the guidance is silent regarding their status as money transmitters.
III. Later Administrative Rulings and Settlements
Since 2013, FinCEN has issued several administrative rulings clarifying how the original Guidance applies to specific fact patterns described by companies who have sought clarification. Additionally, in 2015 FinCEN reached a settlement with Ripple Labs that also includes an interpretation of the Guidance that may be relevant to other companies in the space.
A. 2014 Software and Investment Administrative Ruling
In 2014, FinCEN, in an administrative ruling (the Software and Investment Ruling), clarified how software development relates to the Guidance:
The production and distribution of software, in and of itself, does not constitute acceptance and transmission of value, even if the purpose of the software is to facilitate the sale of virtual currency.
This interpretation makes it clear that software development alone cannot rise to the level of money transmission. It’s unclear whether we would call developers users but the result is the same; they are not subject to BSA regulation.
The Software and Investment Ruling also seemingly expanded the category of user with respect to investment activities:
[W]hen the Company invests in a convertible virtual currency for its own account, and when it realizes the value of its investment, it is acting as a user of that convertible virtual currency within the meaning of the guidance. As a result, to the extent that the Company limits its activities strictly to investing in virtual currency for its own account, it is not acting as a money transmitter and is not an MSB under FinCEN’s regulations.
So, buying and selling as an investment for yourself does not qualify as being an exchanger. As long as you are dealing only with your own virtual currency, and not acting as a third-party intermediary for others (e.g. running an exchange as a business), you are not a money transmitter and are not subject to FinCEN rules.
Note that this administrative ruling was offered to a “company,” not an individual, so this exemption does not depend on the entity in question being an individual rather than a business operating for profit. If you run a business that has invested in bitcoin and you sell those investments for profit, then you are an unregulated user not a regulated exchanger. If you run a business, however, that is explicitly engaged in helping others buy, sell, or send bitcoin or another decentralized token, then you are a regulated exchanger and do need to register with FinCEN and comply with its rules.
B. Ripple Labs Settlement
In May of 2015, FinCEN reached a settlement agreement with Ripple Labs, a company that builds products utilizing the decentralized cryptocurrency known as XRP. In the settlement agreement’s “Statement of Facts and Violations,” the following activity is described as a violation of the Bank Secrecy Act as interpreted by the Guidance:
Notwithstanding the Guidance, and after that Guidance was issued, Ripple Labs continued to engage in transactions whereby it sold Ripple currency (XRP) for fiat currency (i.e., currency declared by a government to be legal tender) even though it was not registered with FinCEN as an MSB. Throughout the month of April 2013, Ripple Labs effectuated multiple sales of XRP currency totaling over approximately $1.3 million U.S. dollars.
So the violation addressed by the settlement was apparently a sale of XRP by Ripple Labs. To be clear, Ripple Labs was selling tokens (XRP) that it, the company, owned. Ripple Labs was not an intermediary selling on behalf of someone else. This could indicate that merely selling tokens on your own account qualifies you as an exchange, seemingly contradicting the interpretation in the Software and Investment Ruling.
The Ripple settlement Statement of Facts and Violations also lists other things that Ripple did under the subheading “violations”:
Ripple Labs has previously described itself in federal court filings and in a sworn affidavit as “a currency exchange service providing on-line, real-time currency trading and cash management . . . . Ripple facilitates the transfers of electronic cash equivalents and provides virtual currency exchange transaction services for transferrable electronic cash equivalent units having a specified cash value.”
But note that this paragraph sets forth how Ripple Labs described itself; it does not state anything Ripple Labs actually did. At no point does the Settlement Agreement or its Statement of Facts and Violations explain how these self-descriptions amounted to a violation.
It is true that Ripple (the network) is more complicated than Bitcoin as far as marketing and technical capacities are concerned because the Ripple network uses “gateways” to move not just XRP but also a range of foreign currencies on behalf of the network’s users. It is also true that these gateways are exchanging electronic cash equivalents and foreign currencies as a business for their customers (which fits our understanding of the definition of exchanger quite well). But Ripple Labs doesn’t (and never did) run or endorse those gateways, and none of these additional facts and details about the Ripple protocol are listed as violations in the settlement. So, the only putative violation of the Guidance and the Bank Secrecy Act set forth in the settlement agreement is the sale of XRP described above.
Does the Ripple Settlement contradict the Software and Investment Ruling? At what point is selling from your own account something that you can do as an unregulated user, and when does it rise to the level of you becoming an exchanger? What made Ripple Labs different than the company in the Software and Investment Ruling that sold Bitcoin from its own account?
At this point it is important to note that what we are discussing is a settlement agreement, not a court judgement. FinCEN is agreeing with Ripple Labs in this document not to prosecute Ripple Labs for “any of the conduct described in the statement of facts.” This means that the interpretation of the Guidance as found in the settlement is not precedential; it binds only Ripple Labs and FinCEN with respect to prosecuting Ripple Labs. If a different company engages in similar behavior in the future but chooses not to settle, then FinCEN would have to elaborate on its claims and clarify which specific acts were actually money transmission and which were not. That hasn’t happened, however, and the 2015 settlement order, as it stands, seems to contradict the Software and Investment Ruling at least as far as selling from one’s own account is concerned. Two years on, this ambiguity has not been clarified.
