Wednesday, December 20, 2023

Are flatcoins a good idea?


I'll start with the conclusion. I don't think flatcoins are a good idea.

The idea for flatcoins has been around for a while, but it got a wider airing when it popped up in a Coinbase marketing piece from earlier this year. Now, arch-crypto hater Nouriel Roubini has undergone a Damascene conversion and is about to introduce a crypto flatcoin, suggesting that these novel instruments are "the way forward."  

What is a flatcoin?

If you own one dollar's worth of stablecoins or one dollar's worth of Wells Fargo deposits, both stay locked at $1 dollar indefinitely. A flatcoin, by contrast, slowly rises in value over time to compensate the holder for inflation. So if you own a single flatcoin worth $1 today, it will be worth $1.0001 tomorrow, and $1.0002 the next day, and so on. Twelve months later its value will have arrived at $1.05. This 5% appreciation protects you from 5% inflation, leaving your purchasing power unchanged.

Roubini and Coinbase are marketing flatcoins as a blockchain-specific thing, but there's no reason the concept couldn't by packaged up as a traditional financial product, one without a blockchain. Imagine a Wells Fargo account that holds 100 in Wells flatbalances which rise by 3-4% a year. Or imagine a flatnote, the issuer indexing the purchasing power of its paper banknotes to inflation by promising to buy them back at progressively higher prices.

Roubini stakes out a role for flatcoins as a potential "global means of payment." As far as monetary/payments technology goes, I disagree. I think flatcoins are an evolutionary dead-end.

One of the key features of money that makes it so popular is that it is directly fused to the dominant commercial language that we all use in our day-to-day economic lives.

What do I mean when I say commercial language? We converse and haggle with each other in terms of the dollar, we think and plan in terms of dollars, we dream in dollars, and we remember in dollars. Every facet of our day-to-day commercial lives revolves around this very basic measuring unit. (In Europe, the euro serves as the basis of Europe's commercial language, and in Japan it's the yen.)

The dollars that we own in our pockets (and in our bank accounts, as well as the stablecoins in our Metamask wallets) have been conveniently designed to be fully compatible with the dollar measuring unit that we refer to in language. That is, our media of exchange are pegged, or wed, to $1. For instance, if I've got to make a $1500 rent payment next week, I know that the 1500 units sitting in my bank checking account are a precise fit for meeting that obligation. I don't know the same about my other assets, say my S&P 500 ETF, my gold, my government bonds, or my dogecoins.

This standardization is a convenient feature. It takes a lot of hassle out of day-to-day commercial life. It means that when we buy things or make plans to buy things, it's not necessary to engage in constant translations between the dollar media in our pocket and the dollars in our speech and thoughts and plans. As Larry White once put it, harmonizing the unit we use in our speech with the units we transact with "economizes on the information necessary for the buyer's and the seller's economic calculation."

Since everyone tends to converge on these very useful standardized units for making payments (i.e. deposits, stablecoins, and banknotes), the markets for them have become highly developed and liquid. This only makes them more useful for payments, in effect locking in their dominance.

A flatcoin, by contrast, has been rendered incompatible with the dollars that we use in our speech. One unit might be worth 1.1145 times the dollars we use in our speech today, and 1.1147 tomorrow, and 1.1205 next month. This erases one of the most user-friendly features of money, its concordance with the commercial vernacular, alienating anyone who might use it for their day-to-day spending. Flatcoins will thus be less liquid than standardized 1:1 dollars, and this lack of liquidity will render them even less useful for making payments.

There's the secondary problem with flatcoins that stems from taxes. Since a flatcoin rises in value over time, all purchases made with flatcoins will generate a small taxable capital gain. This introduces an administrative burden which makes it even less likely that people will use flatcoins as an everyday medium of exchange.

This incongruity between linguistic dollars and flatcoins doesn't mean that people won't hold them. They might be useful as a type of long-term savings vehicle, much like how one might buy and hold a fixed income ETF. But unlike Nouriel Roubini, I don't think they are "the way forward" when it comes to acting as a medium of exchange. No one is going to be buying a coffee with a flatcoin.

Saturday, December 16, 2023

The long arm of OFAC and its reach into the Ethereum network

Coinbase, the U.S.'s largest crypto exchange, is openly processing Ethereum transactions involving Tornado Cash, a piece of blockchain infrastructure that was sanctioned by the U.S. government last year for providing mixing services to North Korea. 

Over the last two weeks Coinbase has validated 686 Tornado-linked transactions, according to Tornado Warnings. I've screenshotted the table below:

This table shows how many blocks each validator has proposed that includes a transaction that has interacted (either depositing or withdrawing) with Tornado Cash contracts in all denominations, or with TORN tokens. Source: Tornado Warnings by Toni Wahrstätter

This is awkward for everyone involved.

First, it's embarrassing for the agency that administers U.S. sanctions, the U.S. Treasury's Office of Foreign Assets Control, or OFAC. OFAC clearly states that U.S. based persons are not to transact with sanctioned entities unless they have a license. Yet here is America's largest crypto exchange interacting with a sanctioned entity, Tornado Cash, without a license.

OFAC can look away and pretend that nothing unusual is happening, which is pretty much what it has done so far. But since these financial interactions are clearly displayed on the blockchain, everyone can see the infraction occurring. Eventually, OFAC will have to confront the problem and make some tough decisions, a few of which may end up damaging companies like Coinbase and the Ethereum network.

The whole affair is also awkward for the crypto industry. After a 2022 in which much of the ecosystem went bankrupt or succumbed to fraud, crypto currently finds itself in the damaging crosshairs of the culture war and the pervasive threat of being banned. It is desperate for social license, yet here is crypto's leading company choosing to operate in contravention of one of the key pillars of U.S. national defence.

Meanwhile, Coinbase's main U.S. competitor, Kraken, has taken a very different approach to dealing with Tornado Cash. As the table above shows, Kraken has processed zero Tornado Cash transactions over the last two weeks compared to Coinbase's 686. These diverging approaches to handling sanctioned transactions only highlight the awkward nature of crypto's "compliance" with sanctions law.

Before I dive deeper, we need to fill in the basics. For folks who are confused about crypto, what follows is a quick explanation why Coinbase is interacting with Tornado Cash, whereas Kraken isn't.

What is validation?

To begin with, Coinbase and Kraken operate in many different businesses. Their most well known business line is to provide a trading venue where people can deposit funds in order to buy and sell crypto tokens.

I suspect that both companies are being very careful to ensure that their trading venues avoid any dealings with Tornado Cash. If someone were to try to deposit Tornado-linked funds to Coinbase's exchange, for instance, I'm sure Coinbase would quickly freeze those transactions, which is precisely what OFAC obliges it to do. Crypto trading venues have gotten in trouble before for dealing with sanctioned entities: last year Kraken was fined by OFAC for processing 826 transactions on behalf of Iranian individuals.

But the issue here isn't these companies' trading platforms. Coinbase's interactions with Tornado Cash are occurring in an adjacent line of business. Let's take a look at how Coinbase and Kraken's validation services business operate.

