Anna Rose (00:00:05): Welcome to Zero Knowledge. I'm your host, Anna Rose. In this podcast, we will be exploring the latest in zero knowledge research and the decentralized web, as well as new paradigms that promise to change the way we interact and transact online.
Anna Rose (00:00:27): This week's episode is a slightly different one. So almost a month ago, OFAC, a US government department, issued sanctions against Tornado Cash, which is a privacy protocol that uses zero knowledge proofs to provide on chain privacy. It was the first time that OFAC had sanctioned a decentralized entity for which there's no clear ownership. So after the news came out, crypto Twitter was on fire with hot takes and dire warnings. A number of people asked me to do flash episodes right then and there on the topic. But this show isn't a news show. Generally, I like to do a recap or look back when events like this have happened, once the dust has settled and people have a chance to really digest what's happened. But with this case, the dust doesn't really settle and weekly, we are still hearing about like ripple effects from the action.
Anna Rose (00:01:14): I think it's forced a lot of teams building in our community to figure out better where they stand and what they're building for. I think we've seen some companies, usually less privacy focused and based in the US, who feel the burden to comply, overstep their compliance at times at the expense of innocent users. I think we've also seen some ZK projects, usually outside of the US and in an earlier stage, lean further away from compliance into realms that could bring more heat and attention from authorities. So to cover this topic, and since it feels like a deeply important topic for the show, I will be doing a series. We'll be releasing this every few weeks over the next few months. These interviews will be with different members of the ZK community.
And hopefully through this, we can understand how this action has impacted our community, how different groups are reacting and what new ideas may emerge from this.
Anna Rose (00:02:04): To start off the series with today's episode, I decided to get a sense for what has actually happened from a legal perspective. So I did two interviews for this week's episode. One is with V, who is a partner and head of regulatory and policy at Bain Capital Crypto. She used to work at the SEC, and the other guest is Michael from Espresso Systems, who used to work at the Treasury, both at FinCEN and, as I learned in the interview, at OFAC itself. In these two interviews, I spend time trying to understand what actually happened, what a sanction is, what kind of a tool is this, why it may have been issued and what issues arise from the way it's been issued and how this might impact future understanding of zero knowledge tech through a legal lens. I hope this helps to shed a little bit of light into what has happened and maybe gives us a glimpse of what we can expect to see next. Before we start in with the episode, Tanya will share a little bit about this week's sponsor.
Tanya (00:02:58): Today's episode is sponsored by Polygon. Introducing Polygon zkEVM. We all know that Ethereum needs to scale and Polygon believes that zero knowledge tech is the best way forward. Polygon's vision for zkEVM is simple. Developers can seamlessly deploy any Ethereum smart contract to a layer 2, and benefit from the scaling power of ZK proofs. It's also permissionless, meaning anyone can use it, and open source. Polygon zkEVM was built by Polygon, but it's for anyone who wants a cheaper and faster way to use Ethereum without sacrificing security or decentralization. They will be releasing a public testnet soon, which will be an opportunity to test their work and make improvements.
If you'd like to join them for this journey or learn more about Polygon zkEVM, then go to polygon.technology/buildonzkEVM and fill out the developer interest form. That's polygon.technology/buildonzkEVM. So thank you again, Polygon. Now here is Anna's chat with V from Bain Capital Crypto and Michael from Espresso Systems.
Anna Rose (00:04:01): I'm here with Tuong V Lee, who goes by the name V. She's the Partner and Head of Regulatory and Policy at Bain Capital Crypto. Welcome to the show, V.
Tuong V Lee (00:04:10): Hi Anna. Thanks for having me on today. Our team at Bain loves collaborating with you and are big fans of this podcast. So it's so fun to be here.
Anna Rose (00:04:19): Cool. I recently met you when you were giving a play by play of what happened to Tornado. And I thought it was so well said and concise and clear that I wanted to invite you on the show to share that in sort of like a wider way. A lot of the information that we've gotten has come through Twitter and a lot of different takes and perspectives, and some maybe news sources that don't always report things exactly correctly. And I, I thought it would be really cool to actually go over this again with you and see like a little bit more clearly what has happened that we know has happened. Um, but I think before we do that, why don't we start with a little intro, tell us a little bit about yourself and, and what got you interested in, in this space at all.
Tuong V Lee (00:04:59): Sure. So like you mentioned, I'm, uh, at Bain Capital Crypto where I have regulatory and policy efforts and, you know, that just means I advise our portfolio companies on regulatory strategy. And then on the advocacy side, I engage a lot with lawmakers, regulators, and others in the industry to push for good crypto policy.
Before that I was the deputy GC and compliance officer at Worldcoin, which you may have heard of. It's the, the company with the orb, which is, by the way, uh, when I got really into ZK for the first time, because ZK is a big part of how Worldcoin works. It's how they verify that a person only signs up for the Worldcoin token once without having to reveal, you know, the person's identity. And it's also how they make sure that the iris hash is never linked to the user's wallet or transaction history. And then before that, uh, I was at the SEC for almost 6 years as an attorney in the enforcement division where I worked on all sorts of, uh, cases involving securities violations, but including some of the first crypto investigations that the agency did. And that's actually how I got introduced to blockchain and just became really interested in it.
Anna Rose (00:06:13): Oh, cool.
Tuong V Lee (00:06:14): I don't think that's how most people got into crypto, but, but it was an interesting sort of introduction to it. Like I remember reading, you know, Satoshi's white paper at the time and just being super fascinated and then, you know, a couple of like YouTube video explainers later, I was like totally hooked. Towards the end of my time at the SEC, I was also the chief counsel of the legislative and intergovernmental affairs office where I helped oversee like the SEC's engagement with Congress, Treasury, the White House, um, including it was last year. So including, you know, a lot of legislation that touched on crypto policy. So it was a really cool time. Um, and then before that, in a more even previous life, I was a lawyer at the law firm WilmerHale.
Anna Rose (00:07:01): It must be so interesting to have seen everything from that perspective. Now that you're on this side, um, I'm curious, like, does it feel like very different work?
Tuong V Lee (00:07:12): I mean, in terms of like having to understand the technology and the different players in this space, like, it's actually very similar because, um, you know, as a lawyer in enforcement on the government side, like you really have to understand and dig into that stuff to be able to investigate, you know, potential securities law violations and then, you know, to bring charges if it comes to that. So in that sense, no, but I, but I do think, you know, especially in hindsight, I think my view of the industry was sort of necessarily very narrow, right. Compared to like the way that I see it now, which is especially being at a fund where you get to, you get a lot of exposure, um, to different companies building just across the ecosystem. Like, I, I think I have much more of a lens and an appreciation for all of the different things that, that people are working on. And I, and I don't know if lawyers on the government side, um, get to see that and appreciate it.
Anna Rose (00:08:12): Hmm. So let's start in on this, on this topic. Um, I think the place that I wanna start is sort of defining who is, or was Tornado Cash. Uh, they were on the show. So I will link back to that episode where we talked about the technology, but yeah, let's, let's sort of just describe the scene of like, who, who is this group? What is this thing?
Tuong V Lee (00:08:33): As a lot of people probably know, um, Tornado Cash is a decentralized non-custodial privacy tool built on the Ethereum blockchain, uh, using, or it's based on zero knowledge proofs. And it allows users to break the link between their deposits and withdrawals of crypto. So it was a company or at least an initial development team. Um, and they're the ones that created the smart contracts to do this.
But I think they've had something like thousands of contributors over the years, and many of their smart contracts were finalized back in May 2020, including some of the, the smart contracts, which we'll get into later, that were included in the sanctions.
Anna Rose (00:09:20): Let's hear a little bit about kind of what's happened. What are the sanctions? Maybe you can give us a little bit of a timeline of how this, uh, all rolled out.
Tuong V Lee (00:09:29): Sure. So, um, yeah, let's talk about the sanctions, everyone's favorite topic these days, right? Um, so I think it's important just to just like have the context of, you know, what is OFAC, how do sanctions typically work? So there's an office at the Treasury Department called OFAC, the Office of Foreign Assets Control. And the idea of OFAC is to help protect our national security and foreign policy goals by going after the assets of foreign countries, regimes, terrorists, traffickers, etc. Um, and it's, it's a tool like basically it's a way to fight our enemies without resorting to military action. Um, so one of the powers that OFAC has to do this is the ability to add these types of parties to a sanctions list called the Specially Designated Nationals list or the SDN list. And once something is on this list, that means no US person, including individuals, US companies, organizations, or entities can transact with them.
