Coinbase's response to the US Department of Treasury's rushed and unreasonable proposed crypto regulation

DocuSign Envelope ID: 2B89914B-3106-4125-BF3C-4AACB1C5D7D4
January 4, 2021
Policy Division
Financial Crimes Enforcement Network
P.O. Box 39
Vienna, VA 22183
Via Electronic Filing (www.regulations.gov)

Re: Docket No. FINCEN-2020-0020; RIN No. 1506-AB47
Dear Sir or Madam:
The Proposed Rule1 is bad regulation done poorly. It is a broad and novel regulatory
expansion that does not serve its stated purpose of preventing illicit transactions. The process
itself is fraught with an “us-versus-them” hostility to the industry’s views—as seen by the
breakneck schedule for a major rule, the thinness of Treasury’s justifications, and the lack of
meaningful engagement before the eleventh-hour holiday rulemaking. This is in stark contrast to
Treasury’s approach to past rulemaking that raises the same policy concerns. And Treasury
appears not to have considered at all the substantial privacy intrusion that the Proposed Rule
would impose on the public. Coinbase asks Treasury to withdraw the Proposed Rule and engage
in earnest with the cryptocurrency industry and the public on how to achieve its goals while
maintaining the integrity of the cryptocurrency ecosystem and protecting the privacy of its
users.2
Treasury provided a sum total of 15 days to comment on a 72-page notice of proposed

rulemaking, including a novel counterparty-identification and reporting requirement. This 15-day
period spans two federal holidays and two weekends. And the issues to consider are significant.
Despite Treasury’s assertion that this is a “targeted expansion of BSA reporting and
recordkeeping obligations,”3 the counterparty requirements in particular have no analogue in
traditional finance and raise privacy and security concerns that would normally trigger
significant deliberation and dialogue in the rulemaking process. More practically, these
requirements will be difficult, if not impossible, to implement at any point in the near future.
Treasury cannot expect to enact reasoned and responsible regulation by posing 24 complex
questions to the industry in a lightning-round notice-and-comment period. Treasury has received
over 5600 comments as of January 3. It is not realistic nor what we expect of sound rulemaking
for Treasury to address all these comments and the questions raised therein before the new
administration takes office.
1
Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital
Assets, 85 Fed. Reg. 83,840 (Dec. 23, 2020) (“Proposed Rule”).
2
Ex. A, 12/21/2020 Letter from P. Grewal to Director Blanco.
3
Proposed Rule at 83,841.
FinCEN Policy Division

January 4, 2021
Page 2
If Treasury will not agree to provide a real notice-and-comment period and engage in its
normal deliberative procedures, as it must by law, Coinbase submits the following Comment to
explain why the Proposed Rule not only fails to achieve its stated goals but also imposes
unnecessary and substantial costs.
● The 15-day period violates the Administrative Procedure Act. Treasury does
not seriously justify the Proposed Rule’s irregular process on national security or
foreign-policy grounds—nor can it. Providing any notice-and-comment period is
inconsistent with a looming foreign threat, which Treasury fails to explain (let
alone tie to the rule itself). The truncated comment period is inconsistent with
other Treasury regulations with 30- or even 60-day notice-and-comment periods,
many of which Treasury justified on the very same grounds that it says now
support an abbreviated timeline to comment on this Proposed Rule. We want to be
absolutely explicit: Coinbase has not had enough time to analyze this Proposed
Rule, let alone identify and then comment on all the issues the Rule raises. If we
cannot do that, then there is no way that smaller cryptocurrency companies and
members of the public have had a real opportunity to do so either.
● The Proposed Rule is impermissibly vague. The Proposed Rule at best partially
identifies what information cryptocurrency exchanges have to collect from their
customers’ counterparties—giving unfettered discretion to Treasury to later add
requirements (“as well as other counterparty information the Secretary may
prescribe”). There are also significant disconnects between the Proposed Rule’s
preamble and the language of the rule itself. For all the discussion in the preamble
of “unhosted wallets,” the actual Proposed Rule does not even use the term and
instead simply applies to cryptocurrency transactions of a certain value with
proscribed carve outs. The Proposed Rule also ignores how the technology
underlying the blockchain makes certain requirements, like counterparty “names
and physical address,” not possible for certain segments of cryptocurrency
transactions. And the period of time for comments is itself vague—the Federal
Register shows conflicting due dates.
● The Proposed Rule imposes unnecessary, expansive privacy invasions on the

public. Treasury also says nothing—literally—about how the Proposed Rule’s
drastic expansion in financial surveillance will impact individual privacy. As a
result of the Proposed Rule, counterparty name, physical address, and other
undefined information at the Secretary’s discretion would be collected (and in
certain cases, reported) for possibly hundreds of thousands of additional people
engaged in cryptocurrency transactions. This information would be collected as a
matter of course—not in response to any suspicious behavior whatsoever. Despite
being in the midst of the largest cybersecurity breach in American history,
Treasury wants to host more financial information on American citizens and
international individuals. Creating a Treasury managed stockpile of name and
address information tied to a public key on a blockchain presents real risks to
privacy and safety and an even more attractive target for hackers. Treasury need

January 4, 2021
Page 3
look no further than the recent Ledger hack and subsequent phishing, fraud, and
extortion attempts to explain why it is such a glaring omission that Treasury fails
to justify this intrusion and risk with any real tangible benefit gained from the
proposal. The threats posed by a Treasury managed store of personal information
are not even addressed in the Proposed Rule.
● Treasury will not use the new information it collects. In exchange for these
risks, the Proposed Rule will simply create a new pile of transaction information
that Treasury does not use. It is an open secret that Treasury has more information
than it can ever use to investigate financial crimes and that large swaths of
currency transaction reports (CTRs) are never examined.4 For a decade, the
Internal Revenue Service (IRS) Inspector General has been saying as much—yet
reams of reported transaction data still go unused.5 Treasury does not identify any
gaps in the currency recordkeeping and reporting regulations that the Proposed
Rule would fill. In fact, Treasury’s recitation of statistics in the Proposed Rule
shows the opposite. This is a regulatory solution in search of a problem.
● The Proposed Rule is not technology neutral. The Proposed Rule violates
Treasury’s stated policy of technology neutrality. The Proposed Rule places
unique (and uniquely challenging) requirements on cryptocurrency transactions.
There are no recordkeeping requirements for fiat transactions of $3,000 or more
between banks and individuals. Fiat transactions over $3,000 do not require a
bank to affirmatively obtain a counterparty’s name and address. A person does
not have to say to whom she will transfer a traveler’s check when she buys one
from a bank. Cryptocurrency exchanges alone will have recordkeeping
requirements on interactions with individuals transacting over $3,000.
Cryptocurrency exchanges alone will be required to affirmatively seek out
counterparty information, regardless of the technological hurdles in the way. And
cryptocurrency exchanges alone will be required to report counterparty name and
address to Treasury on transactions over $10,000, which is not required when
filing CTRs on fiat.
● The Proposed Rule fails to provide the purported benefit. The irony of the
Proposed Rule is that, in the face of all these risks and costs, Treasury has not
identified much less demonstrated any benefits that outweigh the very real costs.
The Proposed Rule will not stop any specific transactions—it is not a blocking
regulation and just requires recordkeeping or reporting of transactions that are not
otherwise suspicious. Regulated exchanges are already required to file reports on
suspicious activity and already respond to lawful law-enforcement requests for
information. There is a striking silence from law enforcement about this in the
4
TIGTA, The Internal Revenue Service Still Does Not Make Effective Use of Currency
Transaction Reports, ref. no. 2018-30-076 (Sep. 21, 2018).
5
See infra at Section V.

January 4, 2021
Page 4
Proposed Rule, in the preamble itself and in the public discussion since the notice
issued. If the point is to aid law enforcement, then Treasury must show that it has
heard and considered law enforcement’s actual views. Nothing in the preamble
demonstrates any such consideration, which begs the question whether law
enforcement’s opposition to this Proposed Rule has been ignored.
● The costs of the Proposed Rule are substantial, unknown, and have gone
unassessed by Treasury. The costs of implementing the Proposed Rule far
outweigh any purported benefits. In the first place, Coinbase has to build new
mechanisms to comply. Blockchains reflect transactions between public keys—
not people. Any technical fix to comply with the Proposed Rule will take time to
develop, as will designing the best system to store and protect the non-customer
counterparty information that the Proposed Rule novelly mandates. Further, while
the estimated known costs will be substantial, because Treasury has the unfettered
discretion to add further requirements and collect further information, the ability
for Coinbase, much less the industry as a whole, to estimate the implementation
costs cannot be known.
The Proposed Rule would fail to solve the stated problems and instead would impose
significant costs on the industry and the public, disadvantaging U.S. businesses with no
meaningful regulatory or law enforcement benefit. The novel counterparty collection and
reporting requirements are the most obvious example of Treasury’s failure in deliberative
rulemaking, imposing burdens on the cryptocurrency industry and our customers far beyond the
requirements imposed on traditional finance, raising real privacy and security concerns for the
public yet receiving zero words of consideration from Treasury, and simply creating challenging
implementation issues that remain unaddressed. But the Proposed Rule as a whole, including its
haste, demonstrates woefully insufficient consideration of the industry and technology being
regulated. Any one of the considerations above warrants abandoning the Proposed Rule
altogether—we urge Treasury to do just that.
I. Background: Coinbase And Cryptocurrency
A. As An Industry Leader, Coinbase Has Long Supported Reasonable

Regulation Developed Through A Fair Process
Coinbase is the largest cryptocurrency exchange in the United States. Coinbase customers
can buy, sell, store, use, and earn cryptocurrency, such as Bitcoin. Since our founding in 2012,
Coinbase has more than thirty-five million verified customers who have traded more than $320
billion dollars in assets. On an average day, Coinbase handles over 90,000 transactions for its
customers. Coinbase employs more than 1,000 people. We are proud of our leadership within the
cryptocurrency industry, and we take seriously the responsibilities that come with that
leadership, including advocating for regulation that makes sense and a rulemaking process that is
fair.
Central to Coinbase’s mission is to earn and maintain our customers’ trust.

Cryptocurrencies are a revolutionary asset class, delivering new stores of value and the necessary

January 4, 2021
Page 5
infrastructure for a distributed and secure economy. Our success depends on customers having
the peace of mind that their assets are secure. Coinbase does that by ensuring that its customers
can safely invest in and trade cryptocurrencies without concern that their assets will be lost or
stolen.
Reasonable regulation plays a central role in earning this trust. For years, we have seen
our regulatory compliance as central to the value we offer to our customers and the industry.
Providing a safe and compliant exchange ensures that cryptocurrency technology continues to
grow and develop—supporting new technologies built on the blockchain and expanding broader
cryptocurrency access. We have developed robust anti-money laundering (AML) and Know
Your Customer (KYC) programs designed to protect the exchange from bad actors and protect
our customers. We have developed and continue to invest in technological tools to screen our
transactions to ensure that people are not using Coinbase’s exchange to support terrorism, bypass
restrictions on banned jurisdictions, or support criminal enterprises.
Coinbase has long worked closely with the United States Congress, Treasury and other
agencies, and governments around the world to develop regulations that nurture and wisely steer
our growing industry. We have commented on several proposed Treasury regulations, providing
(and often organizing) industry insight to allow Treasury to craft effective regulations for the
burgeoning industry.6 We regularly meet with Treasury officials to provide our views on
proposed policy, guidance, or Treasury action.7 For years, we have complied with lawful law-
enforcement requests for information to investigate crimes. Coinbase fully supports reasonable
and effective regulation that is developed with the input and coordination of industry members
and other stakeholders to deepen the trust in a new industry. That is what we are asking for here.
B. Cryptocurrency And Blockchain Technology Require Unique Consideration

In Rulemaking
The Proposed Rule ignores certain basics of blockchain technology, even though these
features are directly implicated by the Proposed Rule’s reporting and recordkeeping
requirements.
A blockchain is in many ways a type of ledger or database, but unlike traditional ledgers,
there is no need for a central authority to maintain it. Instead, the ledgers are public, distributed,
and immutable: anyone can download the ledger and see the entire history of every transaction
that has ever occurred on a given blockchain. That public history is an essential feature of a
blockchain because it ensures that a counterparty in fact possesses the digital asset that is being
6
Letter from P. Grewal to A. Misback et al., Federal Reserve Docket No. R-1726, RIN 7100-
AF97, Nov. 27, 2020.
7
USDT, A Financial System That Creates Economic Opportunities: Nonbank Financials,
Fintech, and Innovation, July 2018, https://home.treasury.gov/sites/default/files/2018-08/A-
Financial-System-that-Creates-Economic-Opportunities---Nonbank-Financials-Fintech-and-
Innovation.pdf.

January 4, 2021
Page 6
transacted. The result is that transactions can occur remotely without an intermediary vouching
for either party.8
The distributed ledger only works because of cryptography. At the core of cryptocurrency
are private keys, complex and secret numbers used by an individual transacting on the
blockchain. A private key is mathematically linked to a public key, which is the address that
others can use to transact with that individual.9 Therefore, a distributed ledger is really just the
history of transactions between public keys. A transaction occurs if the private key associated
with the public key cryptographically signs off on the transaction. But other than the owner, no
one else viewing the blockchain can figure out the private key by looking at the public key.10
As a result of the use of cryptographic math to secure the blockchain, individual users are
pseudonymous. The public blockchain does not indicate that a Coinbase wallet transacted with a
PayPal wallet and does not openly disclose the identities of the individuals transacting. Exposing
this sensitive information on a public ledger would violate core privacy interests. When
onboarding new customers, Coinbase and other exchanges employ a user interface to collect this
personal information. Coinbase is only able to do so because its customers establish that trusted
relationship with Coinbase. There is no information on the public blockchain that lets Coinbase
or other exchanges go in the other direction—that is, reach out to some participant on the
blockchain to collect personal information. Further, there are privacy reasons why law-abiding
individuals would be reluctant to give this information to any third party, including Coinbase.
Because the public ledger contains the entire history of every transaction on that blockchain,
connecting a name and address to a public key could allow that third party to recreate that public
key’s entire transaction history. That type of access to an enormous amount of personal
information has no corollary in traditional finance. Notably, the Federal Trade Commission
warns against providing personal information in response to seemingly legitimate inquiries for
much less information.11
The Proposed Rule does not reckon with these unique and fundamental aspects of
cryptocurrency. To the contrary, in the Proposed Rule, Treasury asks the public whether it
should impose the additional requirement that exchanges must verify counterparty information.
But how does Treasury propose that Coinbase and others verify counterparty information from
strangers when the blockchain is pseudonymous? How could any exchange affirmatively reach
out to unknown people to seek their names and physical addresses and how is verification even
8
For a general overview of blockchain technologies, see C. Jaikaran, Blockchain: Background
and Policy Issues, Congressional Research Service, at 1-2, Feb. 28, 2018,
https://fas.org/sgp/crs/misc/R45116.pdf.
9
Id.
10
Id.
11
Federal Trade Commission, Scams And Your Small Business: A Guide For Business at 3
(May 2018) (“Remember that email addresses and websites that look legitimate are easy for
scammers to fake.”), https://www.ftc.gov/system/files/documents/plain-
language/scams_and_your_small_business.pdf.

