The U.S. Treasury Department is 233 years old, but this summer, it did something for the first time ever: attempted to sanction a piece of code. The U.S. Treasury Office of Foreign Assets Control (OFAC)'s sanction of currency mixer Tornado Cash represents a moment of reckoning for financial regulation in the age of virtual assets. If regulation is going to be effective in a new sector, law enforcement and regulators will need to work with the industry to develop innovative approaches for oversight and supervision.
On August 8, OFAC sanctioned Tornado Cash on the grounds that the platform was used to launder more than $7 billion since its creation in 2019, including $455 million by a North Korea-sponsored hacking group. OFAC also highlighted the lack of standard controls for anti-money laundering (AML).
This decision was understandably met with pushback from the broader virtual assets industry. In September, Coinbase employees and Ethereum supporters sued the Treasury over this decision, alleging federal overreach that violated free speech and property rights. In a new industry like virtual assets, this case could establish a precedent that determines just how much oversight the federal government can exert over web-based financial services going forward.
There is no question that Tornado Cash was used to facilitate illicit activities. But this decision presents significant questions and ambiguities, primarily about which specific actors, activities, and technologies are subject to federal government jurisdiction. The U.S. government is in a precarious position—these punitive sanctions impact individuals who legally used Tornado Cash, along with those who did so illegally. Do legitimate users deserve to lose access to the platform just because some illicit actors have exploited it? And are the resulting obligations sufficiently clear to the industry as to how and by whom essential AML controls should be implemented?
I worked on AML issues for the U.S. Treasury for many years at the inception of its Office of Terrorism and Financial Intelligence, and understand the need for controls in highly regulated financial environments. I also understand the unique role that the federal government plays in influencing the international financial system. OFAC sanctions are a useful and necessary tool for the government to enforce financial crimes compliance (FCC) and AML protocols, as it is imperative that we have mechanisms to target and isolate illicit actors.
The Tornado Cash lawsuit represents a new, more ambiguous realm of compliance that OFAC is not currently prepared to address unilaterally. Going forward, law enforcement and regulatory compliance oversight in decentralized finance need a more targeted approach to ensure clarity on the application of AML controls and, importantly, to prevent the exclusion of legitimate actors from the growing digital financial ecosystem.
Regulators should work proactively with industry to establish effective mechanisms for regulation, AML controls, and targeted enforcement actions. This type of cooperation will be key—innovative private sector solutions backed by regulatory power will reinforce democratic values, consumer safety, and system integrity. Distributed ledger technologies and innovative web-based applications are enabling financial services and products in new ways that address ongoing challenges like transparency, auditability, and verification, which remain challenged even within the traditional financial system.
Ironically, decentralized protocols and tools are designed to address the exact problems that human- or enforcement-centric regulatory systems are challenged with, like human bias/error and lack of real-time audit and forensic tools. In other words, promising new technologies can bolster financial inclusion while also protecting the ecosystem and enabling innovation.
Direct collaboration between industry and regulatory bodies also paves the way for incentivized self-governance. In cases where government intervention can negatively impact legitimate parties, this approach can better target illicit actors, prevent financial exclusion, and embed traceability, auditability, and transparency. In resource-constrained regulatory environments, enforcement-centric approaches will continue to harm legitimate actors without achieving the goal of regulation—protecting the system from abuse—or promoting financial inclusion.
There are many promising solutions, from digital identities and verifiable credentials to embedded know-your-customer (KYC) controls and user-defined AML/FCC, to name just a few. But ultimately, regulating the activity rather than the technology itself will lead to a more productive, competitive, and ultimately safer environment for both users of digital assets and the financial services industry at large.