Say that Sunil lives in India and wants to make a transaction on the Ethereum network, perhaps a deposit of some ether to Tornado Cash. He begins by inputting the instructions into his Metamask wallet. This order gets broadcast to the Ethereum network for validation, along with a small fee, or tip. A validator is responsible for taking big batches of uncompleted transactions, one of which is Sunil's Tornado Cash deposit , and proposing them in the form of "blocks" to the Ethereum network for confirmation. As a reward, the validator collect the tips left by transactors.

The biggest validators are the ones that own large amounts of ether, the Ethereum network's native token. Since Kraken and Coinbase have millions of customers who hold ether on their platforms, they have become two of the most important providers of Ethereum validation services. Coinbase accounts for 14% of global validation while Kraken stands at 3%, according to the Ethereum Staking dashboard. So even though Sunil is not actually depositing any crypto to Coinbase's trading venue, he may end up interfacing with Coinbase via its block proposal and validation business.  

Validators can choose what transactions to include in their blocks. This explains the difference between the two exchanges. Whereas Kraken chooses to exclude transactions like Sunil's Tornado Cash deposit, Coinbase includes all transactions linked to Tornado Cash in the blocks that it proposes, in the process earning transaction fees linked to Tornado Cash.

To sum up, Coinbase operates its trading venue in a way that complies with OFAC regulations, but it doesn't run its validation service in the same manner, whereas Kraken does. Next, we need to fill in another important part of the story. What does OFAC do?

OFAC around and find out

For folks who don't know how U.S. sanctions work, a big part of OFAC's job is to blacklist foreign individuals and organizations who are deemed to undermine U.S. national security or foreign policy objectives. These blacklisted entities are known as SDNs, or specially designated nationals. U.S. citizens and companies cannot deal with SDNs without getting a license.

OFAC also administers comprehensive sanctions. These prevent U.S. individuals or businesses from interacting with entire nations, like Iran.

With each of the individuals or entities that it designates, OFAC discloses an array of useful information including the SDN's name, their aliases, address, nationality, passport, tax ID, place of birth, and/or date of birth. U.S. individuals and firms are supposed to take a risk-based approach to cross-checking this information against each of the counterparties they transact with so as to ensure that they aren't dealing with an SDN. They must also be aware of U.S. comprehensive sanctions so they don't accidentally interact with an entire class of sanctioned individuals, say all Iranians. Failure to comply can result in a monetary penalty or jail time.

Whereas Coinbase appears to have chosen to ignore OFAC's requirements when it comes to validation, Kraken hasn't, and has incorporated the SDN list into the internal logic of the validation services that it provides. But Kraken has only done so in a limited way, as I'll show below.

Five years ago OFAC began to include an SDN's known cryptocurrency addresses in its array of SDN data. To date, OFAC has published around 600 crypto addresses, including around 150 Ethereum addresses, of which a large chunk are related to Tornado Cash. Kraken is using this list of 150 addresses as the basis for excluding certain transaction from the blocks that it is proposing to the Ethereum network.

Data source: OFAC and Github

Among members of the crypto community, this sort of editing out of OFAC-listed addresses is sometimes described as creating "OFAC-compliant blocks." Hard core crypto ideologues believe that it compromises Ethereum's core values of openness and resistance to censorship.

While Kraken's approach may appear to be the compliant approach to proposing blocks, it's not. It's half-compliance, or compliance theatre. 

OFAC-compliant blocks as compliance theatre 

Right now, Kraken's block validation process merely weeds out transactions involving the 150 or so Ethereum wallets that OFAC has explicitly mentioned, which includes Tornado Cash addresses. But many of the SDNs linked to these 150 wallets have probably long since adapted by getting new wallets. Kraken isn't taking any steps to determine what these new wallets are, and is therefore almost certainly processing these SDN's transactions in its blocks. This would put it in violation of OFAC policy.

Of the 12,000 or so SDNs on OFAC's SDN list, most are not explicitly linked by OFAC to a specific Ethereum wallet. But that doesn't mean that these entities don't have such wallets. To be compliant, Kraken needs to scan the entire list of 12,000 SDNs and verify that none of them are being included in Kraken blocks. Again, it doesn't appear to be doing that.

Complying with OFAC isn't just about crosschecking the SDN list. Remember, OFAC has also levied comprehensive sanctions on nations such as Iran, which prohibit any U.S. entity from dealing with Iranians-in-general. Because Kraken limits its block editing to the 150 or so Ethereum addresses mentioned by OFAC, it is almost certainly letting Iranian transactions into the blocks that it is proposing. Which is ironic, since the very infraction that Kraken was punished for last year was allowing Iranians to use its trading platform. Apparently Kraken has one Iran policy for its trading venue, and another policy for its block proposal service.

Coinbase's decision to ignore OFAC altogether now makes more sense. Perhaps it's better to not comply at all and thereby retain the ability to claim the non-applicability of sanctions law to validation, than to comply insufficiently but in the process tacitly admit that OFAC has jurisdiction over validation. As part of this strategy, Coinbase may try to fall back on arguments that validation isn't a financial service, but qualifies as the "transmission of informational materials," which is exempt from sanctions law.

Having started down the path to compliance, the only way for Kraken's validation business to be even close to fully compliant with sanctions law is to adopt the very same exhaustive process that its own crypto trading venue abides by. That means painstakingly collecting and verifying the IDs of all potential transactors, cross-checking them against OFAC's requirements, and henceforth only proposing blocks that are made up of transactions sourced from its internal list of approved addresses.  

By adopting this complete approach to verifying transactions, Kraken would now be closer to compliance. As for OFAC, it would be relieved of its awkward situation.

There is no easy policy decision for OFAC

However, this approach has its drawbacks. A requirement that IDs be verified for the purposes of block inclusion would be expensive for Kraken to implement. I suspect that the company would react by ceasing to offer validation services. Even if Kraken and Coinbase were to roll out an OFAC-compliant know-your-customer (KYC) process for assembling blocks, most Ethereum transactions would probably flow to no-hassle offshore validators, which don't check ID because they are under no obligation to comply with OFAC.

So in the end, the very transactions that OFAC wants to discourage would end up happening anyway.

Compounding matters, by pushing validation away from U.S. soil, the U.S. national security apparatus would have destroyed a nascent "U.S. Ethereum nexus," one they might have otherwise levered as a tool for projecting U.S. power extraterritorially. If you're curious what this entails, consider how the New York correspondent banking nexus is currently harnessed by the state to exert U.S. policy overseas. A San Francisco-based Ethereum nexus would be the crypto-version of that. But not if it gets chased away.

To prevent validation from being performed everywhere but the U.S., the government could twin a requirement that domestic block validators implement KYC with a second requirement that all U.S. individuals and companies submit all Ethereum transactions to sanctions-compliant validators. This would pull U.S. Ethereum transactions back onto U.S. soil and into the laps of Coinbase and Kraken.

But this is a complicated chess game to play, and you can see why OFAC has been hesitating.  