IV. Applying the Guidance to various persons in the cryptocurrency space.
There are a wide variety of businesses in the cryptocurrency space. Some will fit into the definition of exchanger and they will need to register with FinCEN and comply with KYC/AML requirements. Some will fit into the definition of user and they will not need to register or comply with KYC/AML requirements. None of the companies or individuals in the decentralized cryptocurrency space will fit the definition of administrator.
To make this discussion clear we need categories of our own to describe the various business models that might or might not fit into the definition of exchanger or user. We can use the following categories:
- Custodial Exchange — A company that connects token/bitcoin buyers and sellers, holds their tokens/bitcoin as a custodial intermediary during the exchange, and/or acts as a broker.
- Non-custodial Exchange — A company that allows buyers and sellers to post and accept offer messages, communicate, and find each other for direct peer-to-peer transactions used to settle a trade.
- Non-custodial Wallet Developer — A company that makes, updates, and services software that allows individuals to hold their own tokens/bitcoins locally on their personal devices.
- Full Node or Miner — A company or individual that runs bitcoin or other decentralized token network software that relays signed transaction messages and/or writes new blocks to the network’s blockchain.
- New Token Developer — A company or individual that creates software that, when run by a network of peers, creates a new decentralized token like bitcoin.
- New Token Developer and Seller — A token developer, as described above, who also sells some initial distribution of the token to interested buyers.
Now we’ll take each of these categories and see if they fit the definition of exchanger and therefore will be a money transmitter that needs to register and comply, or if they fit the definition of user and therefore clearly do not need to comply.
A custodial exchange will definitely be an exchanger and a money transmitter according to the guidance. Such a company runs an exchange service as a business and both “buys and sells” bitcoin and “accepts and transmits” bitcoin for their users (rather than merely for their own account). This is not a debated or contested interpretation and, indeed, major custodial exchanges in the U.S. are registered with FinCEN.
An analysis of the implementing regulations leads us to a similar conclusion, albeit via a more complicated path. The foundational question remains, does the custodial exchange “accept and transmit” bitcoin for their users? “Accept” is not defined in the BSA, but it is a defined term in the implementing regulations:
A receiving financial institution, other than the recipient's financial institution, accepts a transmittal order by executing the transmittal order. A recipient's financial institution accepts a transmittal order by paying the recipient, by notifying the recipient of the receipt of the order or by otherwise becoming obligated to carry out the order.
This definition is heavily reliant on the term “transmittal order” so we should also take a look at the implementing regulations’ definition of that term:
The term transmittal order . . . is an instruction of a sender to a receiving financial institution, transmitted orally, electronically, or in writing, to pay, or cause another financial institution . . . to pay, a fixed or determinable amount of money to a recipient if:
(1) The instruction does not state a condition to payment to the recipient other than time of payment;
(2) The receiving financial institution is to be reimbursed by debiting an account of, or otherwise receiving payment from, the sender; and
(3) The instruction is transmitted by the sender directly to the receiving financial institution or to an agent or communication system for transmittal to the receiving financial institution.
A bitcoin transaction, if it is sent from one custodial exchange to another may fit this definition of transmittal order, and the sender’s exchange may then be said to “accept and transmit” the bitcoins. For example, let’s say Alice wants to use bitcoin to pay for shoes sold by a merchant. Let’s assume that Alice uses Coinland (a fictional custodial exchange) to safekeep her bitcoins. To pay for the shoes, Alice will use an application on her phone to ask Coinland to send some amount of those bitcoins to a bitcoin address that was provided to her by the shoe merchant. Let’s say the shoe merchant uses a different custodial exchange, Bitprocess (another fictional company) to accept bitcoin payments. In this case, there is a colorable argument that Coinland has been instructed by Alice to cause another financial institution, Bitprocess, to pay or become obligated to pay a designated amount of Bitcoin to the merchant. Coinland executes that order. Coinland’s activity in the transaction may fit the definition of “accept” in the implementing regulations.
A non-custodial exchange is probably not an exchanger or a money transmitter. If, like Craigslist or any other online classified advertising service, the business merely helps individual buyers and sellers find and communicate with each other, then it is never “accepting and transmitting” tokens or bitcoins for its users, nor is it “buying or selling” tokens or bitcoins. It may be commonly understood as an exchange because it deals in exchange-related information (e.g. order-books, offers, acceptances, communications between buyers and sellers) but it, as a company, is never doing the actual currency conversion or handling the actual tokens or money; that all happens peer-to-peer.
Another way to characterize what these companies do is: development of a web-based software tool (e.g. a website) that facilitates peer-to-peer exchange. As we discussed earlier, FinCEN’s Software and Investment Ruling describes mere software development and distribution as outside the scope of BSA regulation.
Additionally, the individual buyers and sellers, assuming they are merely opening or closing their own personal investment positions, will likely be found to be users as per the Software and Investment Ruling. This will almost certainly be the case if both the buyer and seller are merely exchanging bitcoin to and from their personal software wallets (i.e. a truly peer-to-peer transaction without a custodial intermediary involved). If, however, while negotiating a sale of Bitcoin either the buyer or seller knows that they are helping their counterparty move money into or out of a custodial exchange for particular purposes (especially illicit purposes) then they may be treated as an exchanger. There will be more on this question later, in a section on applicable case law.
