How Big Brother can attack Bitcoin without spending a dime

Feb 11, 2025

Below is an op-ed by Harsha Goli on the boring (but pernicious!) way that compliance can be used to shackle Bitcoin and the companies in its orbit. Harsha Goli is the CEO and founder of bitcoin custody provider Magnolia, and he previously worked as a Lightning Network engineer for Fold and Lightning Labs.

I got into Bitcoin for money free from nation-state control. That was almost 10 years ago, and a lot’s changed since.

Back then, the government was hilariously incompetent when it came to Bitcoin and its universe of altcoins. It felt like they’d never catch up, that this stuff was somehow too slippery for the boring bureaucrats. Some people still feel like that’s the case – but it’s not.

I had a conversation recently that reminded me just how much progress the state has made beneath the noses of most Bitcoiners, even those in the know.

People don’t realize how bad it’s gotten, and even the most cypherpunk among us haven’t realized because well… compliance is boring and these changes took years to manifest.

But make no mistake, compliance is creeping into every corner of the Bitcoin ecosystem. Regulated exchanges are no longer the only ones beholden to KYC/AML/IRS regulations.

The noose is already tied, and exchanges have felt it tighten for a long time. Now other centralized entities that don’t even custody funds are feeling it. Soon, the noose could be around your renegade open source bitcoind node too.

Think I’m hyperbolizing? Let’s see where the line used to be, where it is now, and where it may be in the future based on trends and existing compliance laws in tradfi.

The original sin: If you touch fiat, you’re beholden to regulations

To start, we need to dispel the myth that compliance is a boring, snore-fest thing.

Because it’s not. The “boring” narrative is a lie to keep people from looking into the truth. The reality is that the government holds a legal gun to the heads of founders, and compliance rules dictate which bureaucrat can pull the trigger and under what circumstances.

We’re not talking about fines. The penalty for not complying is prison time — up to 10 years.

Cool, so now compliance is exciting! I’m gonna skip over a lot, but by and large, an entity’s requirement to comply is determined by whether or not regulators designate it as a money transmitter. Money transmitters are regulated state by state, and it can be quite complex to determine who is and who isn’t one, especially in the early days.

To help determine what defines a money transmitter, the Financial Crimes Enforcement Network (FinCEN) put out guidelines in 2019, the creatively named FIN-2019.

FIN-2019 dictates a lot, but it essentially says “listen, if you convert fiat to crypto and vice versa, you’re a money transmitter and have to comply with money transmitter regulations.” This typically means KYC/AML and state-by-state applications for approval.

It also explicitly says you aren’t a money transmitter if:

  • You use an un-hosted wallet with keys stored locally (FIN-2019 4.2.1)
  • You use a hosted multisig setup and control the majority of keys (FIN-2019 4.2.2)
  • You are a developer of anonymizing software
  • You are a developer of a Dapp
  • You are an end user in control of your own value (not holding value on behalf of someone else), using your own home cooked software

Most folks in the know are probably familiar with these rules and they probably think these rules are still in effect.

They’re not. The line’s been moved and the old FinCEN guidelines are more or less completely null.

The noose is tied: Samurai and Tornado Cash

Over the past few years, two cases fundamentally altered how the U.S. government views software that FIN-2019 would not classify as money transmitters.

In United States v. Storm in September 2023, the DOJ charged the founders of Tornado Cash, a privacy-enhancing smart contract on Ethereum, with conspiracy to operate an unlicensed money transmitter service and money laundering. In April 2024 the DOJ indicted the founders of Samurai Wallet, a self-custodial software wallet and coinjoin service, under the same charges.

The Bitcoin Policy Institute put out great work breaking down these cases, and their effects on the industry. I highly recommend you read their report here to get a full understanding of them.

The cases and charges brought by the DOJ directly contradicted FinCEN’s guidelines. In fact, Judge Failla redrew the money transmitter compliance line when she failed to dismiss United States v. Storm. Instead, she sided with the DOJ’s argument that the Bank Secrecy Act (another incredible piece of legislation that allows the government to search and monitor all financial movements in the banking sector) does not require an entity to have control of funds to be considered a money transmitter.

