
How FINCEN regulations affect cloud-based solutions in payment tech.

Just a few weeks ago, the Financial Crimes Enforcement Network (FINCEN) released a ruling about the applicability of the payment processor exception to a Bitcoin based company.

As a little background, generally any company that transfers value between one party and another (or from one location to another) is deemed a money transmitter and subject to applicable regulatory controls. There is an exception for “payment processors” who merely process payments on behalf of merchants [See (5)(ii)(B)].

In the recent ruling, the company requesting clarification wanted to accept remittance in U.S. Dollars from presumably U.S. customers of Latin American hotels and send those hotels the commensurate value in bitcoin. The company argued they fell under the payment processor exception. FINCEN disagreed. Without going into too much detail, the basis of the ruling was that, for the payment processor exemption to apply, “the entity must use a clearance and settlement system that intermediates solely between BSA regulated institutions.” (BSA is the Bank Secrecy Act).

While this is bad for the company that requested the ruling, it’s even worse for the Bitcoin community at large. Why?

[Disclaimer: the following is not to be construed as legal advice and is not meant to pick on blockchain. I’m a customer of theirs and use their API to facilitate transactions for my privacy preserving disposable email service 1ncemail.]

blockchain offers a very simple API that allows merchants to accept bitcoin on their websites and integrate it into their shopping cart or other systems. The API works like many other payment processors in that when money is received it makes a call to a URL on the merchant’s server indicating payment has been received. The merchant then appropriately credits the customer’s account.

The problem (from a regulatory perspective) is that blockchain’s API generates a payment transaction wallet to accept payment for the merchant and then forwards that payment on to the merchant’s wallet. In that respect, blockchain is moving value from one person (the consumer) to another (the merchant), and they can’t rely on the payment processor exception because they are not going through BSA regulated entities to send value to the merchant.

Now, of course, if blockchain provided the same functionality of the API in software the merchant downloaded and installed on their own servers, there wouldn’t be an issue, because they would merely be providing software, not facilitating the actual transmission. I would say the API could provide the primary function (monitoring a transaction wallet address for payment and calling a URL) without running afoul of the regulations. But because blockchain has control of that intermediary wallet, they are in fact a money transmitter for the purposes of the regulations.

I actually think this ruling might be a prelude to FINCEN considering miners as money transmitters. And I hesitate to suggest, if someone presented the Bitcoin system in the abstract (without reference to Bitcoin) to FINCEN asking for clarification if miners were money transmitters, they would unquestionably say yes.




Ignorance is Bliss

I would say the vast majority of people, lawyers especially, are completely clueless to the coming revolution of decentralized computing. This is a complete paradigm shift from how most people have been taught to believe over the past 2000 years. The revolution will not be televised (because television is a product of a centralized production system).


Check out this great overview by Gary Sharma


Bitcoin Vending machines

I’ve had a lot of inquiries over the past years about Bitcoin vending machines (aka ATMs). The general concern, and one of the primary reasons holding back machine adoption, has been around compliance issues. For the avoidance of confusion, I’m going to refer to the devices as Bitcoin kiosks.

I should mention that this blog post should NOT be taken as legal advice. I am a lawyer but I am not your lawyer. Your facts and circumstances may dictate the application of the law to you in a different manner. This is all new territory and it is unclear how regulation will affect kiosk operators. In other words, my post here is speculative. In addition, this is not meant to be a thorough analysis but rather a quick thought on the issue, and I would investigate the legal issues in more detail for a particular client.

The most typical process with the kiosks I’ve seen is that you deposit some paper currency, then hold your QR code up to a camera, which captures your public address, and the kiosk transfers the funds to your Bitcoin address. From a FinCen perspective, the risk here is that you are transmitting funds to another person or another place. Title 31 Section 1010.0100(ff)(5) defines a money transmitter as:

(5) Money transmitter—(i) In general. (A) A person that provides money transmission services. The term “money transmission services” means the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means. “Any means” includes, but is not limited to, through a financial agency or institution; a Federal Reserve Bank or other facility of one or more Federal Reserve Banks, the Board of Governors of the Federal Reserve System, or both; an electronic funds transfer network; or an informal value transfer system; or…

The concern is thus that the QR code doesn’t belong to the person presenting the money at the kiosk. The person depositing the funds in Atlanta, GA could be displaying a QR code belonging to a person in Belarus, thus employing the kiosk operator unwittingly as a money transmitter. The common response of operators is that they will employ terms and conditions forbidding such activity. Unfortunately, the U.S. government will take a dim view of that. As the business owner, the onus is on you. Forget the fact that Bitcoin facilitates its own transfer and so you’re not really providing anything they can’t do on their own; the operator will still likely be on the hook.

