The Bank Secrecy Act and Bitcoin: A Structural Bypass

How self-custody breaks the assumption the BSA was built on, and what FATF and FinCEN tried (and failed) to do about it.

The 1970 Architecture

The Bank Secrecy Act (BSA), enacted in 1970, requires banks and other financial institutions to monitor customers and report certain transactions to the government. It started as an attempt to combat tax evasion, then expanded to drug trafficking, terrorism financing, and most recently — under various administrations — immigration enforcement.

The BSA’s underlying assumption is brittle: it assumes financial surveillance works because money flows through intermediaries. Banks become compliance agents by force. SARs (Suspicious Activity Reports), CTRs (Currency Transaction Reports), KYC (Know Your Customer), OFAC screening, AML programs — all of it is layered onto the intermediary, who is presumed to be the choke point.

The whole regime collapses the moment money bypasses the intermediary.

Bitcoin As Bypass

Bitcoin self-custody is exactly that bypass. The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) acknowledged this directly in two key guidance documents:

  • 2013 Guidance (FIN-2013-G001): “A user of virtual currency is not an MSB under FinCEN’s regulations.”
  • 2019 Guidance (FIN-2019-G001): “Persons participating in P2P exchange that operate in a CVC for their own benefit and not as a regular business… are not money transmitters.”

Translation: if you hold Bitcoin in your own wallet for your own account, you are not a financial institution. The BSA does not apply to you. The custodian is the regulated entity — the user is not.

This creates a two-tier world:

Tier 1 (Custodial): Coinbase, Kraken, Gemini, Cash App. These exchanges run compliance teams that often dwarf their engineering organizations. SAR filings on transactions over $5,000 with reporting obligations. CTR filings on cash equivalents over $10,000. KYC at onboarding. OFAC screening on every withdrawal. Travel Rule data on transfers above $3,000 (proposed) or $10,000 (current).

Tier 2 (Self-Custody): Anyone holding their own keys. Zero BSA obligation regardless of transaction size. A single individual can move $100M of Bitcoin between their own wallets with no reports to any government.

The Closure Attempts

The regulatory establishment recognized this gap and tried to close it:

FATF Travel Rule (2019): Required Virtual Asset Service Providers (VASPs) to share originator and beneficiary information for transactions over $1,000. Implementation has been chaotic — different jurisdictions interpret VASP scope differently, and the rule cannot reach pure self-custody transfers.

FinCEN Proposed Rule on Unhosted Wallets (December 2020): Would have required exchanges to collect identity information on counterparties when users withdrew to or deposited from “unhosted” (self-custody) wallets above certain thresholds. The rule received massive negative public comment, was finalized in modified form, and remains in regulatory limbo as of 2026.

Tornado Cash Sanctions (August 2022): OFAC sanctioned a smart contract — code, not a person. The 5th Circuit ruled in Van Loon v. Treasury (November 2024) that immutable smart contracts are not “property” of any person and cannot be sanctioned. The mixer remains accessible.

Samourai Wallet Indictment (April 2024): DOJ charged the developers of a Bitcoin privacy wallet with operating an unlicensed money transmitting business. The charges sit in tension with FinCEN’s own 2019 guidance that non-custodial software is not money transmission. The case is ongoing.

The pattern: each closure attempt has run into the technical impossibility of enforcing data collection at the point of self-custody, or the constitutional impossibility of regulating speech (code).

What This Implies

The BSA is a 1970 solution to a 1970 problem. It assumes:

  1. Money requires intermediaries.
  2. Intermediaries can be coerced into compliance.
  3. Most economic activity flows through compliant intermediaries.

Bitcoin breaks all three assumptions. Self-sovereign money does not require intermediaries. The protocol cannot be coerced. As a larger share of value moves to self-custody, a smaller share of total economic activity is observable through the BSA framework.

This is not an argument that the BSA will be repealed soon. It’s an argument that the BSA’s effectiveness — already questioned by its own data — will continue to erode regardless of what regulators do, because the underlying architecture cannot reach the activity it was designed to surveil.

The next decade will determine whether the regulatory response is to:

  • (a) Accept the new equilibrium and focus enforcement on the custodial tier
  • (b) Try harder to outlaw self-custody itself
  • (c) Build alternative architectures (CBDCs) designed to preserve surveillance properties

Each path has costs. But none of them recover the comprehensive financial visibility the BSA was originally designed to provide.

The Wider Pattern

Bitcoin’s challenge to the BSA is a specific instance of a general phenomenon: regulatory regimes are architectural, and when underlying architecture changes, the regime either adapts or becomes vestigial.

Email made postal censorship laws partially obsolete. End-to-end encryption made wiretap laws partially obsolete. Self-sovereign money is making intermediary-surveillance laws partially obsolete.

This is not a moral judgment. Some of those laws had legitimate purposes. Some may need to be replaced with new architectures. But the BSA, in its current form, cannot do what it was designed to do in a world where Bitcoin exists.

That is the structural argument. The political argument — what should be done — is separate.


If this analysis was useful: ⚡ jeffchu@coinos.io

Comments and corrections welcome. I read every reply.

