Balancing risk and opportunity as a regulator - an interview with Mike Mosier, former acting director of FinCEN
This week, we interviewed Mike Mosier - who was the Acting Director of FinCEN and also served in senior positions at the Treasury Department and Department of Justice. His work in the private sector has included Chainalysis and Espresso Systems and he co-founded the law and advisory firm, Arktouros, dedicated to civil society and emergent society.
Mike has been present at many pivotal moments in the regulation of crypto/Web3, including the 2019 virtual currency guidance at FinCEN. Our interview dives into his mindset as a regulator when thinking about how to balance risk and opportunity as well as advice for founders on an alternative way to approach building in a regulated environment. You can find Mike on Twitter at: @m_mosier_.
Programming note: If you’ll be in Austin for Consensus and would like to meet up, feel free to drop us a DM on Twitter at @matt_homer or @DigitalDrex.
The Interview
The Axial Studio
Mike, tell us what you wanted to be when you were growing up and how it is that you entered the law enforcement and regulatory space?
Michael Mosier
Growing up, it was some mix between a police officer – my grandfather was a police officer in a little mining town in western Pennsylvania – and probably a drummer or something like that. When I got to a law firm I was actually in the tech and emerging tech space focused a lot on intellectual property and working with startups in the prior tech boom. There, I also worked with victims of domestic violence for protective orders in pro bono cases.
That fundamental sense of injustice in the way people treat each other got me involved in court. So I left and joined the Manhattan District attorney, and was trying cases. I started with smaller cases but quickly got into money laundering cases. But there’s a point where it feels like you’re moving sand at the beach – it’s one person victimizing another over and over – so you start to look at the macro picture.
I eventually went to OFAC (Office of Foreign Assets Control) to spend more time thinking in economic statecraft terms. That led me to the Department of Justice and the Money Laundering Section, first as a trial attorney, then a Deputy Chief, doing a lot on sanctions evasion as well as human trafficking, money laundering, and foreign corruption. Then I ultimately ended up as the deputy director and acting director at FinCEN thinking through these things at a very macro level.
The Axial Studio
What do you see as the difference between law enforcement and regulation?
Michael Mosier
They get conflated a lot, particularly in the current era. People ask: “what’s the difference, they’re both enforcing?” I think it is really fundamentally different. From a law enforcement standpoint something has happened and you're trying to either vindicate victims or stop a corrupt official from doing more of it. You’re potentially seizing assets and getting them back to the people that were taken from. But it’s retroactive - you’re looking at past conduct.
For regulators, there is an enforcement element to it, but it's really proactive risk management. If you’re doing right and providing a lot of proactive risk management guidelines and getting out new risk indicators to people, then you’re actually not spending a ton of time doing enforcement. You're engaging with people, aligning on what the risks are, and communicating risks across an industry.
The Axial Studio
What are you most proud of during your time in government?
Michael Mosier
I'm really proud of the 2019 virtual currency guidance at FinCEN because I think it was deliberately really comprehensive. And I think we made a point to do something that regulators very rarely do, which is talk about the things we don't regulate, such as your software developers, non-custodial wallets, etc. And it really was supposed to be guidance, not just gotcha enforcement later.
In terms of personally satisfying, it was trying to hold the line against the self hosted wallets rule that Secretary Mnuchin was pushing. It was really important to us from a FinCEN perspective that there was adequate notice and comment because that’s how you get it right. And it was an absolute battle, till 4am sometimes. We literally refused to post it on the FinCEN website until the Secretary was willing to provide a Notice and Comment period.
The Axial Studio
It's so interesting, even now you continue to see a reluctance to use notice and comment periods.
Michael Mosier
Yeah, it's kind of surprising and I think it does get back to the sense of like conflating enforcement with regulation, the latter of which is proactive guidance. When you’re not engaging in collaborative guidance with industry at a minimum through notice and comment, if not through conversation, then you’re setting things up for misunderstanding. And then you’re really chasing instead of helping people.
The Axial Studio
Can you expand more on the role of regulators as it relates to crypto specifically?
Michael Mosier
The purpose of regulation is balancing risk and opportunity. We spent a lot of time at FinCEN talking about how we're not looking for a zero-risk environment. We could all unplug our computers and have no cyber crime. What opportunity are you providing for people in that?
The Axial Studio
What do you think people most misunderstand about regulation?
Michael Mosier
In addition to conflating law enforcement and regulation, it’s a misapprehension that regulation is about eliminating risk entirely. It's really about reasonable risk management. For example, the current Under Secretary for Terrorism and Financial Intelligence at Treasury is doing a really thoughtful and timely initiative right now on overcompliance and de-risking. If people aren't getting access to financial services because you're just blanket de-risking that’s not helpful. Really give Under Secretary Nelson credit for that work he’s doing, illuminating the fact that de-risking does not serve National Security and policy goals.
And some of that is probably not helped with some of the SEC enforcement that goes on right now because people feel like there's a risk of just getting swept up into it. You can get listed in a collateral enforcement action where you're not even a party that has the ability to challenge it in court. Where is the due process in that scenario? How is that justice being served?
The Axial Studio
What do you see as the relationship between law enforcement / regulation and innovation?
Michael Mosier
I think genuine engagement among all of those elements serves everyone best. You know, not just not just enforcement and rulemaking. We did this engagement quite a bit at FinCEN, and it helped increase alignment across the regulator’s understanding of the tech and industry’s perspective on our risk-concerns. Before you put a proposed rulemaking or guidance out you should be having a lot of conversations to make sure you understand the technology – the risks and the opportunities, including opportunities to mitigate risk built-into the tech. If there's a silver lining to Secretary Mnuchin’s wallet’s rule, it's that we spent an enormous amount of time bringing in technical experts and academics to talk through wallet technology and better understand it. In part so we could say, “no, it's not the same as a Swiss bank account” or “no, it's not the same as an IP address.”
And so I think you really need a constant conversation about the tech and talking together about the risks and what the tech itself might be able to do to mitigate the risks. Otherwise you're just sort of just missing the real risks. For instance, there's such an overemphasis right now on securities risk from the SEC and that's time that people are not spending on cyber risk.
The Axial Studio
What advice would you have for founders and companies that are trying to innovate in the blockchain space that are trying to do it in a compliant and responsible manner, particularly for early stage startups where founders aren’t coming from a regulated industry?
Michael Mosier
Manage your risk reasonably and document it at the time. Think less in terms of “who's my regulator,” but “what's the risk-space I'm operating in?” And assuming you care about your business reputation, “how do I manage risk for that?” So you don't want to say “I'm not a broker dealer, I'm not MSB so I don't need to do any risk management under those frameworks.” Forget for the moment that FinCEN and the SEC exist, let's assume you want people to feel comfortable using your product. Think about the people you want to use this and your business reputation, and manage your risk in a reasonable manner.
The Axial Studio
What are you optimistic about right now in the blockchain/crypto space?
Michael Mosier
I’m particularly optimistic about Web3 stakeholders – including public servants who want to see innovation create more opportunities for people – working together on terminology and best practices for risk management. Getting much more concrete in defining what all these layers are and building-blocks within the layers. So that everyone's being more precise about functions. The fact that people are really working on deliberately making things concrete is good. There's more and more informal conversations that I'm seeing between government and industry, actual engagement to make the most of the opportunities here, in seeing that we need increased resilience and democratization of opportunity.