Tornado Cash Update; EU Contemplates AML Regulator; Our Response to Treasury’s RFC
DEF Weekly Roundup - August 19, 2022
Tornado Cash Update
We still have way more questions than answers about the U.S. Treasury’s sanctioning of immutable smart contracts — and the (supposedly unrelated) arrest of Tornado developer Alexey Pertsev a few days later. The Treasury Department has been silent since the initial press release announcing the designations, notwithstanding the novelty of the action and universal confusion with respect to what Treasury did, what Treasury intended to do, and the action’s implications for developers and users around the world.
What we know: Our only definitive information comes from the press release and what Treasury officials reportedly said during the press call announcing the designation. However, there are a few details worth keeping top of mind:
The press release seemingly (and mistakenly) imparts agency on immutable smart contracts and apparently equates last week’s action to Treasury’s designation of Blender.io (a centralized mixing business).
Nik De at Coindesk reported that a “senior Treasury Department official said during a press call that the agency would continue monitoring mixers, and could take further action if Tornado Cash continues as is. ‘Since we sanctioned virtual currency mixer Blender.io, we have not seen evidence to suggest that it has remained active post that designation,’ the official said. ‘We do believe that this action will send a really critical message to the private sector about the risks associated with mixers writ large, which obviously is designed to inhibit Tornado Cash or any sort of reconstituted versions of it to continue to operate’” (emphasis added).
Also ICYMI, here’s Coin Center’s very insightful analysis of the legality (not to mention the appropriateness) of treating autonomous code as a sanctionable “person/entity.”
What we don’t know: Several critical questions remain unanswered, including:
Does Treasury believe that Tornado cash is a centralized mixer like Blender.io?
Does Treasury believe that a person or group of persons ultimately controls the designated smart contracts? In other words, does Treasury reject the fact that the designated smart contracts are immutable?
Does Treasury expect the designations “to bring about a positive change in behavior” of immutable smart contracts? If not, what’s the intent of the designation?
Here’s a useful thread from crypto lawyer Drew Hinkes with other outstanding questions.
What we know: We’ve dug up some more information about the arrest of Alexey Pertsev in the Netherlands, but, here again, the known unknowns are extensive. Some notable elements of the initial press release given additional developments (emphases added):
A “29-year-old man… is suspected of involvement in concealing criminal financial flows and facilitating money laundering through the mixing of cryptocurrencies through the decentralised Ethereum mixing service Tornado Cash.”
“In June 2022 the het [sic] Financial Advanced Cyber Team (FACT) of the FIOD started an criminal investigation against Tornado Cash, that is offered on the Internet by means of a decentralised autonomous organisation (DAO).”
Tornado Cash has “achieved a turnover of at least seven billion dollars. Investigations showed that at least one billion dollars' worth of cryptocurrencies of criminal origin passed through the mixer.”
We’ve also been in touch with the FIOD, whose press office provided some additional information:
Finally, here’s a translation of a Dutch article with Q&A from the FIOD about the situation.
What we don’t know: Like Treasury’s designation of smart contracts, the lack of information about Pertsev’s arrest is troubling. We really don’t know any specifics beyond what was described in the initial press release. We don’t know the factual basis of his arrest, other than that “he is suspected of involvement in concealing criminal financial flows and facilitating money laundering.” We don’t know whether he’s been charged with anything, and if so, what he’s been charged with. While FIOD’s general statements since his arrest have serious implications for the writing and publishing of open-source software in the Netherlands, without more information about the specifics of Pertsev’s arrest, we’re flying blind.
Incoherent thoughts worth what you’re paying for them
In juxtaposition to the U.S. Treasury’s press release, it’s notable that the Netherlands explicitly states that Tornado Cash is not a centralized service (like Blender.io) but rather a decentralized protocol. That’s really cold comfort, however, because in conjunction with FIOD’s subsequent public statements, it implies that the Netherlands intends to hold developers of open-source software protocols liable for the potential illicit use, by other users, of the open source code they wrote. As many on crypto twitter have pointed out, we shouldn’t hold a person responsible for other people’s actions which they have no control over or even knowledge of. On the other hand, with respect to Treasury’s designation, it’s almost encouraging that the press release incorrectly imparts agency on software that cannot be changed by anyone or anything because it at least leaves room for all of this to be a massive and unfortunate misunderstanding. (Please forgive me for grasping for any semblance of good news in this situation.)
That being said, both Treasury and FIOD seemingly don’t grasp the fact that TC smart contracts are immutable, DAO or no DAO, TORN or no TORN.
The most recent statement FIOD sent us is confusing and, to the extent it’s relevant to Alexey Pertsev’s case (again, we don’t know for certain), contradicts the press release announcing the arrest. Clearly Tornado Cash’s “sole purpose” could not be to facilitate criminal activity if, by the FIOD’s own estimation, 6/7ths of the volume through TC smart contract(s) did not have criminal origins. But again, it’s cold comfort because this discrepancy may not be contradictory in the eyes of FIOD if they believe the use of a mixing service is in and of itself illicit.
What we do now
Mitigate: We’re submitting a petition to Treasury for a “general license” that would allow US persons to engage in activities otherwise prohibited by the designation of the Tornado Cash smart contracts. Often when Treasury designates an entity on the sanctions list, it’ll concurrently issue a “general license” to allow for US persons to “wind down” their activities and relationships with newly designated persons, entities, and (in this instance) so-called entities. For example, when Treasury designates a foreign financial institution, it can issue a general license for US persons to withdraw their assets and cease interacting with that financial institution for a period of time. A general license in this case could allow lawful US persons to, among other activities, withdraw their assets from TC smart contracts without breaching sanctions obligations. We (and many others) are also urging Treasury to issue guidance and FAQs with respect to the many outstanding and critical questions that are previewed above. We also submitted a (admittedly ill-fated, more likely than not) Freedom of Information Act (FOIA) request to Treasury last week. In addition, we’ve provided our perspective on the situation in the WSJ, NYT, Time, Cybersecurity DIVE, Decrypt 1, Decrypt 2, Coindesk, and The Information.