One avenue to ensure compliance is to identify your user. I believe Robocoin is building their machines to do facial recognition, ID verification and possibly other forms of biometrics. I’m not sure if they pre-validate the wallet, in other words, have the person sign something with their private key or initiate a transaction to prove ownership of the address to which funds will be deposited. That would be the safer course.

Another option was on display with CoinOutlet, a kiosk operator that provides new addresses printed on the spot with both the public key and private key (see illustration at left). This certainly alleviates the concern that the person is giving the operator an existing address belonging to someone else in another place. The buyer is still free to transfer that private key or immediately transfer the funds, but that is outside of the operator’s control.

I’ve seen another kiosk that provides the same thing via an onscreen display. Both of these, though, raise a security risk to the purchaser. A QR code skimming device could be placed in the printer or a high power camera could watch the computer screen. A better option would be pre-printed Bitcoin wallets akin to what the Bitcoin Foundation gave out at the Financial Cryptography Conference in Barbados last year (see below). The public key is exposed to allow a user to get the balance of the account (and the kiosk to deposit money into it) but the private key is inside an envelope sealed with holographic tape. The user is free to take the paper wallet home and load up their electronic wallet.

Feel free to make donations to the above public key!  I haven’t unsealed my private key as of yet, keeping it more as a souvenir than the 0.01 BTC that was given to attendees.

If someone were to implement the above styled machine it would truly be more like a vending machine than an automated teller. I don’t think anybody is doing that to date but if someone is, please feel free to contact me and let me know.

Just to reiterate, this post is not meant to be a definitive legal case for how you should operate a Bitcoin kiosk but rather just suggestive of one solution to avoid a nasty and complex compliance regime.





Apple Pay and Bitcoin

Apple recently introduced Apple Pay throwing a proverbial wrench into the Bitcoin community. But is it really? See my post on my other blog to read more about it.




My response to the BitLicense Proposal

September 8, 2014
DFS Office of General Counsel – Dana V. Syracuse
New York State Department of Financial Services
One State Street, New York, NY 10004

Dear Mr. Syracuse,

I am submitting this comment in response to the proposed “BitLicense” regulatory framework proffered by the NYSDFS on July 17, 2014. Thank you for the additional time allowance granted for feedback.

For reference, I am a licensed attorney in the state of Florida (FL Bar #90009), a certified information privacy professional (CIPP/US) and certified information privacy manager (CIPM) with the International Association of Privacy Professionals (IAPP). I am on the IAPP Faculty. I am currently employed by a Fortune 500 firm working in the Global Information Security department under the Chief Information Security Officer. I have been a member of the International Financial Cryptography Association on and off since 1997 (Financial Cryptography is a term that predates the widely used crypto-currency). I have had knowledge of Bitcoin since late 2010 and acquired my first bitcoin in March 2012. In June 2013 I started a Bitcoin based blog with a preference for discussing legal issues. My consulting company recently launched an App that accepts bitcoin. The App provides one time use email aliases that consumers can use to protect themselves from merchants selling purchasing histories to data brokers. I am also involved in a startup in the financial technology/Bitcoin space focusing on offline and micropayments. Finally, I’m working on putting together a conference focused on consumer use of bitcoin in Atlanta for the spring of 2015.

I am not going to focus on specific proposals within the BitLicense framework. I will leave that to others. I want to focus on a few core themes that I would suggest should govern your action going forward.