A non-custodial wallet developer is likely not an exchanger or a money transmitter. This company does not buy and sell tokens or bitcoins, but they do help individuals hold and transmit their own tokens or bitcoin by building and supporting software tools (e.g. wallet apps). The operative question here is, again, whether the developer of the software ever “accepts and transmits” the bitcoin or tokens. The Software and Investment Ruling indicates that FinCEN would not treat this activity as money transmission because the wallet developer is engaging only in the “production and distribution of software.”
Recall our previous discussion of custodial exchanges and the hypothetical where Alice is paying a merchant for shoes using bitcoin. Imagine that Alice was not using a custodial wallet provider to hold her bitcoins and initiate transactions. Imagine, instead, that she was initiating the transaction herself by running non-custodial wallet software on a smartphone she carries with her. In this case, Alice, herself, is sending bitcoins to an address controlled by Bitprocess, and Bitprocess is obligated to pay those bitcoins to the merchant. The developer who wrote the software that Alice runs on her phone has not been ordered to do anything with respect to this payment, and—indeed—they are likely unaware of the payment and have no power or obligation to execute a transmittal order or otherwise cause Bitprocess to pay the Merchant; Alice has that power.
Bitprocesss, as the merchant’s custodial exchange, is a money transmitter, but the company that developed the software Alice uses is not. The developers simply built the tools that allowed Alice to compose and broadcast bitcoin transaction messages on the peer-to-peer network. She does this using her phone all by herself and without an intermediary acting on her behalf.
This interpretation of “accept” can be buttressed with a look at how acceptance is understood in other legal realms. For example, acceptance is a well understood concept in the law of contracts and delivery of physical goods. A token or bitcoin is not a perfect analog for a physical good, and contract law is not a perfect analog for administrative law dealing with money transmission regulation. However, in these legal traditions “acceptance” is something that happens after delivery and only once there has been reasonable opportunity to inspect and reject the item. At the very least we would expect that for there to be an acceptance of bitcoin or tokens, the recipient should be given actual control or possession of the tokens (something akin to “tender of delivery”) and they should have and retain the ability to determine the future of token’s disposition—e.g. they can unilaterally send them to someone else or withhold them from others indefinitely. A person who merely designs and distributes wallet software will not have access to the data essential to controlling the bitcoins or tokens kept in that wallet—i.e. the private keys—therefore they never will have accepted anything from the users of their software products and should not fit the definition of an exchanger or money transmitter.
A person running a full node or a miner is not an exchanger or a money transmitter. These persons run computers that relay signed transaction messages throughout the network and, in the case of miners, they may bundle signed transactions into a block for addition to the blockchain. While this activity bears a superficial resemblance to financial intermediaries relaying bank wires, the nature of cryptocurrency networks means that none of these participants ever actually accepts the tokens. Only the person designated by the sender as the recipient in a cryptocurrency transaction message can ever spend the funds. Merely relaying or intercepting the transaction message does not grant the full node or miner any actual control over the cryptocurrency being sent.
“Acceptance” also has a legal definition in the payments context, and it is generally understood as: “the receipt of a check or other negotiable instrument by a bank or another drawee.” A bitcoin transaction message received or broadcast by a full node is not a “negotiable instrument” because it is not an “unconditional promise or order to pay a fixed amount of money.” If I try to send you a bitcoin, but my transaction message doesn’t get relayed or included in a block, I am not in breach of any promise to pay you (assuming we don’t have any other agreements outside of my broadcasting the message on the bitcoin network).
Finally, there’s the question of a miner who is rewarded with new bitcoins for maintaining the network (as per the cryptocurrency’s new-money-creation schedule). If the miner uses these bitcoins to buy new mining hardware for its business, are they an exchanger or a user? Clearly they are a user because they fit the basic definition: “A user is a person that obtains virtual currency to purchase goods or services” and FinCEN, in another administrative ruling (Mining Ruling), also made it clear that “obtains” can be by any means, including mining:
How a user obtains a virtual currency may be described using any number of other terms, such as “earning,” “harvesting,” “mining,” “creating,” “auto-generating,” “manufacturing,” or “purchasing,” depending on the details of the specific virtual currency model involved. The label applied to a particular process of obtaining a virtual currency is not material to the legal characterization under the BSA of the process or of the person engaging in the process to send that virtual currency or its equivalent value to any other person or place. What is material to the conclusion that a person is not an MSB is not the mechanism by which a person obtains the convertible virtual currency, but what the person uses the convertible virtual currency for, and for whose benefit.
But what if this miner goes and sells the tokens they mined for dollars; are they now an exchanger? The Software and Investment Ruling suggests that the miner is merely selling from her own account and is, therefore, excluded. And the Mining Ruling was specifically directed at a company with this exact fact pattern:
From time to time, as your letter has indicated, it may be necessary for a user to convert Bitcoin that it has mined into a real currency or another convertible virtual currency, either because the seller of the goods or services the user wishes to purchase will not accept Bitcoin, or because the user wishes to diversify currency holdings in anticipation of future needs or for the user’s own investment purposes. In undertaking such a conversion transaction, the user is not acting as an exchanger, notwithstanding the fact that the user is accepting a real currency or another convertible virtual currency and transmitting Bitcoin, so long as the user is undertaking the transaction solely for the user’s own purposes and not as a business service performed for the benefit of another. A user’s conversion of Bitcoin into a real currency or another convertible virtual currency, therefore, does not in and of itself make the user a money transmitter.