January 4, 2021
Page 7
feasible? How could a Coinbase user even do that? Has Treasury fully evaluated the risk of fraud
that could occur if bad actors contact (or even engineer transactions with) others precisely to
fraudulently obtain name and address information associated with a public key?
II. Treasury’s 15-Day Notice-And-Comment Period Is Unlawful
Treasury’s 15-day notice-and-comment period is woefully inadequate for the regulated

community and the public to discuss the broad proposed expansion in recordkeeping and
reporting. The only plausible reason for the abbreviated comment period now is to rush through
significant regulation before the administration changes in a matter of days. The APA exists to
protect against this type of effort to short-circuit the rulemaking process by affording interested
parties a “reasonable opportunity to participate.”12 “Notice and comment are not mere
formalities” that can be dispensed with for political expediency.13 On the contrary, “[t]he
essential purpose of according § 553 notice and comment opportunities is to reintroduce public
participation and fairness to affected parties after governmental authority has been delegated to
unrepresentative agencies.”14
Treasury’s excuses for depriving the public of a meaningful notice-and-comment period

for the Proposed Rule fail at every level. And the rush comes at a real cost. Coinbase, our
industry, and the public have not had enough time to assess the Proposed Rule, let alone
provide comments that fully reflect our expertise, our questions, and our concerns. No
reasonable or fair rule on this subject could be crafted under these circumstances.
A. Treasury’s Rationale For The Truncated Notice-And-Comment Period Is

Internally Inconsistent
The brief notice-and-comment period appears calculated to put a sheen of process over
what is otherwise a foregone conclusion. The incoherence of Treasury’s justification for such an
unusually short period proves as much. Treasury claims that the abbreviated period is appropriate
because of “national security imperatives.”15 Of course those imperatives are never specifically
identified. Then two paragraphs later, Treasury says those same imperatives also mean that no
notice-and-comment period was required at all. If national security issues were in fact pressing,
Treasury would not have provided even the meager 15-day notice-and-comment period.
Likewise, Treasury fails to explain why national security imperatives are preserved through a 15-
day notice-and-comment period spanning Christmas and New Year’s Day but would come to
fruition in days 16 through 60. Does Treasury expect bad actors to take the holidays off but not
the regulated community?
12
Forester v. CPSC, 559 F.2d 774, 787 (D.C. Cir. 1977); 5 U.S.C. § 553(b), (c).
13
Nat. Res. Def. Council v. Nat’l Highway Traffic Safety Admin., 894 F.3d 95, 115 (2nd Cir.
2018).
14
Batterton v. Marshall, 648 F.2d 694, 703 (D.C. Cir. 1980).
15

January 4, 2021
Page 8
The fact that Treasury provided notice and comment at all is evidence that Treasury
knows: first, it cannot meet the demanding burden of an exception to the APA required comment
period; and second, there is no national security issue here so urgent and temporally unique that
allows for 15 days of notice and comment but not the standard 60 days. The truth is that nothing
has changed recently in the national security profile to justify a rush now.
B. Treasury Has Failed To Establish A Legitimate Reason For Bypassing Notice

And Comment
The APA strictly limits when agencies can curtail the public’s procedural right to a full
substantive hearing on a proposed rulemaking. These exceptions apply only when the sovereign
interests of the United States are at issue (the “foreign affairs exception”) or where notice and
comment would defeat the purpose of the rule (the “good cause exception”). The Proposed Rule
does not qualify for either exception.
1. The Foreign Affairs Exception Does Not Apply
Treasury first tries to defend its 15-day notice and comment period by arguing that it
need not engage in any notice-and-comment because the “foreign affairs” exception applies.
Courts have expressly rejected such a broad reading of the “foreign affairs” exception—“to be
covered by the foreign-affairs function exception, a rule must clearly and directly involve
activities or actions characteristic to the conduct of international relations.”16 “[T]he exception
covers scenarios in which a rule implements an international agreement between the United
States and another sovereign state. Indeed, that is the only circumstance to which the D.C.
Circuit has applied it.”17 The House and Senate Reports interpreting the APA are equally
demanding. The exception applies to “only those ‘affairs’ which so affect relations with other
governments that, for example, public rulemaking provisions would clearly provoke definitely
undesirable international consequences.”18
The Proposed Rule does not involve the conduct of international relations and it makes
no attempt to explain how providing notice and comment would clearly “provoke definitely
undesirable international consequences.” The Proposed Rule regulates private transactions, not
international relations or the country’s relationship with foreign governments. At most, the only
16
Capital Area Immigrants’ Rights Coal. v. Trump, 471 F. Supp. 3d 25, 53, 55 (D.D.C. 2020)
(“[I]t is worth pointing out that . . . Congress’s use of the word ‘function’—instead of, say,
‘effects’ or ‘implications’—prevent the foreign affairs function exception from swallowing the
proverbial rule.”).
17
Id. at 54.
18
Senate Committee on the Judiciary, “Administrative Procedure Act: Legislative History,” S.
Doc. No. 248, 79th Cong., 2d Sess., at 19 (1947). (emphasis added); see also City of New York v.
Permanent Mission of India to United Nations, 618 F.3d 172, 202 (2d Cir. 2010) (“This
approach accords with Congress’s admonition in the legislative history of the APA not to
interpret the phrase “‘foreign affairs function’ . . . loosely . . . to mean any function extending
beyond the borders of the United States.”).

January 4, 2021
Page 9
aspect of the Proposed Rule that relates to matters outside the United States is that foreign
individuals may transact cryptocurrencies. That falls well short of satisfying the foreign affairs
exception. Mast Indus., Inc. v. Regan, 596 F. Supp. 1567, 1581 (Ct. Int’l Trade 1984) (“The
exception cannot apply to functions merely because they have impact beyond the borders of the
United States.”).
2. The Good Cause Exception Does Not Apply
Likewise, Treasury has failed to properly invoke the “good cause” exception to the APA.
The “good cause” exception allows an agency to forgo notice and comment if “the agency for
good cause finds” that compliance would be “impracticable, unnecessary, or contrary to the
public interest.”19 As with the “foreign affairs” exception, the legislative history of the APA is
clear that the “good cause” exception to the APA is not an “escape clause.”20 Courts have
likewise set a “high bar for satisfying good cause” because otherwise the exception would be the
rule.21
Treasury claims the “good cause” exception applies because “a longer period of public
comment is not necessary and would frustrate the objectives of the rule by unduly delaying
implementation of measures to curb illicit finance and threats to United States national
interests.”22 Not wanting to delay implementation of a rule is not “good cause.” The APA
required delay for public participation must “frustrate the objectives of the rule,” not just the date
of implementation, in order to satisfy the “high bar” of good cause. Treasury offers nothing in its
preamble to suggest that is the case, and courts will not endorse an agency’s declaration of “good
cause” when agencies fail to provide evidence of potential harm beyond their own predictions.23
The content of the Proposed Rule also suggests the opposite. Recording and reporting
requirements do not necessarily prevent any transactions from happening, whether it goes into
effect immediately in 15 days, 30 days or 60 days. Tellingly, Treasury has previously allowed 60
days for notice-and-comment for recordkeeping regulations even where it justified the proposed
regulation on national security grounds or to prevent money laundering.24
19
5 U.S.C. § 553(b)(B).
20
Senate Committee on the Judiciary, Administrative Procedure Act: Legislative History, Senate
Document 248, 79th Congress, 2nd sess. (1946). See, e.g., DOJ, Attorney General’s Manual on
the Administrative Procedure Act, pgs. 30-31 (1947) (“a situation is ‘impracticable’ when an
agency finds that due and timely execution of its functions would be impeded by the notice…
‘Unnecessary’ refers to the issuance of a minor rule…[and] ‘Public interest’ connotes a situation
in which the interest of the public would be defeated by any requirement of advance notice.”).
21
Capital Area Immigrants’ Rights Coal. v. Trump, 471 F. Supp. 3d 25, 45 (D.D.C. 2020).
22
23
See Tennessee Gas Pipeline Co. v. Fed. Energy Regulatory Comm’n, 969 F.2d 1141,1146
(D.C. Cir. 1992); Capital Area Immigrants’ Rights Coal., 471 F. Supp. 3d at 48.
24
79 Fed. Reg. 45,151 (Aug. 4, 2014).

January 4, 2021
Page 10
Coinbase does not deny the importance of national security and the integrity of the
financial system as a general matter. But Treasury cannot forgo notice and comment on its say-so
alone. There must be an actual, identified emergency. Here, Treasury’s justification for the
truncated notice-and-comment period falls short. Treasury claims that “CVCs are used in illicit
financial activity that presents substantial national security concerns” without any support or
citation.25 Treasury claims that “malign actors are increasingly using CVC to facilitate” illicit
activity, but cites only to a 2017 indictment and two press releases (one covering a 2019 speech
by an administration official).26 None of these identify much less demonstrate an “increase” in
use of CVC by malign actors. The single indictment is not only more than three years old, but
also relates to transactions controlled by a drug bazaar—not a pattern of increasing criminal
activity connected to regulated cryptocurrency exchanges. Treasury also cites two articles on
ransomware attacks and blackmail, which do not involve financial institutions let alone implicate
any emerging national security issues that will be prevented through stricter reporting
requirements issued without an adequate comment period.27 Even the 2020 Department of
Justice report on cryptocurrency fails to identify any new or increasing national security
concerns that require new reporting or recordkeeping, and instead notes the benefits of existing
regulations.28 Last, Treasury summarily concludes there “may be gaps” in the current recording
and recordkeeping system.29 But “may” does not equate to any actual gap. None of this amounts
to an urgent need for greater recordkeeping of regulated cryptocurrency exchanges. Even
assuming otherwise, then by providing any notice and comment at all, Treasury has defeated its
own argument that it has “good cause” to forgo notice and comment. The 15-day comment
period has already given illicit actors the ability to move their funds before a new regulation is in
place.
25
26
Id. at 83,841-42.
27
Id.
28
DOJ, Cryptocurrency: Enforcement Framework, Report of the Attorney General’s Cyber
Digital Task Force at 24-25 (Oct. 8, 2020),
https://www.justice.gov/ag/page/file/1326061/download.
29

January 4, 2021
Page 11
C. Treasury Has Abandoned Its Own Standard Practices For Rulemaking,

Singling Out And Harming Cryptocurrency Users
The entire process leading up to the notice of proposed rulemaking, as well as the not-
quite 15-day notice-and-comment period, is wholly inconsistent with past Treasury
rulemaking—imposing enormous burdens on the cryptocurrency industry, and ultimately the
public who use cryptocurrency, that Treasury has never imposed on traditional finance.
Traditionally, the appropriate period for notice and comment under the APA is 60 days,
as evidenced by two Executive Orders,30 the Administrative Conference of the United States,31
and the Office of the Federal Register.32 When a proposed rule impacts a substantial area of
commerce, notice-and-comment periods are often extended beyond the traditional 60-day period,
not shortened.33 Treasury recently reiterated this principle when it wrote that two other
government agencies should “make their rulemaking processes more transparent and incorporate
. . . public input as appropriate.”34
For example, Treasury’s Customer Due Diligence Requirements for Financial Institutions
bear some similarity to the Proposed Rule. There, FinCEN proposed increased customer
identification as a means to “combat[] all forms of illicit financial activity,” just as it claims to be
doing here.35 But unlike the Proposed Rule, FinCEN provided the traditional 60 days for
30
Exec. Order No. 13,563, 76 Fed. Reg. 3,821 (Jan. 18, 2011) (“To the extent feasible and
permitted by law, each agency shall afford the public a meaningful opportunity to comment
through the Internet on any proposed regulation, with a comment period that should generally be
at least 60 days”); Exec. Order 12,866, 58 Fed. Reg. 51,735 (Sept. 30, 1993) (“[E]ach agency
should afford the public a meaningful opportunity to comment on any proposed regulation,
which in most cases should include a comment period of not less than 60 days”).
31
Stating that for “significant regulatory actions”—of which the Proposed Rule is one—
“agencies should use a comment period of at least 60 days.” Admin. Conf. of the U.S.,
Recommendation 2011-2, Rulemaking Comments, 76 Fed. Reg. 48,789 at 48,791 (June 16,
2011).
32
“In general, agencies will specify a comment period ranging from 30 to 60 days.” See
https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf.
33
Id. “For complex rulemakings, agencies may provide for longer time periods, such as 180 days
or more.”
34
USDT, A Financial System That Creates Economic Opportunities Capital Markets (Oct.
2017).
35
79 Fed. Reg. 45,151. For additional examples of proposed rulemakings under FinCEN’s
authority pursuant to the BSA where FinCEN provided 60 days, see (i) Amendments to the
Definition of Broker or Dealer in Securities, 81 Fed. Reg. 19,086 (Apr. 4, 2016); (ii) Customer
Identification Programs, Anti-Money Laundering Programs, and Beneficial Ownership
Requirements for Banks Lacking a Federal Functional Regulator, 81 Fed. Reg. 58,425 (Aug. 25,
2016); and (iii) Definition of “Monetary Instrument,” 76 Fed. Reg. 64,049 (Oct. 17, 2011).

January 4, 2021
Page 12
comments. FinCEN justified the proposed customer due-diligence requirement using the same
rationale set forth in the Proposed Rule: addressing “national security interests”; preventing
money-laundering; and assisting law enforcement.36 Yet FinCEN offered a notice-and-comment
period four times longer than what is proposed here. FinCEN also provided industry with an
advanced notice of proposed rulemaking, 37 and after comments, held five public hearings where
the regulated community could express views on the proposed rulemaking itself.38 FinCEN noted
that “[t]hese discussions were critical in the development of the Notice of Proposed
Rulemaking.”39 After the comment period to the proposed rule, in which FinCEN received just
129 comments, FinCEN took more than a year-and-a-half to issue the final rule and then gave
financial institutions two years to implement the required changes to comply with the final rule.40
There is absolutely no analysis in the preamble to support treating the cryptocurrency industry
worse than the traditional finance industry.
Allowing for a more reasoned discussion surrounding a proposed rule has long been
Treasury’s norm. The following rules likewise provided a more traditional notice-and-comment
period to implement similar regulations:
● “Threshold for the Requirement To Collect, Retain, and Transmit Information on Funds
Transfers and Transmittals of Funds” – 30-day comment period.41
● “Customer Identification Programs, Anti-Money Laundering Programs, and Beneficial
Ownership Requirements for Banks Lacking a Federal Functional Regulator” – 60-day
comment period.42
● “Amendments to the Definition of Broker or Dealer in Securities” – 60-day comment
period.43
● “Amendment to the Bank Secrecy Act Regulations; Defining Mutual Funds as Financial
Institutions” – 90-day comment period.44
● “Bank Secrecy Act Regulations: Definition of “Monetary Instrument” – 60-day comment
period.45
36
79 Fed. Reg. 45,151.
37
77 Fed. Reg. 13,046 (Mar. 5, 2012).
38
Id.
39
81 Fed. Reg. 29,398 (May 11, 2016).
40
See https://www.regulations.gov/document?D=FINCEN-2014-0001-0001.
41
85 Fed. Reg. 68,005 (Oct. 27, 2020).
42
81 Fed. Reg. 58,425.
43
81 Fed. Reg. 19,086.
44
75 Fed. Reg. 19,241 (Apr. 14, 2010).
45
76 Fed. Reg. 64,049.