The proposed regulation is too much too early

While many have welcomed regulatory certainty in the Bitcoin space, the proposed regulations are far too early and too restrictive. Many have compared Bitcoin not as money for the internet but the internet of money. Bitcoin and its spark of innovation in the financial technology space has the potential to do for the financial sector what the Internet has done for publishing, content distribution, and communications. It is fundamentally disruptive. It is also extremely nascent. Bitcoin transactions represent less than 1/100,000 of a percent of the world economy. Currently, it isn’t even a rounding error compared to US GDP. Instilling regulations now is akin to creating a regulatory framework for the Internet back in the 1970’s. Legislators and regulators STILL have a hard time today writing regulation that isn’t too technology specific and doesn’t disrupt innovation. There are plenty of existing laws on the books and resources to prevent existing illegal activity, whether it happens with Bitcoins or without. Adding additional regulatory burdens only strangles growth in this early industry without commensurate benefit.

The proposed regulation places a high barrier to entry to start-ups

Regulatory burdens increase barriers to entry to new businesses. While this may be acceptable in mature industries like banking, imposing such onerous and specific regulations in a fast growing area like Bitcoin could be detrimental. Imagine the fate of Apple or Microsoft, or the thousands of other early computer firms that grew from the heydays of the 70’s and 80s had early regulations for software developers been instilled. The fact is most start-ups in the Bitcoin space are garage operations, several software developers who see a problem (security of Bitcoin wallets) and develop an innovative solution. Without access to significant capital and legal support, they either risk non-compliance or will focus their attention on other industries, depriving this industry of their innovations and problem solving skills.

The proposed regulations will not benefit consumers

Consumers benefit from choices in the market. Ultimately, Bitcoin and related innovative financial technologies benefit consumers by giving them other options to the traditional financial market. One of the touted benefits of Bitcoin is reduced transaction fees but this ignores an entire spectrum of benefits. It also belies the potential benefits that financial technology not yet conceived of will bring, spurred on by the innovation driven atmosphere which has accompanied Bitcoin. A perennial problem for low income consumers has been a lack of access to the traditional banking sector. They are often at the mercy of alternative financial services, which often extract exorbitant fees because of the lack of options those consumers have. An estimated 13 percent of all households in NY City lack bank or credit union accounts. This is compared to 7.7 percent nationwide (2010 numbers). Bitcoin and associated technology do not discriminate between poor and rich, between credit-worthy and uncredit-worthy.

Many regulators worry about the high profile thefts and loss of funds, where people’s computers were hacked or businesses disappeared with customer funds. Bitcoin adoption will clearly never grow with such problems. When talking with potential users, security over their funds is often the first source of concern. However, the market, not regulation, will best address these issues. As a regulator, you have only one solution, the hammer of the law. The market has thousands of solutions, and the best solutions will ultimately win. Already, firms are creating new technologies, such as multi-signature wallets, trustless exchanges, and publicly auditable systems which address each of the problems Bitcoin has experienced as it has grown from cutting edge technology to consumer ready. Many of the new startups have focused on making Bitcoin both consumer friendly and more secure, but by imposing single required solutions based on a limited view of what Bitcoin does you rob consumers of potential better solutions the market may offer down the road.

The proposed regulations will stall productivity and job growth in New York and, more broadly, in the United States

The image below shows the distribution of Bitcoin related jobs in the US. After California, you will see that NY has the highest concentration. While in the past, NY has enjoyed the reputation as a financial hub for the United States and the world, the proposed regulation could spur the flight of innovative forward thinking firms to more welcoming jurisdictions. Many of the proposals, such as the identification of all users, don’t make sense given the technological design of Bitcoin and similar technologies. Imagine, if private firms were allowed to print cash but told they had to keep track of every person who touched the cash. That would be untenable and essentially put those companies out of business. How is a software company in NY supposed to track a Kenyan goat herder who uses Bitcoin to buy and sell goats? How would you handle an individual, who may not have a defined address, may not have government issued identification or other information that may be required to comply with the proposed regulation? My start-up for instance, is focused on micro-transactions, sub $20 transactions. Identification of all users is simply not an economically viable option.


Bitcoin Jobs
Job breakdown in the Bitcoin space.