FinCEN has been very clear about miners; they are users, not exchangers, and they are not subject to BSA financial surveillance requirements. It is reasonable that the same analysis would apply to stakers in a proof-of-stake decentralized token scheme, or other participants on a decentralized computing system who are automatically rewarded with tokens for their honest maintenance of the network infrastructure.
A new protocol developer who does not sell tokens to others but, instead, gives them away or distributes them through mining (e.g. Bitcoin’s release schedule) is likely not an exchanger or a money transmitter for the same reasons as the non-custodial wallets and exchanges described above. As per the Software and Investment Ruling, this person or company is only engaged in the “production and distribution of software” and they do not “accept and transmit” tokens or bitcoins for others.
A new protocol developer who also sells their protocol’s tokens may or may not be an exchanger under the Guidance. This area is extremely uncertain and warrants further analysis. As we previously discussed, according to the Software and Investment Ruling, a company that sells virtual currency from its own account is treated by FinCEN as a user. In the context of creating a new virtual currency or token, the creator is selling from their own account when they sell something they created. It would therefore seem clear that a person developing and selling new bitcoin-like tokens is not a money transmitter because they fit into the expanded understanding of user according to FinCEN’s administrative rulings, which would save them from being classified as regulated exchangers.
Unfortunately, given the Ripple Settlement, it’s not that simple. In that settlement, FinCEN alleged that Ripple Labs, merely by selling XRP that it owned as a business, qualified as an exchanger and therefore a money transmitter.
One might try and square this circle by suggesting that the Software and Investment Ruling only applies to companies that are making and then selling investments in bitcoin or tokens, and doesn’t apply to persons that have bitcoins or tokens for reasons other than investment (e.g. development, experimentation, etc). However, recall that in the Mining Ruling FinCEN explained how selling from one’s own account does not qualify as being an exchanger and suggested that how one obtains the tokens before selling them is immaterial to the question:
The label applied to a particular process of obtaining a virtual currency is not material to the legal characterization under the BSA of the process or of the person engaging in the process to send that virtual currency or its equivalent value to any other person or place. What is material to the conclusion that a person is not an MSB is not the mechanism by which a person obtains the convertible virtual currency, but what the person uses the convertible virtual currency for, and for whose benefit.
And that ruling suggested that “creating” is one of the descriptive labels that fall within the term “obtaining” tokens. A developer that pre-mines tokens running on a decentralized network of its own design is, almost certainly, “creating” those tokens. If they then sell them, how is that distinguishable from a mining company that sells bitcoin on its own account? This is unclear.
V. New Token Sales: An answer in the regulations?
At this point we’ve reached the end of the guidance material that's probably helpful to discuss. Guidance is merely the agency’s interpretation of the actual laws that control—laws that were passed by Congress and that FinCEN is tasked with enforcing (not creating or reinventing). In the case of the 2013 Virtual Currency Guidance, we are actually two steps removed from the statute. The Guidance interprets FinCEN’s previously promulgated rules found in the Code of Federal Regulations (31 CFR Part 1010), which, in turn, interpret and implement the actual law passed by Congress, the Bank Secrecy Act.
The implementing regulations have this definition of money transmission:
The term “money transmission services” means the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.
Let’s analyze this by looking at a hypothetical: Let’s say Alice develops a brand new decentralized virtual currency, pre-mines some units of virtual currency for herself (let’s call them AliceCoins), and then sells some AliceCoins to her friend Bob, who’d like to invest in AliceCoin, for dollars in a face-to-face cash transaction. Is Alice a money transmitter? Let’s walk through the questions in the analysis:
Has she “accepted” currency from one person? Yes, Bob gave her dollars.
Has she transmitted a currency substitute to another person? No, she gave some AliceCoin (which might be a currency substitute) to the same person, Bob, who gave her the dollars.
Has she transmitted AliceCoin to another location? To answer that question we must understand what the regulation is trying to achieve by specifying “from one location to another.”
Generally, this language is used to describe a company that helps a person move money from a bank account they have in one country, say the United States, to a bank account they have in another country, say Switzerland. The money is transmitted from one location to another even if it is not transmitted to another person but to an account the same person controls.
Asking whether someone has moved virtual currency between two locations, however, is a very, very strange question in the context of decentralized virtual currency networks. There really is no location within which the virtual currency can ever be said to exist. Is it in the blockchain? In a way, yes, but not really. The blockchain is just a list of past transactions that involve the currency; it doesn’t have any currency inside of it; it is a data structure. Where is the blockchain? It is simultaneously replicated across every computer on the decentralized network, which could easily be most countries in the world simultaneously. In our Alice and Bob example, is that blockchain another location? If so, what was the first location for the transaction? Is it wherever Alice and Bob were standing in our face-to-face AliceCoin sale? What if the sale isn’t in person? What if Alice is negotiating with Bob over the Internet and one of them is in New York while the other is in California. Which is the first location?