January 4, 2021
Page 13
● “Amendment to the Bank Secrecy Act Regulations—Definitions and Other Regulations

Relating to Money Services Businesses” – 120-day comment period.46
Even these longer periods are sometimes insufficient to adequately evaluate proposed
financial regulation under the Bank Secrecy Act (BSA). Treasury previously expressed a
willingness to extend a 30-day period to 60 days “in order to allow interested parties more time
in which to comment on the proposals in the [Prepaid Access notice of proposed rulemaking].”47
The same rationale applies here, especially where Treasury announced the Proposed Rule during
the holiday season and truncated the notice-and-comment period to a quarter of what is
customary.
Treasury’s stated excuse—that it “directly engaged with the cryptocurrency industry on

multiple occasions and in a variety of formats”—is disingenuous at best. These meetings were
not open to the public and are not a substitute for a proper and meaningful notice-and-comment
period open to all interested parties under the APA. Also, the actual content of a Proposed Rule
was never discussed in a single meeting. Rather, as Treasury notes, the topic of the meetings was
“AML risks” generally.48 No one outside of Treasury knew what the Proposed Rule was going to
be until Treasury released the Notice on Friday, December 18th. And no one has had the
opportunity to discuss the issues in this Notice with Treasury prior to the paltry 15-day notice
and comment period.
Treasury needs to provide more time not just for comments, but to draft reasoned
regulation. As discussed throughout this comment, there are a host of factors that Treasury has
not considered that make the Proposed Rule unnecessary or counterproductive. If given the time
and a dialogue with industry, Coinbase believes that Treasury would realize the fatal limitations
in the Proposed Rule. To that end, Treasury cannot implement the Proposed Rule in the
timeframe it has provided—as a matter of law or good public policy.
How does Treasury distinguish what it has done here from earlier, longer notice-and-
comment periods for regulations implementing the BSA? What has prevented Treasury from
giving notice of the Proposed Rule at any time in the past year and prior to the holidays? How is
this rulemaking consistent with Treasury’s exhortation to agencies to make rulemaking more
transparent and public? What rules has Treasury proposed for the regulation of fiat currencies
that are on the same or similar truncated schedule as this Proposed Rule? How does Treasury
justify treating the cryptocurrency industry and the individuals who use cryptocurrency so
differently than traditional finance, and when will the cryptocurrency industry be given a chance
to address that justification if it exists?
46
74 Fed. Reg. 22,129 (May 12, 2009).
47
75 Fed. Reg. 41,788 (July 19, 2010).
48

January 4, 2021
Page 14
D. Treasury’s Shortened Notice-And-Comment Period Harms The Industry

And The Public
No matter the rationale, the 15-day notice-and-comment period is extraordinarily

insufficient here, especially given the timing and scope of the Proposed Rule.
First, the timing of the Proposed Rule is the opposite of what Coinbase has come to
expect from FinCEN. It is a blatant disregard of the procedural rights ensured by the APA to:
● Release by press release a Proposed Rule after 5pm EST the Friday
before Christmas;
● Give only 15 days from the date of the press release, not even the date
of publication in the Federal Register, to comment;
● Time that comment period so that it covers Christmas Eve, Christmas
Day, New Year’s Eve, and New Year’s Day;
● Allow only six business days for comment following publication in the
Federal Register (two of which are holiday-eves);
● Schedule the notice-and-comment period during the beta-testing of a
new Regulations.gov website, making it harder for members of the
public to comment and harder for organizations to inform the public
about how to comment;
● Ask for comments on a regulation and the answers to twenty-four
complex questions that will impact (at least) hundreds of millions of
dollars in transactions during a period when most businesses are
quieting down for the holidays and many employees are using their
vacation days to spend time with family, not to mention during a global
pandemic.
This schedule is made worse by the disorganization with which the process is being
handled. The comment deadline is inconsistent in the various documents seeking comment. The
Proposed Rule lists January 4th as the date for receiving comments.49 As published in the Federal
Register, however, the Proposed Rule provides conflicting dates for comment—either January
4th or January 7th.50 The ongoing beta testing for a new technical system being performed on
Tuesdays and Thursdays on a new website for receiving comments adds to the confusion.51 What
is Treasury doing to ensure that there are no missed comments based on the technical
development that is underway on Regulations.gov? And what will Treasury do if it receives
49
50
Compare 85 Fed. Reg. 83,856 (“Comments are welcome and must be received by January 7,
2021.”) with id. at 83,841 (“Written comments on this proposed rule may be submitted on or
before January 4, 2021.”).
51
Regulations.gov, https://beta.regulations.gov (“Regulations.gov will redirect users to
beta.regulations.gov on Tuesdays and Thursdays for 24 hours starting at 8am ET. Please note
that all comments submitted through Beta, both during the redirect and regular operations, are
provided to agencies.”).

January 4, 2021
Page 15
comments from the public who have relied on the later comment date contained in the Federal
Register? How is Treasury making sure that the general public is aware of the truncated
comment period when there are such serious privacy issues at stake?
Second, the Proposed Rule asks for industry feedback on twenty-four separate questions
that require substantial technical and legal resources to answer. Given the time of year, Coinbase
does not have access to all of its resources in a truncated 15-day period. Many businesses also
have important year-end responsibilities that cannot be pushed off or dealt with later, and so
many businesses may be forced to decide between having their voices heard on an important,
groundbreaking regulation or completing necessary year-end tasks. Coinbase has worked hard to
try to answer as many of Treasury’s questions as possible in this incredibly short time period,
and on limited resources. But even with this effort, Coinbase needs more time just to assess the
proposed rule, let alone properly investigate and answer the questions Treasury raises, plus
several others that Treasury has not asked. The short schedule makes it impossible for Coinbase
to give full consideration and respond to these 24 questions in time. Most cryptocurrency
companies (not to mention the public) cannot be expected to respond in such a short timeframe.
How will Treasury evaluate the questions it has posed, presumably because they need to be
considered as part of a proper rulemaking process, when they cannot yet be properly considered
and answered by a broad swath of the industry?
These open questions underscore the substantial and legally untenable prejudice the
truncated comment period has imposed on Coinbase, our industry, and the public.
III. The Proposed Rule Is Impermissibly Vague
In its haste to regulate before the end of the current administration, the Proposed Rule
contains several vague provisions that do not properly put the public on notice of what the
industry must even do to be compliant.
First, Treasury fails to specify all of the information that cryptocurrency exchanges will
have to include when filing the new reports, even though they are “designed” to be analogues to
currency transaction reports (CTR). The Proposed Rule instead requires the reporting be done
using a “form prescribed by the Secretary” that includes “the name and address of each
counterparty, and such other information as the Secretary may require.”52 The industry cannot
meaningfully provide feedback on the feasibility or desirability of reporting requirements when
the Proposed Rule will not say precisely what reporting is required or what format the form will
take. Now is the time to identify the “information [that] the Secretary may require” so that the
public can weigh in, not after the rule has legal effect. As written, the Proposed Rule’s reporting
requirement is too vague to allow for meaningful comment.
In addition, there is a significant disconnect between the rationale for the Proposed Rule
and the Proposed Rule itself. The preamble to the Proposed Rule uses the word “unhosted” 68
times. Treasury is explicit that the Proposed Rule will apply “between a bank’s or MSB’s hosted
52
85 Fed. Reg. 83,860-61 (emphasis added).

January 4, 2021
Page 16
wallet customer and an unhosted or otherwise covered wallet.”53 The first sentence of the “Rule
Overview” section says that the Proposed Rule will apply to cryptocurrency transactions between
a money service business and an “unhosted wallet.”54 But the language of the Proposed Rule
itself does not mention the word “unhosted” anywhere in the proposed amendments to the C.F.R.
Instead, the $3,000 recordkeeping requirement applies to “transaction[s] in convertible virtual
currency or a digital asset with legal tender status . . . with a value of more than $3,000,” and
then specific carve outs are provided for transactions with wallets held at BSA regulated
exchanges or foreign financial institutions not located in jurisdictions on FinCEN’s list.”55 Is
Treasury intending to capture only transactions with “unhosted” wallets through the exceptions
in the proposed 31 C.F.R. § 1010.410(g)(4)? The preamble fails to provide meaningful guidance
to the substance of the Proposed Rule, which creates more confusion regarding its scope.
The Proposed Rule also does not identify how “name and physical address” information
can be obtained for a material portion of blockchain transactions. There are many situations
where counterparty names and addresses simply will not exist. One of the most popular areas in
cryptocurrencies is the use of smart contracts. A smart contract is simply a computer program
that runs on a blockchain and is associated with a specific address on that blockchain.56 Smart
contracts have the ability to transfer funds, receive funds, or execute any other function within its
programming.57 They interact with cryptocurrency exchanges by, for example, executing the
transfer of cryptocurrency to a hosted wallet. For transactions where Coinbase is interacting with
a smart contract associated with computer code, the Proposed Rule does not explain how
Coinbase would comply. A smart contract does not have a name or physical address. They are
not controlled by any user, and often there are not even a defined set of entities that are
associated with it.58 The Proposed Rule is vague and ambiguous as to how cryptocurrency
exchanges like Coinbase should deal with transfers to and from smart contracts.
These ambiguities plague the Proposed Rule, and likely any final rule that follows. The
failure to set forth concrete proposals in each of these areas reflects the lack of meaningful
industry input. This is exactly why real engagement with the industry is vital even before a
53
85 Fed. Reg. 83,846.
54
85 Fed. Reg. 83,843.
55
85 Fed. Reg. 83,860.
56
S. Levi & A. Lipton, An Introduction to Smart Contracts and Their Potential and Inherent
Limitations, Harvard Law School Forum on Corporate Governance (May 26, 2018)
https://corpgov.law.harvard.edu/2018/05/26/an-introduction-to-smart-contracts-and-their-
potential-and-inherent-limitations/.
57
Id.
58
Ethereum, Introduction to Smart Contracts (Nov. 29, 2020),
https://ethereum.org/en/developers/docs/smart-contracts/ (Smart contracts are “not controlled by
a user, instead they are deployed to the network and run as programmed. User accounts can then
interact with a smart contract by submitting transactions that execute a function defined on the
smart contract.”).

January 4, 2021
Page 17
notice of proposed rulemaking. Treasury cannot solve these deficiencies without providing more
time and soliciting that input.
IV. The Proposed Rule Poses Unacceptable Risks To Individuals’ Privacy Rights
The Proposed Rule would dramatically increase the amount of personal financial data
that is collected, stored, and reported in the United States. This data would include granular,
transaction level detail on millions of transactions. Much of the data required for collection under
the Proposed Rule would involve third parties who may never have chosen to be a
cryptocurrency exchange customer, never agreed to any terms covering the use of their financial
data, and may not even know their data was collected and stored in the first place. The preamble
has not even attempted to address this impact.
No one, including Coinbase, can determine the full impact that the Proposed Rule
will have on data privacy given the accelerated notice-and-comment period. For example,
because there is not enough time to design the systems and processes needed to comply with the
Proposed Rule, Coinbase cannot fully describe the corresponding data-security systems and risks
(and possible disclosures) that are involved in hosting information belonging to non-customers
for the first time. Nonetheless, several risks posed to individual financial privacy by the Proposed
Rule are apparent and require industry-wide evaluation before they can be fully understood.
A. Taking Customer Privacy Data Seriously Requires Substantial Investment
Privacy is a core value at Coinbase. It is central to Coinbase’s business for our customers
to trust Coinbase with their data, and we consider maintaining our customers’ privacy to be
essential to maintaining their trust. We have a robust program for ensuring our customers’
privacy. We integrate strong privacy protections in the design of new product and feature
launches, and Coinbase engages in privacy review to ensure that we limit the amount of data
collected from our customers. Coinbase has a detailed data privacy policy to explain to
customers how their data is used. Whatever data we do collect is only used for intended and
disclosed purposes.59 And we also dedicate resources to evaluating any request from law
enforcement to review customer data.60
As the recent SolarWinds hack makes clear, companies must ensure that data-security
and privacy extend to their vendors and technological ecosystem more generally.61 Coinbase
subjects all vendors who have access to customer data to a third-party security review to prevent
unauthorized access to user data. Coinbase also enforces granular access controls to systems or
repositories that store personal identifying information, classifying data based on its sensitivity to
59
Coinbase – Global Privacy Policy (Nov. 1, 2020), https://www.coinbase.com/legal/privacy.
60
P. Grewal, Transparency at Coinbase (Oct. 16, 2020), https://blog.coinbase.com/transparency-
at-coinbase-c8edf6dce4d6.
61
K. Poulsen, et al., Solar Winds Hack Victims: From Tech Companies to a Hospital and
University, Wall St. J., Dec. 21, 2020, https://www.wsj.com/articles/solarwinds-hack-victims-
from-tech-companies-to-a-hospital-and-university-11608548402.

