A couple of weeks ago the Financial Times reported that the UK’s National Crime Agency had called for extending anti-money laundering and counter-terrorist financing (AML/CTF) rules to cryptocurrency mixers. The Financial Times writes:
‘Around 15 per cent of all proceeds of crime was routed through mixers in 2021, according to Elliptic, a group that analyses cryptocurrency transactions. Well-known services include Wasabi Wallet, Samourai Wallet and Helix, whose US founder Larry Dean Harmon pleaded guilty to money laundering charges in August last year.
Wasabi, which launched in 2018, operates on a decentralised basis with software anyone can download and use. It is a flagship product of Gibraltar-based zkSNACKs, which describes itself as “unfairly private”. The company takes a fee from each transaction, amounting to 0.003 per cent multiplied by the number of users mixing wallets in each round of a transfer — the level of privacy increases with a higher amount of users. (…)
Elliptic estimates that more than $1bn worth of proceeds of crime has passed through Wasabi, by tracing wallets of known malicious actors.’
It also quotes a statement by Samourai Wallet, which suggests that regulating mixers may in fact be impossible due to their ‘decentralised’ nature.
Another recent article, this time in Fortune, comments on the apparent paradox of mixers not being outlawed. It cites Kim Grauer of Chainalysis, a leading blockchain analytics company, as saying that mixers are ‘not inherently illegal – they can be used for legitimate privacy purposes’.
All of this may sound rather confusing, and to some extent it is. So, I thought it might be useful to try to think aloud about where we stand with the AML/CTF regulation of mixers.
What Are Mixers?
To understand the role of mixers, it is important to note that major cryptocurrencies, such as Bitcoin and Ethereum, operate on transparent blockchains. That means that anyone can see all transactions. They are pseudonymous in the sense that a cryptocurrency address, consisting as it does of random-looking letters and numbers, as such tells you nothing of the person behind it. But there are ways to pierce that anonymity, and once that is done, your record of transactions is laid out in all its glory (or, if you deal in drugs on the Dark Web, in all of its incriminating detail).
Mixers defeat this transparency. They do so by acting as intermediaries. Instead of receiving a payment from your drug-buying customer, it will be routed via a mixer. And, instead of sending bitcoins directly to your favourite grandmother, you will likewise channel it through a mixer. Because mixers receive funds from many payors and transfer them to many recipients, it is excruciatingly difficult for outside investigators to match incoming and outgoing payments. Furthermore, mixers use a variety of clever techniques to further confound blockchain watchers, hence the term ‘mixing’.
How Is this Legal?
One can easily perceive the appeal of mixers to criminals, but nor is it implausible to suggest that some law-abiding, privacy-oriented users could be tempted, too. (They would, however, likely need a pretty good reason to be willing to cough up a 2-5% fee!)
The primary means by which mixers are dealt with is regulation. In the US, businesses that ‘accept’ or ‘transmit’ funds, currency or other value are subject to AML/CTF regulation. This includes mixers. The EU’s 5th Money Laundering Directive is more limited in scope and applies only to businesses that exchange virtual currency into fiat currency, as well as custodian wallet providers (we shall return to them). However, the Financial Action Task Force’s (FATF) Recommendations also cover businesses involved in ‘transfer of virtual assets’. This, too, seems to be exactly what mixers do.
In jurisdictions that have already implemented the FATF standards, the upshot is that mixers must conduct customer due diligence and report suspicious activities to law enforcement, much like any cryptocurrency exchange or bank. But that, of course, is wholly inconsistent with their ethos. In theory, there is perhaps a business case for a mixer that keeps transactions hidden from the prying eyes of the public yet dutifully cooperates with law enforcement. In reality, given the focus of mixers on complete anonymity, regulation has been almost tantamount to prohibition.
So much for mixers in their simplest form. Despite the nigh-inevitable challenges of enforcing AML/CTF rules against them, the legal and policy position is relatively straightforward. Greater challenges arise in the context of mixing protocols. These are, in essence, software that, once installed, mixes up participating users’ transactions. It removes the need for them to entrust the money to a mixer, which is especially welcome since many a mixer has been known to scam its customers.
From a regulatory standpoint, this also means that, save for the automatic operation of software, there is no external party involved in the transfer of cryptocurrency. And, despite occasional flirtation in some quarters with the idea of imposing AML/CTF duties on software developers, it is plain that someone who has developed and published an open-source mixing protocol has no way of conducting due diligence on people who may use it in the future. As a result, there is no obvious way of regulating mixing protocols short of imposing restraints on their publication, which is a distinctly unappealing (and, in some jurisdictions, possibly unconstitutional) proposition.
What Does This Mean?
If we now go back to the NCA’s statement reported in the Financial Times, we should note that the UK’s Money Laundering Regulations 2017, as amended in 2019, define regulated ‘cryptoasset exchange providers’ as involved in:
(a) exchanging, or arranging or making arrangements with a view to the exchange of, cryptoassets for money or money for cryptoassets,
(b) exchanging, or arranging or making arrangements with a view to the exchange of, one cryptoasset for another, or
(c) operating a machine which utilises automated processes to exchange cryptoassets for money or money for cryptoassets.
To me, there is a question mark as to whether any of these provisions is apt to cover mixers. Probably not. That could be dealt with relatively easily by bringing them in line with the FATF Recommendation so as to include ‘transfer’ of cryptocurrency among regulated activities.
But that is not the end of story. As the Financial Times article makes clear, Wasabi and other similar services make a big deal of the fact they are ‘decentralised’. That means, simply put, that at no point do they have control over their customers’ cryptocurrency. Instead, they merely provide an interface for customers to securely access their own cryptocurrency. The mixing function enabled by relying on CoinJoin, one of the open-source mixing protocols.
The distinction is important because EU, US and UK rules alike differentiate between ‘custodian’ and ‘non-custodian’ cryptocurrency wallet providers. A custodian wallet holds the private key that is necessary to transact in the customer’s cryptocurrency, and the customer only has direct access to their account with the wallet. Conversely, a non-custodian wallet is effectively the software that allows the customer to access their cryptocurrency stack but does not hold the private key. So, if Wasabi did hold customer funds in custody, it would be regulated as a custodian wallet.
To some extent, this disparity in regulatory treatment makes sense. For example, a custodian wallet can freeze the customer’s cryptocurrency if required to do so by law; a non-custodian one cannot. It is less clear to me, though, why a provider of non-custodian wallets cannot, if required to comply with AML/CTF requirements, be a useful source of financial intelligence (and this is not to say they should be regulated — I simply don’t know enough about this issue!). I suspect the answer may have to do with the practicalities of seeking to regulate and supervise countless businesses who, in effect, do nothing more than provide an interface to access one’s cryptocurrency holding.
In Wasabi and Samourai’s instance, however, we are talking about much more than that. Here we have businesses that not only serve as a gateway to cryptocurrency transactions, but help arrange them in a manner protective of the user’s privacy – for a fee. In those circumstances, whether or not they hold customers’ funds in custody should be neither here nor there. The term ‘decentralised’ conveys a sense of something networked and amorphous, barely if at all susceptible to regulation, yet in reality we are talking about actual companies whose CEOs give interviews to journalists defending their business model, which so far has been successful in gaming AML/CTF regulation. Defensible it may well be, but it is also, in my view, eminently regulatable, as the NCA is right to highlight.