It could also be said that an amount of virtual currency exists in the form of knowledge kept secret by a person. When Alice sends Bob some AliceCoins she’s sending them to an AliceCoin address that was generated by Bob’s smartphone or laptop along with the private key that is required to move those AliceCoins in the future. So is the first location the place they are meeting (where Bob’s cash changed hands) and the second location Bob’s phone, which generated and holds the private keys?
And yes, you can definitely use decentralized virtual currency networks to transmit value across an ocean, but it’s the decentralized network that is performing that function for you, or it might be said that you are performing that function for yourself when you cross national borders with a bitcoin software wallet on your phone, but it’s certainly not the creator of the virtual currency who performs that function.
This all reads more like a bad metaphysics treatise than a legal analysis with serious criminal consequences.
Even if we accept that the location has changed between the dollars in hand to the private keys in phone, and even if we accept that this is a “transmission” that must only be performed by entities that are collecting information about their counterparties, how do we square this with the previous administrative rulings and the Ripple Settlement? How is anyone selling any virtual currency for any reason not always doing money transmission? Maybe they always are unless FinCEN decides they are not, but that would be an alarmingly arbitrary way to do regulation.
VI. New Token Sales: An answer in the case law?
There is only one judicial opinion, U.S. v. Faiella, that explicitly offers an interpretation of what “accept and transmit” means in the context of people selling tokens on their own account. The defendant, Faiella, was selling his own bitcoin's peer-to-peer in exchange for dollars. Faiella argued that he was merely selling on his own account. The court, however, found that he was engaged in money transmission because he was, in fact, acting as an exchange intermediary between his customers (the individual buyers) and the Silk Road (an online drug marketplace that held individual bitcoin accounts for its users). Here’s the court’s reasoning (emphases added):
Defendant argues that while Section 1960 requires that the defendant sell money transmitting services to others for a profit, see 31 C.F.R. § 1010.100(ff)(5)(1)(2013) (defining “money transmission services” to require transmission of funds to “another location or person”), Faiella merely sold Bitcoin as a product in and of itself. But, as set forth in the Criminal Complaint that initiated this case, the Government alleges that Faiella received cash deposits from his customers and then, after exchanging them for Bitcoins, transferred those funds to the customers’ accounts on Silk Road. Ind. ¶ 5; Complaint ¶¶ 14, 17-18. These were, in essence, transfers to a third-party agent, Silk Road, for Silk Road users did not have full control over the Bitcoins transferred into their accounts. Rather, Silk Road administrators could block or seize user funds. I, Complaint ¶¶ 29, 41. Thus, the Court finds that in sending his customers’ funds to Silk Road, Faiella “transferred” them to others for a profit.
Reasoning in the negative, this would indicate that selling directly to a buyer, rather than serving as an intermediary between a buyer and another custodial institution, would not be transmission of funds to “another location or person.” However, that interpretation likely stretches the court’s reasoning to cover facts and situations that it did not contemplate.
Now, you might say, we need to look to the statute if the Guidance, the rulings, the regulations, and the case law are all unclear. Unfortunately, that’s not how the Bank Secrecy Act works. That law merely tells the Department of Treasury and FinCEN to define a set of actors that are “Financial Institutions” and then to make them comply with anti-money-laundering recordkeeping and reporting requirements. It is silent on more specific questions such as these. As a result, we are left having surveyed all the relevant legal sources and we still do not have a clear understanding of when selling a decentralized currency you own and helped develop constitutes money transmission.
VII. Conclusions and Recommendations
FinCEN’s Virtual Currency Guidance brought much needed certainty to cryptocurrency innovators in 2013. It clearly settled what was at the time the most fundamental question facing persons using or interested in using these networks: will I need to register with FinCEN and comply with the BSA if I’m helping others exchange their Bitcoin for dollars or other cryptocurrencies? The answer was yes, exchangers are money transmitters. Subsequent administrative rulings clarified several remaining ambiguities: miners are not money transmitters, neither are investors or software developers.
In 2017, however, with token sales and new decentralized token development accelerating, a remaining grey area threatens to dampen innovation in the US by casting a shadow of legal risk and uncertainty across some of the most exciting new projects in the ecosystem. Are the developers of a new decentralized token protocol also money transmitters if they sell their tokens to U.S. citizens? Applicable administrative rulings, the Guidance, the case law, and the Ripple Settlement Agreement point to different possible answers and none offer any certainty.
Common understanding suggests that money transmission is an act performed by an intermediary, a person who stands between two parties accepting money from one and transmitting it to another. When a person transacts directly with another person, giving them money for any reason—as a gift, a payment, a donation, a grant, a tip—she does not play this intermediary role. She does not hold herself out as a trusted third party. She is engaged in private, personal transactions rather than being engaged as a third party to the transactions of others.
Deputizing third-party intermediaries to surveil their users on behalf of the government is a policy choice Congress made long ago; one that carries risks to individual privacy but also potential benefits to national security and peace. It’s a tradeoff Congress made back in the 1970s and it isn’t going away anytime soon. However, mandating the same kind of surveillance from individuals who are not intermediaries—who are merely transacting on their own account with another citizen—is a considerable recalibration of the balance between privacy and security. It tips the scales against personal privacy and may even be unconstitutional.
