Money Services Business - Max Fang's Notes

# Money Services Businesses (MSBs) ## FinCEN Guidance, FIN-2019-G001, May 9, 2019 **[[FinCEN Guidance CVC FINAL 508.pdf]]** - [Source](https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf) (pdf) ![[FinCEN Guidance CVC FINAL 508.pdf]] ### Four-factor test (under Section 4.2., "CVC Wallets") >The regulatory treatment of such intermediaries depends on four criteria: >- (a) who owns the value; >- (b) where the value is stored; >- (c) whether the owner interacts directly with the payment system where the CVC runs; and, >- (d) whether the person acting as intermediary has total independent control over the value. > >The regulatory treatment of each type of CVC wallet based on these factors is described in the next subsection. ### FinCEN differentiates between custodial ("hosted") and non-custodial ("unhosted") cryptocurrency ("CVC") wallets. **Hosted** wallet providers are money transmitters, and are thus [[Money Services Business|MSBs]], and thus need to comply with [[Bank Secrecy Act]] Obligations. >**Hosted** wallet providers are account-based money transmitters that receive, store, and transmit CVCs on behalf of their accountholders, generally interacting with them through websites or mobile applications. In this business model, the money transmitter is the host, the account is the wallet, and the accountholder is the wallet owner. In addition, > >(a) the value belongs to the owner; >(b) the value may be stored in a wallet or represented as an entry in the accounts of the host; >(c) the owner interacts directly with the host, and not with the payment system; and >(d) ==the host has total independent control over the value (although it is contractually obligated to access the value only on instructions from the owner)==. > >... > >**Unhosted** wallets are software hosted on a person’s computer, phone, or other device that allow the person to store and conduct transactions in CVC. ==Unhosted wallets do not require an additional third party to conduct transactions==. In the case of unhosted, single-signature wallets, > >(a) the value (by definition) is the property of the owner and is stored in a wallet, while >(b) the owner interacts with the payment system directly ==and has total independent control over the value==. > >In so far as the person conducting a transaction through the unhosted wallet is doing so to purchase goods or services on the user’s own behalf, they are not a money transmitter. The sentence "unhosted wallets do not require an additional third party to conduct transactions" is somewhat ambiguous, since it is technically contradicted in the very next (illuminating) section on multisignature wallets: >4.2.2. Multiple-signature wallet providers > >Multiple-signature wallet providers are entities that facilitate the creation of wallets specifically for CVC that, for enhanced security, require more than one private key for the wallet owner(s) to effect transactions. Typically, multiple-signature wallet providers maintain in their possession one key for additional validation, while the wallet owner maintains the other private key locally. When a wallet owner wishes to effect a transaction from the owner’s multiple-signature wallet, the wallet owner will generally submit to the provider a request signed with the wallet owner’s private key, and once the provider verifies this request, the provider validates and executes the transaction using the second key it houses. With respect to an un-hosted multiple signature wallet, > >(a) ==the value belongs to the owner and is stored in the wallet;== >(b) ==the owner interacts with the wallet software and/or payment system to initiate a transaction, supplying part of the credentials required to access the value; and== >(c) ==the person participating in the transaction to provide additional validation at the request of the owner does not have total independent control over the value==. > >If the multiple-signature wallet provider restricts its role to creating un-hosted wallets that require adding a second authorization key to the wallet owner’s private key in order to validate and complete transactions, the provider is not a money transmitter because it does not accept and transmit value.56 56. 31 CFR § 1010.100(ff)(5)(ii)(A). On the other hand, if the person combines the services of a multiple-signature wallet provider and a hosted wallet provider, that person will then qualify as a money transmitter. Likewise, if the value is represented as an entry in the accounts of the provider, the owner does not interact with the payment system directly, ==or the provider maintains total independent control of the value==, the provider will also qualify as a money transmitter, regardless of the label the person applies to itself or its activities. This passage uses a 2-of-2 multisig scheme as an example. If the multisig wallet provider refuses to cooperate (or ceases to exist), it would be true that the user would not be able to make transactions, and thus it would not be true that the user "do\[es\] not require an additional third party to conduct transactions". I believe this contradiction is a technical detail that was missed by the likely nontechnical person who drafted this guidance. A non-contradicting example would have been a 2-of-3 multisig wallet where two of the keys are held by the user (one primary key, one backup or cold key), and one key is held by the multisig wallet provider (validating key). In this case, even in the case of a non-cooperative multisig wallet provider, the user "do\[es\] not require an additional third party to conduct transactions". Although they never state it directly, it appears that the intent of their guidance is that non-custodial wallets qualify as "unhosted". The phrase that appears in the definitions of both hosted and unhosted wallets is "total independent control of the value", where the user must have this control in the case of an unhosted wallet, and where the wallet provider has this control in the case of a hosted wallet. It is also worth noting that even if a wallet is "contractually obligated to access the value only on instructions from the owner", it will still qualify as a hosted wallet if the wallet has "total independent control of the value". In other words, "we are a trustworthy custodian" counts for nothing in the determination of whether you are a hosted or unhosted wallet; if you are a participating party or facilitator in the transaction, you must be acting purely in the capacities of an untrusted third party in order to qualify as unhosted.