Tuong V Lee (00:10:29): And if you do, OFAC can fine you, even if you didn't know you were transacting with a sanctioned entity or didn't intend to. Um, that's what's called strict liability. And that's what makes it really scary and very serious. Um, and then if, if you violate sanctions requirements willfully, they can also refer you to the criminal authorities. And so historically the sanctions list has only included the kinds of parties I just mentioned, right? Regimes, organizations, companies, and people.
Um, but back in 2018 OFAC did something really interesting, which is that it added some crypto addresses to the sanctions list for the first time. They were a number of Bitcoin wallet addresses associated with two Iranian individuals who were involved in a ransomware attack who are also sanctioned. Uh, and as OFAC explained at the time, these addresses were added sort of as an additional way to help identify those individuals, the same way, you know, they would include like birth date or an address or something about a person, as opposed to being sanctioned as like an independent entity apart from their natural owners. Since then, OFAC has added crypto wallet addresses as a part of sanctions, um, in a similar way, meaning they were added as addresses that were controlled or owned by natural persons, including earlier this year, when they sanctioned decentralized crypto mixer Blender, along with, I think it was dozens of Bitcoin wallet addresses that Blender owned or controlled.
Tuong V Lee (00:12:04): So that brings us to the Tornado Cash sanction. So what happened, um, on August 8th OFAC announced that it was sanctioning Tornado Cash for its role in money laundering criminal proceeds, including over 455 million worth of crypto stolen by the Lazarus group, the infamous North Korean state sponsored hacking group that was itself sanctioned back in 2019. So what's interesting and novel about these sanctions is that along with "Tornado Cash", whatever that refers to, the Tornado Cash website, and a number of Ethereum wallet addresses, OFAC also sanctioned a number of smart contracts that aren't controlled by anyone. Uh, so they essentially sanctioned a software tool. So OFAC doesn't explain why these were included.
Um, and doesn't say anything in the press release to suggest that it even recognized that these smart contracts were categorically different than crypto addresses that had been sanctioned in the past, which as I just mentioned, um, have always been aliases of or controlled by natural persons or entities.
Tuong V Lee (00:13:14): So that's the first thing that's unusual about these sanctions. The other part that's led to a lot of confusion is the why. So here's where a lot of the headlines and analysis I've seen have been inaccurate or imprecise as to why exactly Tornado Cash was sanctioned. Um, and I think it's always really important to carefully read the language in like the order itself, right? So if you read the press release, it says a few things. It says Tornado Cash was used to launder more than 7 billion worth of virtual currency since its creation in 2019. So the way this is worded is actually really confusing if not outright misleading, right? Because the statement makes it sound like all of this money was dirty, but actually the 7 billion just refers to the total amount of funds that have flowed through Tornado Cash since it was created, including, um, possibly a majority that were actually licit transactions. OFAC doesn't specify how much of the 7 billion were criminal proceeds.
Tuong V Lee (00:14:18): And like I said, the way it's written it, it seems almost like they're trying to give the impression that all of it was dirty, right? Because the word launder has an inherently criminal meaning. Yeah. You know, I recently saw a Chainalysis report, I think from July, saying that like only 23% of the funds that go to mixers are from illicit addresses. So there, you know, there's obviously an issue with the way that this is worded. And then the press release goes on to say, Treasury is sanctioning Tornado Cash, a virtual currency mixer that launders the proceeds of cyber crimes.
So they just said that Tornado Cash was used to launder criminal proceeds, but here they're saying Tornado Cash itself is the one laundering. Mm. So, which is it? It, these two statements to me seem to conflict and at the very least are confusing. And then at another point in the press release, it says Tornado Cash failed to impose effective controls to stop it from laundering funds for criminals.
Tuong V Lee (00:15:18): Okay. So now it sounds like we're back to them saying not that Tornado Cash itself laundered money, but that it should have done more to stop others from laundering money. And it didn't. Yeah. So now it's being sanctioned. In other words, it may or may not have been their intention, but they were basically facilitating money laundering. So why does it matter precisely why Tornado Cash was sanctioned? Right. It's, it's because, you know, it tells you under what circumstances you could also get in trouble. So it's important to, to be clear and to get this right. Um, and you know, Representative Tom Emmer recently wrote OFAC a letter asking a lot of these same questions, um, that all of us have been asking. So I'd really encourage folks to check that out and, and hopefully we get some more guidance or answers from OFAC soon.
Anna Rose (00:16:07): Interesting. So that question of does Tornado do it itself or does it just allow others to do it? This does seem to be like this confusion point, but I think like, would there be different implications if Tornado was doing it itself versus allowing others to do it?
Tuong V Lee (00:16:23): Yeah. I mean, I think if, if Tornado Cash was itself laundering money, which I, I mean, I haven't seen evidence of that and the press release is confusing. Um, but I don't know if that's what OFAC meant to imply or suggest, but, you know, if they were themselves laundering, obviously the sanctions are much, they make sense, right.
Like then it's much more like a, you know, Hydra market or something, which is that crypto marketplace that was sanctioned a while back. Um, but if they were merely facilitating money laundering, meaning, you know, they created and deployed and maybe to some extent still control or administer or have control over a tool that allows others to money launder, then I think it's a much harder question. Um, legally speaking, and then in terms of like what it means for others in the industry, right? Like other crypto projects out there, especially the decentralized ones, like, could they also be seen as facilitating money laundering or criminal activity or sanctioned activity by virtue of having created and/or deployed and/or like if they're controlling or operating, um, some sort of software tool. Um, so I think that the implications are really interesting and, and I think it's, it's a difficult question if it's one of facilitation.
Anna Rose (00:17:48): I also think, I mean, another point here is who are they? Like, I think when we think of this project and once it's deployed, I mean, I know that there was a DAO and there was a number of people who could make kind of like protocol level decisions through a voting mechanism. And so this is where it's like, who are they to kind of go after, would you go over after members of the DAO? Are they then the controllers? Or is it just the company who created it or is it every single person who's ever interacted with it? Because in a way Tornado's weird because it's like the thing that makes it effective at hiding things is the fact that a lot of people are using it. So, yeah. I wonder if, if you've had any thoughts on that.
Tuong V Lee (00:18:31): Yeah. So that's the really interesting thing about mixers, right?
Is that the more popular they become with legitimate users, the more attractive they are to illicit actors, because it makes it easier for, uh, those people to hide their dirty money when there's more clean money in the pools. And so, um, you know, unfortunately I think that's probably what made Tornado Cash a target for the government is that it's become so popular with both legitimate, um, and then illicit users. And so, you know, I think the question of facilitation and who exactly can be held liable if like a protocol or a tool is used for illicit activity and, and results in money laundering or sanctions violations can be a really difficult one when you're talking about decentralized protocols. Um, right. So, you know, when we're talking about that, I think it's really important to distinguish between a front end, which may be controlled or maintained by a group of people, and the protocol itself, which may just be smart contracts that operate autonomously on the blockchain and which in many cases, including with Tornado Cash, can be accessed by anyone in the world through any number of third party interfaces.
Tuong V Lee (00:19:53): And often the team behind the front end has no ability to alter those smart contracts anymore. Um, so that was actually the case with most of the Tornado Cash smart contracts that were sanctioned. Once they were finalized in May 2020 and deployed, no one has been, you know, has had the ability to modify them or even remove them, including implementing any kind of screening or blocking mechanism. Basically they'll continue to run for as long as the blockchain they're on exists, in this, in this case, the Ethereum blockchain. Um, so, you know, this is a nuance that OFAC may or may not have appreciated. Uh, but the fact is the sanctions regime was designed with centralized entities in mind.
And a lot of us are hoping that the way that OFAC went about this was based at least in part on a lack of appreciation, let's say, for how these decentralized protocols work and the extent to which an actual person actually has control over how the tool is used, which, you know, would be good in a way, right?
Tuong V Lee (00:20:55): Because I think there's an opportunity there to engage with them on the nuances and to make sure they understand the difference between the different types of decentralized protocols. Um, and a lot of us in the regulatory and policy community have been working really hard to do that. On the other hand, if OFAC's intent was simply to make it as convenient as possible to use the protocol and drain it of users that way, then, I mean, that's probably going to work, right? Like most people aren't going to start running their own Ethereum node and use the command line to access these DeFi services. Right. And then sanctions also have the impact of just casting a cloud over the entire thing, which is devastating for a mixer because the more quote, unquote, clean money exits the system, the more all money exits and you're toast. So I think in a lot of cases, and especially for mixers, even if only the front end starts censoring and people can still access the protocol through third party means, you've effectively killed the protocol.
