FinCEN Moves To Include Convertible Virtual Currency On FBAR Form

One issue that has always appeared to be a challenge for reporting virtual currency on both the FBAR and the 8938 is identifying where the asset is held. The blockchain that stores the data on virtual currency is hosted on a decentralized network stored upon tens of thousands of computers all across the globe. The keys (analogous to a password) that control the underlying virtual currency could be anywhere as well. While it was generally accepted that keys stored on a desktop in the United States were not held in a foreign account, there were a number of edge cases that became much tricker to administer. For example how do you report a UK based exchange that might hold custodial assets in a server in Iceland? Or if bitcoin is stored locally on a phone does it become a foreign account if the taxpayer travels (with their phone) to Portugal for 9 months?

In recent days FinCEN has been laying the groundwork for a potentially wide application of FBAR reporting requirements.  On December 23, 2020 FinCEN published a notice of proposed rule making that would require virtual currency transactions from self custodial or unhosted wallets (wallets that do not use a financial institution to store the virtual currency) to be reported on Currency Transaction Reports (CTR) if the amount transferred to or from a financial institution was more that $3,000. Part of this proposed rule making was to expand the definition of unhosted wallets as having a high risk of money laundering similar to bank accounts held in Iran or North Korea. And while this is even further removed from tax, administrative law devotees will be interested in the fact that FinCEN’s comment period for these proposed rules was only 14 days which included Christmas and New Years. (If you would like to read comments I submitted they can be found here and they expand on the risk of loss concerns contained below)

Based upon how aggressive FinCEN has been towards unhosted wallets and CTR reports it will be interesting to watch how they treat unhosted wallets for purposes of FBAR reporting, and if the IRS follows suit by amended the requirements for FATCA reporting via Form 8938. It may be that FinCEN takes a hard line and definitionally declares that all unhosted wallets are foreign assets and as such need to be reported on a taxpayer’s FBAR. Those that fail to do so may be subject to the same draconian penalties of $10,000 (non willful) or 50% of the highest account balance (willful) as those who fail to report a Swiss bank account.

A Word of Caution

While FinCEN does have legitimate reasons for potentially using the broadest definition of unhosted wallets possible, such a mandate may cause security and liability issues for tax practitioners. Beyond the technological aspects, the biggest difference between virtual currencies and traditional assets is that virtual currencies users have a 100% risk of loss if the private keys used to transfer the underlying virtual currency are lost or stolen. There is no way for a user to recover compromised keys after a hack or to undo a fraudulent transfer that is a result of a phishing attack. For those reasons, high value virtual currency users have relied on a combination of robust data security using an unhosted wallets, coupled with personal anonymity to protect their assets. The logic behind anonymity is simple. Unless a thief knows that a particular user has enough virtual currency to steal they are not a target. Sophisticated attacks are costly and security developers can quickly fix exploits once they become known or widely used. As such criminals chose there targets carefully.

Why this matters to tax practitioners is that the information required to file the FBAR would also provide a roadmap for bad actors to target and steal virtual currency from your clients. Hacking a law firms internal system would mean that bad actors would have access to a list of clients along with where they lived, their contact information, what their net worth was, and in the case of any voluntary disclosures a narrative of their dealings in virtual currency. Such information could be used to then target the end user directly.

This informational burden would exponentially raise the stakes on tax practitioner data security. Having virtual currency information stored on a firm’s computer would be the digital equivalent of having large amounts of cash stored in the office in perpetuity. It would also significantly raise the need for specialized malpractice insurance because filing a FBAR for someone with $50 million in virtual currency is completely unlike filing an FBAR with someone with $50 million in a Swiss bank account. If the bank account information gets hacked there are still several layers of institutional security that might prevent the attacker from successfully gaining access to the assets, not to mention bank deposit insurance that would compensate for lost funds. If the firm’s virtual currency FBAR client list was hacked, and the information was used to successfully target the client, then the firm would be responsible for an uncompensated $50 million loss.

Given how anonymity is synonymous with criminality in the eyes of law enforcement it is likely that FinCEN will seek to require significant information when drafting the virtual currency FBAR rules. If this does happen tax practitioners need to be aware that simply going back to the old FBAR playbook will not be sufficient, and that there are very real second order consequences for both legitimate virtual currency users and the professionals that they use to comply with the law.