Under this interpretation, even software developers of fully self-custodial software can be considered money transmitters, as can developers of coordination software like privacy-focused coinjoin wallets.

Remember that list of exclusions for money transmitters from before? This ruling rewrites it to look like this:

  • You use an un-hosted wallet with keys stored locally (FIN-2019 4.2.1)
  • You use a hosted multisig setup and control the majority of keys (4.2.2)
  • You are a developer of anonymizing software
  • You are a developer of a Dapp
  • You are an end user in control of your own value (not holding value on behalf of someone else), using your own home cooked software

The noose tightens with IRS-TD-10021

The next notch in the knot comes from IRS regulation submitted in December 2024.

Again, I’ll leave out the deep dive for the sake of this article. You can find my full breakdown on Twitter here.

This IRS regulation does a few key things:

  • It formally tosses out nearly every crypto regulation both foreign (MiCA) and domestic (FinCEN 2019)
  • It broadens the scope of a broker to anything that “effectuates transactions” (basically if you’re helping facilitate a transaction, you’re now a broker)

With IRS-TD-10021 (what a boring name for something so insidious) a broker is required to fill out a 1099-DA to force users to pay taxes on currency exchange, even between similar assets (BTC to WBTC for example), and accurately filling out the 1099-DA requires KYC data.

This particular piece of bureaucratic work expands on the judicial work from earlier, broadening the scope of money transmitting to any entity that helps facilitate a transaction.

They know exactly what they’re doing here. This is shrewd. They acknowledge that the purpose of decentralized applications is to circumvent regulations – however, there are still pain-points with centralized entities in the process.

And they intend to coerce those entities into obedience.

If you combine these broker definitions with the ruling from United States v. Storm, Lightning Network node runners are also categorically defined as both money transmitters and even brokers.

Lightning Network node runners could be defined as money transmitters because they facilitate the movement of funds, and they could be defined as brokers if they are involved in currency conversion between USDT and bitcoin (i.e., they are running taproot-assets) and because they are effectuating transactions via coded orders.

That list of exceptions from earlier? It now looks like this:

  • You use an un-hosted wallet with keys stored locally (FIN-2019 4.2.1)
  • You use a hosted multisig setup and control the majority of keys (4.2.2)
  • You are a developer of anonymizing software
  • You are a developer of a Dapp
  • You are an end user in control of your own value (not holding value on behalf of someone else), using your own home cooked software

How the noose turns into a leash

By now, you ought to have picked up on a few things:

  • The government cares about asserting AML compliance and, by extension, OFAC compliance (which is how they financially strangle state enemies)
  • Centralized entities have already been drawn and quartered – the cases are in the books, the precedent exists
  • All that’s missing is comprehensive rules/guidelines on what compliance looks like so law enforcement can target offenders

It looks bad, but wait you say! We still have FIN-2019’s final exception!

  • You are an end user in control of your own value (not holding value on behalf of someone else), using your own home cooked software

This sense of safety is unjustified. Regulators have gone after centralized touch points because they’re easier to police, and with them, regulators can effectively control all commerce on Bitcoin.

They’ll never outlaw bitcoin. What they’ll do instead is force everyone who facilitates transfers to only use “clean” coins – a guilty until proven innocent approach.

In case you think this is absurd, this is how AML works for fiat today. When you apply for a loan, you provide bank statements that prove your funds are not ill-gained.

They achieve this explicitly by forcing institutions to be the front line defense for AML. If an institution is found to have accepted tainted funds, the institution is liable. Therefore, institutions are left with one choice: make sure all funds are clean before entering. 

Right now, compliance participation in firms that facilitate transfers between bitcoin being bought and sold via exchanges (like wallet providers and lightning nodes) is still too low to fulfill that obligation cleanly.