On the other hand, OFAC can't prevaricate forever. Sure, crypto is still small. But OFAC is an agency with a democratic mandate to administer law, and law is clearly being broken. It cannot "not govern." To boot, sanctions are a matter of national security, which adds to the urgency of the issue.

One option would be for OFAC to offer an explicit sanctions law exception to U.S. blockchain validators in the form of a special license. But that invokes questions of technological neutrality and equal treatment before the law. Why should Coinbase and Kraken be allowed to maintain financial networks that admit sanctioned actors whereas other network operators, like Visa or American Express, do not enjoy this same exemption?

This isn't just about fairness. By providing a blockchain carve-out, OFAC may unintentionally spur the financial industry to switch over to blockchain-based validation, because that has become the least-regulated and therefore cheapest technological solution for deploying various financial services. At that point, OFAC will find itself with far less to govern, because a big chunk of finance now lies in the zone that OFAC has carved-out.

I don't envy the mandarins at OFAC. They've got a tough decision to make. In the meantime, Coinbase continues to process Tornado Cash transactions every hour.

Tuesday, December 5, 2023

Why do sanctioned entities use Tether?


Tether, a stablecoin, has been in the news for offering sanctioned actors such as Hamas a means to participate in the global payments ecosystem.

In this post I want to explore in more depth how Tether is being used to dodge sanctions. I'm going to avoid drawing on the Hamas example, which has been controversial, and will instead dissect the U.S. Department of Justice's recent indictment of group of business people who brokered oil purchases from PDVSA, Venezuela's sanctioned state-owned oil company.

Let's get right into things. In this particular case, the buyers  who indirectly represented a sanctioned Russian aluminum company  seem to have used two methods for settling payments with Venezuela: bank wires and cash. (Tether makes an appearance in the second.)  

Before we get to Tether, we need to understand how the bank wires worked.

The Russian buyers operated through a network of shell companies, or fronts, set up in places like Dubai. "Because of [sanctions] we are using 'fronting'" the Russians admit. The Russians' Dubai-based shell companies had accounts at an Egyptian bank with a branch in Dubai. In a lovely line, one of the Russians, Orekhov, describes this bank as the "shittiest bank in the Emirates ... They have no issues, they pay to everything."

...the shittiest bank in the Emirates [link]

The more reputable Dubai banks probably didn't want to risk enabling the potentially sanctioned transactions of a Russian shell company, but here was a bank that had no qualms.

The Russian front companies couldn't wire U.S. dollars directly to the PDVSA; it was sanctioned. Instead, the payments were sent via the Egyptian bank to a number of foreign shell companies owned by the PDVSA, located in places like Australia, Hong Kong, and the UK. With the payments sent, the Russian's boats could be loaded with Venezuelan oil.

The second payment method was U.S. banknotes. In fact, the PDVSA seemed to have preferred cash. In the excerpt below, the Venezuelan contact, Serrano, says that the Russian middleman, Orekhov, lost out on a previous oil shipment because a competing buyer offered to pay 100% in U.S. banknotes. "The key is cash," says Serrano. Venezuela is mostly dollarized, and with the PDVSA cut off from U.S. banks, you can understand why U.S. paper money would be quite valuable to the PDVSA.

"The key is cash" [source]

In response, the Russians suggest two cash-based payments options. In the first, they will send a bank wire to a Panamanian bank, and the Panamanian bank will pay the PDVSA cash in Venezuela. "This is simply a service that they do," says Orekhov. The second option that he suggests is to bring paper money to Evrofinance in Moscow. Evrofinance is a bank that is controlled by the PDVSA and has been sanctioned by the U.S.

The indictment doesn't detail whether either of these two solutions was chosen, but instead focuses on a third cash-based solution, one that involves using Tether, or USDt, as a switch.

The indictment documents this transaction particularly well. It's November 2021 and the Russians' ship is about to berth in Venezuela for loading. The Venezuelan contact, Serrano, notifies the Russian, Orekhov, that he needs to get ready to pay for 500,000 barrels of PDVSA oil. Orekhov responds by sending $17 million worth of USDt to a broker in Venezuela, who converts the USDt to cash. "No worries, no stress," says the Russian to his Venezuelan contact. "USDT works quick like SMS."

"...quick like SMS" [link]

Once the broker receives the $17 million USDt, the cash is placed in a bank where PDVSA officials can collect it. Now the boat can be loaded.

So in this case Tether is being used as third-party rail for buying cash in Venezuela. It is serving as an alternative to a set of bank wires made through shell companies, a notably speedier one. "It's quicker than telegraphic transfer," says Orekhov. "That why everyone does it now. It's convenient, it's quick."

Going the Tether route also has the benefit of not requiring a single know-your-customer (KYC) check. Orekhov could have bought $17 million USDt, and sent it to the Venezuelan broker, and neither of the two would have had to show the owner of the platform, Tether, their ID or fill out any forms. It's like using the "shittiest bank in the Emirates," except with even fewer hassles.

Delving further into the indictment, we learn that another key benefit of Tether is that it provides a degree of protection from the legal hazards of a traditional bank wire transfer. If you scroll down to the part of the indictment where charges are being laid, particularly Count Two, it is the bank wires that are at the root of Orekhov and Serrano's legal woes, not the Tether transactions.

Among many other crimes, Orekhov and his Venezuelan counterpart, Serrano, are accused of sanctions evasion, more specifically conspiring to violate the International Emergency Economic Powers Act (IEEPA). The IEEPA is the bit of legislation that contains U.S. sanctions law.

What specific actions incriminated them? This is a good question, because on first glance the defendants seem to be beyond the pale of U.S. jurisdiction. Both men were foreign nationals operating outside of the U.S. They connected a non-US buyer to a non-US seller. The product is not made in the America. Without a U.S. nexus, it would appear that Serrano and Orekhov are safe from the long reach of U.S. law enforcement.

The ultimate hook that catches Orekhov and Serrano is that part of their dealings were deemed to have occurred on U.S. soil. They made wire transfers using the "shittiest bank in the Emirates," and those wire transfers were ultimately processed through correspondent banks based in the New York metropolitan area.

To understand how New York-based banks touched the transaction, you need to know a little bit about how wire transfers work. To be capable of making a U.S. dollar wire transfer, the "shittiest bank in the Emirates" needed to have an account with a large U.S.-based correspondent bank, like JP Morgan. Likewise, the bank that the PDVSA shell companies were using would have also had accounts at a U.S. correspondent bank in order to accept U.S. dollar wires. A correspondent bank is a bank that, in addition to conducting regular banking business, specializes in serving foreign financial institutions.

So long story short, when U.S dollar funds moved from the Egyptian bank to the PDVSA shell accounts, much of the underlying activity to support this fund transfer occurred back in the U.S. the on the books of a bank such as JP Morgan.

That's the Department of Justice's smoking gun. Serrano and Orekhov are accused of having "caused" a U.S.-based financial institution to process tens of millions in U.S. dollar-denominated payments in violation of the IEEPA.

The Tether transactions, by contrast, do not provide the Department of Justice with anything incriminating. USDt transfer occurs on the books of Tether (which is registered in the British Virgin Islands), completely bypassing the New York correspondent banking system. So when they paid with USDt, Serrano and Orekhov didn't "cause" a U.S-based actor to do anything wrong.