This is not a recalibration that should be made merely by issuing administrative rulings or guidance, the approach thus far taken by FinCEN when dealing with these questions. Instead, FinCEN should clarify that selling decentralized virtual currency on one’s own account does not constitute money transmission, regardless of whether the purpose of that sale is to pay a merchant, to sell tokens received through mining, or—indeed—to sell one’s own newly invented decentralized token.
Should FinCEN or Congress wish to regulate this activity for financial surveillance purposes, that change must be the subject of a larger, more public debate within a notice and comment rulemaking or an amendment to the statutory law itself. Only those formal processes can enable necessary debate over financial surveillance and the constitutionality of warrantless search.
 31 USC §§ 5311-5332.
Id. at §5321(a)(2)
 FinCEN is a Bureau within the Treasury established by order of the Secretary of the Treasury (Treasury Order Numbered 105-08).
 There are multiple different projects that use open source software to create a public network on the internet capable of recording and verifying important data shared between the network’s participants. If that shared data is related to a ledger of transactions made in a native token we often call these systems cryptocurrency networks. Bitcoin was the world’s first cryptocurrency, and several similar projects have followed. However, the tokens described on that ledger need not be used as currency. Just as tokens and other bearer instruments in real life can represent various entitlements (e.g. theater tickets, vouchers, stock and bond certificates, etc.) so too can tokens described by a decentralized ledger maintained by an open network of participants. A list of many active token projects can be found at http://coincap.io. For more on building a token project on top of Ethereum’s existing decentralized computing infrastructure, see Peter Van Valkenburgh, “What does it mean to issue a token ‘on top of’ Ethereum?” Coin Center (May 2017) https://coincenter.org/entry/what-does-it-mean-to-issue-a-token-on-top-of-ethereum.
 See Smith + Crown, What is a token sale (ICO)? (last accessed May 2017) https://www.smithandcrown.com/what-is-an-ico/.
 Department of the Treasury Financial Crimes Enforcement Network, FIN-2013-G001 Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies (March 18, 2013) available at https://www.fincen.gov/sites/default/files/shared/FIN-2013-G001.pdf.
 31 CFR §§ 1010-1060
 Guidance supra note 6 at 1 (“In contrast to real currency, “virtual” currency is a medium of exchange
that operates like a currency in some environments, but does not have all the attributes of real
currency. In particular, virtual currency does not have legal tender status in any jurisdiction.”).
Id. (“This guidance addresses “convertible” virtual currency. This type of virtual currency either has
an equivalent value in real currency, or acts as a substitute for real currency.”).
 31 USC § 5312(a)(2).
 31 USC § 5312(a)(2)(Y).
See e.g. 31 CFR § 1010.100(ff)(1) where FinCEN defines a “dealer in foreign exchange” as a “person that accepts the currency, or other monetary instruments, funds, or other instruments denominated in the currency, of one or more countries in exchange for the currency, or other monetary instruments, funds, or other instruments denominated in the currency, of one or more other countries in an amount greater than $1,000 for any other person on any day in one or more transactions, whether or not for same-day delivery.”
Id. at § 1010.100(m)
 Additionally, according to the FinCEN guidance, virtual currency activities do not fall within the definition of prepaid access providers. See Guidance supra note 6 at note 18 (explaining that “‘prepaid access’ under FinCEN’s regulations is limited to ‘access to funds or the value of funds.’ If FinCEN had intended prepaid access to cover funds denominated in a virtual currency or something else that substitutes for real currency, it would have used language in the definition of prepaid access like that in the definition of money transmission, which expressly includes the acceptance and transmission of “other value that substitutes for currency.”).
 Implementing Regulations supra note 7 at § 1010.100(ff)(5).
Id. at § 1010.100(ff).
 Guidance supra note 6 at 2.
Id. at 3-5.
Id. at 3.
 Guidance supra note 6 at 2.
 Guidance supra note 6 at 2.
Id. at 4-5.
Id. at 4.
 FinCEN’s administrative rulings are available at https://www.fincen.gov/resources/statutes-regulations/administrative-rulings.
 FinCEN, FinCEN Fines Ripple Labs Inc. in First Civil Enforcement Action Against a Virtual Currency Exchanger (May 5, 2015) available at https://www.fincen.gov/news/news-releases/fincen-fines-ripple-labs-inc-first-civil-enforcement-action-against-virtual.
 FinCEN, FIN-2014-R002 Application of FinCEN’s Regulations to Virtual Currency Software Development and Certain Investment Activity (January 30, 2014) https://www.fincen.gov/sites/default/files/shared/FIN-2014-R002.pdf, [hereinafter Software and Investment Ruling].
Id. at 2.
Id. at 4.
 FinCEN, FinCEN Fines Ripple Labs supra note 34.
 FinCEN, ATTACHMENT A: STATEMENT OF FACTS AND VIOLATIONS (May 5, 2015) available athttps://www.fincen.gov/sites/default/files/shared/Ripple_Facts.pdf [hereinafter Statement of Facts].
Id. at ¶ 20.