But once that participation begins, it will be possible for institutions to see enough KYC checkpoints through a Travel Rule Protocol (TRP) such as Coinbase’s TRUST to enforce a “certified clean funds only” policy.

That is the future we’re barreling towards, and there are only a few speed bumps in sight.

Factoring in Trump

Trump’s presidency has granted the crypto industry’s neck a reprieve from the proverbial noose. So far, the administration has essentially deregulated the SEC and is giving a good spanking to a few bureaucracies involved in Operation Chokepoint 2.0.

This is all good. But it’s not what we need. We need one of two things. First and foremost, we need more privacy tools in Bitcoin that provide for higher degrees of fungibility without centralized tradeoffs, which are easy targets for regulators.

Failing hard-coded, cryptographic protections, we need legislative protections from Congress to shield this industry from overzealous bureaucratic actors and to provide a clear and fair framework that still embraces the ideals that many Bitcoiners share.

It’s not very punk to beg for a law to protect us, but I’m fed up with seeing my friends get prosecuted.

“Lightning is private Bitcoin, stop being alarmist!”

Lightning is great. I’m a Lightning contributor and most of my bitcoin work is Lightning-related or adjacent. But Lightning nodes are servers, and servers are centralized and regulators can target them. Further, on-chain policing can effectively neuter lightning.

Have dirty funds and want to wash them with onion routing? In a Lightning-regulated world, no exchange will want to accept a direct channel open with you. Okay, so you open a node to some smaller intermediary node that isn’t OFAC compliant and is likely just a node runner.

Congratulations, you’ve figured out a way to defraud that node runner. By routing through them, you’ve managed to wash your coins and sell them on an exchange – but the dirty coins still exist. It’s just that the node runner holds the bag now, and likely doesn’t even realize he holds tainted bitcoin he won’t be able to purchase goods with or convert to fiat.

This is assuming fiat conversion points aren’t pressured into dropping support for anything that is even kind of private, as is the case in the EU where Kraken and Binance have been forced to drop support for the privacy coin monero. 

This isn’t great for Lightning. So what’re Lightning companies doing about it? Unfortunately, not much. Because of Lightning’s built-in privacy, complying with AML/KYC requirements for a money transmitter license is impractical. Combined with the egregious costs for money transmitter licenses (around 30 million dollars for all 50 states), and a general notion of “I’ll wait and see,” most Lightning companies don’t possess a money transmitter license.

Even Lightning-only provider Lightspark (whom Coinbase partners with) only received licenses a few months ago, and only for 10 states.

Where’s the fight and who’s leading the charge?

The front lines for this fight are the courts, the ballot box, Twitter, and every town square.

Our largest allies at the legal, institutional, and zeitgeist level are Coinbase, David Sacks, Marc Andreessen, and countless others.

In contrast, there are no champions at the Bitcoin protocol level. There are some proposals with some cool privacy improvements whose work I follow closely (Payjoin and Silent payments come to mind). But none of them are as drastic as we need, largely because the tools in Bitcoin are currently lacking for any significant, decentralized privacy upgrades.

Cut the noose

Bitcoin is the face of crypto, and crypto has too much momentum to be outright banned at this point. If a functionality is possible on layer 1 Bitcoin with no special software, it’s stapled to the Bitcoin narrative.

The government has co-opted the Bitcoin narrative towards its own ends with regards to a strategic Bitcoin Reserve or U.S. branded stablecoins.

It’s time we get smart, upgrade Bitcoin right under their noses and force them to rubber stamp privacy functionality they hate. It’s time we co-opt the government’s crypto adoption toward our own means.

If we don’t, the U.S. government gets to have its cake and eat it too. They get to have USD-backed stablecoins, they get to buy up as much of the supply of bitcoin as they like, and they get to completely gate keep Bitcoin’s ingress and egress points, controlling who gets access and knowing exactly what all participants are up to at any given time.

We can’t afford to dismiss compliance concerns and underestimate a fully crypto-aware government.

I didn’t get into Bitcoin to give the government a new financial weapon. Did you?

Photo by Ye Jinghan on Unsplash