Advocate: We need to convince Treasury that sanctioning, restricting, or targeting the use of open-source software (and potentially those who write and publish open-source software) isn’t the best way to accomplish their policy objectives and isn’t in the national interest on net. While the basis of last week’s action involved the designation of non-persons/non-entities as persons/entities, the executive has a vast array of related and unrelated authorities that it could potentially tap to effectuate a substantively similar outcome. My point here is that I don’t want to test that hypothesis and find out. The damage already caused by this situation has been pretty consequential, and it’s not in anyone’s interest for something akin to this action to happen again.
Litigate?: Our friends at Coin Center have laid out (same post already linked above) why they believe the designation of a non-person/non-entity may be beyond the authority OFAC based its action on and may be unconstitutional.
FAQs + Resources
What are sanctions? What is OFAC?
Sanctions are a national security and foreign policy tool that are applied to non-US persons and entities (hereafter, “person”). The sanctioning of a person doesn’t impose any obligation on that person. Instead, the sanctioning of a person generally imposes obligations on US persons, requiring them to cease transactions and commercial relationships with the sanctioned person and to block/seize the assets of the sanctioned person. The Treasury Department’s Office of Foreign Assets Control (OFAC) administers and enforces U.S. sanctions. (Source: US Treasury FAQs)
What is the objective of sanctions?
Sanctions are not a punishment but rather a tool intended to influence the actions of a foreign person. As Treasury explains, “the power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior.” (Source: US Treasury)
What information has Treasury released about the sanctioning of Tornado Cash?
Press release announcing the sanctions
List of specific websites, wallets, and smart contracts designated
What is a “specific license” and under what situations would a US person seek a license?
“A license is an authorization from OFAC to engage in a transaction that otherwise would be prohibited. If your funds have been blocked or ‘frozen’ by a financial institution or other party due to a possible link to OFAC-administered sanctions, you may apply for a specific license…” (Source: US Treasury)
You can apply for a specific license at this link.
What’s a more in depth (but not too long) description of the US sanctions system?
This opinion from US magistrate judge Zia Faruqui provides a good overview of the system.
As a U.S. person, is it true that I can have criminal liability for something I had no control or knowledge of in the context of sanctions?
No. As Judge Faruqui explains (citations omitted and emphases added):
“Criminal penalties may arise from willful violations, while civil penalties are imposed on a strict liability basis.”
As a U.S. person, do I have other obligations?
Yes. As Judge Faruqui explains (citations omitted):
“U.S. persons are prohibited from participating in or facilitating transactions, even if ultimately concluded by foreign persons, which would be prohibited if performed by the U.S. person directly.”
I’m not a U.S. person. Do I have anything to watch out for?
Yes. As Judge Faruqui explains (citations omitted):
“Non-U.S. persons or entities are liable for sanctions violations when they cause a U.S. person or entity to violate OFAC’s regulations. For example, a sanctioned Russian Oligarch who wires funds via a front company that transit through a U.S. correspondent bank, violates [U.S. sanctions laws] by causing the correspondent banker in the U.S. to (unwittingly) export financial services to a sanctioned entity.”
You didn’t answer a question that I am curious about.
Please reach out. Dm us on twitter @fund_defi or email us at email@example.com.
EU Contemplates New AML Regulator for Crypto
The European Parliament is set to release its version of the 6th Directive AML/CFT (AMLD6) proposal after its August recess. The legislation was first introduced by the European Commission who released a version of the proposal in July 2021. The European Council followed by releasing its version this past July.
Once the European Parliament concludes negotiations and finalizes its version, the three bodies will enter into the final stage of negotiations called trilogues.
If passed, the new legislative package will create an EU-wide regulatory body called the “Anti-Money Laundering Authority,” or AMLA. Based on the current versions of the legislation that have been released, the body will be charged with monitoring “high-risk” crypto entities as financial services and will have direct oversight authority over crypto activity.
A briefing from the European Parliament said the following about the newly proposed system:
“EU-level supervision consisting of a hub and spoke model – i.e. supervisor at the EU level competent for direct supervision of certain financial institutions (FIs), indirect supervision/coordination of the other FIs, and a coordination role for supervising the non-financial sector as a first step.”
The timeline for finalization will depend on the extent of the negotiations in the European Parliament and the trilogues that will follow. This process will likely take several years.
What does this mean?
While it is unclear who in the crypto space falls within the scope of this new regulatory body’s authority and what constitutes a “high risk” crypto entity, we can say with confidence that this new body is likely coming.
Of the three houses, the European Parliament has been the strongest supporter of regulations addressing the use of crypto for money laundering, so we do not expect any significant changes to the legislation before trilogue.
The current AML regime advises member states to regulate crypto exchanges in the same way financial institutions are regulated. By contrast, AMLD6 provides the AMLA with direct oversight authority.
ICYMI: Our Response to Treasury’s RFC
Last month, the US Department of Treasury issued a request for public comment regarding President Biden’s Executive Order, “Ensuring Responsible Innovation in Digital Assets.” The DEF submitted a response addressing these key questions earlier this month which is linked here.