Ultimately, the result of such economically inefficient regulations means companies won’t start in NY, won’t be based out of NY and won’t operate in NY, depriving NY citizens of the services and options offered by those companies. Small startups will avoid NY. Individuals in NY who aren’t bankrolled by venture capitalists won’t start businesses, depriving all of us of their innovations. Lest you think the global nature of the Internet and money make it such that non-NY based companies must comply with the NY regulations, there are numerous ways companies can avoid operating in NY. Blocking NY based IP-addresses, not signing up NY based merchants and many other options are available. Since my start up focuses on brick-and-mortar merchants, we can easily avoid operating in NY, by not allowing NY based merchants to use our service.

Even if the NY regulations are successful at getting some businesses in the United States under their control, this is a worldwide phenomenon and firms will either move overseas or the innovation will happen overseas, depriving the US not only of their services but of its leadership role in new technology.

The proposed regulations will not deter criminal activity

One of the other alleged benefits of the regulation is to forestall use of Bitcoin and other financial technology in the aid of criminal activity. Crime has existed long before Bitcoin and it will exist long after Bitcoin. We don’t criminalize cars because bank robbers flee using them or because people steal them. There are plenty of activities that are already criminalized and law enforcement has tools at its disposal for rooting out that activity. The alleged operator of the Silk Road and many of the drug dealers on that system have been identified, despite their use of Bitcoin and anonymous communications methods. In fact, this too has spurred innovation with forensic analysis firms popping up to track the flow of funds on the very public Bitcoin blockchain.  Putting a tight grip on Bitcoin won’t deter criminal activity, it will only spur innovation by criminals to develop tools to even further hide their activity. The only ones deterred will be young innovative firms who don’t have the resources to comply with onerous regulations or where such regulation is fundamentally in opposition to their business model.


In conclusion, I hope you’ll see that your proposed regulations are antithetical to the results which you desire. They will harm consumers by limiting their options, harm business and innovation, and will not deter criminal activity. I hope you will reconsider and develop a much thinner, lighter and more workable framework which invites businesses to work with you to meet your goals rather than driving business and innovation away from New York and the United States.



FinCen encourages banks not to de-risk (i.e. terminate relationships) with clients in high risk industries because those clients provide valuable intelligence into financial money movement.



New disposable email address App.

I post not because it has anything to do with the law, not because it has something to do with Bitcoin (it does), but because it is one of my babies. As a privacy advocate, I’m always trying to find ways to help increase people’s privacy. I was always annoyed at merchants asking for my email address to send me a receipt. Unlike the majority of people, I knew they were using that email not only to send me a receipt but also to track me across not only sales with them but likely sales across other vendors and perhaps selling it to data brokers to merge with my online activities.

Now we have a solution. 1ncemail is a simple Android APP that will give you a disposable email alias on demand that you can give to your merchant. Once they email you, the alias is destroyed, making it useless in the future. In addition, because each transaction gets a unique alias, they can’t track you across purchases.

More information has been posted on the Enterprivacy Consulting Group blog.


Porcupine Freedom Festival

I was at the Porcupine Freedom Festival in upstate NH last month and was conducting a survey about usage of Bitcoin.

The reason I chose to do the survey at Porcfest is because of the high concentration of Bitcoin users and enthusiasts and the high number who had likely used Bitcoin at an actual store. Without further ado, here are the statistics.

Total number of respondents: 168 (80 Bitcoin users, 88 Non Users)

For Bitcoin users:
74% had used Bitcoin online to purchase a product or service
74% had used Bitcoin in a store to purchase a product or service
(not the same 74% and many of the stores were vendors at Porcfest)

52.5% had experienced a problem when paying with Bitcoin
Most frequent problems included:
Bad network connection (53% of those with problems)
Commit time was too long (39%)
Other problem (31%)

For the 88 Non Bitcoin users:
44% didn’t use Bitcoin because they didn’t understand the technology
42% didn’t use Bitcoin because of a lack of Merchant acceptance
32% didn’t use Bitcoin because it was hard to obtain
32% didn’t use Bitcoin because the price fluctuated too much
11% didn’t have a computer or smartphone
62% cited other reasons including (too lazy, live off social security and they pay dollars, have iphone, not backed by physical asset, don’t trust the code, worried about the power going out, being broke, and security issues)

Respondents were further asked what would drive them to use Bitcoin more. The most popular answers were
If they could use Bitcoin without an internet connection
If it were easier to understand the technology
If it were more secure

The survey was conducted for a new business I’m involved in, Microdesic. To learn more about Microdesic, follow on Twitter @microdesic.