Anna Rose (00:21:55): Given the fact that OFAC has done what seems like, kind of like a, a broad stroke action. Is this something that you think the community needs to see as like a final say, or do you see this as potentially being challenged or rolled back eventually?
Tuong V Lee (00:22:12): You know, I, I think OFAC and, and maybe others in the federal government, um, were very concerned about just the national security implications. And I think rightfully so, right.
If, if there was a significant amount of money laundering happening through this tool, then, then I think it was reasonable for them to target it, even if they may not have appreciated all of the implications. So, you know, I don't think they're gonna like roll the sanctions back or anything like that. Hopefully what they'll do is issue some FAQs to sort of clarify, you know, given that Tornado Cash, um, and especially the smart contracts are decentralized. Like what, what does this mean for other projects out there in terms of complying with these latest sanctions? Um, what should they be screening for, blocking for, how far do they have to go? I don't know how much detail they'll go into on that front, but hopefully they will issue some guidance to give, um, you know, people in the industry more clarity about what they need to do to, to avoid getting in trouble.
Tuong V Lee (00:23:18): And, you know, so for companies that are already regulated by Treasury, uh, FinCEN, as what's called a money services business, they're already required to do things like KYC their customers, have an AML compliance program, all that good stuff, because they have to comply with the Bank Secrecy Act. And although it's not strictly required by that act, they'll typically also have some sort of sanction screening in place, uh, companies like Coinbase. So for them it's relatively straightforward, I would think, to screen for additional sanctioned addresses or transactions because they generally know who their users are and where funds are coming and going. Um, not in all cases, but for the most part. It's much harder for decentralized projects or protocols that don't already have these things in place. Right. And that could include both regulated and unregulated projects, by the way. Uh, for example, Circle is regulated, but they don't have customers and accounts the same way a company like Coinbase does.
Tuong V Lee (00:24:15): So I'm not sure what sort of KYC they already do or are going to do. They do control the USDC smart contracts though. So I suspect that even before Tornado Cash, they were already screening for sanctioned wallets that interacted with those smart contracts. Um, I'm not sure, but what we do know is that after Tornado Cash, they began freezing USDC that was held in those sanctioned wallets. And maybe even in wallets that interacted with those wallets and so on. But, you know, they have to decide how far beyond the addresses, uh, that are strictly on the sanctions list, they wanna go, just as centralized crypto companies like Coinbase will have to. I think the harder question is what do companies that are decentralized to some degree, what measures should they implement and what measures like are they even capable of implementing, right.
Tuong V Lee (00:25:06): Um, to minimize the risk that they're interacting with sanctioned wallets or being used by others to do so, you know, we talked about front ends, front ends versus the protocol itself earlier. So, um, if there is a front end over which some people have control and they're US based, like, you know, what should they do? Right. So the most straightforward thing you can do is screen for the wallets that are on the sanctions list. So you hire one of these like compliance providers, like TRM Labs or Chainalysis, and implement their sanctions API in your front end, which then blocks sanctioned wallets from accessing the protocol through your website or app or whatever interface you control, you know, but the question that the Tornado Cash sanctions raises, or the question it raises is, is that enough? So one thing that's been confusing about the sanctions against Tornado Cash is that Tornado Cash itself had actually been doing just that. Um, back in January, it was reported that they had begun using Chainalysis to screen for the sanctions list.
Uh, and the way that their "mixer" works is that they also provide a cryptographic note to each depositor that contains information about the origin of the funds in case law enforcement ever needs to access that information. Um, but they still got sanctioned. Right. So what does this tell us? Uh, does it tell us that it's not enough to simply screen for the sanctions list and if so, like what more are you expected to do?
Anna Rose (00:26:39): Yeah, yeah. That, that fact that the viewing key, cause I think there was two things that most privacy projects had always sort of relied on, that was like decentralization and having this viewing key, they did have both, yeah. And still got this, this sort of action. And that definitely does raise the question of like what else to do to make sure that you're compliant to make sure that, but also, I mean, I guess also to make sure that you don't have lots of crime, like maybe I don't, maybe there's like a, like a technical or a, a product idea or solution that's also out there to protect for that.
Tuong V Lee (00:27:16): Those are the questions that a lot of DeFi projects are struggling with right now, right? How far are they expected to go and how much backlash are they willing to tolerate from their users? Uh, and again, to the extent that they only control a front end, can they still get in trouble for stuff that happens on the protocol outside of their control, which seems to be what happened to Tornado Cash. Assuming that OFAC understood that no one controlled some of these smart contracts that were sanctioned. The other possibility I've seen raised is, you know, should you be building some sort of screening mechanism into the smart contract itself? And can you be liable if you don't? And the smart contract is later used to say launder money. Uh, that obviously doesn't address the issue of the smart contracts that are already out there and immutable.
But to be honest, I actually can see a world where the government eventually says, you know, if you're not able to build something that doesn't have the ability to keep out bad actors, then we can't allow that thing to exist because it simply presents too much of a national security risk.
Tuong V Lee (00:28:23): But if that were to happen and I think it would be done deliberatively and explicitly, in fact, probably legislatively, not through enforcement, so to speak. So I don't think that's the message OFAC was trying to send with the Tornado Cash sanction. And in fact, I think they've been surprised that it's been received that way.
Anna Rose (00:28:44): Can you share a little bit about sort of some of the reactions of the big players, like USDC and Circle also? I mean, I had recently the Flashbots folks on for MEV and sort of the software that they're running. I don't know if you've seen, like, if you've been keeping track of all of the reactions of these companies that are often based in the US, but yeah. I'm just curious, like, is that, is that overkill? Are they going kind of too far? Like, I've heard that, you know, in some cases they've, they've blocked all addresses or they've thought of blocking all addresses that interacted with it at all. Even if it's in the past.
Tuong V Lee (00:29:18): Yeah. That's, that's actually a question I have with respect to like some of these compliance providers, I don't know that they have the ability to do like time bound, like screening, right? Because sanctions requirements are not retroactive, meaning they only, um, go into effect or they only apply to transactions that happen after the sanctions are announced. Right. So it's obviously problematic if these screening tools don't have the ability to filter that way.
Um, so I, I don't know if, you know, you've spoken to, to someone who has more familiarity with the way these tools work, but if that's true, then that's obviously a problem that would be more expansive than what the sanctions requirements require you to do.
Anna Rose (00:30:04): Mm. So one thing that really emerged right away was this idea of like USDC being frozen and that this decision had been taken. Can you share a little bit about what actually happened there? Like who froze it and what did they actually freeze?
Tuong V Lee (00:30:18): Sure. So Circle is the, the regulated company behind the stablecoin USDC, you know, and they froze the USDC in certain wallets that were sanctioned or had, I think, interacted with sanctioned wallets. I don't know how far out they went, but a lot of USDC was frozen after the sanctions were announced. And Circle said that it was actually Centre, uh, which is a standard setting consortium between Circle and Coinbase, that made the decision to do that.
Anna Rose (00:30:49): But was this more than OFAC had asked for actually?
Tuong V Lee (00:30:53): I, I don't know, actually they didn't say that. I think it may have just been a decision that they made. You know, every company has to decide how they're going to comply and what their risk tolerance is. And I think Circle being a regulated entity, it's something that they have to take very seriously.
Anna Rose (00:31:13): What do you expect in terms of like legal feedback to be happening right now? Like, will there be cases, will there be, I don't know, like request for clarity, like what kind of action can actually lawyers take now or groups take at this time?
Tuong V Lee (00:31:32): So it's not at all unusual for companies or persons who are wondering what they need to do to comply to reach out to OFAC directly. Um, and that has been happening these past few weeks.
And so I think OFAC has heard players from the industry loud and clear that there's a lot of confusion around this. Projects and companies aren't sure exactly what they should be doing, how far they need to go. Um, so I think there's, there's been a lot of engagement and like I was saying earlier, I do expect OFAC to issue some guidance and to answer some of these questions, um, especially because, you know, like I said, Representative Tom Emmer actually sent them a letter with very specific questions about what the sanctions meant. Um, so I would expect a response from them on that. I mean, I think this whole incident has been really interesting.
Tuong V Lee (00:32:24): The thing I would leave you with is, you know, a lot of times when there's like a seemingly heavy handed and confusing government action like this, especially when you're talking about sanctions where it's strict liability, you know, and the consequences of violating sanctions requirements are severe, the danger is sort of that everyone around you starts to self censor, they panic and, and go overboard, right? So I think the priority for us right now should be to, you know, help educate the government about the positive use cases for on chain privacy and, you know, talk to them about the solutions that a lot of people are working on right now, as you know, right. Including a lot of ZK based solutions that potentially offer a better way of complying while also preserving privacy. And, and this isn't just about mixers. It's about DeFi protocols, more generally, it's about self-hosted wallets and so on.
