I spent decades hunting some of the most elusive fugitives in America. I've watched financial crimes evolve in real time from pre-paid cards to wire transfers to cryptocurrency wallets. I understand, at a gut level, why law enforcement instinctively resists anything that appears to limit investigative tools. That instinct is honorable. In the case of opposition to the Blockchain Regulatory Certainty Act (BRCA), that instinct is aimed at the wrong target.
Two of the Senate's most experienced prosecutors, Judiciary Committee Chairman Chuck Grassley and Ranking Member Dick Durbin, have written to the Senate Banking Committee urging that the Blockchain Regulatory Certainty Act (BRCA) not be included in digital asset market structure legislation. More recently, the National Sheriffs' Association wrote to Chairman Tim Scott and Ranking Member Elizabeth Warren expressing concerns about Section 604 of the same bill, the provision that contains the BRCA, arguing that it could limit law enforcement's ability to apply existing statutes and access critical investigative information. I have deep respect for both the senators and the sheriffs, and for the law enforcement concerns that motivate them. I've worked alongside people like them my entire career. But I believe this opposition solves the wrong problem.
I want to explain why carefully, in the simple language of someone who has spent his career on the enforcement side of these questions.
One Hundred Years of Settled American Policy
Before engaging these concerns, it is worth establishing what the BRCA is, and what it is not. It is not a new idea. It is the latest expression of a principle that has governed American technology policy for over a century.
When the telephone industry emerged in the late nineteenth century, a foundational legal question arose: should telephone companies bear liability for the crimes that criminals committed using their networks? Congress answered that question through the Communications Act of 1934, codifying and reinforcing a principle that had already been developing in common law: a carrier providing neutral transmission infrastructure is not liable for the content or conduct it carries, so long as it does not exercise editorial control or participate in the illegal activity.
The policy logic was straightforward: if a neutral communications provider could be treated as criminally liable every time someone misused its network, the network itself would be hard to sustain. The infrastructure had to be treated as neutral to exist at all.
Congress has reaffirmed related principles in every major technology generation since. In 1996, Congress extended a related principle to the internet through Section 230 of the Communications Decency Act. The legal setting was different, but the policy choice was the same: do not treat neutral infrastructure as the source of unlawful conduct committed by others. That provision was also contested by law enforcement at the time. In each case, Congress made the same deliberate policy judgment: hold the actor and the intent accountable, not the infrastructure.
The BRCA applies that identical principle to blockchain developers. Eliminating the BRCA would make blockchain the first technology in a century where we hold infrastructure builders liable for user conduct. That is not a conservative or cautious position. It is a radical departure from settled American law.
TOR: A Military-Built Lesson in Dual-Use Technology
When I began conducting cryptocurrency training for law enforcement and banks in 2011, I often pointed to The Onion Router (TOR) as a comparison. TOR was developed with U.S. government support, including by the Naval Research Laboratory.
Today it is used by dissidents in places like North Korea or Iran to document human rights abuses, by journalists in authoritarian regimes to communicate safely, and by ordinary citizens who simply value privacy online.
It is also used for some of the darkest criminal activity imaginable. The worst marketplaces for the worst things on the internet including drug trafficking, weapons, exploitation, have operated on the TOR network. I am not minimizing that. I spent my career pursuing people who commit exactly those crimes. The FBI’s arrest of Ross Ulbricht is one example of law enforcement successfully navigating these challenges.
As a matter of policy, no one has argued that the Naval Research Laboratory developers should be charged with conspiracy to distribute narcotics. No one has argued that the researchers who built TOR should be treated as unlicensed money transmitters because criminals use it to move proceeds. The longstanding answer has been to pursue the criminals (with the full force of targeted, intent-based prosecution) not to hold the toolmakers accountable for misuse they neither intended nor controlled.
The Global Positioning System (GPS) was built by the military and is used to coordinate criminal activity. The Signal application is used by cartels for secure communication. Encrypted email is used by terrorist cells. In every case, the answer has been the same: prosecute the actors.
The BRCA applies that same answer to blockchain. If that principle was right for the Navy's own technology, it is right here.
What the BRCA Actually Does
The BRCA has a narrow purpose: it clarifies that blockchain developers and service providers who do not custody or control user funds should not be treated as money transmitters or money services businesses under federal law. The safe harbor applies only where a developer or provider has no legal right or independent ability to initiate transactions or control user assets. It does not apply to exchanges, custodians, or any entity that actually move or hold other people's funds. It also covers the builders who don't touch funds at all: miners who secure the network, validators who confirm transactions, node operators who maintain the infrastructure, and developers of non-custodial wallets. These actors have no more in common with a money transmitter than a telephone company has with a wire fraud scheme.
As a point of comparison, we do not threaten internet service providers with prison when a criminal uses the internet, or prosecute router manufacturers when a cartel routes communications through their hardware. The same principle must apply to blockchain developers. Writing and publishing code is not money transmission.
Respectfully Addressing the Law Enforcement Concerns
The senators and the NSA raised several specific concerns. Each deserves a direct and honest response.