Bitcoin and Recurring Billing

I had a discussion a few weeks back with one of the team working on SexCoin, one of the myriad of alt-coins flooding the market. They definitely have name branding right but still miss the boat in the overall justification section.

Litecoin recently tanked after one holder dumped his/her holdings.

DogeCoin took a similar dive, recently.

The problem with the alt-coins is there is no reason to use them or have them, other than speculation. When that is the only value, you end up with another tulip bubble. Currency (or money) gets its value from its useability in commerce, but the level of commerce for the alt-coins, let alone Bitcoin, is negligible. Unless an altcoin can be used in a very closed loop, closed community, with internal circulation, participants are just as well off using Bitcoin. In other words, A pays B in sexcoin, who pays C in sexcoin, who pays D in sexcoin, which eventually gets back to A. The circulation might not be exact and some in and out exchanges can occur but it won’t work if A pays B in sexcoin who sells it for Bitcoin to pay her rent. (Use of her pronoun is ONLY coincidental, right?). Seriously, though, the same problem plagues Bitcoin because right now, people are buying Bitcoin to purchase stuff and then Merchants are cashing right out. This is unsustainable and will eventually make Bitcoin useless as a currency. The transaction costs are just too high to make this viable.

However, my post today is not about the viability of alt-coins or Bitcoin even, but about the notion of recurring billing. You see, in discussions with the sexcoin promoter, he admitted that most adult oriented websites wouldn’t touch it (or Bitcoin) with a 10 foot pole. Why? Well, because they can’t do recurring billing. A typical adult website pays about $30-40 per signup in acquisition costs (advertising, promotions, etc). The average consumer who signs up ends up paying $29.95 per month for THREE months (before they realize they are still being billed). Some cancel after a month, some longer but the average is 3 months. [The actual numbers may vary but they are made up here for illustrative purposes]. The point is, they shift the costs of providing the service to those too unaware to cancel the recurring billing on the credit card.

Unfortunately, Bitcoin doesn’t have this capability. It’s more akin to cash, you pay it, can’t get it back, but also the merchant can’t get more of it than you authorize. And it isn’t just porn companies doing this. Many mainstream services do recurring billing onto people’s credit cards. I recently had a case of Blizzard Entertainment (the producers of WOW) doing the same to my credit card on an annual basis. I noticed a charge for $74.74 from Blizzard on this month’s CC statement. I called to cancel but this was actually a 2 year old service I signed up for my then girlfriend. She no longer used the service but I was still getting billed. How many people are blissfully ignorant of Blizzard’s billing practices as they fail to notice the charge on their CC long past their active uses of Blizzard’s services?

This is the dirty little secret of Industry, they often do cost shifting with low usage users footing the bill for high usage users. Can Bitcoin help stall that? Some companies like Coinbase are trying to replicate recurring billing, but for that to work they actually have to have a coinbase account, which is tied to a bank account or credit card.


An open letter to Priceline

I’ve been an avid user of Priceline’s Name Your Own Price™ for hotels for years. I have 56 hotel stays in the last 2 years (from my history) and before that I refused to register but used Priceline in guest mode. I’m sure I’ve had over 100 hotel stays, mostly with Name Your Own Price™ though a few were Express Deals. I rarely pay full price except when I have to attend a conference and must stay at the conference hotel.

Recently, Expedia began accepting #bitcoin for hotel bookings. Michael Gulmann, executive VP of global product at Expedia, had this to say about their results:

“We did some estimates based on the size of Overstock and the size of Expedia, and came up with our own estimates of what we could expect, and we’re meeting and exceeding those.”

I am writing this letter to ask, nay beg, Priceline to begin accepting Bitcoin. At the very least, you should accept it for the Name Your Own Price™ product. Bitcoin is perfect for that auction because it is irrefutable. Name Your Own Price works because the bidder (me) basically agrees that if you can find me a decent hotel at this price, I will stay there. While I’m sure Priceline does some analysis to reduce the risks of charge backs from credit cards, the risk of fraud and charge backs is still there. Not so with Bitcoin. I could prepay and if I change my mind, tough luck on me.

So Priceline, what say you?