January 4, 2021
Page 18
the user. Data that rises to the highest level of sensitivity requires additional controls before it
can be accessed, such as enhanced background checks, fingerprinting, logging, and monitoring.
Coinbase also has a comprehensive mitigation and incident-response framework, which includes
dedicated teams to prevent, detect, mitigate and resolve security incidents.
This need for data security and privacy is inherent in the blockchain ecosystem. Because
transactions are open and transparent on a blockchain, it is incredibly important to maintain
privacy for individuals. For this reason, Coinbase seeks to minimize the data that it does collect
and to protect that data through extensive controls.
B. The Proposed Regulation Will Drastically Increase The Amount Of Data

Collected On The Crypto Community
The Proposed Rule would drastically expand the amount of personal information that is
stored about members of the cryptocurrency community. For each transaction greater than
$3,000, Coinbase would have to collect at least the name and physical address information (even
if it does not exist) for any party involved. There are hundreds of thousands of transactions per
week on Coinbase, a material number of which would involve third-party self-hosted wallets
where Coinbase must now collect additional personal information on counterparties.
This expansion in financial data-monitoring alone is concerning. These third parties have
not chosen to interact with Coinbase at all—as a customer or otherwise. They are simply
counterparties to a transaction with a Coinbase customer and do not likely know or care whether
the other party uses a self-hosted or hosted wallet. Forcing exchanges like Coinbase to now
collect non-customer information stands in stark contrast to how information is normally
obtained both at Coinbase and more broadly. When Coinbase collects data from its own
customers, it does so after its customers agree to a disclosed privacy policy and terms of use. It is
a voluntary process. In contrast, third parties have not agreed to anything with respect to their
data. In many instances, these users will not know how their data is used or disclosed. The
Proposed Rule overrides that process for thousands (possibly millions) of people and turns
exchanges into involuntary custodians of non-customer data from around the world.
This significant expansion in recorded personal data should not occur in the shortened
timeframe imposed by the Treasury, if ever. Data privacy is a central issue to society at large and
the cryptocurrency sector in particular. Requiring collection of third-party, non-customer
personal information requires a greater dialogue with the public and analysis of existing data-
privacy laws than can be achieved in 15 days. How does Treasury propose alerting third parties
of the ways in which their data might be used after it is collected? Do cryptocurrency exchanges
have any obligation to do so? Must cryptocurrency exchanges provide data-privacy notices as
part of any collection of counterparty information?
C. The Resulting Tranche Of Personal, Financial Data That FinCEN Wants

Reported To It Would Pose Real Data Privacy Risks
The Proposed Rule requires exchanges to not only collect but also report new troves of
financial data to Treasury, which makes the government an even more attractive target for

January 4, 2021
Page 19
hackers at a time when Treasury itself is currently in the middle of one of the largest and far-
reaching hacks in American history.62 This risk is far greater than that posed by Treasury’s
current collection of CTR information on fiat transactions because, as discussed above, a
distributed ledger contains the entire transaction history for a given blockchain. If a person had a
“Rosetta stone” that linked personally identifying information to the ledger, this could in turn
reveal extensive personal financial information. Once a public key is linked to a specific person,
it is possible to recreate that person’s financial history on that blockchain. This means that the
Proposed Rule creates a potential privacy intrusion on individual users of cryptocurrency far
beyond any existing risks faced for users of traditional finance. Treasury cannot create such a
risk without acknowledging it, which it has yet to do, and without demonstrating that the risk is
outweighed by a benefit or can be mitigated, neither of which is in the Proposed Rule.
The need for this missing analysis is easy to see by comparing the obligations imposed by
the Proposed Rule with information Treasury already can collect from traditional finance. If
Treasury fails to protect CTR information filed on fiat transactions, a customer’s entire financial
history is not likely implicated. The CTRs that banks file on fiat include only information about
that customer’s transactions over a finite period of time and are not required to include
counterparty information—in this way, if disclosed, they do not provide a way to track
everything that happened before and after that transaction. By contrast, if Treasury fails to
protect CTR information filed on crypto transactions such that personally identifying information
relating to a public key is revealed, that person’s entire financial history on that blockchain could
be compromised. And this real risk applies to both the exchange customer and the counterparty,
as the Proposed Rule demands reporting on both sides, which is not required for traditional
finance. The financial value of the data that the Proposed Rule requires to be reported to
Treasury provides a new and significant financial incentive for bad actors to target this data.
Indeed, the Proposed Rule cites examples of personal data relating to cryptocurrency transactions
being hacked by foreign actors.63 And in July 2020, hackers accessed personal customer
information for the company Ledger, which provides a hardware-based cryptocurrency wallet.64
62
B. Chappell et al., What we know about Russia’s alleged hack of the U.S. government and tech
companies, NPR (Dec. 21, 2020), https://www.npr.org/2020/12/15/946776718/u-s-scrambles-to-
understand-major-computer-hack-but-says-little.
63
Proposed Rule at 83,841; Press Release, DOJ, “Two Chinese Nationals Charged with
Laundering Over $100 Million in Cryptocurrency from Exchange Hack” at pp. 1 (Mar. 2, 2020),
https://www.justice.gov/opa/pr/two-chinese-nationals-charged-laundering-over-100-million-
cryptocurrency-exchange-hack (“According to the pleadings, in 2018, North Korean co-
conspirators hacked into a virtual currency exchange and stole nearly $250 million worth of
virtual currency.”).
64
T. Wright, Ledger users threaten legal action after hacker dumps personal data,
CoinTelegraph (Dec. 20, 2020), https://cointelegraph.com/news/ledger-users-threaten-legal-
action-after-hacker-dumps-personal-data (“People with a large amount of crypto holdings run
the risk of being kidnapped and held until they give up their tokens, as was the case
with Singaporean entrepreneur Mark Cheng in January.”); R. Sharma, Hackers leak customer

January 4, 2021
Page 20
How does Treasury propose maintaining the safety of customer information it receives
where that information can be used to recreate someone’s entire financial history on a
blockchain? How has the recent SolarWinds hack affected the security of data that is reported to
Treasury under existing CTR requirements?
D. The Proposed Rule Poses Substantial Cross-Jurisdictional Issues Regarding

Data Privacy Compliance
The Proposed Rule also raises a number of thorny regulatory questions that the Treasury
wholly fails to acknowledge or address. There are several cross-jurisdictional issues that would
result from this dramatic increase in personal-data collection. For example, Coinbase can only
maintain personal information on EU users for the “shortest time possible” under the European
Union’s General Data Protection Regulation (GDPR).65 Yet the Treasury regulation does not
indicate how to reconcile its proposed five-year retention limit with the requirements imposed
under GDPR that would require companies like Coinbase to have a legitimate interest for that
retention. In addition, Coinbase’s ability to understand which laws govern the retention of a
user’s information is only possible because Coinbase’s users actually choose to establish a
customer relationship with Coinbase, which indicates the jurisdiction in which they reside. The
Proposed Rule provides no guidance on how Coinbase would determine what data retention
obligations it has to apply to third parties to whom it is not providing financial services or how
reliable that information must be to form the basis of such legal compliance.
Requiring Coinbase to increase the scope of its data collection to third-party market
participants also weakens Coinbase’s international competitiveness. European courts have
restricted the ability for U.S. entities to provide services to European citizens out of concern that
broad U.S. data-collection rules will negatively affect the privacy interests of European
citizens.66 These refusals are informed by concerns over the aggregation of large amounts of
personal information, law enforcement, and the corresponding difficulty of implementing data-
protection policies that will ensure the privacy of this information.67 Nonetheless, the Proposed
Rule does not explain how additional broad collection requirements on non-U.S. customers or
third parties outside the U.S. can be reconciled with this recent European court precedent and
how U.S. companies are to navigate these issues. Will storage of this information as required by
info from crypto wallet Ledger, Investopedia (Dec. 23, 2020),

https://www.investopedia.com/hackers-leak-customer-info-from-crypto-wallet-ledger-5093577.
65
European Union, For how long can data be kept and is it necessary to update it?,
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-
organisations/principles-gdpr/how-long-can-data-be-kept-and-it-necessary-update-it_en.
66
H. Mildebrath, The CJEU judgment in the Schrems II case, EPRS (Sept. 2020),
https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073
_EN.pdf.
67
Id. (“The legal bases of US surveillance programmes such as PRISM and UPSTREAM are not
limited to what is strictly necessary and would be considered a disproportionate interference with
the rights to protection of data and privacy. . . .”).

January 4, 2021
Page 21
the Proposed Rule conflict with European data-retention standards? What rationale should
companies like Coinbase give to European regulators as to why a five-year period is the “shortest
time possible”?
***
Treasury is entirely silent about the privacy implications posed by the broad expansion in
financial surveillance required by the Proposed Rule. Again, this is a sign of an infirm regulatory
process. These are the types of issues that warrant public hearings and require the perspective of
not only industry but also the general public. Treasury cannot realistically expect affected
members of the general public to follow federal rulemaking over the holidays to weigh in on this
invasive reporting of their personal financial information. The privacy impact alone is reason
enough to forgo the Proposed Rule entirely. At a minimum, it requires more time so that these
issues are not addressed for the very first time by Treasury in their response to public comment
(if then). Otherwise, the public will not have had a real and meaningful opportunity to participate
in the rulemaking process on issues of highly personal importance, as the law requires.
V. Treasury Does Not Use Most of the Financial Information That It Currently
Collects And Yet the Proposed Rule Seeks To Collect Even More
Treasury is proposing a massive expansion in the collection of user data even though it
does not even use all the data that it already collects. When privacy interests of this magnitude
are affected, there should be some explanation as to the inadequacy of existing systems. But
Treasury makes no effort to justify the need for this expansive financial surveillance based on
gaps in existing recordkeeping or reporting requirements. In addition, among the roughly 1,300
comments Treasury has made public as of January 4, none that we have seen suggest a gap in
information for law enforcement that would be filled by the Proposed Rule. Notably, while the
Department of Justice Report on cryptocurrency that the Treasury cites in the Proposed Rule
discusses the importance of SARs and CTRs, the Report makes no mention of law enforcement
requesting additional reports from cryptocurrency exchanges.68
FinCEN reports receiving 16,087,182 CTRs in 2019.69 FinCEN and other entities that
rely on CTRs struggle to meaningfully act on all the data they receive now—data that contains
mostly innocuous information on customers, as described in previous audits.70 For that reason,
68
See Proposed Rule at 83,842, n.12 (citing U.S. Dep’t of Justice, “Report of the Attorney
General’s Cyber-Digital Task Force, Cryptocurrency: An Enforcement Framework,” (Oct. 8,
2020), https://www.justice.gov/ag/page/file/1326061/download.
69
85 Fed. Reg. 29,022 (July 13, 2020).
70
S. Hrg 115-405, Combating Money Laundering and Other forms of Illicit Finance: How
Criminal Organizations Launder Money and Innovative Techniques for Fighting Them: Hearing
before the Subcomm. on Nat’l Sec. & Int’l Trade & Fin., 115th Cong., 2d Sess. (June 20, 2018)
[hereinafter June 2018 Senate Hearing] (statement of Tracy S. Woodrow, M&T Bank
Corporation) (stating further that a recent survey by The Clearing House showed that financial

January 4, 2021
Page 22
the GAO has stated that “the volume of CTRs could be substantially reduced without
jeopardizing law enforcement needs.”71 The drastic increase in data collection that the Proposed
Rule seeks is not an efficient or useful means of curbing illicit activities. If Treasury does not use
the data it has, it certainly does not make sense for cryptocurrency exchanges to store and report
even more data.
A. FinCEN Does Not Use All Of The CTR Data It Currently Collects
FinCEN receives a significant amount of CTR data that serves no “useful” law
enforcement purpose, and the large volume of data received makes “analysis difficult, expensive,
and time consuming.”72 The message is the same from industry or government. The American
Bankers Association has claimed that up to three-quarters of its filings were for long-established
bank customers.73 The GAO has further estimated that “between 30 and 40 percent of the CTRs
filed are reports of routine deposits by large, well-established…businesses.”74 The GAO has also
stated that “[t]he [FinCEN] system was unable to evaluate the quality of targets and keep up with
the incoming CTR/CMIR data, thus creating database gaps in identifying targets.”75 And
Director Blanco has stated that he did not want financial institutions to provide information that
is “white noise” or “information for information purposes.”76
But the Proposed Rule does just that—creates drastically more “white noise.” A
reasonable regulation will not just increase the volume of data that FinCEN receives or has
access to for the sake of it, which poses data-security, privacy risks, and significant costs to the
institutions might hear from law enforcement less than one-half percent after filing a CTR),
https://www.congress.gov/115/chrg/CHRG-115shrg33424/CHRG-115shrg33424.pdf.
71
Money Laundering: The Volume of Currency Transaction Reports Filed Can and Should Be
Reduced: Hearing on S. 1664 Before the S. Comm. on Banking, Housing and Urban Affairs, 97th
Cong. 1 (1994) [hereinafter GAO Statement on Money Laundering] (statement of Henry R.
Wray, Director, Administration of Justice Issues), http://archive.gao.gov/t2pbat4/151052.pdf.
72
GAO Statement on Money Laundering, pg. 2.
73
Suspicious Activity and Currency Transaction Reports: Balancing Law Enforcement Utility
and Regulatory Requirements: Hearing Before the Subcomm. on Oversight and Investigations,
110th Cong., 1st Sess. (May 10, 2007) [hereinafter 2007 Suspicious Activity Hearing] (statement
of Megan Davis Hodge, American Bankers Association).
74
GAO Statement on Money Laundering, pg. 2.
75
Money Laundering: The U.S. Government is Responding to the Problem, Report to the
Chairman, Subcomm. On Terrorism, Narcotics and Int’l Operations, GAO/NSIAD-91-130 (May
16, 1991), https://www.gao.gov/assets/160/150500.pdf.
76
U.S. Senate Comm. on Banking, Hous., and Urban Affairs: hearing on Combating Money
Laundering and Other Forms of Illicit Finance: Regulator and Law Enforcement Perspectives
on Reform, (Nov. 29, 2018).

January 4, 2021
Page 23
industry.77 Instead, the goal should be to reduce the “white noise” on the data FinCEN receives
such that FinCEN and law enforcement can better use existing resources to achieve better results.
Unfortunately, Treasury does not appear to even currently track the usefulness of the data it
already collects and solely seeks to collect more without justifying how doing so will be
“useful.”78
B. IRS Is Not Using Existing CTR Filings
The Treasury Inspector General for Tax Administration (TIGTA) has found, beginning
with a 2010 audit, that the IRS does not systematically use “CTRs to identify and pursue
potentially noncompliant individuals.”79 By definition, failing to “make effective use of [CTRs]”
means that CTRs, at least in the quantity produced, are not useful to the IRS and have not been
for a long time. Therefore, requiring more reports of a similar nature will likely make them even
less useful to the IRS.
The TIGTA 2010 Audit stated that while the IRS recognized the benefit of CTRs, the IRS
was not using them to pursue non-filers and under-reporters for an IRS audit. Notably, in
reaching this conclusion, TIGTA chose a $20,000 threshold, double the amount required to
trigger the CTR requirement. As FinCEN has stated, doubling the threshold for CTRs will lead
to a 60% reduction in CTRs.80 But even at that higher threshold—which necessarily meant that
77
J. Leopold, et al., The FinCEN Files, BUZZFEED NEWS, Sep. 20, 2020,
https://www.buzzfeednews.com/article/jasonleopold/fincen-files-financial-scandal-criminal-
networks. BuzzFeed News received more than 2,100 SARs, containing data on over 10,000
subjects.
78
The Proposed Rule cites anecdotes of individual prosecutions but does not provide evidence
for the usefulness at the threshold proposed.
79
TIGTA has conducted three audits that appear relevant to the IRS’s use of CTRs: (1) TIGTA,
Currency Report Data Can Be a Good Source for Audit Leads, Ref. No. 2010-30-104 (Sep. 17,
2010) [hereinafter “TIGTA 2010 Audit”],
https://www.treasury.gov/tigta/auditreports/2010reports/201030104fr.html; (2) TIGTA, The
Internal Revenue Service Still Does Not Make Effective Use of Currency Transaction Reports,
Ref. No. 2018-30-076 (Sep. 21, 2018) [hereinafter “TIGTA 2018 Audit”],
https://www.treasury.gov/tigta/auditreports/2018reports/201830076fr.pdf; and (3) TIGTA, The
Accuracy of Currency Transaction Report Data in IRS Systems Should Be Improved to Enhance
Its Usefulness for Compliance Purposes, Ref. No. 2020-30-055 (Sep. 4, 2020) [hereinafter
TIGTA 2020 Audit], https://www.oversight.gov/sites/default/files/oig-reports/202030055fr.pdf.
80
S. Hrg 115-212, Combating Money Laundering and Other Forms of Illicit Finance:
Administration Perspectives on Reforming and Strengthening Bank Secrecy Act Enforcement:
Hearing before the Comm. On Banking, Hous., and Urban Affairs, 115th Cong., 2d Sess. (Jan.
17, 2018) (statement of Sigal Mandelker, Under Secretary, Terrorism and Financial Intelligence,
Department of the Treasury), https://www.congress.gov/115/chrg/CHRG-115shrg29913/CHRG-
115shrg29913.pdf.

