
The Bank Secrecy Act Might Finally Be on the Chopping Block

  • Writer: Veronica Irwin
  • Apr 19

Privacy researchers, crypto advocates, and even regulators are questioning whether half a century of the BSA has worked.


10/29/2025


Brogan Law provides top-quality legal services to individuals and entities with questions related to cryptocurrency. Cryptocurrency law is still new, and our clients recognize the value of a nimble and energetic law firm that shares their startup mentality. To help our clients maintain a strong strategic posture, this newsletter discusses topics in law that are relevant to the cryptocurrency industry. While this letter touches on legal issues, nothing here is legal advice. For any inquiries email info@broganlaw.xyz


A Crack in America’s Financial Panopticon


This month, there’s been quite a lot of drama about market structure and the new CFTC Chair. You’re probably expecting I’d write about one or both of those this month.

But here’s the thing: those sagas have already seen a lot of good reporting. So instead, I’ll direct you to the folks who’ve been breaking the news at Bloomberg and Punchbowl, and my editor’s prior coverage.


This week, I instead want to touch on a topic that’s been under-covered: the shift in sentiment we’re seeing toward the financial surveillance mechanisms built upon the Bank Secrecy Act (BSA). For the first time in more than 50 years, the powers that be may bring real reform to this infamously ineffective system of stopping financial crime.[1]

This was the subject of a panel I moderated at the DC Privacy Summit earlier this month. I knew the system was broken before I sat down, but the panelists opened my eyes to the extent of work being done to fix it. I also didn’t realize how much of that work might be counterproductive.


The History of the American Financial Surveillance State


The idea that financial institutions must collect identifying information on their customers, monitor their transactions, and provide that data to the government originated on October 26, 1970. That’s the day the BSA was signed into law by then-President Richard Nixon. At the start, this system was simple: the original BSA focused on the source, volume, and movement of financial transactions coming in or out of the United States system.


But this simple system didn’t work, and so it was expanded in the decades since through laws like the Money Laundering Control Act of 1986, the Money Laundering Suppression Act of 1994, and the infamous Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001.


Despite these efforts to increase regulatory oversight, the volume of illicit crime has only grown in the decades since, with the system apparently catching a shrinking share of it. As of 2011, the United Nations estimates that only 0.2% of criminal funds are successfully seized or frozen under existing practices. That’s despite the fact that the global financial industry spends more than $300 billion on compliance, with firms in the US alone spending $26 billion. University of Maryland Cryptographer Ian Miers, who spoke on my DC Privacy Summit panel, and Coin Center Executive Director Peter Van Valkenburgh write about this extensively in their paper “Tear Down this Walled Garden: American Values and Digital Identity.”


The failures arise for a couple of reasons. For one, most of these surveillance methods are, as Miers noted on my panel, “static.” They try to understand whether a user is criminal or subject to sanctions at that very moment in time, rather than whether they will be in the future.


But there are also other issues. Many of the transactions these systems flag go uninvestigated because financial institutions’ suspicious activity reports (SARs) are so voluminous, and generate such vast quantities of false positives, that they are difficult to review effectively. Existing regulations also create massive repositories of sensitive data — so-called “honeypots” — that are like catnip for hackers. Critics consider this bad for privacy because it requires users to disclose sensitive information to financial institutions, to the government and, if that information gets hacked, to all sorts of malicious actors.


And, sure, it’s difficult to quantify the degree to which these anti-crime measures deter financial crime. But I’d argue they are more likely to deter the amateurs than the organized entities we’re worried about. “When I talk to people in DC, or, well, Maryland, most of the things they’re worried about are the Iranians and the North Koreans,” Miers explained at the privacy summit.


Reform or Revolution?


Both academics and entrepreneurs have set out to tackle these issues for some time, primarily by designing new and, hopefully, more effective ways of using cryptography to prove a user’s identity online without requiring them to disclose sensitive information. A sampling of this industry segment was showcased at the Digital Privacy Summit: Miers, representatives from the Ethereum L2 Aztec, and the privacy network TACEO are just a few.


But what’s most exciting to me now is the fact that the United States federal government is signaling an intent to actually enshrine some of the more innovative ideas into law — or, at the very least, to take more unconventional solutions seriously.


The first signal was the White House Crypto report, in which an entire, 24-page section was dedicated to “Countering Illicit Finance.” The report suggested that Congress consider statutory changes to the BSA that better define reporting requirements for different types of crypto firms, including DeFi and those located overseas, and asked Treasury to develop more “tailored” anti-money laundering obligations for stablecoin issuers. It also said Treasury should research innovative and novel methods through which companies could meet reporting requirements.


Senate Republicans Tim Scott and John Kennedy also introduced a bill just last week to “modernize the Bank Secrecy Act.” The bill, cosponsored by seven other Senate Republicans (and no Democrats), increases reporting thresholds under the BSA. It has many bank advocates very happy — though it hasn’t really captured crypto advocates’ attention.


The cynical take on all of this is that Republicans are interested in lowering business costs, and so they’re looking for ways to do that regardless of its impact on financial crime.