Put differently, if the Russians and Venezuelans had conducted all their transactions with Tether and cash, and avoided bank wires altogether, it would have been impossible for the U.S. to indict them for violating the IEEPA. Thus, not only is Tether "quick like SMS," it also provides a degree of safe harbour from sanctions law.

But not for long?

In a recent letter to Congress, the U.S. Treasury says that stablecoins such as Tether pose a sanctions risk, and requests legislation to close this loophole. The Treasury notes that while it already has jurisdiction over offshore wires transfers because they "transit intermediary U.S. financial institutions," or correspondent banks, it does not have the same authority over "equivalent-value stablecoin transactions, because certain stablecoin transactions involve no U.S. touchpoints." (That's the core of what we were talking about in the previous paragraphs.)

"...stablecoin transactions involve no U.S. touchpoints"


To remedy this, the Treasury wants Congress to update its sanctions toolbox to give it "extraterritorial jurisdiction" over U.S. dollar-pegged stablecoin transactions. In brackets, it also adds "other U.S dollar-denominated transactions" to its wish list. What this appears to be conveying, and I could be wrong, is that the Treasury wants the ability to leverage the U.S. dollar symbol, more specifically the dollar's role as the dominant unit-of-account, as a new nexus for controlling transactions made by foreigners. 

If such a law were to pass, folks like Serrano and Orekhov could now be indicted not only for the traditional crime of making offshore U.S. dollar wire transfers that "cause" New York banks to violate sanctions law, but also for paying with Tether, because the latter invokes the U.S. dollar trademark. 

Leveraging the unit-of-account role of the U.S. dollar to get authority over foreign transactions is a huge step to take, certainly much broader than relying on correspondent banking as authority. Doing so would extend U.S. sanctioning power to a much wider set of foreign economic activity, not just U.S. dollar stablecoin-based transactions, but also potentially to U.S. cash payments, since those too make use of the U.S. dollar accounting unit. Congress will have to think hard before it grants the Treasury's request.

Friday, December 1, 2023

Even crypto mixing deserves a threshold

Many of you may not realize this, but in most parts of the developed world, banks automatically record and report our transactions to law enforcement. The logic behind this is that by giving up our personal data, we get more security, albeit at the cost of 1) losing our privacy, and 2) adding an extra layer of costly red tape into financial life.

It's a pragmatic compromise, and one hopes that the benefits outweigh the costs. The way that we've been balancing this compromise up till now is by using thresholds, so as to reduce the cost side of the equation. Below a certain dollar threshold (i.e. $10,000 for cash), transactions don't get reported. The folks making these sub-threshold transactions thus enjoy the dignity of not having their privacy invaded, nor do they add to the financial sector's administrative burden. However, they also don't contribute to the effort to improve security and safety.

Anyways, last month, the U.S. government announced a new anti-money laundering reporting requirement, one for crypto mixing. In doing so it broke with a long tradition of not including a threshold. That got my hackles up. Thresholds have always been key to balancing the costs and benefits of automatic reporting requirements.

In short, the government thinks that mixing of cryptocurrency is of primary money laundering concern. Any U.S. financial institution that knows, suspects, or has reason to suspect that a customer's incoming or outgoing crypto transaction, in any amount, involves the use of a mixer will have to flag it and send a report to the government. That report must include information like the customer's name, date of birth, address, and tax ID. 

I submitted the following comment on the proposed rule for crypto mixing. If you agree, feel free to copy it and add your own comment to the growing pile. 

Dear sir/madam,

Re: Proposal of Special Measure Regarding Convertible Virtual Currency Mixing, as a Class of Transactions of Primary Money Laundering Concern

Historically, all U.S. anti-money laundering recordkeeping and reporting requirements have been accompanied by a monetary threshold. The current proposal to impose recordkeeping and reporting requirements for crypto mixing is the sole exception. This should be fixed.

When Treasury Secretary Henry Morgenthau published an executive order to implement the U.S.'s first large cash transaction reporting regime all the way back in 1945, for instance, he established a $1,000 reporting requirement for transactions in which only bills in denominations over $50 were present. He also set a $10,000 reporting threshold when small and large denomination bills were involved in the transaction.

Morgenthau's thresholds remained in place through the 1950s and 1960s. They were eventually ratified in 1972 with the implementation of a $10,000 cash reporting threshold for the purposes of implementing the Bank Secrecy Act.

When suspicious activity reports were introduced in 1996, the government's initial proposal did not include a reporting threshold. But after receiving public comments, the government admitted that its first version of the rule would impose a "burden of reporting." In its final version it introduced a $5,000 threshold for filing a suspicious activity report, which remains to this day.

In addition to reporting thresholds for cash transactions and suspicious activity, the government has set a number of thresholds for recordkeeping requirements. For instance, financial institutions are required to keep a log of all cash purchases of monetary instruments between $3,000 and $10,000.

The government's long history of twinning reporting and recordkeeping requirements with thresholds is a pragmatic compromise. It balances law enforcement's need for information against the administrative burden imposed on the private sector as well the invasion of privacy imposed on civil society. It only seems fair and prudent to extend this pragmatic compromise to cryptocurrency mixing recordkeeping and reporting requirements, especially in light of the fact that, as FinCEN admits, there are "legitimate purposes" for mixing.

I would suggest a threshold of at least $10,000, which is in-line with the cash transaction reporting threshold.

Sincerely,
JP Koning
Moneyness Blog

Tuesday, November 28, 2023

Are central banks too reliant on SWIFT for domestic payments?


Central bank settlement systems are the the tectonic plates of the payment system: they are vitally important to our lives, but we never see them in action. All of a nations' electronic payments are ultimately completed, or settled, on these systems. If they stop working, our financial lives go on pause, or at least regress to older forms of payment.

In this post I want to introduce readers to a crucial feature of these payments tectonic plates: their reliance for domestic settlement on SWIFTNet, a financial messaging network used by banks and other financial institutions to communicate payments information. Think of SWIFTNet as a WhatsApp for banks, but exclusive and very secure. 

This reliance  or over-reliance  is best exemplified by a recent decision by the European Central Bank. The Target2 settlement system has long been the bedrock layer of the European payments universe. All domestic payment ultimately get tied-off on the system. Since it was introduced in 2007, Target2 has been solely reliant on SWIFTNet for sending and receiving messages. 

When the European Central Bank replaced Target2 with T2 earlier this year, it modified the system to have two access points: it kept SWIFTNet but added a competing messaging network, SIAnet, to the mix. As one commentator triumphantly put it, "SWIFT’s monopoly for access to the T2/T2S system is broken."

SWIFTNet is owned by the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, which is structured as a cooperative society under Belgian law and is owned and governed by its 11,000 or so member financial institutions. Whenever SWIFT gets mentioned in conversations, it tends to be associated with cross-border wire payments, for which its messaging network is dominant. However, for many jurisdictions, including Europe, SWIFT is also integral to making domestic payments. It's this little-known local reliance that I'm going to explore in this post.