January 4, 2021
Page 24
TIGTA used fewer CTRs to determine its audit scope than were generated—the IRS was still not
sufficiently using them for “tax…investigations or proceedings.”81
In 2018, eight years after the initial audit, TIGTA concluded an audit titled “The Internal
Revenue Service Still Does Not Make Effective Use of Currency Transaction Reports.” The title
speaks for itself. During the 2018 Audit, IRS officials stated that “the IRS is not systemically
using the CTRs to identify and pursue individuals who are not meeting their filing obligations.”82
Finally, in the TIGTA 2020 Audit, TIGTA identified individuals in the CTRs with more
than $100,000 of cash-in transactions—therefore 10 times the threshold for filing a CTR. TIGTA
again recommended that the IRS use CTR data to “systematically identify potentially
noncompliant taxpayers and nonfilers.”83 Therefore, even when TIGTA raised the CTR level to
$20,000 in 2010 and to individuals with CTRs above $100,000 in 2017, the IRS still did not
systemically identify individuals who were out of compliance with IRS tax-filing requirements.
The IRS has known about this problem for 10 years and has agreed for all of those years
that it should systemically use CTRs more than it does. But the IRS has not appeared to adopt the
recommended changes. The current volume of CTRs exceeds the IRS’s ability to make use of
them for “tax…investigations or proceedings,” and nonetheless, Treasury now proposes to
substantially add to that volume of unused information.84
As an estimate of the volume of additional useless white noise that this Proposed Rule
would generate, Treasury should consider that our projections based on past data indicate that
Coinbase could end up filing 7,000 CTRs every business day—and that’s just a single crypto
exchange. A marginally better system would be for cryptocurrency exchanges to keep (rather
than report) records of customer information for transactions greater than $10,000, not $3,000.
As things stand based on the reported data, the usefulness of CTRs for $10,000 transactions is
still minimal. Requiring cryptocurrency exchanges to maintain rather than report customer data
for transactions over $10,000 would at least not multiply the size of the unused tranche of data
maintained by Treasury. But any of these changes require real analysis by Treasury before
imposing, as data analytics are far better for tracking and understanding suspect transactions than
blanket reporting requirements based on a transaction threshold.
81
31 U.S.C. § 5311.
82
TIGTA 2018 Audit, pgs. 4-5.
83
TIGTA 2020 Audit, pg. 3.
84
31 U.S.C. § 5311.

January 4, 2021
Page 25
C. The Proposed Rule Fails To Identify, Let Alone Fill, Any Gap In The
Benefits Currently Achieved From Risked-Based Suspicious Activity Reports
The Proposed Rule is an unnecessary expansion of data collection in a system that

already effectively uses risk-based analysis to file suspicious activity reports (SARs).85
Currently, Coinbase and other regulated exchanges are required to file SARs for potentially
suspicious activity. To that end, Coinbase has built sophisticated risk-based analytics systems to
help identify any such transaction. The Proposed Rule’s recordkeeping expansion to all
transactions over $3,000 is by definition pulling in all the transactions regardless of whether they
would be flagged as suspicious by Coinbase’s system. In other words, whereas the Treasury has
previously encouraged the industry to invest and develop sophisticated data-based systems to
identify and report activity that is suspicious (and therefore useful), the Proposed Rule prioritizes
recording of all data, regardless of whether it is suspicious.86 Moreover, Treasury cites to the risk
of “unregulated peer-to-peer transactions” in defense of the increased reporting and recording,
85
Chainalysis, What You Need to Know About Treasury’s 72-page NPRM for Transactions with
Unhosted Wallets and Certain Foreign Jurisdictions, Dec. 22, 2020,
https://blog.chainalysis.com/reports/treasury-department-nprm-unhosted-wallets-2020 (“The
current system is working, both in the US and internationally, and efforts to improve
enforcement should be driven by what would actually improve the effectiveness of the system,
not by adding box-checking compliance requirements.”).
86
See, e.g., FinCEN, The Financial Crimes Enforcement Network Provides Further Information
to Financial Institutions in Response to the Coronavirus Disease 2019 (COVID-19) Pandemic
(Apr. 3, 2020), https://www.fincen.gov/news/news-releases/financial-crimes-enforcement-
network-provides-further-information-financial (“FinCEN encourages financial institutions to
consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet
their BSA/anti-money laundering compliance obligations, in order to further strengthen the
financial system against illicit financial activity and other related fraud.”); Board of Governors of
the Federal Reserve System, FDIC, FinCEN, National Credit Union Administration, Office of
the Comptroller of the Currency, Joint Statement on Innovative Efforts to Combat Money
Laundering and Terrorist Financing (Dec. 3, 2018),
https://www.fincen.gov/sites/default/files/2018-
12/Joint%20Statement%20on%20Innovation%20Statement%20%28Final%2011-30-
18%29_508.pdf (recognizing that “private sector innovation . . . can help banks identify and
report money laundering, terrorist financing, and other illicit financial activity by enhancing the
effectiveness and efficiency of banks’ BSA/AML compliance programs” and emphasizing
FinCEN’s “innovation initiative to foster a better understanding of the opportunities and
challenges of BSA/AML-related innovation in the financial services sector”); FinCEN,
Advanced Notice of Proposed Rulemaking, Anti-Money Laundering Program Effectiveness, 85
Fed. Reg. 58,023 (Sept. 17, 2020) (soliciting public comment on regulatory amendments to
enhance effectiveness of anti-money laundering programs).

January 4, 2021
Page 26
yet the Proposed Rule imposes recording and reporting obligations only on already regulated
exchanges.87
Treasury has not explored or even asked whether the current system could be modified or
enhanced to collect information about other transactions that it thinks are suspicious but go
unreported. Nor does the Proposed Rule explain why a blanket recordkeeping rule applying to all
transactions above $3,000 will be more effective at flagging illicit activity than the more
intelligent and data-based searching Treasury already requires cryptocurrency exchanges to use.
The Proposed Rule also does not explain why the current SAR systems are insufficient. Quite the
opposite, the Proposed Rule actually admits that SARs are overinclusive. 88 Knowing that the
information Treasury receives is already overinclusive, why is a risk-based analytics approach
not sufficient to identify money-laundering transactions? What are the gaps that exist in the
current risk-based analytics approach that will be filled by a blanket recordkeeping and reporting
requirement? The Proposed Rule is once again silent.
At the same time, the Proposed Rule overstates the amount of illicit activity in the
cryptocurrency market. Treasury’s rationale for the Proposed Rule is to “address the illicit
finance threat created by” unhosted wallets and LTDAs.89 However, Treasury’s method for
quantifying the alleged amount of illicit activity in the cryptocurrency market is flawed. To
determine the amount of illicit activity in the cryptocurrency market, Treasury first cites a
January 2020 Chainalysis report finding that illicit activity makes up around 1% of
cryptocurrency transactions.90 Even within this report, Chainalysis shows that scams—not
terrorism financing, sanctions, child-abuse material, or other illegal activities—“are the biggest
threat in crypto crime.”91 If anything, these findings should support government policy that
drives users to regulated exchanges, not create unnecessary privacy concerns that could drive
users to unregulated exchanges with fewer consumer protections.92
87
88
See Proposed Rule at 83,842, n.15 (“FinCEN emphasizes that suspicious activity is not a clear
indication of a crime but is activity that is potentially illicit. See 31 CFR 1020.320, 1022.320
(laying out the standards for suspicious activity).”).
89
90
See Chainalysis, “The 2020 State of Crypto Crime,” (Jan. 2020),
https://go.chainalysis.com/2020-CryptoCrime-Report.html [hereinafter “Chainalysis Report”].
91
Id. at pgs. 6-7, 17-29.
92
The Proposed Rule also cites Treasury’s own analysis for the proposition that “[a]nonymity in
transactions and funds transfers is the main risk that facilitates money laundering.” 85 Fed. Reg.
83,844. But the cited report notes that “Criminal actors involved in drug trafficking, human
smuggling and trafficking, illicit retail transactions, and various activities associate with
organized crime continue to prefer U.S. currency-denominated cash due to its widespread use in
the U.S. as well as its global use due its wide acceptance as a stable store of value and medium of

January 4, 2021
Page 27
Treasury disputes the validity of the Chainalysis Report by stating that it may undercount
illicit activity. Treasury says that it received SARs associated with cryptocurrency activity that
exceeds the 1% listed in the Chainalysis Report by an order of magnitude. But Treasury’s
approach to quantifying illicit cryptocurrency activity is flawed. Per public reporting resulting
from a FinCEN data leak last year, FinCEN received more than two million SARs.93 Compare
the number of SARs that appear to have been filed in a year to the number of SARs that Director
Blanco stated hit on a match:
“Every day, FinCEN takes the…SARs, filed by financial institutions, and we

run them through automated business rules to identify reports that merit further
review by our analysts. This process generates around 50 matches a day, more
than 1,000 matches each month.”94
In other words, the vast majority of SARs do not evidence criminal activity or even
suspicion of criminal activity. This is likely because the existing system creates perverse
incentives to generate “white noise.” Financial institutions have admitted they file unnecessary
“defensive SAR filing[s]” because they want to limit regulatory criticism or penalties.95
Coinbase is not discounting the severity of harm that arises when scams or other crimes
are perpetrated on cryptocurrency users or facilitated by the use of cryptocurrency. Nor does
Coinbase dispute that FinCEN and law enforcement can learn valuable information from SARs
that assist in tackling anti-money laundering and other illicit activities. But the use of SAR
values to assess illicit activity is a weak basis to judge the scope of illicit activity in any given
exchange.” DOT, National Money Laundering Risk Assessment, at 4 (2018),

https://home.treasury.gov/system/files/136/ 2018NMLRA_12-18.pdf (emphasis added).
93
J. Leopold, et al., The FinCEN Files, BUZZFEED NEWS, Sep. 20, 2020,
https://www.buzzfeednews.com/article/jasonleopold/fincen-files-financial-scandal-criminal-
networks.
94
K. A. Blanco, Prepared Remarks of FinCEN Director Blanco at the NYU Law Program on
Corporate Compliance and Enforcement, June 12, 2019,
https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-blanco-nyu-law-
program-corporate-compliance-and.
95
Improving Financial Oversight: A Private Sector View of Anti-Money Laundering Efforts:
Hearing Before the Subcomm. on Oversight and Investigations, 108th Cong., 2nd Sess. (May 18,
2004) (statement of John Byrne, American Bankers Association) (stating that enforcement
concerns cause many entities “to file SARs as a purely defensive tactic…”); see also Bank
Secrecy Act: Suspicious Activity Report Use is Increasing, but FinCEN Needs to Further
Develop and Document Its Form Revision Process, Report to Congressional Requesters, GAO-
09-226 (Feb. 27 2009), https://www.gao.gov/assets/290/286619.pdf; 2007 Suspicious Activity
Hearing (statement of Scott K. McClain, Deputy Gen. Counsel, Financial Service Centers of
America)(stating further that “MSBs are adopting a ‘when in doubt, fill out’ philosophy.”).

January 4, 2021
Page 28
market, including cryptocurrencies. This reliance on admittedly flawed data undermines both the
Proposed Rule itself and the truncated timeframe for notice and comment.
Ultimately, alternative and much less invasive approaches will be more effective in
preventing illicit activity, and Coinbase has and continues to work with Treasury on developing
such measures. The Proposed Rule will only create more white noise. How has Treasury
determined that there is a gap in documenting suspicious activity that justifies a blanket, dollar-
value rule? Has Treasury considered whether it makes more sense to change the requirements for
reporting suspicious activity in lieu of a grossly overinclusive reporting requirement that will
capture mostly innocent behavior?
VI. The Proposed Rule Expands The Scope Of The Bank Secrecy Act And Is Not
Technology Neutral
The Proposed Rule is a remarkable expansion of the reporting and recordkeeping

requirements under the BSA. Treasury states in the Proposed Rule that the Bank Secrecy Act
requires it to “determine” that the recordkeeping and reporting would “have a high degree of
usefulness” before it can implement a rule like this.96 But there is no explanation anywhere in the
notice of how the new requirements meet that standard. The Proposed Rule is also unique in that
it imposes—for the first time—a broad and affirmative duty on a financial institution to obtain
information about third parties with whom it has no preexisting relationship. What’s more, that
information-gathering must occur before the financial institution can send the transaction. This
rule has no precedent in the BSA and no analogue in non-cryptocurrency transactions. Consistent
with other Treasury rules affecting similar but lesser requirements, the regulation cannot be
pushed through in a truncated timeframe with limited public involvement.
A. Treasury’s Regulations To Date Have Not Imposed Affirmative Data-

Collection Duties Regarding Counterparties
With this Proposed Rule, Treasury effectively plans to impose disclosure requirements on
users of cryptocurrency, albeit indirectly through cryptocurrency exchanges. Treasury fails to
explain why cryptocurrency exchanges are in a better position to obtain the name and address
information for third parties who are not their customers when Treasury has repeatedly
considered and rejected direct regulation of those third parties over the past decade. The industry
has relied on that regulatory approach, and Treasury should not change tack over the course of a
15-day notice-and-comment period.
The BSA focuses on generating information that is useful for the investigation of
financial crimes or terrorism.97 The law’s purpose was and remains to require reports where they
96
85 Fed. Reg. 83,845; see also 31 U.S.C. § 5311.
97
Bank Secrecy Act Regulations; Definitions and Other Regulations Relating to Money Services
Businesses, 76 Fed. Reg. 43,585 (July 21, 2011). See also 31 U.S.C. § 5311.