Id. at ¶ 16.
See Ripple Labs, Becoming a Ripple Gateway (last accessed May, 2017) https://ripple.com/build/gateway-guide/#ripple-gateways-explained.
See infra pp. 7-8.
 This category could describe Craigslist or any other generalized online classified advertising service. Similarly, it could described a classified advertising service specializing in placing advertisements for offers to sell or buy bitcoins.
See, e.g., https://www.fincen.gov/fcn/financial_institutions/msb/msbstateselector.html#
 Implementing Regulations supra note 7 at § 1010.100(a).
 Implementing Regulations supra note 7 at § 1010.100(eee).
 This is, admittedly, an awkward fit. In reality, Alice did not instruct Coinland to do anything other than send some bitcoins to a bitcoin address. Bitcoin addresses will generally look something like this:
And Alice’s instruction to pay this address would generally not be accompanied by any other information about the recipient, our merchant. In this sense it is strange to suggest that Coinland has been instructed to cause Bitprocess to do anything. Coinland doesn’t know anything about Bitprocess or the merchant, or even that either of those parties are at the other end of the bitcoin address. Alice has simply asked Coinland to send bitcoins to a bitcoin address. It is difficult to find an accurate metaphor, however, it would not be dissimilar than imagining that (in a future that involves physical teleportation) a bank customer ordered their bank to teleport cash to a particular set of geographic coordinates that just so happens to be the vault of another person’s bank. The bank initiating the teleportation of the cash knows nothing about the recipient or the recipient’s bank, it only knows that it has been ordered by its customer to teleport her cash to a set of coordinates.
As described earlier, the classification of custodial exchanges as money transmitters has been widely accepted by regulators and companies, and several major custodial exchanges based in the U.S. are registered with FinCEN. However, it is very possible that the Bitcoin transactions initiated by custodial exchanges on behalf of their customers do not fit the definition of “transmittal orders.” In that case, custodial exchanges who do not also deal in real currencies, would not qualify as money transmitters because they do not “accept” anything that fits the definition of a “transmittal order.” They do not execute an order that is intended to cause, and causes, another institution to pay a recipient; they simply execute an order to broadcast a Bitcoin transaction message to the peer-to-peer network. That message is not an unconditional order demanding that anyone pay anyone else; indeed there is a substantial condition placed on the message. If the message is not incorporated into a block by a miner, no payment will be made. While the existing interpretation with respect to custodial exchanges will likely remain unchallenged, we would be remiss to not bring this analyses to its full conclusion.
 See infra pp. 20-21.
 The foregoing analysis should also apply to so-called multi-sig wallet developers when they do not retain access to sufficient private keys to execute unilaterally transactions out of the user’s wallet.
 Software and Investment Ruling supra note 35 at 2.
 See, e.g., U.C.C. § 2-606. What Constitutes Acceptance of Goods.
 Nonetheless, Bitcoin is widely understood as a commodity good. See, e.g., U.S. Commodity Futures Trading Commission, RELEASE: pr7231-15, http://www.cftc.gov/PressRoom/PressReleases/pr7231-15. Therefore laws regulating a bitcoin’s acceptance are in pari materia with laws dealing with typical goods acceptance, and their interpretations should be shared.
 U.C.C. § 2-606. What Constitutes Acceptance of Goods.
 U.C.C. § 2-503. Manner of Seller's Tender of Delivery.
 This understanding of when a person has actual control over a bitcoin or other virtual currency is derived from the excellent work of the Uniform Law Commission's drafting committee for a model Regulation of Virtual Currency Businesses Act. The current draft (likely to be finalized Summer of 2017) defines control as follows: “‘Control’ means: (A) When used in reference to transactions or relationships involving virtual currency, the term means power to execute unilaterally or prevent indefinitely virtual currency transactions.” National Conference of Commissioners
On Uniform State Laws, Draft Regulation Of Virtual Currency Businesses Act, May 4-7, 2017 Style Committee Meeting. (May 2017) http://www.uniformlaws.org/shared/docs/regulation%20of% 20virtual%20currencies/2017may_RVCBA_Style%20Mtg.pdf. Coin Center strongly supports this definition and the approach taken by the ULC.
 See Peter Van Valkenburgh, “What is Bitcoin Mining, and Why is it Necessary?” Coin Center (Dec. 2014) https://coincenter.org/entry/what-is-bitcoin-mining-and-why-is-it-necessary.
 As such these participants are better compared with the financial telecommunication provider SWIFT. SWIFT relays messages between financial institutions but never, itself, takes custody of any valuables or funds.
 Specifically, the sender of a bitcoin transaction will generally specify a recipient bitcoin address and an amount of bitcoins to be sent. She will broadcast that transaction message to the network. Miners, by incorporating the message into the blockchain, effectively reassign bitcoins from the sender address to the recipient address. Each address is mathematically related to a cryptographic key retained only by the person who generated that address. All bitcoin transactions must be validly signed using the cryptographic key that corresponds to the address that is currently assigned the bitcoins according to the blockchain. So once Bitcoins are assigned to the recipient address, only the person(s) with knowledge of the cryptographic key related to that address can now spend those bitcoins in the future.
 Jonathan Wallace, Webster's New World Law Dictionary (2010) at 7.
