From the bipartisan votes in Congress, to President Trump’s impatient signature pen, to the millions of Americans who own and vote crypto, the appetite for crypto legislation has never been stronger. In addition to the President signing the GENIUS Act, landmark legislation that creates a clear federal regulatory regime for stablecoins, Congress is on the precipice of passing the CLARITY Act, a bill to give the 52 million Americans who own crypto and companies like Coinbase rules of the road. And while we've come a long way, there remains one more important and obvious opportunity for improvement: updating the arcane Bank Secrecy Act (BSA).
To state the obvious: the BSA is a critical tool for finding bad actors and combating illicit finance. The law is rooted in good intentions, but good intentions only go so far when technological advances outpace a former reality.
Take the BSA’s Know Your Customer (KYC) requirements. For decades Americans have faced mandatory KYC checks every time they sign up for a new account. That means your sensitive personal data has been shared with dozens of companies – and their partners – during your lifetime. And it’s not just traditional financial institutions that are required to hold your data; even your phone company has to comply. Thankfully these institutions have mandatory safeguards, but safeguarding is imperfect and your data is valuable.
Beyond the annoyance customers feel every time they repeat the KYC process, these personal files are honeypots for criminals. Companies are required by law to hold your data for years and to send that data to bureaucrats.
And then there’s the problem of transaction monitoring. Financial institutions are required to surveil every single transaction passing through their systems, in order to detect suspicious activity and then report it to the government. This sweeps in trillions of transactions, which must be reviewed by tens of thousands of people working for the financial institutions who then decide whether to file a government report.
To what end? In the U.S. alone, millions of these reports flood the Treasury Department and law enforcement agencies annually, yet the vast majority of them are never even read. The inefficiency of this system is so well known that in 2020 Congress passed a law requiring the Treasury Secretary to modernize this report-filing regime, yet little if any progress has been made.
Despite Congress’ recent action, the BSA is still rooted in decades-old requirements that reflect paper-based compliance protocols and a financial system in which funds moved over days, not seconds. But today funds can move instantly, and compliance teams are developing new ways to find bad actors. Unfortunately, policymakers are now pointing to the speed at which money can move as the problem – but that’s a feature, not a bug. So rather than blaming technology for an increase in problems, Congress should be looking to technology for solutions.
Thankfully, a better and safer option already exists to update some of the key issues of the BSA: Zero-Knowledge Proofs (ZKPs).
Simply put, ZKPs use cryptography to enable one party (called the prover) to convince another party (called the verifier) that a certain statement is true without revealing any information beyond what is strictly necessary to prove that. For example, ZKPs allow you to prove your information one time with the ZKP provider, and then use that ZKP going forward without having to disclose superfluous information to additional parties. This may seem minor, but imagine having to show the bartender only a dynamic ID card that tells him that you’re of drinking age rather than producing an ID that tells him precisely the day you were born and where you live.
In financial cases, you could open a new account with a company like Coinbase without sharing decades of personal data, instead using ZKPs to prove you are not on any sanctions lists, you’re not a minor, etc. And if law enforcement wanted detailed information on the customer, they would be able to subpoena the company that issued the ZKP.
The use of ZKPs in reports filed with the government would also end the relentless transmission of sensitive customer information to a massive, aggregated honeypot. Specific data could be shared about transactions without transmitting personal data about millions of law-abiding Americans in an effort to find a small number of criminals. The U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) could further reduce the risk, and waste, by mandating that for transactions meeting certain objective criteria, select data points would be automatically transferred without the need for review by the financial institutions. FinCEN could then use AI to detect patterns across a more complete dataset than any one private institution would possess.
Congress – along with the Administration – should ensure the rules are updated to allow companies with BSA requirements to rely on third-party ZKP providers. A historic bipartisan coalition in Congress already believes the current rules of the road don’t keep pace with the technological advancements we’ve seen with crypto. While it’s absolutely critical that the BSA extend to all companies that are engaging in our financial system, Congress must turn to BSA reforms once a comprehensive regulatory regime for crypto is established. In the meantime, Treasury should establish a public-private partnership to identify areas where existing processes built on the antiquated systems need to be adjusted to function properly in a ZKP-based system.
The bottom line: governments are unnecessarily forcing companies to collect and transfer vast amounts of sensitive customer data, and the customers hate it. We're in a much different world than when these laws were enacted in 1970. We now have blockchain and AI technology to modernize our financial systems and bring innumerable benefits to consumers in a privacy-compliant manner. We just need our laws to allow us to unlock their potential.