January 4, 2021
Page 29
“have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings.”98

To that end, the Treasury (through FinCEN) enforces reporting requirements for “financial
institutions,” which include all businesses that “facilitat[e] the transfer of money.”99 These
businesses report and record transaction information that can later be used as an investigatory
tool by an appropriate law-enforcement agency. Over the past decade, Treasury has adapted the
BSA’s recordkeeping and reporting rules to the cryptocurrency industry. These regulations have
all concerned a financial institution’s collection of information about its customers to provide
actionable information in the investigation of financial crimes.
In 2011, following a proper notice-and-comment process,100 FinCEN issued a final rule

related to cryptocurrencies that applied the requirements of the BSA to cryptocurrency “money
services businesses” (MSB) that operate as “money transmitters.”101 These requirements were
meant to ensure that a cryptocurrency exchange’s customers were not facilitating financial
crimes. Like other entities subject to the BSA, cryptocurrency exchanges must implement AML
programs to prevent the exchange from being used to launder money.102 Cryptocurrency
exchanges also have to report suspicious transactions and certain cash transactions as well as
maintain certain records to facilitate financial transparency.103 By extending BSA requirements
to cryptocurrency exchanges, the exchanges became subject to the same KYC rules as traditional
financial institutions. As the name implies, the financial institution’s reporting and recordkeeping
requirements only extend as far as its customers.104 None of these regulations required financial
institutions to proactively gather information as a matter of course on counterparties to their
customers’ transactions.
98
31 U.S.C. § 5311. Note that the USA PATRIOT Act revised the section to add “, or in the
conduct of intelligence or counterintelligence activities, including analysis, to protect against
international terrorism.” The requirement remained the same – that the reports “have a high
degree of usefulness.”
99
31 U.S.C. § 5312.
100
Note that the comment period for this rule was 120 days. 74 Fed. Reg. 22,129. See supra
Section II.C. for further analysis of how the Proposed Rule deviates from other FinCEN
rulemakings.
101
76 Fed. Reg. 43,585.
102
Id.
103
Id.; see also Application of FinCEN’s Regulations to Certain Business Models Involving
Convertible Virtual Currencies, FIN-2019-G001, at 3-4 (May 9, 2019),
https://www.fincen.gov/sites/default/files/2019-
05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf.
104
31 C.F.R. § 1022.380.

January 4, 2021
Page 30
In March 2013, FinCEN released its first guidance addressing why it has authority to
regulate entities that transmit cryptocurrencies or convertible virtual currencies (CVC).105 The
2013 Guidance created three categories related to cryptocurrency—administrators, exchangers,
and users—and explained that a “user of virtual currency” was not “subject to [money service
business] registration, reporting, and recordkeeping regulation.”106 FinCEN reiterated this
distinction a year later.107 Once again, FinCEN did not regulate users of cryptocurrencies.
In May 2019, FinCEN consolidated nearly a decade of previous statements on virtual

currencies and released a detailed interpretive guidance.108 Here, FinCEN extended its distinction
between “users” and other actors by creating a regulatory distinction between “hosted” and
“unhosted” (or self-hosted) wallets.109 In so doing, Treasury recognized that cryptocurrency
exchanges do not own or control the cryptocurrencies transacted using self-hosted wallets.110
This factor drove Treasury’s rationale for not applying AML or KYC requirements to self-hosted
wallets. For self-hosted wallets, the owner interacts with the blockchain directly and has total
control over the value stored in or transacted from the wallet.111 Unlike cryptocurrency
exchanges, Treasury did not subject users or developers of self-hosted wallets to any form of
identification or reporting obligations.112
Treasury has never directly regulated self-hosted wallets despite having several
opportunities to do so. Those regulations could have included name and physical address
requirements for self-hosted wallets but did not. Unsurprisingly, industry relied on this decade of
regulations and published FinCEN guidance by building technologies that do not gather and
transmit this information from self-hosted wallets.
105
Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using
Virtual Currencies, FIN-2013-G001 (Mar. 18, 2013),
https://www.fincen.gov/sites/default/files/shared/FIN-2013-G001.pdf.
106
Id.
107
Application of FinCEN’s Regulations to Virtual Currency Software Development and Certain
Investment Activity, FIN-2014-R002 (Jan. 30, 2014),
https://www.fincen.gov/sites/default/files/shared/FIN-2014-R002.pdf.
108
Application of FinCEN’s Regulations to Certain Business Models Involving Convertible
Virtual Currencies, FIN-2019-G001, at 3-4 (May 9, 2019).
109
Although Treasury used the term “unhosted” wallet in its interpretive guidance, this is a
misnomer. A wallet has to be “hosted” somewhere. The distinction Treasury appears to be
drawing is between those wallets hosted by a third-party on behalf of a user versus those wallets
that a user hosts himself or herself. “Self-hosted” is a more accurate description of this
relationship than “unhosted.”
110
Id. at 16.
111
Id.
112
Id. at 3.

January 4, 2021
Page 31
As explained above, historically, when Treasury is considering an expansion of the

BSA—or imposing new requirements on financial institutions in the name of national security—
Treasury engages in meaningful discussions with the industry and the public and gives a proper
notice-and-comment period to allow all voices to be heard on issues that have broad impact.113
Treasury failed to do so here.
B. Treasury Does Not Require Traditional Financial Institutions To Collect The

Same Type Of Third-Party Transaction Information For Fiat Transactions
As Required In The Proposed Rule
Until now, Treasury’s treatment of traditional fiat transactions and cryptocurrency

transactions has been on equal footing. When Treasury applied the AML or KYC requirements
to cryptocurrencies, it was simply extending the general rules applicable to financial institutions
in a novel setting. This Proposed Rule, by contrast, discriminates against cryptocurrency
exchanges and cryptocurrency transactions in favor of traditional financial institutions and fiat
transactions.
This is because the Proposed Rule requires cryptocurrency exchanges (and any financial
institution engaging in cryptocurrency transactions) to gather counterparty information for a
class of transactions that has no analogue in traditional finance. In traditional finance, the Travel
Rule and its accompanying recordkeeping requirements only apply when a financial institution
transacts with another financial institution in the amount of $3,000 or more. There are no
corresponding requirements when a financial institution interacts with an individual.114 Here, by
contrast, the Proposed Rule requires cryptocurrency exchanges to keep records of any transaction
greater than $3,000 that involves a self-hosted wallet (managed by a user)—which would be akin
to imposing wholly new requirements on banks to maintain similar records for their customers’
transactions with other individuals.
Further, there is no corresponding requirement for a bank to affirmatively obtain

information about a customer’s counterparty in a fiat transaction, as there is in the Proposed Rule
for cryptocurrency transactions. When a bank is originating a money transfer of $3,000 or more,
the bank only has to verify the identity of the person sending the money.115 When a bank
receives a money transfer of more than $3,000, it only has to verify the identity of the receiver
(its customer).116 And even though the Proposed Rule equates cryptocurrencies with cash, if a
person tries to deposit more than $10,000 in cash, the bank only has to verify and report his
identity—not inquire where the cash came from.117 The Proposed Rule, by contrast, requires
113
See supra at Section II.C., 79 Fed. Reg. 45,151.
114
31 C.F.R. §§ 1010.410(e), 1020.410(a), 1010.410(f).
115
31 C.F.R. § 1020.410(a).
116
31 C.F.R. § 1010.410(e)-(f).
117
31 C.F.R. § 1010.311; FinCEN Currency Transaction Report (FinCEN CTR) Electronic
Filing Requirements, Version 1.2 (July 2013),

January 4, 2021
Page 32
cryptocurrency exchanges to serve as a clearinghouse—collecting information not just on their

customers with whom they directly interact but also with non-customers—when the same
transactions are subject to lesser regulations when involving fiat currencies.
Finally, the Proposed Rule imposes more burdensome counterparty-identification

requirements on cryptocurrency transactions than are imposed on traditional fiat transactions. For
money transfers greater than $3,000 in fiat, it is only necessary to maintain details on the
counterparty “as [they] are received” from the customer and only if they are received from the
customer.118 This is a passive requirement. Neither the Travel Rule nor its associated
Recordkeeping Rule mandates that the bank or financial institution request and receive
information about the counterparty before a fiat transaction can be completed. Financial
institutions receive third-party information if it exists, but they do not have an affirmative duty to
otherwise gather that information on non-customers. By contrast, the Proposed Rule imposes
such an affirmative duty on cryptocurrency transactions alone.
Treasury has long maintained that it formulates financial regulation on a technology-

neutral basis. The rules are the rules for everyone. As Director Blanco stated last year, “FinCEN
applies the same technology-neutral regulatory framework to any activity that provides the same
functionality at the same level of risk, regardless of its label. It is not what you label it; it is the
activity you actually do that counts.”119 But the Proposed Rule expressly singles out
cryptocurrencies and imposes a unique recordkeeping obligation even though a $3,000
cryptocurrency transaction “provides the same functionality at the same level of risk” as fiat
transactions. What is Treasury’s basis for requiring additional information from cryptocurrency
exchanges than what it requires from traditional finance? The Proposed Rule fails to justify this
departure from Treasury’s stated regulatory policy.
VII. The Proposed Rule Cannot Be Implemented Immediately Nor Without Disruption
The Proposed Rule imposes an enormous burden on the cryptocurrency industry without
any indication that sufficient time will be provided for the industry to build the technical
solutions required for compliance. First, cryptocurrency exchanges cannot easily obtain the
personal information of third parties transacting with their customers.120 In some cases, that
https://www.fincen.gov/sites/default/files/shared/FinCEN%20CTR%20ElectronicFilingInstructio
ns%20-%20Stand%20Alone%20doc.pdf; see also 85 Fed. Reg. 83,845 (“CVC and LTDA are
‘similar material’ to ‘coins and currency of a foreign country, travelers’ checks, bearer
negotiable instruments, bearer investment securities, bearer securities, [and] stock on which title
is passed on delivery . . . .’”).
118
31 C.F.R. § 1020.410(a)(1)(i)(F); 31 C.F.R. § 1010.410(e)(1)(i)(F).
119
K. Blanco, Prepared Remarks of FinCEN Director Kenneth A. Blanco at Chainalysis
Blockchain Symposium, Nov. 15, 2019, https://www.fincen.gov/news/speeches/prepared-
remarks-fincen-director-kenneth-blanco-chainalysis-blockchain-symposium.
120
See D. Perkins, Cryptocurrency: The Economics of Money and Selected Policy Issues,
Congressional Research Service, R45427 at 7 (Apr. 9, 2020),

January 4, 2021
Page 33
information does not exist, as discussed above with the example of a Decentralized Finance
(DeFi) smart contract. Exchanges also do not have an established way to reach counterparties
who are not their customers, and their customers may not have the required name and address
and whatever other information the Secretary later decides is required.121 Second, before
Coinbase collects this vast amount of non-customer information, Coinbase will likely need to
design a new system to store and protect it, in particular to keep it appropriately separate from
customer information. Third, there are yet to be calculated compliance costs in understanding
retention and notice obligations depending on where the counterparties are located and what
privacy information laws apply. Fourth, Treasury did not specify what the form will look like, so
Coinbase has to estimate costs without certainty of the information it must provide. Fifth, should
the Proposed Rule take immediate effect, there is no question that exchanges including Coinbase
will need to hire or engage compliance resources to support manual CTR filing, which will result
in substantial costs in light of transaction volumes.
Coinbase has tried to assess and describe these costs in this comment. But as with all of
its responses here, Coinbase has had inadequate time to evaluate those complex issues while
other questions are unanswerable given the vagueness of the rule as described above. However,
below are our initial estimated costs to Coinbase from the Proposed Rule.
A. Potential Costs Of Implementation Are Substantial But Not Fully Estimable

During This Brief Comment Period
In the brief notice-and-comment period, Coinbase first tried to create an estimate of what
it will cost to engineer, design, and build a system that would comply with the portions of the
Proposed Rule we understand to date. Given the short time, these estimates are conservative and
incomplete, which means we believe the actual costs would be substantially higher.
In order to design, develop, implement and run a system through which Coinbase can
record and report as required by the Proposed Rule, Coinbase preliminarily estimates it will incur
the following costs. First, Coinbase estimates $3 million in additional headcount for the
engineers and product managers to design, develop and implement the technical solution.
Second, Coinbase estimates that it will require $1.5 million in additional support staff for the
https://crsreports.congress.gov/product/pdf/R/R45427/3. To be clear, Coinbase supports the

Proposed Rule’s determination that cryptocurrency exchanges should use risk-based procedures
to verify the identity of its own customers. See Proposed Rule at 83,850. And more generally,
Coinbase supports the adoption of regulations that focus on risk-based determination of
suspicious activity, instead of blanket data collection.
121
The Proposed Rule also asks whether cryptocurrency exchanges should be required to
“verify” the identity of the counterparty. Proposed Rule at 83,851. Such a requirement is vague
as to how institutions could possibly verify the identity of a counterparty—particularly in those
circumstances where that party is not an individual. It would also impose even greater costs on
cryptocurrency exchanges. Given the truncated comment period, Coinbase has not had any real
opportunity to consider whether verification is possible, what additional concerns it would raise,
and at what cost (to the industry and the public).

January 4, 2021
Page 34
implementation of the technical solution and customer support. Third, Coinbase estimates that
the opportunity cost of hiring and dedicating resources to this development will result in a $21
million lost opportunity cost. In addition, should the Proposed Rule take immediate effect,
Coinbase and others in the industry would have to hire or engage resources to support manual
CTR filing until Coinbase has an automated system in place. Given expected transaction
volumes—based on current forecasts, Coinbase estimates that it will need to file CTR reports for
more than 7,000 transactions every day, and Coinbase anticipates that it would have to hire or
otherwise engage 235 resources to support manual CTR filing, at a cost of another approximately
$9 million over six months. In total, Coinbase estimates that the cost to develop the technology
to be compliant with the Proposed Rule is substantially more than $35 million in 2021 alone.
In the abbreviated time allotted for comments, Coinbase has been unable to determine the
cost of implementing and maintaining an infrastructure that can safely secure and manage the
sheer volume of third-party data that the Proposed Rule requires, nor the cost of managing a
team to run that data. But the costs of doing so will undoubtedly run in the millions in addition to
the estimates above, and Treasury’s projected costs are unrealistic and inadequate.122 For
example:
● Labor costs for companies like Coinbase are significantly more than $24 per hour.
The work involved in designing, developing and implementing a system
compliant with the Proposed Rule involves the work of highly skilled engineers
and analysts.
● The Proposed Rule’s projection of “annual burden hours” is a drastic under-

estimate based on the volume of additional CTRs that will need to be filed.
Coinbase alone predicts that it will need to report more than 7,000 additional CTR
reports per business day in 2021. And until Coinbase can build the technology to
automate its submissions, it will need to do so manually.
In light of the minimal expected benefit, Treasury has failed to explain how this
outweighs the very real expected costs to companies like Coinbase. In addition, it is particularly
notable that Treasury gave banks two years to comply with new customer due diligence rules for
fiat transactions.123 Yet here Treasury is seeking the “rapid implementation” of the Proposed
Rule.124 Given the substantial costs that will be multiplied across the cryptocurrency industry
under the Proposed Rule, why is Treasury not giving cryptocurrency exchanges a similar period
of time to design and develop the complicated technological tools required to comply with the
Proposed Rule?
122
See Proposed Rule at 83,857-58.
123
81 Fed. Reg. 29,398.
124

January 4, 2021
Page 35
B. Impact of Regulation
Because of the abbreviated comment period, Coinbase is unable to identify all the ways
the Proposed Rule might affect us and the industry as a whole in terms of costs, let alone attempt
to calculate those costs. We assume as discussed above that the Proposed Rule’s unnecessary
intrusion into our customers’ personal information may motivate some customers to move some
or all of their assets off of Coinbase’s platform or to store new assets entirely off platform. After
all, in our experience, additional steps or friction in the customer experience typically reduce
user engagement. This is exactly the type of consideration that should be evaluated by Treasury
and the industry as partners. Treasury and other agencies have assessed the impact of privacy
intrusions as part of regulations before and should bring that analysis and expertise to bear here
so the industry can comment. Coinbase would have to undertake a review of other significant
customer interest-related events within Coinbase or our industry to try to find a basis for
calculating customer loss. At best, that is a weeks-long exercise. Treasury has given us no time
to do so here, even though there is no reason to doubt there will be some customer and asset loss
from Coinbase. In the absence of any of this information, what will Treasury use as a placeholder
to weigh against the limited benefits of the Proposed Rule? And what justification does Treasury
have for preventing any real attempt at including real estimates of these costs in its rulemaking
process?
VIII. Response to Treasury’s Questions
As part of the Proposed Rule, Treasury lists 24 separate questions that it asks interested
parties and stakeholders to address during the 15-day notice-and-comment period. Coinbase has
worked hard over those 15 days, spanning two major national holidays, and during a global
pandemic, to address as many of those questions as possible, as thoroughly as possible with
limited time and resources.
Coinbase has attempted to address the following questions to the best of its ability in the
unacceptable time allotted:
● (1) Has FinCEN been sufficiently clear that the impact of the definitional change to
“monetary instruments” would be limited to the reporting, recordkeeping,
verification, and other requirements of this proposed rule, and not to preexisting
regulatory obligations such as the CTR reporting requirement at 31 CFR
1010.311? Coinbase understands that the impact of the definitional change to “monetary
instruments” is limited to the significant and burdensome reporting, recordkeeping and
verification requirements of the Proposed Rule. Coinbase notes, however, that the
vagueness issue with the Proposed Rule (discussed in Section III) could pose additional
concerns and confusion.
● (2) Describe the costs from complying with the proposed reporting requirement.
Coinbase has addressed the current known costs in Section VII. Including the most
important issue, that the true costs are impossible to identify or assess in the 15-day
notice and comment period provided and given vagueness of the Proposed Rule more
generally, as discussed above in Section III.