The dilemma faced by central banks such as the European Central Bank is that SWIFTNet is an incredibly useful messaging network. It is ubiquitous: most banks already use it for cross-border payments. And so the path of least resistance for many central banks is to outsource a nation's domestic messaging requirements to SWIFT, too. However, this reliance exposes national infrastructure to SWIFTNet-related risks like foreign control, sanctions, snooping, and system outages.

Financial messaging 101

Before going further, we need to understand why financial messaging is important. For a single electronic payment to be completed, a set of databases owned by a number of financial institutions, usually banks, must engage in an intricate dance of credits and debits. To coordinate this dance, these banks need to communicate, and that's where a messaging network is crucial.

Say, for example, that Google needs to pay Apple $10 million. Google tells its banker at Wells Fargo to make the payment. Wells Fargo first updates its own database by debiting Google's balance by $10 million. The payment now has to hop over to Google Apple, which banks at Chase. For that to happen the payment flow must progress to the core of the U.S's payments system, the database owned by the Federal Reserve, the U.S.'s central bank.

Along with most other U.S. banks, Wells Fargo has an account at the Federal Reserve. It communicates to the central bank that it wants its balance to be debited by $10 million and the account of Chase to be credited by that amount. Once Chase's account at the Federal Reserve is updated, Chase gets a notification that it can finally credit Apple for $10 million. At that point Apple can finally spend the $10 million.

This entire process takes just a second or two. For this "dance of databases" to execute properly, the Federal Reserve, Chase, and Wells Fargo need to be connected to a communications network.

The sort of messaging network to which the central bank is connected, and the stewardship of that network, is thus crucial to the entire functioning of the economy.

Proprietary messaging networks or SWIFTNet? 

The Federal Reserve is somewhat unique among central banks in that it has built its own proprietary messaging network for banks. All of the 9,000 or so financial institutions that use the Federal Reserve settlement system, Fedwire, must connect to the Fed's proprietary messaging network to make Fedwire payments. To make international payments, however, U.S. banks must still communicate via SWIFTNet.  

Let's flesh the story out by trekking north of the border. Whereas the Federal Reserve has no reliance on SWIFTNet, Canada's core piece of domestic settlement infrastructure, Lynx, relies entirely on SWIFTNet for messaging.

For example, if Toronto Dominion Bank needs to make a $10 million to Scotiabank, it enters this order into SWIFTNet, upon which SWIFT forwards the message to Lynx, which updates each banks' accounts by $10 million and sends a confirmation back to SWIFTNet, which tells Scotiabank that the payment has settled.

For payments nerds, this network setup is called a Y-copy topology. The network looks like a "Y" because the originating bank message is relayed from the sending bank via SWIFTNet, the pivot at the center of the Y, down to the settlement system, and then back up via SWIFTNet to the recipient bank. It is illustrated below in the context of the UK's payment system, with the CHAPS settlement system instead of Lynx, but the idea is the same.

A Y-copy network topology for settling central bank payments in the UK [source]

The upshot is that the Federal Reserve controls the messaging apparatus on which its domestic settlement depends, whereas Canada outsources this to a cooperative on the other side of the ocean.

Many of the world's small and middle-sized central banks have adopted the same Y-copy approach as Canada. This list includes Australia, Singapore, New Zealand, Nigeria, UK, Sweden and South Africa. However, some members of this group are starting to have second thoughts about fusing themselves so completely to SWIFT.

Removing the single point of failure

The European Central Bank is at the vanguard of this group. Prior to 2023, the European Central Bank was in the same bucket as Canada, relying entirely on SWIFTNet to settle domestic transactions. 

With its upgraded T2 system, Europe doesn't go quite as far the Fed's model, which is to build its own bespoke messaging network. Rather, European banks now have the option of either sending messages to T2 using SWIFTNet, or they can use SIAnet, a competing network owned by Nexi, a publicly-traded corporation. SIAnet stands for Societa Interbancaria per l'Automazione, a network that originally connected Italian banks but has now gone pan-European.

The reason for this design switch is that European Central Bank desires "network-agnostic connectivity." This dual access model will make things more complex for the European Central Bank. If a commercial bank originates a SIAnet message, the central bank will have to translate this over to a SWIFT message if the recipient bank uses SWIFTNet. Nevertheless, the European Central Bank believes this dual structure will offer more choice to domestic banks.

The ECB also hints at the enhanced "information security" that this new setup will provide, without providing much detail. The UK's recent efforts to update its core settlement layer sheds some extra insights into what these security improvements might be. Right now, the UK's core settlement system, CHAPS, can only be accessed by SWIFTNet, much like in Canada, so that all domestic UK payments are SWIFT-reliant.

In its roadmap for updating CHAPS, the Bank of England is proposing to allow banks to access the system via either SWIFTNet or a second network, which doesn't yet exist. The idea is to enable "resilient connectivity" to the core settlement layer, especially in periods of "operational or market disruption." Should SWIFTNet go down there would be no way for financial institutions to communicate with CHAPS, and the entire domestic economy would grind to a halt. A second network removes the "single point of failure" by allowing banks to re-route messages to CHAPS.

The Bank of England also highlights the benefits of competition, which would reduce the costs of connectivity.

This sounds great, but there are tradeoffs. Using a a single network for both domestic and international payments is valuable to the private sector because it offers standardization and efficiencies in banks' processing. Adding a second option will also complicate things for the Bank of England, since it will have to design and build a system from scratch, much like the Fed did, which could be costly. Either that or it will have to find another private option, like the ECB did with SIAnet. This second network may not be as good as SWIFTNet which, despite worries about resiliency, has been incredibly successful.

When CHAPS went down earlier this year for a few hours, for instance, it wasn't SWIFT's fault, but the Bank of England's fault. The same goes for a full day outage in 2014. 

Comparing a V-shaped network topology to Y-Copy in an Australian context [source]


The type of settlement topology that the UK is proposing is known as "V-shaped," since all messages are sent directly to the central bank settlement system for processing via any of a number of messaging networks, and then back to the recipient bank. The difference between a V-shaped topology and Y-copy is visualized in the chart above in an Australian context, but the principles apply just as well to the UK.

Sanctions and "the SWIFT affair"

The decision to make domestic payments less dependent on SWIFTNet is much more easy to make for outlier nations like Russia. SWIFT is based in Belgium and is overseen by the Belgian central bank, along with the G-10 central banks: Banca d’Italia, Bank of Canada, Bank of England, Bank of Japan, Banque de France, De Nederlandsche Bank, Deutsche Bundesbank, European Central Bank, Sveriges Riksbank, Swiss National Bank, and the Federal Reserve. That put SWIFT governance far out of Russian control.

You can see why this could be a problem for Russia. Imagine that only way to settle domestic Russian payments was by communicating through SWIFTNet. If Russia was subsequently cut off from that network for violating international law, that would mean that all Russian domestic payments would suddenly cease to work. It would be a disaster.