Tuong V Lee (00:33:20): And, you know, it's always hard to get the government to change the way that they've been doing things for ages, but we, we need them to understand, right, that blockchain by its very nature of being entirely transparent and public just, it can't survive or reach its full potential without some element of privacy for its users.
And I, I also wanted to say that, you know, I know privacy is the focus here, but if we're going to talk about, you know, what sorts of compliance measures we should implement across different parts of the crypto ecosystem, I think we really need to stop and consider the current system of like KYC and AML that we have here and around the world. And like why it's so deeply flawed. Right? One of the reasons it's so flawed is not just that it's a privacy nightmare, but also that it shuts out so many people, like one of the things that drew me to crypto, maybe you too. Tuong V Lee (00:34:18): Um, and I know a lot of others was the promise of a new financial system that was a lot more inclusive, right? Like over a billion people around the world, lack any form of government issued ID. And in a lot of places, companies simply choose not to serve these unbanked or underbanked populations because it's just too costly or risky to do so under our current system of compliance. So I really think we need to ask ourselves, like, why would we wanna perpetuate such a broken system, one that was originally designed for centralized entities? Why would we wanna import that onto this completely new and different system? That's premised on decentralization and that's supposed to give access to more people, not less like this is our chance to reimagine a better system of compliance if that's, you know, what we choose to do. And one that not only makes sense for how blockchain actually works and how decentralized systems actually work, but also one that's more inclusive and less costly and of course, more protective of privacy and security. And so I think that's the exciting opportunity we have here and we should do it in a way that's thoughtful and measured and, and not based on like panic or, you know, knee jerk reactions. Anna Rose (00:35:33): V, this was so well said. I just wanna say, thank you so much for coming on and sharing this with us. 
I also really like the framing and how this, I mean, it's, it feels maybe like a darker time in the ZK space or the privacy space, but it could be an opportunity to really understand the parts of the system that need fixing and need clarity and try not to bring with us some legacy stuff that really, you know, that should be left in, in history. So thanks again for that. Tuong V Lee (00:36:01): Of course it was so fun to be on and, and to chat with you about this. Thanks for having me. Anna Rose (00:36:09): So I'm here with Michael Mosier, the General Counsel at Espresso Systems. Welcome to the show, Michael. Michael Mosier (00:36:15): Thanks, Anna. Great to be on with you. Anna Rose (00:36:17): So we just went through a play by play of the Tornado Cash OFAC sanction, uh, in the previous part of this interview with V. So for this one, what I'd like to do is talk a little bit more about the different kind of regulatory bodies that exist in the US. Maybe we can actually talk a little bit about an international perspective on this as well. And then I wanna talk about opportunities for zero knowledge tech in the context of some of these regulatory bodies, because I feel like obviously a lot of the dialogue right now is focused on the risk or the way that there's a conflict between their goals and the goals of privacy tech. But I know that there's a lot of opportunities. Michael Mosier (00:36:57): Absolutely. Anna Rose (00:36:58): So let's start off with, first of all, a little bit about you. So tell us a little bit about your background and what led you to work at Espresso and on Zero Knowledge tech. Michael Mosier (00:37:08): Sure. 
So I'm, yeah, I'm the General Counsel now at Espresso Systems, which is building, uh, configurable, scalable privacy with auditability and selective disclosure, um, applications to it but, um, I was most recently before this, in the government, I was the Acting Director of FinCEN, which is the Treasury's Financial Crimes Enforcement Network and that's a combination of the financial intelligence unit for the United States. And it's also the, um, administrator of the what's called the Bank Secrecy Act. But it's basically the primary money laundering authority for the United States. And, and to your question about working with other agencies, they also delegate certain aspects of, of the money laundering authority to like the SEC, CFTC and, and the banking regulators. Um, but overall administer that and before that was the Deputy Director and the first Digital Innovation Officer at FinCEN, um, which was also driven partly through what you mentioned, which was getting a handle on sort of emerging risks from digital innovation that was happening, but also on opportunities like digital identities, zero knowledge actually proofs, which we can talk more about later. Michael Mosier (00:38:20): Um, but that was something we were actually encouraging and, and setting up some innovation, uh, around. And then, um, before that I was at Chainalysis and was their first in-house counsel and had gone there out of Treasury also where I was, um, at Treasury's Office of Foreign Assets Control, which actually, uh, is the sanctions arm. And there I was the Associate Director in two positions, one was sanctions policy and implementation. It's a separate office and then another office there that I was also Associate Director for was the Office of Compliance and Enforcement and spent some time as the Acting Deputy Director as well during some administration change. And before that I won't go through everything, but I was at the I'm very old, so... 
Anna Rose (00:39:04): Me too. Michael Mosier (00:39:05): Um, I was at the Department of Justice in the Money Laundering section. I was Deputy Chief there and did a tour at The White House, National Security Council and the Obama Administration. I was the Director for Transnational Organized Crime and started everything at the Manhattan District Attorney's office, uh, as a prosecutor coming out of a law firm where I actually had done a lot of pro bono cases, um, for victims of domestic violence and after working with victims of domestic violence to get protective orders decided I just needed to be in public service full-time. There's a lot of bad stuff happening and, uh, exploitation of people, um, which also winds through to sort of crypto and sort of, you know, empowering people. In fact, a lot of, um, these cases that I worked on, that it was certainly physical abuse, but there was also financial abuse and control that was happening and there is a, in fact, we've talked, uh, about that as a use case of sort of there's ways to get, and it would have to be privacy preserving, um, for sure, but privacy preserving ways to get financial assistance, to victims of domestic violence that are fleeing abusive relationships. Um, I mean, it's a, it's a crazy fact, I don't remember the exact date, but actually in the US, um, like women literally could not get bank accounts without husband's approval. Anna Rose (00:40:29): Until like the seventies, like the seventies, crazy. Michael Mosier (00:40:31): It's like mind blowing. Anna Rose (00:40:34): Yeah, also like hospital stuff. Like I think my grandmother was not able to like, make decisions about the children. Michael Mosier (00:40:41): Oh, for sure. I'm sure. Anna Rose (00:40:42): Like that's so crazy. Yeah, Michael Mosier (00:40:43): Yeah, yeah. It's like, and the dates on these, you think it's gonna be like the 1570's. Um, but it's like the 1970's. 
Um, but there's, there is like, there's a lot of control happening and that was, and that was a big driver to get into public service, but it's also a big driver of where public service actually does dovetail really well with sort of personal sovereignty issues and, and certainly democratization um, but counter exploitation too, like there's the whole point is not just chasing bad guys. It's actually preventing the victims to start. So, uh, and we can circle back to that in terms of some of the applications, uh, that governments looked at to, and things that, that I worked on, but you don't, I mean, especially from doing, for prosecuting violent crime cases and, and working with victims, like somebody once said after a case, you know, it's not a reporter asked this prosecutor like, hey, you won like, like, are you happy with the victory? Michael Mosier (00:41:42): And the prosecutor was like, no, like, like every conviction is a tragedy. It's like, it's a personal tragedy for the person convicted, but it's also a personal tragedy for their family. It's a personal tragedy for the victim. I mean, you don't, nobody walks out of these cases, whether it's physical or financial, um, exploitation cases feeling like great, there was a conviction, I'm all set. You know, like once you've been violated in that way, whether it's financial or physical or whatever, you're not gonna just like, get, get everything back. You might get some of the money, but you don't get that feeling of safety or control back. And I think that's a, a big part of, of why Anna Rose (00:42:20): You wanna prevent it. Michael Mosier (00:42:21): You wanna prevent it and that was, and that was also a big draw to Espresso Systems for me. I, I was acting director of FinCEN at the time and, and, uh, had the opportunity to stay on, but met Jill Gunter. Anna Rose (00:42:37): who's been on the show. Michael Mosier (00:42:38): Yeah. Who's amazing. 
