Goodbye Fungibility: OFAC's Bitcoin Blacklist Could Remake Crypto
Joe Ciccolo is the president of BitAML, Inc., a compliance service provider. Andrew Hinkes is an adjunct professor at the NYU Stern School of Business and NYU School of Law.
This article is not intended to provide, and should not be taken as, legal advice.
With just one paragraph, an agency of the U.S. government may have just radically altered the dynamics of the cryptocurrency ecosystem.
The Office of Foreign Asset Control (OFAC) announced on March 19 that it was considering including digital currency addresses associated with its list of persons and entities with whom U.S. persons and businesses are forbidden to transact business.
In a new section of its website, labeled "Questions about Virtual Currency," OFAC noted that it "may add digital currency addresses to the SDN List to alert the public of specific digital currency identifiers associated with a blocked person."
The list of Specially Designated Nationals (SDNs) includes individuals and entities associated with sanctioned governments, terrorism, trafficking in weapons of mass destruction, and illegal drug trafficking. This list includes varying types of records, including in some cases only names, but in other cases names, addresses, aliases, etc.
Financial institutions would be required to screen any virtual currency address provided for a transaction against a list to be provided by OFAC, and to either report, deny service to, or block transactions involving any listed addresses.
The agency's FAQ also encourages reporting of addresses associated with listed individuals, which suggests that they intend to supplement the SDN list on an ongoing basis.
This brings up innumerable questions, a few of which we tackle below:
Who decides what addresses are added to the SDN list?
OFAC is operated by the Department of Treasury, which currently maintains and updates the SDN list. It appears that the existing SDN list will be updated to include addresses associated with individuals and entities already listed by OFAC, and that OFAC is encouraging others to provide additional data to associate addresses with listed individuals and entities.
What if a digital currency address is wrongfully associated with a blacklisted individual?
There is an appeal process available. By appealing you necessarily divulge your identity and contact information to OFAC, which will likely investigate your connection to the listed individual.
If you appeal, expect a long conversation with the regulator, and expect to provide evidence that you are not involved in whatever illicit activity is associated with that listed person or entity.
Taint by association
What happens if you receive a transaction from a listed digital currency address?
It is possible that the received coins would then be "tainted" as being linked back to a listed individual or entity, and that your identity and digital currency address may then be added to the OFAC list.
It is unclear as to whether OFAC intends to add new addresses that send or receive coins to or from listed public key addresses, but it is clear that any transaction with an illicit actor who is listed on the SDN list is prohibited and can result in penalties.
If OFAC uses blockchain tracing software to identify the counterparty to transactions with listed digital currency addresses, it may add the addresses of those counterparties to the SDN list.
This could quickly multiply the number of addresses on the SDN list and would likely include addresses for individuals and entities that are not currently there.
This may also kick off a cat-and-mouse game between OFAC and illicit actors. Can OFAC update its list as fast as illicit actors can move their funds to new digital currency addresses?
Suppose that OFAC wants to add to its SDN list any new addresses that interact with listed addresses. Does that mean that if a listed public address sends a transaction to someone else and receives change, both the recipient address and change address could be added to the OFAC list?
Probably, although it is unclear as to how much of its resources the Department of Treasury intends to devote to reading the blockchain and updating the SDN list. Arguably, it would require full-time staffing or dedicated software to track this, and the list of barred addresses would grow extremely quickly.
We will quickly know what OFAC intends to do, as it regularly updates its SDN list with new data, and rapid-fire updates to add new addresses will be obvious.
What if a digital currency address listed is an address used by a third-party custody provider, (i.e. a multisig wallet provider or a custodial exchange)?
It is unclear, but the addition of a multisig wallet provider's digital currency address to the SDN list could affect all users of that custody provider's service who transfer their funds to that service provider.
Customers of that multisig wallet may find that their funds may be blocked, and thus not able to be transacted through any financial institution. Remember, business transactions with listed individuals and entities are prohibited.
Aren't digital currency addresses typically single-use? If so, does this matter?
In some cases, if a crypto system user observes perfect hygiene, yes. But most crypto users trade security for convenience.
How likely is it that a transaction is reported?
A transaction should be reported if it passes through or is disclosed to an entity that has an obligation to check for OFAC compliance, which does not typically include retailers, or non-financial entities. This means that de minimis transactions will probably fall through the cracks, but large ones will be caught.