Needless to say, the Central Bank of Russia has ensured that it doesn't depend on SWIFTNet for communications. It has its own domestic messaging network known as Sistema peredachi finansovykh soobscheniy, or System for Transfer of Financial Messages (SPFS), which was built in 2014 after the invasion of Crimea. Prior to then, it appears that "almost all" domestic Russian transactions passed through SWIFTNet  a dangerous proposition for a country about to face sanctions.

Mind you, while Russia has protected its domestic payments from SWIFTNet-related risk, it can't do the same for its international payments. SWIFTNet remains the dominant network for making a cross border wire. There is no network the Russians can create that will get around this.

I'm pretty sure that most larger developing states and/or rogue nations have long-since built independent domestic financial messaging systems to avoid SWIFTNet risk. I believe China has done so. Brazil has the National Financial System Network, or Rede do sistema financeiro nacional (RSFN). India also has its own system, the Structured Financial Messaging System (SFMS), built in 2001. India is even trying to export SFMS as a SWIFT competitor.

The Japanese were typically way ahead on this. The Bank of Japan built its messaging network, the Zengin Data Telecommunication System, back in 1973, several years before SWIFT was founded.

The last SWIFTNet risk is snooping risk. This gets us into the so-called SWIFT affair. After 9/11, the U.S. intelligence agencies were able to pry open SWIFT through secret broad administrative subpoenas. They had the jurisdiction to do so because one of SWIFT's two main data centres was located in the U.S.

To ensure data integrity, SWIFT had been mirroring European data held in its data centre in Belgium at its U.S. site. That effectively gave U.S. intelligence access to not only SWIFT's U.S. payments information, but  also information on foreign payments sourced from Europe or directed to Europe. Worse, it also provided spooks with data on domestic European payments. Recall that the European Central Bank's Target2 settlement system, which settles all digital domestic payments in Europe, was entirely reliant on SWIFTNet for communications.


When the U.S.'s snooping arrangement was made public by the New York Times in 2006, it caused a huge controversy in Europe. SWIFT tried to placate Europe by building a third data warehouse in Switzerland to house Europe's back-up data. But the precedent was set: SWIFT is not 100% trustworthy. And that may be part of the reason why the European Central Bank chose to downgrade its reliance on SWIFTNet when it introduced its new system, and is surely why other nations want to entirely hive their domestic systems off from it.

---

In sum, central banks face a host of complicated decisions in how to bolt on messaging capabilities to their key settlement systems. SWIFTNet is a top notch network. However, too much SWIFT-related risk may be perceived as having negative implications for national security. For large nations with extensive banking industries, building a proprietary domestic messaging alternative seems to be the preferred option. It also seems to be the default choice for rogue states like Russia.

Another alternative is to fallback on using multiple independent networks for access, of which one is SWIFTNet, and thus mitigating exposure to SWIFT-related problems. This is the approach taken by Europe and the UK.

For smaller nations that comply with the global consensus, like Canada, the calculus is different. Building an alternative communications network is likely to be costly. The risk of sanctions and censorship are negligible while the benefits of using a high-quality ubiquitous network for both domestic and foreign payments messaging are significant. Given these factors, it may be worthwhile to bear all SWIFT-related risks and adopt the Y-copy model.

Monday, November 20, 2023

Is it legal to mix cash in a jar?

Chris Blec asks the following question:

Source: Twitter

Chris's premise is that it is "not illegal" for him to get together with a bunch of strangers to mix cash. But that's not quite right. It can be legal. It can also be illegal. To determine which it is, we need to understand the motivations of Chris and the other ten strangers. Why are they getting together to mix in the first place? Alas, Chris doesn't mention this in his tweet.

There are certainly all sorts of perfectly legal albeit quirky reasons to mix cash. We could imagine that Chris and ten other strangers are waiting for the bus, and to decide who goes first, they all put a $20 note into a jar, remembering their respective serial number. After the notes have been mixed, one note is taken out and whoever it belongs to wins. The notes are then given back. Nothing wrong with that.

On the other hand, if Chris and the other 10 strangers are mixing their cash because they want to conceal the source, then they need to be careful. They've taken one step down the path to engaging in money laundering.

The U.S. has several money laundering statutes. Below is part of one of the most contravened ones: 

Source: LII

As you can see, one of the key triggers for a money laundering conviction is making transactions that are designed to "conceal or disguise."

Even if Chris and the other strangers' motivations for mixing is to conceal the origins of their cash, that's not necessarily illegal. Before they reach the point at which they can be accused of having crossed the line over to money laundering, at least one of the strangers needs to contribute banknotes to the jar that are the "proceeds of specified unlawful activity." For argument's sake, let's say that one of the strangers contributes cash that they've earned from contract killing. Chris and the other 10 strangers are now a step closer to a potential money laundering indictment. 

Only one last criteria is lacking. Chris and the other strangers must participate in a "knowing" way. They must be aware that the property involved is criminally-derived. The most obvious example would be if one of the 10 strangers were to loudly announce just prior to putting their notes in the jar that the notes come from contract killing, and everyone hears this yet still participates. 

At this point, the three triggers have been met. Chris and the other strangers have acted in 1) a knowing way 2) to conceal 3) the actual proceeds of unlawful activity.

The state of "knowing" needn't be established in such an explicit fashion as the criminal announcing it loudly. For instance, even if the criminal says nothing, but Chris and the other participants suspect the possibility that dirty money is entering the jar, but they don't do due diligence, then they could be found guilty of money laundering. To demonstrate that they aren't knowing participants, Chris and the other strangers may have to take proactive measures, say like checking ID.

So Chris is right to say that mixing cash in a jar can be legal, but he incorrectly omits to say that it can also be illegal.

Having fleshed out Chris's premise, what about his conclusion? Can the jar-of-cash thought experiment teach us about the legality of crypto mixing methods such as custodial mixers, Tornado Cash, or CoinJoin? I'll let the readers work that one out on their own.

Thursday, November 16, 2023

Kraken v Kraken, or how to protect the public from crypto exchange failures


It's been a full year since FTX International and FTX-US collapsed, and the shocking thing is  there is still no regulated crypto venue in the U.S.! You'd think some lessons would have been learnt.

To best protect the public from the Sam Bankman-Frieds of the world, what the U.S. requires is securities-level oversight of crypto exchanges. Exchanges like Coinbase and Kraken are offering the sorts of investment services to the public that the U.S.'s main securities regulator, the SEC, is ideally positioned to regulate, such as trading, margin, custody, and market making. But one year after FTX's collapse, there doesn't appear to be a single SEC-regulated exchange.

The exchanges blame this on the SEC's lack of clarity. The SEC blames this on exchanges refusing to come in and register. God knows who's telling the truth.

Whatever the case, this intransigence only increases the odds that there'll be another U.S. crypto exchange collapse in the next few years, one that appropriate regulation could have otherwise prevented, or at least sheltered investors from the fallout.

What sort of protections am I talking about? After Canada suffered through the collapse of QuadrigaCX a few years back, and a bunch of Canadians like myself lost money, crypto exchanges were brought under the auspices of our existing securities regulatory framework, with a few nips and tucks to the rules to make them fit. This has led to a lot of changes that make Canadian crypto customers safer. I'm going to share the best example in this blog post.