But the optimistic perspective is that the growing interest in reforming the BSA could lead to lasting change that prepares American finance to better defend itself and allows business to flourish. And that’s enough to get many of the sources I talk to in DC, on both sides of the aisle, very excited.


My Panel


Perhaps the most significant development, however, is a Request for Comment (RFC) issued by Treasury in August. The RFC asked the public to submit comments on “innovative or novel methods, techniques, or strategies to detect and mitigate illicit finance risks involving digital assets.” Specifically, the report asked for ideas which fell under the categories of APIs, Artificial Intelligence, Digital Identity Verification, and Blockchain Technology. The 216 comments Treasury received in response will be used to inform a report pursuant to the GENIUS Act on methods to improve tools that, according to the GENIUS Act text, “regulated financial institutions use, or have the potential to use, to detect illicit activity.”


SpruceID, whose Senior Software and Policy Engineer Ross Schulman spoke on the panel, submitted a comment letter proposing a range of solutions, from those which Schulman described as “non-controversial,” like allowing people to upload digital identity documents, to allowing an “identity trust” to do the KYC work and then issue “pseudonymous cryptographic credentials.”


Meanwhile, a joint letter from the DeFi Education Fund, whose Research Director Lizandro Pieper spoke on my panel, the Solana Policy Institute, and Paradigm focused on enhanced cybersecurity measures and public-private partnerships. (Disclosure: I do some research consulting for the Paradigm policy team, though I was not aware of this comment letter before it was published). It also argued that the best way to protect crypto from bad actors was with crypto, using multiple tools and strategies to prevent, detect and combat illicit finance rather than a uniform system of disclosures. Separately, the DeFi Education Fund submitted a second letter focused on the pros and cons of digital identity technology, stressing the value of privacy.


But the letter I found most interesting came from Coin Center. PVV & Co argued that Treasury should implement processes that allow privacy software to exist within the bounds of the law, without backdoors or honeypots. Such software utilizes zero-knowledge proofs to obscure sensitive data while confirming that a user fits the legal requirements to obtain a financial service. The letter also recommends Treasury consider “smart-contract-mediated freeze controls,” i.e. software which can automatically and swiftly freeze-and-seize funds.


More importantly, the Coin Center letter extends Miers’ criticism of “static” solutions to many of the privacy-minded reforms crypto industry groups are proposing. Effective solutions, Coin Center explained, must verify not only that a person has the right documents but that they are uploading them from a location that isn’t suspicious, from a device that doesn’t appear to be stolen, and that they’ve had access to them relatively recently, all while protecting their privacy as well. Van Valkenburgh refers to this as creating an “ecosystem of digital credentials.”


“Today your passport has an RFID — in other words, you can actually touch it to your phone, if your phone has the right software on it, and read the digital signature and collect the information. And then you could create a zero knowledge proof that you tapped your passport to your phone, and now you carry that around with all the data in your passport and the signature of the government attesting that it’s yours,” Van Valkenburgh explained. “But who are you? You’re just a guy who touched a passport to a phone, right? What if that wasn’t your passport?”


Coin Center also asserts in its letter that it is even more important this data be kept private in the context of digital assets than in traditional finance. Storing this type of information on public blockchains is even worse than creating privately held honeypots, because if public stablecoins reach broad adoption, then you could see everyday Americans exposing their most sensitive information to anyone who reads the blockchain data. “We’ve built a panopticon,” Van Valkenburgh warned.


Next Steps


Of course, Treasury doesn’t have to do anything with this report. If they choose, they could deliver it to Congress and then never discuss these issues again. The same should be said for Congress, whose responsibility it would be to make any amendment to the text of established law, like the BSA.[2]


But the BSA and the laws that followed give a significant amount of discretion to Treasury on writing rules which implement its requirements.[3] Treasury is already tasked by the GENIUS Act to write tailored rules for stablecoins, and they could experiment with some of the solutions commenters suggested for stablecoin reporting requirements to start. They could also propose rules that seriously alter anti-money laundering requirements for traditional finance, if they want to take the big swing.


Nobody seems to think Treasury will go that far right away. But my panelists said that this administration — and Washington in general, on both sides of the aisle — is eager to continue this conversation. With each high-stakes financial crime, like the shocking pig butchering scam intercepted earlier this month, that interest grows. And with the passage of the GENIUS Act, even the most anti-crypto Senators are interested in updating the methods by which agencies pursue financial crime.


“We’re talking about the federal government here, so things may still move incredibly slowly,” Schulman said on the panel. However, “this is the most movement that we have seen in 20, 30 years on financial privacy.”


Thanks again to our sponsor Avoq. Avoq bridges innovators and policymakers. For trusted government relations in Web3, reach out at crypto@teamavoq.com.


Brogan Law is a registered law firm in New York. Its address and contact information can be found at https://broganlaw.xyz/


Brogan Law provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers.


[1] As a Democrat voter myself, I’m actually pretty sympathetic to the idea that existing measures are unfairly overbearing, but nonetheless I get this critique.


[2] As we all know, Democrats and Republicans are having a hard time working together on just about anything right now, so I’m not getting my hopes up about legislative change.


[3] Case in point: the words “Know Your Customer” don’t even appear in the bill’s text — those requirements were the product of interpretive rulemaking.