 U.C.C. § 3-104. Negotiable Instrument.
 See Peter Van Valkenburgh, “What is Bitcoin Mining, and Why is it Necessary?” Coin Center (Dec. 2014) https://coincenter.org/entry/what-is-bitcoin-mining-and-why-is-it-necessary.
 Guidance supra note 6 at 2.
 FinCEN, FIN-2014-R001 Application of FinCEN’s Regulations to Virtual Currency Mining Operations (January 30, 2014) at 2. available athttps://www.fincen.gov/sites/default/files/shared/FIN-2014-R001.pdf [hereinafter Mining Ruling].
Id. at 3.
See generally, Ethereum, Proof of Stake FAQ (last access May 2017) https://github.com/ethereum/wiki/wiki/Proof-of-Stake-FAQ.
See also Peter Van Valkenburgh, No, FinCEN Policy is not Relevant to the Bitcoin Forking Debate (Feb. 2016) https://coincenter.org/entry/no-fincen-policy-is-not-relevant-to-the-bitcoin-forking-debate.
 Mining Ruling supra note 65 at 2.
See Chevron U.S.A. v. NRDC, 467 U.S. 837, 842-43 (1984) (“If the intent of Congress is clear, that is the end of the matter; for the court, as well as the agency, must give effect to the unambiguously expressed intent of Congress. If, however, the court determines Congress has not directly addressed the precise question at issue, the court does not simply impose its own construction on the statute . . . Rather, if the statute is silent or ambiguous with respect to the specific issue, the question for the court is whether the agency's answer is based on a permissible construction of the statute.”).
 31 USC §§ 5311-5332.
 31 CFR § 1010.100(ff)(5).
See Peter Van Valkenburgh, “What is ‘Blockchain’ anyway?” Coin Center (Apr. 2017) https://coincenter.org/entry/what-is-blockchain-anyway.
 US v. Faiella, 39 F. Supp. 3d 544 Dist. Court, SDNY (2014).
Id. at 545.
Id. at 546.
 In 1974, the Bank Secrecy Act’s constitutionality was challenged in California Bankers Association v. Shultz. Plaintiffs argued that the statute violated the Fourth, Fifth and First Amendment rights of banks and bank customers. The Supreme Court, in a 6-3 decision, upheld the statute as applied, but Justice Brennan’s dissenting opinion offered a spirited lamentation of the statute’s vague and expansive delegation of authority, “That vice. . . is the delegation of power to the Secretary in broad and indefinite terms under a statute that lays down criminal sanctions and potentially affects fundamental rights.” California Bankers Assn. v. Shultz, 416 U.S. 21 (1974) https://supreme.justia.com/cases/federal/us/416/21/case.html
 See Peter Van Valkenburgh, “What are Appcoins?” Coin Center (Oct. 2016) https://coincenter.org/entry/what-are-appcoins. (“Developers of these services and their potential investors are already moving to take advantage of these new opportunities. Services for cloud storage are being developed by IPFS, Storj, Swarm, and may be supported by tokens (Filecoin, Storjcoin, or Ether respectively). Services for cloud computing power are being developed by Ethereum, Counterparty, and others, while utilizing tokens (Ether and XCP respectively). Services for content-curation and attribution are being developed by Steemit, Mediachain, and others (some, like Steemit, are already supported by a token, others are not but may wish to include tokens in the future). This list is incomplete and new projects and new developers emerge weekly. Simultaneously, investors interested in helping finance applications built on open networks, have begun looking at whether they can buy and hold tokens rather than take ownership interests in the firms developing these networks.”).
 California Bankers Association v. Shultz, the decision that upheld the constitutionality of the BSA, was a 6-3 decision. Justice Powell wrote a concurring opinion that Justice Blackmun joined. That concurrence upholds the BSA’s constitutionality only as it was enforced by the Treasury at the time of the case. In 1974, the only domestic reporting requirements demanded by the Treasury were currency transaction reports; since then the reporting requirements have significantly expanded, most notably with the inclusion of a suspicious activity reporting requirement, similarly the list of “financial institutions” has significantly expanded. The constitutionality of these expansions has yet to be challenged and upheld. As Justice Powell wrote in his concurrence:
“A significant extension of the regulations' reporting requirements, however, would pose substantial and difficult constitutional questions for me. In their full reach, the reports apparently authorized by the open-ended language of the Act touch upon intimate areas of an individual's personal affairs. Financial transactions can reveal much about a person's activities, associations, and beliefs. At some point, governmental intrusion upon these areas would implicate legitimate expectations of privacy. Moreover, the potential for abuse is particularly acute where, as here, the legislative scheme permits access to this information without invocation of the judicial process. In such instances, the important responsibility for balancing societal and individual interests is left to unreviewed executive discretion, rather than the scrutiny of a neutral magistrate. United States v. U.S. District Court, 407 U. S. 297, 407 U. S. 316-317 (1972). As the issues are presently framed, however, I am in accord with the Court's disposition of the matter.” California Bankers Assn. v. Shultz, 416 U.S. 21 (1974) at 78-79.
 The BSA requires a formal rulemaking for an expansion to the definition of “financial institution.” 31 USC § 5312(a)(2)(Y).