January 4, 2021
Page 36
● (3) Describe the benefits to law enforcement from the data obtained from the
proposed reporting requirement. Coinbase has addressed this question to the best of
its ability in this limited time in Section V. Most fundamentally, Coinbase repeats its
concern that Treasury itself has failed to articulate any benefit to law enforcement nor
cite to any support from the law enforcement community for the Proposed Rule—all of
which Coinbase should be able to respond to in a proper notice-and-comment period.
Coinbase has had little opportunity of our own to directly engage with the law
enforcement community about the Proposed Rule given the abbreviated comment
period.
● (5) Describe how the costs of complying with the proposed reporting requirement,
or the benefits to law enforcement from the data obtained from the proposed
reporting requirement, would vary were FinCEN to adopt a higher or lower
threshold than $10,000. Coinbase has addressed this question in Sections V and VII.
Coinbase repeats its concern that Treasury itself has failed to articulate the benefit to law
enforcement nor cite to any support from the law enforcement community for the
Proposed Rule—all of which Coinbase should be able to respond to in a proper notice-
and-comment period. In addition, the true costs are impossible to know given the 15-day
notice-and-comment period and vagueness of the Proposed Rule more generally, as
discussed above. Finally, Treasury’s record of using the CTR data it currently receives is
lacking at best, and Treasury has failed to explain how lowering the threshold and
increasing the amount of reports it receives will aid Treasury, especially in light of the
significant privacy concerns at issue.
● (6) Describe how the costs of complying with the proposed reporting requirement,
or the benefits to law enforcement from the data obtained from the proposed
reporting requirement, would vary were FinCEN to apply the reporting
requirement to all CVC/LTDA transactions by hosted wallets, including those with
hosted wallet counterparties. Coinbase has addressed this question in Sections V and
VII. Coinbase repeats its concern that Treasury itself has failed to articulate any benefit
to law enforcement nor cite to any support from the law enforcement community for the
Proposed Rule—all of which Coinbase should be able to respond to in a proper notice-
and-comment period. In addition, the true costs are impossible to know given the 15-day
notice and comment period and vagueness of the Proposed Rule more generally, as
discussed above.
● (12) Describe the costs from complying with the proposed recordkeeping and
verification requirements. Coinbase has addressed the current known costs in Section
VII. Again, the true costs are impossible to know given the 15-day notice and comment
period and vagueness of the Proposed Rule more generally, as discussed above.
● (13) Describe the benefits to law enforcement from being able to access data
verified and obtained based on the proposed recordkeeping and verification
requirements. Coinbase has addressed this question in Section V. Coinbase repeats its

January 4, 2021
Page 37
● (15) Describe the potential changes to the costs and benefits that would be available
to law enforcement were FinCEN to maintain the reporting requirement of 31 CFR
1010.316 but also require that banks and MSBs verify the identity of the
counterparties of their hosted wallet customers. Coinbase has addressed this question
in Sections V and VII. Coinbase repeats its concern that Treasury itself has failed to
articulate the benefit to law enforcement nor cite to any support from the law
enforcement community for the Proposed Rule—all of which Coinbase should be able to
respond to in a proper notice-and-comment period.
● (17) Would it be appropriate for FinCEN to require additional data be retained

pursuant to 31 CFR 1010.410(g)? Coinbase has addressed this question in Sections III
and VI. Most fundamentally, what additional data is FinCEN asking about in this
question? It is impossible for Coinbase to answer without knowing what FinCEN is
considering.
● (18) Describe the costs from complying with the proposed recordkeeping and
verification requirements. Coinbase has addressed the current identifiable and known
costs in Section VII. The true costs are impossible to know given the 15-day notice and
comment period and vagueness of the Proposed Rule more generally, as discussed
above.
● (19) Describe the benefits to law enforcement from being able to access data
verified and obtained based on the proposed recordkeeping and verification
requirements. Coinbase has addressed this question in Section V. Coinbase repeats its
● (21) Describe the potential changes to the costs and benefits that would be available
to law enforcement were FinCEN to maintain the recordkeeping requirement of 31
CFR 1010.410(g) but also require that banks and MSBs verify the identity of the
counterparties of their hosted wallet customers. Coinbase has addressed this question
in Sections V and VII. Coinbase repeats its concern that Treasury itself has failed to
articulate any benefit to law enforcement nor cite to any support from the law
respond to in a proper notice-and-comment period. In addition, the true costs are
impossible to know given the 15-day notice and comment period and vagueness of the
Proposed Rule more generally, as discussed above.
● (4) Has FinCEN struck a reasonable balance between financial inclusion and
consumer privacy and the importance of preventing terrorism financing, money

January 4, 2021
Page 38
laundering, and other illicit financial activity? If not, what would be a more
appropriate way to balance these objectives? Coinbase has preliminarily described in
Sections IV and V why the balance under this Proposed Rule would be extraordinarily
unreasonable, specifically that the harm to consumer privacy and financial inclusion
greatly outweighs any purported benefits to preventing illegal or illicit activity, which
Treasury has failed to articulate. Coinbase believes a better approach is for Treasury to
work with the industry to design appropriate risk-based, technical solutions to identify
transactions that are of concern, rather than imposing an across-the-board prophylactic
reporting or recordkeeping requirement that will lead to the collection of mass amounts
of “white noise” on top of the CTRs that Treasury is already unable to use. Moreover, if
Treasury is going to require blanket reporting without regard to suspicious activities, the
rule should not exceed what is required of financial institutions for fiat transactions
given the complete absence for any justification to make such a distinction. For example,
at a minimum, Treasury has yet to provide any justification for requiring the collection
of counterparty information here. Collecting such information creates serious privacy
and security concerns, with no demonstrable benefit to law enforcement.125 But the
accelerated notice-and-comment period did not provide Coinbase with enough time to
provide more information on this approach.
● (24) Describe technical challenges to implementation could impact reasonable

ability to implement these requirements? Coinbase has identified some of the
technical challenges to implementation in Sections I and VII. But many of these
“challenges” are better described as impossibilities. Blockchain technology does not
allow for the identification of third parties to a transaction that have no relationship with
Coinbase. As a result, there is no “technical” solution to obtain this data apart from
requiring users to obtain this information on counterparties or Coinbase developing some
system for soliciting this information from third parties. In addition, the 15-day notice-
and-comment period and vagueness of the Proposed Rule more generally makes it
impossible to identify or assess all the challenges to implementation.
Given the unreasonably short notice and comment period, Coinbase has been unable to
address several of Treasury’s questions. For many of these questions, Treasury appears to be
shifting the burden of its own role in the rulemaking process—identifying the appropriate
justification for rulemaking choices—onto the public. These types of questions might make
sense as part of an early dialogue between Treasury and the industry in advance of a notice of
proposed rulemaking (as it did with the consumer due diligence rule).126 The fact that Treasury
poses them within the notice here, yet appears to have virtually no answers or analysis of its
own, only serves to illustrate the deficiency of the rulemaking process. In particular:
● (7) Should FinCEN add additional jurisdictions to the Foreign Jurisdictions List or
remove jurisdictions currently on that list? Are there any particular considerations
125
Notably, Treasury did not consider any of these alternatives in the Proposed Rule. See
126
77 Fed. Reg. 13,046.

January 4, 2021
Page 39
FinCEN should take into account when adding or removing jurisdictions?

Answering this question requires detailed analysis of the various jurisdictions that could
be included in the Foreign Jurisdictions List, which Coinbase has not had the time or the
resources to investigate given the abbreviated comment period. However, Coinbase will
note that the stated national security rationale for the expedited rulemaking cites
countries that are not included in the Foreign Jurisdictions List. For example, the
indictment in United States. v. Cazes was of a Canadian national living in Thailand.127
Other examples concerned Chinese nationals.128 And the cited remarks of Sigal
Mandelker concerned efforts by Russia and Venezuela to use cryptocurrencies to evade
sanctions.129 In short, Treasury does not provide a coherent rationale tying the urgency
of the Proposed Rule to specific jurisdictions, making Coinbase’s analysis of this issue
impossible on this truncated schedule.
● (8) Has FinCEN provided sufficient clarity to financial institutions on the scope of
the aggregation requirements that apply to the proposed CVC/LTDA transaction
reporting requirement? Coinbase has not had the time or resources to investigate this
given the abbreviated comment period. Coinbase does note that this requirement ignores
certain technical aspects of blockchain transactions. For example, blockchains can reject
transactions due to congestion. The Proposed Rule does not contemplate how
cryptocurrency exchanges are supposed to account for such instances. Does Coinbase
remove it from the total for that day until it goes through? Or does the transaction take
place at the time the sender/receiver intended it to go through, even if it does not actually
transmit until a later time?
● (9) Discuss the costs and benefits of modifying the aggregation requirement to
require aggregation for the purposes of the proposed CVC/LTDA transaction
reporting requirement across both fiat and CVC/LTDA transactions. Coinbase has
not had the time or resources to investigate given the abbreviated comment period.
Coinbase estimates that requiring aggregation across both cryptocurrency and fiat
transactions would pose significant technical and functional challenges to implement.
Many wallets can only hold one type of cryptocurrency. So, for example, a user may
have a bitcoin wallet, an Ethereum wallet, a Litecoin wallet, and a fiat wallet. Building
the technological capabilities to track values and identities across multiple wallets owned
by the same user is not something the technology currently allows. This would be a
significant additional cost that Coinbase cannot accurately estimate in the truncated
127
Proposed Rule at 83,841 n.2; Indictment at ¶ 1, United States. v. Cazes, No. 1:17CR-00144
(E.D. Cal. June 1, 2017).
128
Press Release, DOJ, “Two Chinese Nationals Charged with Laundering Over $100 Million in
Cryptocurrency from Exchange Hack” (Mar. 2, 2020), https://www.justice.gov/opa/pr/two-
chinese-nationals-charged-laundering-over-100-million-cryptocurrency-exchange-hack.
129
Press Release, USDT, Remarks of Sigal Mandelker, Under Secretary for Terrorism and
Financial Intelligence, CoinDesk Consensus Conference (May 13, 2019),
https://home.treasury.gov/news/press-releases/sm687.

January 4, 2021
Page 40
comment period. Second, cryptocurrency and fiat have vastly different and always
changing values. It is not clear how cryptocurrency exchanges could accurately reflect
the total value across multiple accounts. This is particularly true in an industry where the
value can move several percentage points between the time a transaction is initiated and
when the network fully confirms the transaction. In this situation, what price should the
cryptocurrency exchange use? Finally, the technological payment networks are entirely
different for fiat and cryptocurrencies, and between cryptocurrencies. Coinbase uses
different internal systems managed by different teams to oversee each. Designing and
developing a technological capability to coordinate all of those separate functions will be
costly and time consuming. Coinbase will need significantly more time to estimate what
the actual costs would be.
● (10) Has FinCEN properly considered the extension of the mandatory and
discretionary statutory exemptions at 31 U.S.C. 5313(d)-(e) that are currently
applicable to the CTR reporting requirement to the proposed CVC/LTDA
transaction reporting requirement? Has FinCEN extended exemptions either too
broadly or too narrowly? Was FinCEN correct to not extend the exemption from
the CTR reporting requirement at 31 CFR 1010.315 related to transactions
between a non-bank financial institution and a commercial bank to the proposed
CVC/LTDA transaction reporting requirement? Coinbase has not had the time or
resources to investigate whether exceptions should be extended given the abbreviated
comment period. But Coinbase does believe preliminarily that Treasury must spend
more time looking at the issue and giving interested parties time to do the same. For
instance, there very well may be non-bank financial institutions that should be exempt if
they are transferring to or from a self-hosted wallet that the institution controls itself.
Additionally, although commercial banks may not transact with self-hosted wallets today
in any significant way, Coinbase believes that enabling an exemption would permit
banks alone to continue innovating in the digital asset space (particularly with certain
protocols that rely on self-hosted wallets), and that a failure to extend such an exemption
risks curtailing development in the U.S. financial sector.
● (11) Should FinCEN extend the obligation to file reports under the proposed
CVC/LTDA transaction reporting requirement to financial institutions other than
banks and MSBs (e.g., brokers-dealers, futures commission merchants, mutual
funds, etc.)? What would be the cost and benefits of extending the proposed
CVC/LTDA transaction reporting requirements to other financial institutions?
Coinbase has not had the time or resources to fully investigate how this issue would
impact other financial institutions given the abbreviated comment period. But Coinbase
preliminarily has serious concerns with the general concept of extending such reporting
obligations to additional financial institutions. For example, Coinbase’s licensed broker-
dealer entities, Coinbase Capital Markets and Coinbase Securities, are regulated by the
Securities and Exchange Commission (SEC) and Financial Industry Regulatory
Authority (FINRA) and may not engage in anonymized transactions under such
oversight. Moreover, these entities are already subject to strict KYC and reporting
requirements. Extending the Proposed Rule to these entities would be both costly and
superfluous based on other regulations.