Kraken is a well-known crypto exchange that serves both American and Canadian customers. However, if you're an American customers who uses Kraken, you possess a very different sort of asset than Canadian customers do.

Let's look at the fine print of the U.S. platform:

Source: Kraken's terms of service for U.S. customers

So in the U.S., asset are held "by us for you." That is, Kraken itself is doing the holding, safekeeping, or providing custody of crypto for its customers.

A key observation I want to make here is how fundamentally different this is from how standard regulated marketplaces function like the NASDAQ or the Toronto Stock Exchange. Traditional marketplaces offer a venue to trade assets, but they don't offer custody. If they tried to introduce this, their regulator would very quickly say no. I'll explain why below.

But first, let's head over to Kraken Canada. Once again, here's the fine-print:

Source: Kraken's terms of service for Canadian customers

What the underlined wording says is that if you're a Canadian, Kraken does not hold your crypto for you. That's very different from the U.S. Instead, Kraken says that customer crypto is deemed to be "custodial assets" and delegates your crypto to a "designated trust account at a Crypto Custodian." Bingo. There's the separation of trading from custody that I was talking about earlier, which aligns with standard practices for marketplaces.

Scan further through the fine print and you learn who that crypto custodian is: Anchorage Digital Bank:

Source: Kraken's terms of service for Canadian customers


Who is Anchorage? Anchorage is a federally-charted trust that is overseen by the Office of the Comptroller of the Currency, one of the key U.S. federal banking regulators. So if you hold some coins on Kraken, and you are an American, you own what is essentially a Kraken IOU, and you have to trust Kraken, but if you are a Canadian, you're effectively putting most of your trust in a federally charted financial institution. That's pretty stern stuff. 

Canadian securities regulators require all crypto exchanges operating in Canada to delegate at least 80% of customer crypto to a third-party custodian. (The other 20% can be held in a hot wallet for liquidity purposes.) Kraken doesn't appear to be doing this for its American customers, and that's because there's no U.S. regulator prompting it to do so. On top of requiring this separation, Canadian regulators stipulate that third-party custodians must be qualified. That is, they can't just walk in off the street. The custodian has to meet the regulator's standards, which requires having a Systems and Organization Controls (SOC) designation, and a bunch of other stuff too.

You can probably see by now that if you're a customer of Kraken, it's better to be Canadian than American, for the following reasons:

Anchorage is a federally-regulated financial institution and subject to strict oversight. Kraken U.S. is for the most part unregulated. No one is peering over its shoulder to check whether it is doing a good job safekeeping your coins.
Kraken has its fingers in a lot of different businesses, but Anchorage specializes on custody, and so it's probably better at the task.
Anchorage is independent from Kraken. This separation mitigates the risk of loss, theft, or misuse of assets by Kraken management. This is particularly salient in Kraken's case because it engages in many other business activities, such as trading or market-making, and these pose potential conflicts of interest.

In the future, one hopes that Kraken's U.S. exchange provides the same level of customer protection as Kraken's Canadian platform. But that's only go to happen if and when the SEC dictates a fundamental separation of crypto trading from custody, and whether U.S. crypto exchanges actually listen to the SEC.

Addendum (Nov 21): Talk about good timing. The SEC just announced that it is suing Kraken's U.S. entity for, among many other things, failing to segregate customer crypto assets and dollar balances. Segregation is different than third party custody. It basically means that customer property is kept separate from corporate property. This helps to prevent double-dipping. An exchange can make use of a third party custodian, for instance, but not segregate those funds into corporate and customer buckets. The combination of segregation and third-party custody is optimal.

By contrast, Canadian securities law clearly specifies that Kraken and any other Canadian exchange must already be segregating customers crypto and funds from corporate funds. In the regulators' own words, exchanges must keep customer property "separate and apart from its own property." This is in addition to the requirement that they use a third party custodian to store customer crypto and fiat. We can verify by reading Kraken's undertaking with Canadian regulators, in which it promises that it will be keeping customer crypto "separate and apart from its own assets."

Segregation is just one other low-hanging bit of customer protection that U.S. crypto exchanges should already have implemented, but probably won't until prodded by the government.


The next section is for pedants only, of which I'm embarrassed to be, which is why I'm putting this in very small print:

Kraken owns a U.S. bank. How does this fit into the story? Here are the details: In the U.S., the Kraken crypto exchange is really just the trade name for Payward Ventures. Payward Ventures is in turn a subsidiary of Payward, Inc. Payward, Inc has another subsidiary, Payward Financial, Inc, that owns a state-charted bank -- Kraken Bank. Notably, when you sign up as a customer of the Kraken crypto exchange, you are entering into a relationship with Payward Ventures, not Payward Financial. There is no indication in the exchange's terms of service that Kraken Bank is in any way involved in custody. Which seems... odd? Why wouldn't Kraken use its bank for custody?

When Kraken first applied to do business in Canada earlier this year, it said it wanted to use Kraken Bank as its custodian. Given that Kraken is in fact using Anchorage Bank as we speak, I suspect that Canadian regulators told Kraken: "Hey, guys. Kraken Bank is not sufficiently independent, you're going to have to use a third-party." And I suspect they were right about this.

Meanwhile, what about Canada's most popular exchange, Coinbase? Coinbase's Canadian terms of service doesn't indicate that it is using a qualified custodian. Customer assets are "held by the Coinbase Group for your benefit." Yeah, that's not going to fly with the regulators. I suspect that within a few months you're going to see it using a third-party like Anchorage, or its just going to leave Canada.

Tuesday, November 14, 2023

In praise of anti-money laundering thresholds

Two seemingly separate stories, a crypto and a banking story, have a common thread in anti-money laundering thresholds.

In the first story, the New York Times shows how regular folks are increasingly losing their bank accounts because their bank perceives them to be engaging in risky behaviour. In the second, the U.S. government has proposed an expansive new rule that would require financial institutions to report all customers who use cryptocurrency mixers to the government.

Anti-money laundering thresholds underpin what I'll call the Pragmatic Compromise between the government and citizens, albeit a tenuous compromise, for reasons I'll explain.

The U.S. government and its various law enforcement agencies have the ability to get full access to bank records for the purposes of fighting crime. They can do so directly, that is, without having to proceed through the standard process of convincing a judge to approve a warrant. This is an incredible amount of power to have. To counterbalance this, a compromise of sorts has been agreed to that limits the government's access to bank records. A number of key financial thresholds have been established, below which transactions are protected from surveillance.

The most well-known method the government has for accessing your personal financial information is the requirement that banks submit currency transaction reports, or CTRs (see below), every time someone withdraws or deposits paper money. Banks don't submit a report for all cash transactions. The threshold for submitting is set at $10,000. So if you withdraw $9,999, your name and address won't be reported to the government. If you withdraw $10,001, you'll lose the threshold's protection and will be reported.