Concern 1: The BRCA "weakens" the federal criminal code.
This is the most serious concern, and it rests on a mischaracterization of what the BRCA touches. The BRCA does not alter the existing anti-money laundering statutes — 18 U.S.C. §§ 1956 and 1957 — which are tailored to punish knowing involvement in illicit financial activity and require proof of intent and a nexus to unlawful proceeds. Those statutes are untouched. Conspiracy charges, aiding and abetting, and sanctions violations all remain fully available wherever prosecutors can demonstrate knowledge and intent.
What the BRCA narrows is one specific theory: that writing and deploying non-custodial software alone constitutes operating an unlicensed money transmitting business under 18 U.S.C. § 1960. That theory was never well-grounded in law. FinCEN’s 2019 guidance pointed in that direction by focusing on control over user funds and the role of intermediaries. Recent DOJ remarks have also underscored the importance of control and intent in this area. The BRCA codifies what the government's own agencies have already said: the core element that defines money transmission is control over customer funds. Aligning the statute with its purpose is not weakening the criminal code. It clarifies it.
Concern 2: The BRCA removes tools law enforcement depends on.
The NSA letter specifically flags the risk of losing access to "basic identifying information" that investigators use to build cases. I want to take that concern seriously, because it is the most operationally grounded argument against the BRCA, and it is still aimed at the wrong target.
The concern assumes that non-custodial blockchain developers are currently registering with FinCEN in meaningful numbers and generating useful investigative leads. In practice, they generally are not. The developers who built non-custodial protocols were never the intended targets of BSA obligations. The most useful FinCEN data, the data that actually helps investigators, comes from exchanges, custodians, and money services businesses that hold and transmit customer funds. Those entities remain fully subject to BSA obligations under the BRCA. Nothing changes for the data sources investigators actually use.
There is also a deeper point. Public blockchains are, by design, transparent and durable ledgers. Law enforcement agencies that have invested in blockchain analytics have developed powerful investigative capabilities precisely because of that transparency. These capabilities are entirely independent of whether a software developer filed a FinCEN registration. Furthermore, the broader Digital Asset Market Clarity Act, the bill in which the BRCA is embedded as Section 604, contains substantial enforcement architecture beyond the BRCA itself: mandatory SEC and CFTC registration for digital asset intermediaries, expanded BSA obligations for all entities with custody or control over user funds, and Treasury authority to impose special measures against offshore platforms presenting money laundering or sanctions risks.
The BRCA is a narrow safe harbor for non-custodial developers. The enforcement tools the sheriffs are rightly concerned about are either untouched or strengthened by the rest of the bill.
Concern 3: The BRCA creates a "blind spot" for state and local law enforcement.
The gap Senators Grassley and Durbin, and the NSA describe, is real. It is primarily a training and resource problem, not solely a legal one. Crypto literacy and blockchain analytical capabilities must become integral to all investigative programs, not just elite federal cyber units. The ledger is public. The evidence is there. The key is attribution, and that is a tool and training problem that Congress can solve directly through dedicated funding. If we give investigators the tools to follow the money on the blockchain, they will be better positioned to find the criminals.
The Bigger Picture
I have followed crypto development closely for fifteen years. Not as a fanboy, but as someone who believes technology is neither inherently good nor evil and that the guardrails we build should be proportionate, well-aimed, and durable. Because financial regulations designed for traditional money services businesses have sometimes been applied to software developers who never custody or control other people’s funds, the result has been "regulation-by-prosecution." This has a chilling effect that pushes U.S. developers offshore.
According to industry reports, America's share of open-source blockchain developers fell from 25% in 2021 to 18% in 2025, driven by a lack of clear, durable rules for software development.
From a national security standpoint, that trend should alarm every law enforcement professional in this country. If innovation migrates overseas, adversaries gain leverage in shaping core protocols. Pushing developers offshore can cede U.S. influence over design and standards, weaken oversight, and hamper illicit-finance detection. We do not make America safer by driving the builders of this technology to jurisdictions with no (or weak) rule of law and no transparency requirements. We make ourselves far more vulnerable.
Pass the BRCA
Senators Grassley and Durbin, the National Sheriffs' Association, and the law enforcement community they represent are undoubtedly acting in good faith. Their underlying concern, that investigators must be equipped to pursue crypto-related crime, is one I share completely. But the answer is not to preserve a flawed prosecutorial theory directed at the wrong targets, nor to strip a narrow safe harbor from a bill that already contains robust enforcement tools for the actors who actually matter. The BRCA and robust crypto enforcement are not in tension. They are complementary.
We protected telephone companies from liability for criminal calls, and we still prosecuted the criminals. We protected internet platforms from liability for user content, and still prosecuted bad actors. We did not prosecute the Naval Research Laboratory researchers who helped develop TOR because drug dealers use it. In every case, we regulated the actor and the intent, not the underlying technology. That has long been the right balance. It is the one I would encourage Congress to pursue.