What is the duty of inquiry for OFAC-charged entities?
This is unclear. A direct transfer from a listed address would be detected, but it is not clear if the there is a duty to look further back for a transaction with a listed digital currency address, or how far back any entity is required to look.
Guidance suggests that financial institutions are required to identify parties that are majority-owned by listed individuals and entities. However, identification of the current user of any given digital currency address may be difficult.
If OFAC adds to the SDN list digital currency addresses of transferees from listed addresses and I receive a transaction from a listed digital currency address, are all of my assets associated with that digital currency address now tainted? What about my other unspent transaction outputs (UTXOs) that did not come from a listed digital currency address?
Under this hypothetical, it looks like it, unless OFAC distinguishes between UTXO's based upon sending address, which is unlikely.
Unlike cash deposits in a depository account, receiving a crypto UTXO does not commingle assets - each one can be separated even when it resides in a wallet. So, while a distinction can be made, it is unclear how a regulator would approach this argument.
Again, it depends on the amount of resources that OFAC devotes to this project, and what software they use.
If OFAC is tracking transactions from listed addresses to other addresses and intends to add addresses of transferees, wouldn't that mean that OFAC would have a list of addresses it wants to bar, but not necessarily have the identity of the persons who use that address?
Probably. In a sense, it is always difficult to entirely map identity to a specific address, as the assets associated with a public key address can be used by anyone with a private key for that public key address, and ownership can change without any information about that ownership change being reflected on the system.
Mapping between user and public key address may be more ephemeral than regulators expect, which may frustrate the exercise.
Nodes, miners and Lightning
Are node operators or miners required to screen out transactions from blacklisted addresses?
Maybe (we know, total cop-out).
Node operators arguably may not have any obligation, but miners may have a compliance obligation, which would radically change mining and confirmation of new transactions.
Mining pools may need to kick out any listed addresses participating in their mining pools for fear of pool-wide conspiracy or liability for aiding and abetting. Miners may be obligated to not confirm, or to block, transactions involving listed addresses, which runs counter to mining itself.
This would be an example of policy and law directly intersecting with code and governance of these systems, and would bring up lots of fun issues that law professors love to put in final exams.
How does this effect the Lightning Network?
If Lightning Network is deemed to be a money transmitter, Lightning Network node operators may have to comply and either refuse or block transactions involving listed addresses.
Does this affect coin fungibility?
Kiss fungibility goodbye. Expect a premium on freshly minted coins, or traced "clean" coins on the market provided they come from a "clean" miner.
This may cause a bifurcation in price between what was otherwise a functionally clean asset, and a "dirty" coin that has passed through a listed address.
We may even see a trifurcation, as "grey" tumbled or mixed coins reside somewhere in the middle.
What about tumblers and mixers?
Tumblers would likely produce "grey" tokens that would not be initially blacklisted, but ultimately would be tagged as tumbled and blacklisted once the regulators get the software tools, resources and staffing to allow this level of detailed analysis and implementation.
Transactions using tumbled or mixed coins will probably be reported on suspicious activity reports, anyway.
Will coins be permanently "marked" if they are transacted to or from a listed address?
Nobody knows at this point.
What about exchanges?
Exchanges would undoubtedly be required to comply, which would shut off liquidity in the U.S. for blacklisted addresses.
However, this may hasten the shift of trading volume to decentralized exchanges or overseas exchanges, whose participants would risk listing or trading at pain of enforcement by the U.S. government.
What about privacy-enabled coins like zcash or monero?
Expect an uptick in support, development, and usage of these tokens, and an uptick in their usage in their privacy-enabled mode.
What to do now
How do I make sure my coins are clean?
There will likely be tools developed to determine the "taint" of a given UTXO and vendors that provide OFAC-compliant coin services.
Could this backfire? What's the doomsday scenario?
Sure. Operators of listed digital currency addresses could spray satoshis at any address they can find and essentially "taint" the entire blockchain.
After listing addresses and implementing appropriate tracking software, OFAC may find that all addresses are two or three transactions away from a listed address, and the tool becomes essentially worthless.
I run a [insert crypto business here] and I am concerned. What should I do?
Get a qualified lawyer or compliance consultant who understands banking law and understands crypto systems and pay that lawyer or consultant for real advice.
Do not rely upon Twitter or Reddit comments for legal advice.
Passport in chains image via Shutterstock.