And Ben Fisch and Benedikt Bünz and, uh, and just Anna Rose (00:42:43): Also on the show, all on the show, all awesome. Yes. Michael Mosier (00:42:45): I'm happy to be in their footsteps as I was coming into Espresso. And, um, you know, it just, this was, this was configurable privacy that was going to, I, I feel it has the potential to really empower people, but also have an opportunity through zero knowledge proofs and selective disclosure to empower people to also manage counterparty risk. I mean, I think part, part of it is that beyond, like, forget about regulations, there, there is a point where people don't wanna necessarily buy their house by putting cash in a brown paper bag on the front porch. Like the, the, you do wanna manage counterparty risks in some ways, but it doesn't mean that you wanna put your social security number everywhere, and your home address. Anna Rose (00:43:30): So let's come back to the sort of use cases or future uses for ZK stuff. Because first I wanna explore a little bit about what you had just shared about your biography and having worked in these different organizations, when you said you worked at Treasury, and then you worked in sort of the crime and like kind of area of that. Something I just realized is I don't actually know where OFAC is. It is possible that in the previous interview V did say it and I'm blanking, but like, first of all, what does it exactly stand for and where is it? Michael Mosier (00:44:03): Yeah, no, that's a good question. Actually, so OFAC stands for the Office of Foreign Assets Control. Anna Rose (00:44:09): Okay. Michael Mosier (00:44:10): And it is, it is a component within Treasury. Anna Rose (00:44:13): It is in Treasury. Michael Mosier (00:44:15): Okay. 
It is in Treasury and actually OFAC and FinCEN are two components within Treasury that are separate standalone, but they're within Treasury and they both report to the same Undersecretary for Terrorism and Financial Intelligence, which right now is, is Brian Nelson. Uh, so they are very connected. For sure. Anna Rose (00:44:33): And SEC is somewhere else. Michael Mosier (00:44:37): SEC is a totally standalone agency. So more of a counterpart to Treasury with far more resources, I will say also, but, um, but yes Anna Rose (00:44:45): Where do the resources come from? Do they all get funded by tax for all of these things? Or is there like private donorship or like what, how does it actually work? Michael Mosier (00:44:53): No, it's, it's largely tax it's taxes and there's an element of certain penalties that might go into certain forfeiture funds and like whether it's from whistleblowers and other things, but most of those are not, they mostly get paid out. If it's a whistleblower, they get paid out to the whistleblowers or to the victims. Of course and the priority of all those is going out to the victims, but there are some like massive money laundering cases. Like there was a big HSBC and BNP Paribas cases, um, where like the HSBC one, they were, it was like literally suitcases of cash that were being handed across the counter in Mexico they're not doing it anymore. I'm told, so I'm not getting sued, but, um, but some of those big fine cases, a portion of that can go to the Treasury Forfeiture Fund, but not a lot. I think it really gets put back into the National Budget, um, and go into victims of any of any crimes and the point is that you don't wanna actually over incentivize public service to collect fines just to be able to buy computers and that sort of thing, like you wanna go through the budget process. So, there's a bit of a, um, push and pull on that. Anna Rose (00:46:09): Interesting. 
When you said you were working at Treasury, you were always at FinCEN, you were never at OFAC, right? Michael Mosier (00:46:17): No, actually I was at OFAC. Anna Rose (00:46:19): You were? Michael Mosier (00:46:19): Okay. Before I was at FinCEN. Yes. I was, um, at the Department of Justice and then I went to OFAC, um, where I was Associate Director there. Anna Rose (00:46:28): Interesting. So I did do an episode with Peter from Coin Center two years ago or something where he did actually map out a lot of these different groups. So I will add that link to the show notes, but now I do wanna explore a little bit more what's going on in OFAC itself. I love that you have worked there. I actually only knew that you'd worked at FinCEN and this is really interesting to me. What's it like in there? What is a case? What does it look like and how do decisions actually get made inside? Michael Mosier (00:46:57): Yeah, that's a great question, actually. And I should say in between all of this, I actually did spend some time in the targeting side of OFAC right out of the Manhattan DA and then quickly went to Justice. So I've built this, Anna Rose (00:47:09): What does that mean? What does targeting mean actually? Michael Mosier (00:47:12): That's where they actually build the case. That will say, like for instance, um, one of the things I worked on was Somali piracy. So it was, uh, these, they were these pirate groups up in Somaliland, uh, that were, um, taking boats, hostage and, and demanding ransoms and we were trying to figure out, um, okay and arms dealers related to that, for sure, like the classic Viktor Bout arms dealing network. So you're trying to figure out who's moving money and who's supplying arms to conflict areas or in this case, um, who's funding the piracy, you know, to get the boats that they need or the ladders or the arms and then also, where is it going? Is it going to corruption, local corruption, or is it going to warlords somewhere? 
Like what's behind that and so you're, you're building evidence. Michael Mosier (00:48:02): In that case, we worked with actually with the UN monitoring group, we worked with NGOs, um, that were on the ground dealing with like aid that was getting diverted to find out like who's extorting aid and all of that builds into sometimes it's a network like in arms trafficking, you're looking at the networks like Viktor Bout, but you're also looking at who are the financial facilitators and what are the touch points so that you can impact. So it's, I should be clear, like in Department of Justice, you're prosecuting for criminal violations. It's punishment. Like, just to be clear like that's what it is. OFAC is set up, is designed to be a behavior change mechanism for national security and foreign policy goals. So it is not meant to be punishment. The goal of it is to change a political calculus like Russia invading Ukraine, or Crimea or authoritarian regimes, like the military junta taking over Myanmar and quashing democratic elections. Michael Mosier (00:49:05): And so a lot of that engagement is like, look, we're gonna slowly in certain ways create, um, economic resistance for you we'll calibrate that to be, to increase it or decrease it based on like, whether you're getting closer to democracy and allowing elections and the whole point is to turn it, to be able to turn it off and so that is different and the legal standards are different because of that as well as constitutional protections, because it is designed to be under the International Economic Emergency Powers Act to be basically foreign located. So you're not designating US persons, they take enforcement if US persons aren't minding the sanctions, but you designate foreign entities Anna Rose (00:49:50): It's always foreign. So it's like when you get on that sanctions list, it's always non-Americans on the sanction, if you were to engage and then didn't get caught, could you, as an American get put on it? 
Michael Mosier (00:50:02): I don't know that there's any American that's ever been put on the list. I know there was some discussion of someone at one point, and I have to be careful about this, but that was like, you know, became a foreign terrorist and there was debate about that but in general, they don't because then you have you have constitutional due process rights as an American that would not really allow for them to just suddenly freeze assets. Like you would have to get notice and an ability to dispute that, that sort of thing and so, I mean, there's still an appeals process for anybody that's put on the list but you would actually serve that. In fact, there's been issues where somebody was flying over the US, uh, or flying in when you were gonna designate them and do we need to go re-meet them at the airport and give them notice that sort of thing? Michael Mosier (00:50:50): There was some money launderers actually from Central America that happened and so it, it is always calibrated to be you can get off the list it's not forever and that's a sort of complexity when you talk about a smart contract and I should say like one bit of history on OFAC, because I think it's important also in thinking creatively about like what the point of this is, but also what's possible is it has roots that go all the way back to the Civil War in some forms, but it wasn't called that. Looking at who was giving aid to the Confederacy and stuff like that and embargoes around that but it really came to the fore in the World War II and the reason it was called the Office of Foreign Assets Control ultimately was that it was actually freezing assets that had touchpoints to the US when the Nazis would go into countries and start taking over. 
Michael Mosier (00:51:46): So like the Nazis would invade, like, let's say Denmark, and there would be Danish government gold at the Federal Reserve or somewhere in the US and OFAC would actually freeze assets, the foreign assets that were in control of US banks or in the US system, so that the Nazis couldn't take it out and you had to use an authority. You can't just say we've decided someone we don't like is there, it's like you need an International Economic Emergencies Act power and an executive order to declare a national emergency and say, so it was really preserving assets. Like it certainly is used and it was like the Civil War version of it was an embargo against, you know, those that were funding the Confederacy. So it always had a sort of behavior change mechanism but it also has a protective function and there's been other uses of that in more modern time, including, you know, in Libya, during Gaddafi regime change and uncertainty where assets have been sort of protectively frozen so that somebody didn't just come in when there's a dispute between who's the real central bank and stuff like that or if there's looting that sort of, we're gonna freeze the assets in the US control and when it's resolved, we'll sort of let those go again. So it does have a protective, it's a multifaceted organization. Anna Rose (00:53:06): How does a case start? So you sort of mentioned this targeting what actually prompts even that what's the step before that, that it becomes like highlighted or flagged? Michael Mosier (00:53:16): Yeah. It's a mix. 