The modern U.S. currency transaction report [source]
 

The U.S. has a long history of providing direct government access to banking records. The practice began in 1945 when Treasury Secretary Henry Morgenthau Jr, invoking war-time powers, issued an executive order (see below) instructing banks to begin reporting currency deposits and withdrawals made by the public. Known as TCR-1 forms, these reports were to be forwarded every month to the government with information about the cash amounts involved and the identification of the individual making the transaction.

Morgenthau's reporting requirement was motivated by the desire to stamp out black marketeering, writes Paul Camacho, which had emerged as a way to evade war-time rationing programs. But even though the war soon ended and rationing ceased, the practice of cash reporting continued through the 1950s and 1960s, albeit on what must have been legally dubious grounds now that it was peacetime.

Henry Morgenthau's 1945 executive order on currency reporting [source]

In 1970, the necessary legal formalization to justify the reporting of bank information was provided when Congress passed the Bank Secrecy Act, which encoded directly into law the requirement that banks record and report cash transactions, as well as legislating a set of extra recordkeeping and reporting requirements. Over the years, additional recordkeeping and reporting standards were added by Congress to the Bank Secrecy Act, including the 1994 requirement that banks screen for "suspicious" transactions and report them to the government by submitting a suspicious activity report, or SAR (see below).

While there's certainly a law & order case to be made for providing governments with direct (i.e. warrantless) access to financial records, there's a pretty clear set of reasons why society should want to limit this power. Allow too much access and banks will inevitably get bogged down in the expensive bureaucracy of filing reports, which can lead to accessibility problems as the accounts of customers deemed to be a compliance nuissance are terminated—especially the ones who tend to make riskier but legal transactions. There's also the crucial question of the public's right not to be be snooped on, especially without a warrant and probable cause.

Suspicious Activity Report form, introduced in 1995


The first legal challenges to the government's direct access to bank records only came in the mid 1970s. But after hearing these cases (California Bankers Association v. Shultz and United States v. Miller), the Supreme Court allowed the entire data collection apparatus to remain intact. The majority ruled that there was no expectation of privacy in bank records, and that the recordkeeping and reporting requirements imposed by the Bank Secrecy Act do not violate bank customers' constitutional rights.

With the public having no constitutional protections against direct government access to bank records, the lone remaining counterbalance is the various anti-money laundering thresholds.

Which gets us back to the New York Times article (we'll touch on the cryptocurrency further down). The reasons for the growing debanking problem that the Times article highlights is complicated, but I'd suggest that one driver is a steady deterioration of two key reporting thresholds at the heart of the Pragmatic Compromise.

The original $10,000 cash reporting threshold was set back in 1945 by Henry Morgenthau, a level that was ratified in 1972 after the passage of the Bank Secrecy Act. This level has never been adjusted. (Morgenthau also set a second and lower $1,000 threshohold, but this only applied when banknotes in denominations of $50 or higher were involved).

Alas, inflation has been steadily eating into each thresholds' real value. When the Bank Secrecy Act was passed, $10,000 was worth $75,000 in today's dollars. In Morgenthau's time it was equal to $173,000. Either way, when the data collection apparatus was first established and the Pragmatic Compromise reached, most people's day-to-day cash withdrawals and deposits would have been sheltered from reported requirements. With the passage of time and inflation, a much wider swathe of civilian cash transactions have lost the protection offered by Morgenthau's $10,000 threshold. That means more snooping. It also means more debanking. Rather than absorbing the growing compliance costs of having "risky" cash-reliant customers, banks are closing accounts.  

As for suspicious activity reports, when they were first legislated in 1994 the government subjected them to a $5,000 threshold, which is equal to around $10,000 today. With inflation having effectively destroyed half of the value of the threshold, more and more regular transactions are falling under suspicion. As the Times points out, suspicious customers don't make for good customers: "Multiple SARs often — though not always — lead to a customer’s eviction."

The Pragmatic Compromise that society came to decades ago is being poorly administered. To restore it, what is needed is a reasonably-sized one-time "catching up" of the various thresholds to account for at least part of the inflation that has occurred over the years, and then periodic adjustments to these levels each year to account for subsequent inflation. Maybe that'll solve some of the problems brought to light by the Times.

Now let's turn to the crypto story. In addition to the two classic anti-money laundering reporting requirements, CTRs and SARs, the U.S. government is now proposing a third reporting requirement: one for crypto mixing.

Last month, the government announced that it deems mixing of cryptocurrency to be of primary money laundering concern. Any U.S. financial institution that knows, suspects, or has reason to suspect that a customer's incoming or outgoing crypto transaction involves the use of a mixer will have to flag it and send a report to the government. That report must include information like the customer's name, date of birth, address, and tax ID.

The US Treasury's proposed rule for treating crypto mixing as a primary money laundering concern [link]

Notably, there are no thresholds to this proposed reporting requirement. Any customer crypto transfer with even just a whiff of mixing must be reported by financial institutions to the government.

In its proposal (it isn't final, yet) the government grants that there are "legitimate purposes" for mixing. What are they? I think the popular view of crypto is that it is anonymous, but this isn't quite right. Every bitcoin or ether transaction gets recorded on transparent databases. This makes them trackable by anyone. In some respects, crypto may be the least privacy-friendly financial medium ever created. Mixing your coins in a jumble along with other's coins is one of the ways to free oneself from this all-seeing eye, both for criminals who have stolen coins and regular folks who don't want their financial lives displayed for all to see.

Given that there can be licit reasons for mixing, and putting this in the context of the decades-old Pragmatic Compromise, precedent would seem to suggest that the government should include a reasonably-sized threshold for reporting crypto mixing. If this was set at, say, $10,000 (and then adjusted yearly for inflation), then a customer could in theory mix $8,000 worth of bitcoins and then deposit them at an exchange, and that exchange would not need to report the transaction and the person who made it. Go above $10,000, and the customer will end up in a government computer.

Without a reasonable threshold, the same phenomenon that the Times documents with respect to bank customers will happen to crypto users. A wave of deplatforming will hit as financial institutions close the accounts of any customer that betrays even a hint of risky activity, much of which might only appear to be mixing when it isn't.

The government has the capacity for changing its initial stance on thresholds. If you go back to the early 1970s when the Bank Secrecy Act's thresholds were set by executive order, the government initially proposed a $5,000 threshold. After the public provided comments and grievances were aired, the final rule compromised and pushed it up to $10,000.

Likewise for SARs.

The government's original 1995 proposed rulemaking for suspicious activity reporting included no thresholds. So even a $10 or $20 suspicious payment would have been reported to the government. In response to public push-back, the government admitted that its first version of the rule would impose a "burden of reporting," and in its final version it introduced a $5,000 threshold for filing a SAR, which the U.S. has to this day.

The government also granted in its 1995 SAR decision that the adoption of a threshold was intended to "conform the treatment of money laundering and related transactions to that of other situations in which reporting is required." This seems to me to be a pretty clear admission of the Pragmatic Compromise; that reasonably sized dollar thresholds are a standard element of any anti-money laundering reporting requirement. I don't see any reason why the government's 1995 olive branch for suspicious activity reporting should not be extended to crypto mixing.