January 4, 2021
Page 41
● (14) Could the verification requirements be adjusted to enhance the benefits to law
enforcement without a significant change to the costs to banks and MSBs, or to
reduce the costs to banks and MSBs without a significant change in the benefit to
law enforcement? Coinbase repeats its concern that Treasury itself has failed to
articulate any benefit to law enforcement nor cite to any support from the law
respond to in a proper notice-and-comment period. So Coinbase first has to ask, what
benefits? Even if Coinbase could guess at these hypothetical benefits, we have not had
adequate time to determine how it can identify individuals who transact with its
customers. Coinbase continues to support the use of risk-based measures to verify its
own customers and proposes that instead of formalizing the rushed and unvetted
Proposed Rule that Treasury work with the industry to further develop appropriate risk-
based analytics tools to collect information that is actually useful to law enforcement.
But to address Treasury’s question, Coinbase is missing information and sufficient time.
In particular, what is the possible justification for Treasury to require verification for
counterparties of cryptocurrency transactions but not fiat transactions? What level of
personal information does Treasury envision requiring an exchange to collect of a non-
customer that it has no privity with? How would this work when the counterparty is a
citizen of the EU and the transaction is subject to GDPR? How would this work for
transactions involving smart contracts or DeFi instruments where there is no name and
physical address? Treasury has not said. And even then, Coinbase would also need to
investigate what verification is possible legally and practically for a non-customer
counterparty, which cannot be done in this abbreviated comment period.
● (16) Is it necessary for the anti-structuring prohibition to be extended to the

proposed CVC/LTDA transaction reporting requirement? Coinbase has not had the
time or resources to fully investigate how this issue given the abbreviated comment
period. Coinbase does note that extending the anti-structuring prohibition to the
Proposed Rule is unnecessary and costly to cryptocurrency exchanges like Coinbase.
Coinbase already employs significant Transaction Monitoring Systems and files SARs
related to suspicious structuring. Any additional regulation will lead to additional costs
with no additional benefit.
● (20) Could the verification requirements be adjusted to enhance the benefits to law
enforcement without a significant change to the costs to banks and MSBs, or to
reduce the costs to banks and MSBs without a significant change in the benefit to
law enforcement? Our previous answer applies equally here, especially with respect to
the information Treasury has failed to provide.
● (22) Is it reasonable to require that records be retained in electronic form? Are the
retrievability criteria reasonable? Coinbase has not addressed this question because it
is unclear what other form the Proposed Rule would require. How else would Treasury
want cryptocurrency exchanges to keep this information? But for the reasons discussed
above about counterparty information in Section IV, Coinbase is concerned about storing
any information related to counterparties and the privacy implications of such a
requirement.

January 4, 2021
Page 42
● (23) Should FinCEN extend the obligation to keep records under the proposed
CVC/LTDA transaction reporting requirement to financial institutions other than
banks and MSBs (e.g., broker-dealers, futures commission merchants, mutual
funds, etc.)? Coinbase has not had the time or resources to fully investigate how this
issue would impact other financial institutions given the abbreviated comment period.
But Coinbase has serious concerns with the concept generally. For example, Coinbase’s
licensed broker-dealer entities, Coinbase Capital Markets and Coinbase Securities, are
regulated by the SEC and FINRA and may not engage in anonymized transactions under
such oversight. Moreover, these entities are already subject to strict recordkeeping
requirements. Extending the Proposed Rule to these entities would be both costly and
superfluous based on other regulations.
Beyond the questions Treasury poses, there are a significant number of questions
Treasury should have itself considered and asked the public before publishing the Proposed Rule,
many of which illustrate Treasury’s failure to grapple with the unique technology that underlies
cryptocurrency. For example:
● How is Treasury going to ensure the privacy of the large cache of personal identifying
information that it seeks to store and that can be linked to a particular individual’s
financial history on a blockchain?
● What does “name and physical address” mean for a particular counterparty? Will P.O.
boxes suffice? Are IP addresses sufficient?
● Does this regulation affect the 2019 guidance on multi-sig wallets?
● How does the regulation account for new CVCs with uncertain or unstable market value
or where the price varies across exchanges?
● How does this regulation apply to transfers for goods and services? Are they exempt?
● Does the regulation affect lightning networks and other layer-two payment protocols?
● How will this regulation apply to digital assets with legal tender status?
● How does this regulation apply to smart contracts and DeFi instruments, which do not
belong to an individual and therefore have no name and address associated with it?
***

January 4, 2021
Page 43
This rulemaking process utterly fails to meet the requirements of the Administrative
Procedure Act at every turn. The Proposed Rule fails to solve the stated problem and causes
more—and more serious—problems in return. Treasury entirely fails to justify the burdens it
proposes imposing on the cryptocurrency industry and the public. These failures would be the
same even if not a single member of the public provided a comment. But the volume of
comments in this very short period shines a bright light on both the substantive and procedural
failings of this rulemaking process. The overwhelming thrust of the thousands of comments we
have seen before our own submission is that this is too much, too fast. Coinbase has worked
almost around the clock to provide a comment in time to meet the artificially short deadline
imposed by Treasury. Yet we have still been unable to assess fully the Proposed Rule and
provide the input a regulatory change like this requires. Coinbase asks that Treasury abandon the
Proposed Rule altogether and engage in a proper and meaningful notice and comment period that
takes into account the views of the industry and the public.
Sincerely,
Paul Grewal
Chief Legal Officer
Coinbase Global, Inc.
Exhibit A
December 21, 2020
Kenneth A. Blanco
Director, Financial Crimes Enforcement Net ork
United States Department of the Treasur
P.O. Bo 39
Vienna, VA 22183
V a email to kenneth.blanco2@fincen.go
: D . C -2020-0020; . 1506-AB47
Dear Director Blanco:
Late Frida afternoon, the Financial Crimes Enforcement Net ork released a 72-page notice of
proposed rulemaking, Requirements for Certain Transactions In ol ing Con ertible Virtual Currenc or
Digital Assets, that ould impose ne and onerous reporting and recordkeeping requirements for
cr ptocurrenc transactions. FinCEN asked the public to pro ide comments in just 15 da s, spanning
Christmas E e, Christmas Da , Ne Year s E e, and Ne Year s Da , in the middle of a global
pandemic lea ing just a handful of actual orking da s for comments. Because e ha e historicall
enjo ed and alued a producti e orking relationship ith FinCEN, this recent de elopment is an
unfortunate and disappointing departure. Put another a , this latest NPRM is not ho effecti e
regulation is made. We therefore ask that FinCEN reconsider its haste and pro ide the t pical 60-da
period for such significant proposed rulemaking.
As a leader in the cr ptocurrenc industr , Coinbase routinel pro ides input and formal
comments as agencies consider and de elop ne regulations. We are proud of our record in orking ith
go ernments around the orld to de elop producti e regulation, and e take seriousl our obligation to
do so on behalf of our industr and all users of cr ptocurrenc . But e ha e ne er seen such a rushed
effort for such a significant proposed change in our industr .
In the notice, FinCEN asks for comments on 24 separate questions (more than three pages of the
notice alone). Based on our initial re ie o er the eekend, responding to those issues ill require
Coinbase and man other companies to undertake detailed technical anal ses, e tensi e costs
assessments, and comple balancing of pri ac interests for the customers hose personal information
ould no be required to be turned o er automaticall to a go ernment agenc . As just one e ample,
FinCEN asks for estimates of not just the costs of compl ing ith the proposed record keeping and
reporting requirements, but also estimates if reporting thresholds changed, co erage e panded to include
all cr pto transactions, and additional identit erification as mandated. FinCEN makes no attempt of its
o n to estimate the cost of the proposed rules, lea ing that ork entirel to the industr in this
abbre iated comment period. Coinbase is equall concerned about the issues not included in the three
pages of questions. For e ample, the cr ptocurrenc industr is built on technolog ith critical and
meaningful distinctions from traditional finance, but the notice does not adequatel account for those
rele ant differences hen proposing these ne requirements. Addressing all of the questions FinCEN has
posed and the additional issues FinCEN has not et considered ould take much longer than 15 da s in
the best of times. To do so in a handful of orking da s across the national holida s and during the latest
surge in COVID is quite ob iousl impossible. And that impossibilit ill materiall hinder FinCEN s
Kenneth A. Blanco
December 21, 2020
Page 2
abilit to craft regulation that considers and addresses the concerns of the communit it is regulating, as it
is required to do.
Despite the justifications pro ided in the notice, there is no basis in the la to take a a the
public s opportunit to de elop e idence in the record to support their objections to the rule.... Ca a
A ea I a R C a. .T , 471 F. Supp. 3d 25, 44 (D.D.C. 2020). It is not enough to cite
genericall to significant national securit imperati es and a handful of e amples of rongdoing related
to cr ptocurrenc around the globe untied to the proposed rules themsel es and man of hich are more
than a ear old. See Notice at 2-3. The APA s good cause e ception requires an agenc to pro ide a
specific, factual justification for claiming an emergenc . Te e ee Ga P e e C . . F.E.R.C., 969
F.2d 1141, 1146 (D.C. Cir. 1992). But FinCEN s notice here sa s this issue has been under consideration
since at least 2019, if not earlier, ithout an e planation of ho an emergenc has suddenl arisen ears
later, and coincidentall just as the current administration is set to lea e office. See Notice at 3. The
foreign affairs function e ception in the APA pro ides e en less of an escape hatch from a notice and
comment period here, as that e ception relates narro l to acti ities or actions characteristic to the
conduct of international relations. Ca a A ea I a R C a .T , 471 F. Supp. 3d
25, 53, 57 (D.D.C. 2020).
For significant regulator actions and this proposed rule is one agencies should use a
comment period of at least 60 da s. Administrati e Conference of the United States, Rulemaking
Comments, Recommendation number 2011-2 (June 16, 2011). That is precisel hat FinCEN has done
for the traditional financial industr . For e ample, FinCEN s Customer Due Diligence Requirements for
Financial Institutions pro ided the traditional 60 da s for notice and comment. 79 Fed. Reg. 45,151 (Aug.
4, 2014). In fact, FinCEN justified the proposed customer due-diligence requirement using the same
rationale set forth in this proposed rule: addressing national securit interests ; pre enting
mone -laundering; and assisting la enforcement. Id. Yet FinCEN offered a notice-and-comment period
that as four times longer than hat is proposed here and did so after also holding fi e public hearings
here the regulated communit could e press ie s on the proposed rulemaking itself. Id.
There is no emergenc here; there is onl an outgoing administration attempting to b pass the
required consultation ith the public to finali e a rushed rule before their time in office is done. There is
also no justification for treating the cr ptocurrenc industr so differentl from our counterparts in
traditional finance. FinCEN has pre iousl e pressed a illingness to e tend a 30-da deadline for
comments to 60 da s for a proposed BSA rule in order to allo interested parties more time in hich to
comment on the proposals in the [Prepaid Access notice of proposed rulemaking]. 75 Fed. Reg. 41,789
(Jul 19, 2010). The same rationale applies e en more so in the midst of a global pandemic.
Coinbase requests that FinCEN appl the traditional 60-da notice-and-comment period to this
notice, at a minimum, to ensure that Coinbase and other industr stakeholders ha e a true opportunit to
engage in the re ie and comment process ith respect to the proposed rule as the la requires.
Sincerel ,
Paul Gre al
Chief Legal Officer
Coinbase

Coinbase&#39;s response to the US Department of Treasury&#39;s rushed and unreasonable proposed crypto regulation

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Coinbase&#39;s response to the US Department of Treasury&#39;s rushed and unreasonable proposed crypto regulation

Transféré par

Droits d'auteur :

Formats disponibles

DocuSign Envelope ID: 2B89914B-3106-4125-BF3C-4AACB1C5D7D4

Via Electronic Filing (www.regulations.gov)

Dear Sir or Madam:

Treasury provided a sum total of 15 days to comment on a 72-page notice of proposed

FinCEN Policy Division

● The Proposed Rule imposes unnecessary, expansive privacy invasions on the

FinCEN Policy Division

FinCEN Policy Division

I. Background: Coinbase And Cryptocurrency

A. As An Industry Leader, Coinbase Has Long Supported Reasonable

Central to Coinbase’s mission is to earn and maintain our customers’ trust.

FinCEN Policy Division

B. Cryptocurrency And Blockchain Technology Require Unique Consideration

FinCEN Policy Division

FinCEN Policy Division

II. Treasury’s 15-Day Notice-And-Comment Period Is Unlawful

Treasury’s 15-day notice-and-comment period is woefully inadequate for the regulated

Treasury’s excuses for depriving the public of a meaningful notice-and-comment period

A. Treasury’s Rationale For The Truncated Notice-And-Comment Period Is

FinCEN Policy Division

B. Treasury Has Failed To Establish A Legitimate Reason For Bypassing Notice

1. The Foreign Affairs Exception Does Not Apply

FinCEN Policy Division

2. The Good Cause Exception Does Not Apply

FinCEN Policy Division

FinCEN Policy Division

C. Treasury Has Abandoned Its Own Standard Practices For Rulemaking,

FinCEN Policy Division

FinCEN Policy Division

● “Amendment to the Bank Secrecy Act Regulations—Definitions and Other Regulations

Treasury’s stated excuse—that it “directly engaged with the cryptocurrency industry on

FinCEN Policy Division

D. Treasury’s Shortened Notice-And-Comment Period Harms The Industry

No matter the rationale, the 15-day notice-and-comment period is extraordinarily

FinCEN Policy Division

III. The Proposed Rule Is Impermissibly Vague

FinCEN Policy Division

FinCEN Policy Division

A. Taking Customer Privacy Data Seriously Requires Substantial Investment

FinCEN Policy Division

B. The Proposed Regulation Will Drastically Increase The Amount Of Data

C. The Resulting Tranche Of Personal, Financial Data That FinCEN Wants

FinCEN Policy Division

FinCEN Policy Division

D. The Proposed Rule Poses Substantial Cross-Jurisdictional Issues Regarding

info from crypto wallet Ledger, Investopedia (Dec. 23, 2020),

FinCEN Policy Division

FinCEN Policy Division

FinCEN Policy Division

B. IRS Is Not Using Existing CTR Filings

FinCEN Policy Division

FinCEN Policy Division

The Proposed Rule is an unnecessary expansion of data collection in a system that

FinCEN Policy Division

FinCEN Policy Division

“Every day, FinCEN takes the…SARs, filed by financial institutions, and we

exchange.” DOT, National Money Laundering Risk Assessment, at 4 (2018),

FinCEN Policy Division

The Proposed Rule is a remarkable expansion of the reporting and recordkeeping

A. Treasury’s Regulations To Date Have Not Imposed Affirmative Data-

FinCEN Policy Division

“have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings.”98

In 2011, following a proper notice-and-comment process,100 FinCEN issued a final rule

FinCEN Policy Division

Coinbase's response to the US Department of Treasury's rushed and unreasonable proposed crypto regulation

Coinbase's response to the US Department of Treasury's rushed and unreasonable proposed crypto regulation