It's a good question because it's a real mix, like sometimes it could be like when I worked on Somalia, the global supply chain was getting jammed up and obviously, and people were being, uh, held hostage and the conflict, there was a lot of concern about Al Shabaab, um, which was wreaking havoc in the country that they were getting funding from the pirates and it wasn't clear if they were really working together or if they were just getting protection that money from them or what it was. So it's always fundamentally tied to a national emergency because the president is declaring a national emergency on whatever the issue was and so the president declared a national emergency involving Somalia that was for the terrorism that was destabilizing the whole government and terrorizing people and then also included the piracy that was terrorizing people but it was also funding Al Shabaab, but it was also disrupting the global supply chain. Anna Rose (00:54:11): Would this have been highlighted partly through like the media or was it like how, like who reports it? People call the government and be like, something's happened. My business has been robbed or like, is there my boats, like who's telling on like, who gets that information over? Michael Mosier (00:54:27): It's a mix like it's not that like, they're tiny, it's a tiny, tiny organization so it's not, they're not that sort of able to be responsive to private actors that much, although they will certainly get information from like political dissidents under an authoritarian regime that's like, hey, this person just escaped from Evin Prison in Iran or wherever or the military junta in Myanmar and has information about who's causing the exploitation, something like that but it's generally, these are presidential declarations of emergency. 
So it's a mix of geopolitics, the State Department, there are analysts at Treasury that are constantly monitoring crises and the intelligence community, certainly in law enforcement so something like Somalia, you're seeing the State Department's talking about it, foreign partners are talking about it, NGOs are coming to us saying we cannot deliver aid. Michael Mosier (00:55:19): And some of those are like the World Food Program that might be partly funded through USAID so we're hearing it from all sorts of touch points and the UN itself, sometimes something like Russia's invasion of Ukraine. You'd be hearing it from the intelligence community, like, well before the news and you'd start working up, what are the pressure points? What can we actually impact because the other thing is they're very limited resources and you don't wanna spend a lot of time just putting names on the list that aren't gonna be impactful 'cause each name that goes on the list is a full legal package of here's why we believe this, here's multiple sources that, you know, it's not just somebody says they seem bad. It's a legal review, so you can't just, you don't wanna be putting names on that you can't impact. Anna Rose (00:56:07): I wanna bring this to the Tornado case because now I wanna understand, like, was there a directive from the top that like crypto scary, bad? Or was it more like North Korea never. Like, what was the rule at the top that led to this? Michael Mosier (00:56:27): Yeah, that's the question. I don't know. Uh, it's not, that's not public, so we don't know. Anna Rose (00:56:33): Oh, it's never public, so this is something non-published, this is not known necessarily. Michael Mosier (00:56:38): Right. What you have that's public is whatever the press release says and people will do sort of Freedom of Information Act requests, but those can take a long time to come out and they're not gonna put sensitive information out. 
Normally, if you're like the person named you have an appeal, right, an appeal process, and you would normally write in and ask for more information, which it would be up to you, whether you'd make that more public or not, but if you're challenging it they're not gonna just give you the whole file. There might be sensitive sources involved in that, including by the way, in like Global Magnitsky is a sort of human rights and foreign corruption authority and they're not gonna just reveal, like, here's the human rights actor that told us about you Lukashenko or whoever just because you appealed, uh, they're gonna protect, you know, human rights actors and that sort of thing. Michael Mosier (00:57:30): But um, so you won't necessarily know what I think we gleaned from the public statements is that it was largely driven by the amount of money that was going to North Korea and I say, going to North Korea, people weren't like fundraising through Tornado Cash. It was North Korean cyber hackers that were sending their money to the smart contract to try to obscure the tracing so that they would have a better chance of trying to cash it out at centralized exchanges because the reality is there's not a lot that you're gonna buy, they aren't gonna buy centrifuges in North Korea with Dogecoin or even ETH. So it does seem from the press releases like very North Korea driven and then looking at the numbers it was in the sort of hundreds of millions to billion, couple billion that were related to these hacks, and so that's in the scale of North Korea's economy, like that's an enormous amount, like in traditionally North Korea, it was it's like coal smuggling and ship to ship transfers of oil and front company. Anna Rose (00:58:32): I actually, yeah, I don't understand like if they do the hack, they put it into Tornado, they take it out. They're still looking for an offramp where's the offramp is it in North Korea? Is it like in American accounts? I don't know. 
Maybe there is reporting on this, but like I don't actually know where this crime goes. How do they like, how do they use the money? Michael Mosier (00:58:51): Yeah. That's the big question. I don't have anything access to anything that's not public, I'll say that but I think part of the issue, I think how this arose was like, obviously they're not the US government is not interdicting money at Tornado Cash. They're not, they can't seize it at Tornado at the smart contract level because there's no admin key so they're not interdicting it there so it's really North Korea's trying to get it to a centralized exchange somewhere probably it could be OTC desks somewhere in Asia, some of it could be Russian or other centralized exchanges, um, that don't do any sort of AML or KYC and then others could be, it's not US exchanges but they're trying to get it to a Fiat currency that they can use and so that, and that also by the way, will sort of determine where they're gonna go, because if they're looking for Chinese Yuan, they're not gonna come to the US or even Russia necessarily they've gotta go where there's liquidity, particularly at the amounts we're talking about, Anna Rose (00:59:53): Could OFAC have actually targeted those exchanges or they know so little, so they didn't know which ones or like yeah, I like could, that's another thing to do. Michael Mosier (01:00:05): Yeah. 
That would've been my first thought, having also spent time there, I think it's a combination, so yes, like you're always gonna on some level have one better chance of changing behavior if it's a centralized actor and also you're gonna get closer to where you're sure that it's going to cause impact because it's the place they need to get to whereas something like Tornado Cash is just one means Anna Rose (01:00:32): One step on the way Michael Mosier (01:00:33): It's one step on the way but my sense is probably from the press release, you know, where they're talking about the amount that was going through that, it just got to a point where we don't know all the OTC desks that get used and you're probably getting some centralized exchanges saying, hey, uh, you know, I'm doing my thing here, but if they go through a mixer, I can't always tell. So don't hold me accountable, you know, even though the reality is it's not, they're not sending this through Coinbase and Gemini and Kraken, it's going to foreign exchanges. There may be all sorts of regulatory arbitrage going on and there may be engagement with those centralized exchanges that's happening that's not public 'cause you don't, in a normal situation it's a pretty high bar to actually designate a financial institution. Michael Mosier (01:01:18): Like if you look at the history of OFAC, there's very, very, very few actual financial institutions or exchanges and I include exchanges in that, that have ever been designated because the collateral impact is just so high. Um, I think the Banco Delta Asia was a 3.11 action, which, which we won't go down that rabbit hole, but it's like, a FinCEN version of sort of this, but there's been very, very few when I was there, there was one, a bank in Honduras that was, it was largely controlled by money launderers. 
But even there, there was extensive guidance very quickly and wind down licenses saying, we know that not everybody that banks there is a money launderer and you can't just stop people from paying mortgages or getting their salary or paying their electricity bills and so it's a really heavy lift and it's always an analysis of collateral impact versus how much you can actually impact the bad actor. Michael Mosier (01:02:14): And that makes it really, really rare for like, there's been a handful maybe at most and they were largely like controlled by bad actors, not just used by them. Um, so it's a rare, like you would much more likely have engagement, you know, threats on it, potential enforcement because you can take enforcement in fines or you'd use FinCEN authorities, which are, which are a little lighter because they cut you off from the US financial system, but they don't necessarily freeze assets. Which is a bit of a nuance, but, but it's a pretty exceptional step Anna Rose (01:02:46): What they did? Michael Mosier (01:02:48): Yeah and normally you would quickly have sort of some sort of frequently asked questions, guidance, general licenses out that would say, okay, we get it like even by the most sort of aggressive, you know, Chainalysis, TRM, Elliptic, looking at I should say the most aggressive numbers, not that those services are aggressive, the most aggressive numbers it's like, you know, 30% maybe up towards 40% that has some historical ties to illicit and sanctions. Although Chainalysis was quick to clarify that when they said that it's roughly 20% were tied to sanctioned entities, most of that activity was tied to entities before they were sanctioned so it wasn't actually a ton of it and there was some from maybe 10% or so from hacks. So you still had like 70-80% potentially of totally illicit legitimate use, maybe the worst case, 60%. 
Michael Mosier (01:03:43): But that's still more than half of all these people that have assets, that one it's a smart contract so North Korea can take their money out whenever they want like the sanction doesn't change that remotely. If you have your receipt, you take your money out but if you're a US person who wanted your salary paid through there because you didn't want everyone in the world to know every time you got paid, you're sitting there with the key to your lockbox, that you're anxiously not using while your mortgage is coming due, because you're thinking I'm gonna get, I'm gonna have an enforcement action, um, for using this thing and so that's the kind of clarity and guidance we're looking for hopefully very quickly and normally that happens pretty quickly. Anna Rose (01:04:26): I'm gonna go just one step back on like sort of how OFAC works, because I'm just realizing that it's like, you'd only sanction foreign, but you'd only punish Americans for interacting with it Michael Mosier (01:04:37): Generally. Yes. Anna Rose (01:04:38): That's so interesting. So it's like, it's like against everyone outside, but like so anyone outside interacting with any of those, are they actually endangered as well? Michael Mosier (01:04:50): Well, yes Anna Rose (01:04:51): I'm Canadian. Not, I'm not planning on doing anything like that, but I'm just wondering if I did, does America care? Because I thought it's just for Americans. Michael Mosier (01:05:00): Uh, America always cares. Anna Rose (01:05:03): Okay. Michael Mosier (01:05:04): Um, in a good way, in a good way but yes, so it follows like all general, well it's two things. It follows general jurisdictional principles, but it also has some additional authorities related to this. So the most immediate enforcement would be US persons. 
You may not, uh, send money to the Iranian government let's say but it also follows personal jurisdiction, which is every country has versions of this, which is if you purposely avail yourself of the US jurisdiction, we expect you to follow our rules too. So you might be Canadian, but if you're doing business here regularly and like let's say you, you have advertisers, not trying to make the case against you but you have Anna Rose (01:05:48): Maybe we shouldn't use me as an example. Michael Mosier (01:05:50): Let's not use you, Anna is completely cut off from the US. No ties. Um, but let's say, let's say a hypothetical entity. Anna Rose (01:05:59): Say a person is doing business with the US would that mean, this is actually, this speaks to another kind of question, but like, so if that person's interacting with someone on the sanctions list, potentially an address, are they then sort of sullied themselves? Are they untouchable to an American, even if it's one step away? Michael Mosier (01:06:19): Yeah and that's the part of the issue that, so let's say you're somebody outside the US, but your wallet has interacted with the designated smart contract or addresses. There's almost no chance that you're gonna then head over to Kraken or Coinbase or Gemini and just cash out anything and part of the issue because of the transparency and the sort of long time immutability that you're seeing everything you're now gonna be from someone like Chainalysis or TRM or Elliptic, they're constantly doing risk scoring and so yeah, you probably, the address is gonna come into the exchange and the US, it will say if it was a direct contact or not, but it's still probably gonna get a risk flag, even if it was a couple steps away and then the question for like a Coinbase or a Gemini is okay, now what do I do with this? Michael Mosier (01:07:10): Like I have an indicator of risk.
I don't know if this person was like money laundering or if it was just their salary, they might reach out to you by the way, these are all touchpoints that require people to do stuff. So you know how much they want to invest in that and by the way, if you're talking about like, AMM's, that's just an AMM front end, like, do they really have a Coinbase compliance team to reach out for that? Or are they just saying, you know what, there's too much risk here, we need to just not do it. I mean, this has partly been driven from the Tornado Cash with the blockchain analytics companies to say, can we get more granular on alerts and have like a decay function, because you're gonna get a hit if you ever had a touch point with Tornado, which might have been way before any designation point and I know that the analytics companies are working on that like feverishly it's always been in demand now it's like really high demand. Anna Rose (01:08:07): Because what you're talking about here is, as I understood from the last interview, sanctions actually happen as like the moment it's been sanctioned, that's when it starts usually and it is not retroactive, but because of the way analytics on blockchain work, it's often just scanning forever having touched including retroactively and then they're potentially, and we've heard about that, like banning addresses that have ever touched it, that's something that some products and some exchanges are actually using that like they're applying that so I'm glad to hear that they're fixing that. I'm glad to hear that that would become more granular and that it would potentially start correctly showing that it's only if after the sanction you've interacted with it. 
Michael Mosier (01:08:51): Yeah and I should clarify for them, like you still can go and investigate at any of those exchanges, can still go into the analytics tool and see exactly how far back it was and they can make the judgment of like, you know, what reasonably risk based approach to this is like that was three years ago or whatever so we're just gonna let it through. It's more that you can't at this stage yet automate it and we wanna get it to a point where, okay, it's probably gonna be not just time or hops, it's probably velocity, you know, because there's always re-layers people can put it in between so I think it would probably be like, well, look, it was like three months or 20 hops from the designation that the complication for something like Tornado Cash is that was already considered risky because of the amount of illicit activity that was going through so I think you most likely had exchanges that weren't blocking in a sanction sense, but they were already flagging wallets as like, well, wait a minute, this is a privacy tool that also has a bunch of illicit stuff going through. We've probably need to like, have a sense of like what we may wanna ask some questions like, or do we have a heightened risk profile, that sort of thing. Anna Rose (01:10:04): So I feel like I could ask you so many more questions about how OFAC works and just continue to like give theoretical idea, like what would happen if, but we don't really have that much time on this interview. So maybe we do another one in the future. Michael Mosier (01:10:19): Um, yes, sure. 
Anna Rose (01:10:20): But what I wanna talk about next is sort of moving over to more of your work at FinCEN because, well, first of all, I wanna understand how that's different and I wanna understand if having worked in it, did you actually see places where instead of thinking about this privacy technology as a threat to national security, it could instead be seen as like an opportunity for better security and protection of people, but yeah, let's sort of move to FinCEN a little bit. First what's the difference? How does it act differently? Is it not for behavioral change? Michael Mosier (01:10:52): Not ostensibly, I mean, yes, no. In the sense of it's a financial integrity focus. So they like, you want people to manage risk and, and counter exploitation, but not, yeah. It's not using tools to change behavior that might be geopolitical. It's a more straight regulator. So whereas OFAC might get told by the National Security Council in the White House, um, you just need to do this, employ your tool in this way. We tried to resist that more at FinCEN and say, hey, we're just regular folks like doing regulation and anti-money laundering. Um, we'd rather not get into that too much. There's a couple authorities like around the section 311 of the Patriot Act that FinCEN has that can get into that a little bit, but we try to keep them just the facts ma'am like, we're not a tool for that. This is anti-money laundering, we're going after whatever the highest risks are. Anna Rose (01:11:42): Does FinCEN go after people or does it write laws or does it like what is it doing? Michael Mosier (01:11:49): No, that's a great question. We're not, they has an enforcement function, but it's, it's systemic AML risk. So it would be like there, like when I was there, we did a big case against Capital One where it was, uh, it wasn't just like somebody didn't file a suspicious activity report or like a person money laundered. It was.
Uh, I can't remember which crime family Genovese or one of the mafia crime families was laundering like after somebody was convicted of money laundering for a mob family was still banking and running a check operation, you know, hundreds of thousands of dollars, like for years or whatever. Um, one of those things, so FinCEN and usually with a banking regulator with the Department of Justice would be part of it as the Financial Intelligence Unit and also the primary anti-money laundering authority would say, okay, that's a systemic deficiency. Michael Mosier (01:12:39): That stuff kept going on and we're gonna together do an investigation and, and recommend changes and potentially fine you money, uh, as a penalty for that. So that's a function within it, but a lot of it is really in the guidance and the rule making, where they implement the statute of the Bank Secrecy Act for anti-money laundering. Like in 2019, we put out extensive guidance on virtual currency that said, here's our approach to the money laundering risk. It should be reasonable risk based approach, like everything else. So it doesn't mean turn everything off or like shake everybody down the moment they come into your hotel to check in, like, you don't need a full background check of everyone, but you know, reasonably, uh, if it's a bag, if it's a suitcase of bills or whatever, like maybe ask a question. Um, so there's some reasonableness to it. Michael Mosier (01:13:28): And the 2019 guidance said, you know, there is risk to this FinCEN regulates based on intermediaries. So it's a person which could be either an individual or an entity that accepts and transmits money. And so that's very specifically defined to be a person that's accepting and transmitting. And so also in that guidance, we said just to be clear, software is not a person. Um, and in fact, anonymizing software is not a person. 
So we specifically carved out and said like a mixer, for instance, if it's not centralized controlled, if it's just a smart contract or software, is not something that FinCEN regulates. And if you do, you would have to have an anti-money laundering program that's reasonable risk based, you know, do customer due diligence and there's overlap there, obviously, because like when OFAC designated blender.io, it was a centralized custodial mixer. They would've, if they had US touchpoints with theoretically after register with FinCEN in and have an anti-money laundering program, because they like your money went in to their custody and they transmitted it out. Anna Rose (01:14:34): Does FinCEN ever get to change the AML laws or like change the policies? Change the recommendations? Michael Mosier (01:14:40): Yeah. Yeah. Actually through rulemaking. Through public rulemaking. So actually it recently happened, there was uh, the, so Congress implemented the AML Act a couple years ago, which sort of updated the Bank Secrecy Act and then said to FinCEN, now you do rule making to implement it. And so, you know, so we put out rules in in fact, one of them was a, was a request for comment saying, we think the Bank Secrecy Act and AML should be modernized. Like we think it should be more based on priorities, not just collect everything. Uh, and we wanna hear from the public, like what's too burdensome, what could be more effective? Like give us feedback, um, on what thresholds should be, that sort of thing. Anna Rose (01:15:22): So the, I mean I'm the reason I'm asking too is, is to sort of lead us towards like in your time there, you knew about zero knowledge proofs. Like, was that a conversation?
And I know it's still very, very early, but like, you know, one of the big use cases that's been proposed is like ZK for ID or as you had mentioned, sort of like selective disclosure of some sort of information without revealing everything, this could be an incredibly powerful tool to protect consumer privacy and still get information that you need to prove something. Would it be FinCEN who could like start that process once there was a really good concept and product and people felt comfortable with it? Michael Mosier (01:16:04): Yeah. In fact, we, we did, uh, when I was there. Yes. Uh, as a Digital Innovation Officer and the Deputy Director and then while I was Acting Director, um, we actually, we did a few things on that. Um, in fact, one of them announced during the first time I met Jill when I was doing a, a fireside with her at, at Consensus. Oh cool. Um, we did a whole initiative on privacy-preserving technology, uh, and it's called an innovation hours where it turned out to be two days instead of a half day because we had so much overwhelming response, but we said, we wanna encourage all these, everyone to come in who's in the privacy technology space and the AML space and find ways for everybody to be approaching financial integrity in a much more privacy preserving way. We want to be encouraging people to like prevent exploitation and do this in a more privacy preserving way. Michael Mosier (01:16:54): And also I also brought in, um, specifically a Digital Identity Counselor. So it was someone she had, she had worked before with India and setting up their digital identity system. And it was like, come on in, let's carve this out and just, just focus on digital identity. Um, we also had a, someone who specifically was focused on virtual currency, put them together with other innovation folks to focus on some of the zero knowledge and privacy preserving work. Um, and so did a couple days with just encouraging people to come in.
We think we specifically called out zero knowledge proofs, homomorphic encryption like there have to be ways to, for instance, just prove someone's not on the OFAC list. Yeah. You don't, you don't need to know what your name is at all. In fact, it really doesn't matter. We just need to know that you're not on the OFAC list and people can move on. Michael Mosier (01:17:42): And some of this came out of, um, working in, uh, COVID during the economic relief programs, the Treasury needed to get money economic relief to people really, really fast. And so part of it was like from FinCEN's perspective, working with the folks doing that saying, you know, on the one hand they, they said, we know this is gonna get looked at later. If it all turns out to go to fraud, we're gonna be in trouble. We don't want that but we also need to get it out really fast and so what's the line of like AML that we need to have and identities and of course there was like hundreds of millions of fraud. Um, partly because it needed to go out so fast and also it's and you had people that couldn't get it because their bank was not, especially community banks were not connected into the Fed System directly. Anna Rose (01:18:29): Oh wow. Michael Mosier (01:18:29): to get the money and so people had to change banks, but you had to start over with your KYC. And it was like, well, why isn't this portable KYC? Why do you have to redo that? We worked on ways to try to lower the lower, the time to say for the new banks, Hey, if someone's been at one, a bank for a certain amount of time, can you sort of wave them in while, while you do it and then some of the banks said, I'm not sure I'm comfortable with that. Um, Anna Rose (01:18:52): This is where you need something else you can tell there's like it's systems of yesterday trying to deal with like the speed of now. And it's like kind of not working. 
There's like Michael Mosier (01:19:02): and it doesn't work Anna Rose (01:19:03): It sounds like there's like really important pieces missing. Michael Mosier (01:19:06): And it's a that's concrete. Like it's always theoretical until you have like a crisis like that and that was a concrete crisis to say, we could not get aid to the people that needed it because they didn't have portable identities, KYC. And by the way, they didn't need to give their social security number to 30 new people. Um, like they just needed a zero knowledge. Like, yes, you've been verified by JP Morgan proof. You're fine. Like, let's move on. And so that was actually, it was a place where we, like, I had theoretically been talking about it for a while and, and our folks had too, but it was one where you could go to main Treasury and say, we really have to do this. Like, uh, this is why concretely and working with other, um, agencies in the identity space. And now there's a lot of work in the US with like actually the driver's license folks to work on digital identity. Yeah. The DMV, um, because Anna Rose (01:20:01): They're gonna be the cutting edge. You'll see. Like they never were, but maybe they will be, huh. Michael Mosier (01:20:06): Well, ironically, they, they are actually actually yes. Like they are actually, it's turning out like, uh, there are some states doing a pilot with Apple actually. Anna Rose (01:20:15): Oh cool. Michael Mosier (01:20:15): Because at the end of the day, nobody wants to be the one that's like, this is really Anna like, it's all great to have your NFT or whatever. Um, but someone has to be on the hook to say the NFT or the zero knowledge certificate that you got was legit and it's hard to do that and actually the DMV at this point is the place where somebody really checks you out to make sure it's really you in real life. 
So there's some pilots actually happening in the US right now and it's like between Apple and some states that are, that you will get a certificate, Anna Rose (01:20:47): Um, except nice, but also not nice that it's a centralized company. That's kind of a bummer. Yes. Michael Mosier (01:20:52): Yeah, yeah, yeah. But we gotta start, we gotta start somewhere, Anna Rose (01:20:54): Start something digital. Okay. Michael Mosier (01:20:55): Yes. Yay. We'll get there. We'll get to decentralized, uh, credential verify. And I should say like part of the interest from a FinCEN perspective too was one was preventing victims, um, by not having personal information everywhere and in COVID, it wasn't just that people couldn't get aid. It was also that people and criminals all went online more and the amount of like identity theft, synthetic identity and identity fraud, credential stuffing that was going on like cyber crime went through the roof and part of that is because like your credentials are not safe online. Um, I feel like there are so many banks that are still not even doing two-factor authentication, like let alone whatever else. And you had criminals that like, they were, they weren't gonna go out they were doing more online. So, so like the need was sort of through the roof on both sides of it. And so, and part of what we've pushed, especially in the virtual currency space where you have a public ledger anyway, was like, there's so much synthetic identities and identity fraud going on anyway, let's move away from this identity base and go to activity based. And like, what are other indicators, uh, of bad activity that we can use beyond just like a fake ID. Anna Rose (01:22:06): Totally. At a dinner yesterday, uh, with some of the Aztec folks, I actually had a chat about this idea of like the ID and having that live under a ZKP, but also needing for that to really work. 
You need to also have an ability to kind of correct, potentially like misinformation associated with your identity under that, like under the cryptography, because the worst thing, and there is this sort of like scary vision of like, you have this identity it's cryptographic, it can never be changed and it follows you forever. And maybe, yeah, you did make a mistake or maybe you were like, maybe you didn't make a mistake, but someone assumed you did. And somehow that's like on your record forever buried in cryptography, unable to be changed, immutable. Like that's scary too. Michael Mosier (01:22:51): Yeah, yeah. For sure. Yeah. Anna Rose (01:22:53): You need a jury or some sort of group that could like correct it. Michael Mosier (01:22:57): A multisig I'm sure. Anna Rose (01:22:59): Multisig DAO. That was definitely the proposal at the dinner table, but, um, Michael, we don't have very much time left. I want you to maybe just share a little bit more about what you're doing today and, uh, yeah and then we'll sign off. Michael Mosier (01:23:12): Yeah. So what Espresso Systems is building and the reason I'm there from out of government working on counter exploitation is, is exactly that where it's empowering people to use zero knowledge, to have configurable privacy, to make things more private. So you're not exploited to begin with, but have the ability to selectively disclose or verify in a zero knowledge way that there is some sort of verifiability behind this and manage risk. Uh, and I think that's does dovetail with the work that governments should be doing and I think many are to prevent exploitation on the front end. Anna Rose (01:23:44): Cool. Michael, thanks so much for coming on. Michael Mosier (01:23:47): Thanks Anna. Anna Rose (01:23:48): So that wraps up our two interviews. I wanna say a big thank you to the ZK podcast team, Henrik, Tanya, and Rachel, and to our listeners, thanks for listening.