The power and promise of cryptocurrencies as a decentralized, permissionless, cross-border value transfer at the speed of the internet is to build a more democratic and complete financial system. Decentralized finance (DeFi) takes the promise of crypto and builds on it, creating an entire on-chain Wall Street—a digital financial services industry. But how do you build compliance for an entirely decentralized ecosystem?
There are really two main questions. First, are DeFi projects required to have anti-money laundering (AML) compliance programs? And second, how can already regulated entities, such as cryptocurrency exchanges and traditional financial institutions (FIs), safely engage with DeFi?
The name DeFi conjures up images from Star Wars where independent planets operate to create a galaxy of financial services disintermediated from an Empire. This article will take a trip to a galaxy not that far away for the answers.
What is DeFi?
In DeFi, users typically engage with smart contracts. As IBM explains, “smart contracts are simply programs stored on a blockchain that run when predetermined conditions are met. They typically are used to automate the execution of an agreement so that all participants can be immediately certain of the outcome without any intermediary’s involvement or time loss. They can also automate a workflow, triggering the next action when conditions are met.”1
In smart contracts, users engage directly with each other based on a set of rules coded into the application itself. So, if condition A is met (e.g., defaulting on a loan), then B happens (e.g., the borrower’s collateral is transferred to the lender). These smart contracts are decentralized applications (DApps) that can be used for many purposes, including undercollateralized loans, gaming and gambling. DeFi is simply the DApp use case for bringing financial services to cryptocurrency.
DeFi allows users to access most banking services, such as earn interest, buy insurance, trade derivatives, trade assets, borrow, lend and more; but without requiring paperwork or third-party involvement. Like cryptocurrency, DeFi is global, peer-to-peer (meaning directly between two people, not routed through a centralized system) as well as pseudonymous and open to all.
As MSBs engage with DeFi, they want to do it safely and in line with regulatory requirements
A DeFi project or protocol creates a software program that provides financial services. During the early days of a project, many DeFi protocols possess the characteristics of other cryptocurrency businesses—marketing, business development, engineers, data scientists, investors and lawyers—structured to ultimately be governed by a community of users whose authority comes from holding the DeFi project’s tokens.
So how does this work exactly? Just like traditional finance, decentralized financial services require liquidity. But rather than that liquidity coming from institutions, DeFi users create liquidity pools, which are crowdsourced cryptocurrencies or token pools that are locked in a smart contract that facilitates trades between the assets on a decentralized exchange (DEX). Many DeFi platforms use automated market makers (AMMs), which allow the automatic and permissionless trade of digital assets through liquidity pools.
Are DeFi Projects Regulated?
Are DeFi projects regulated entities for purposes of AML compliance? The answer is a resounding maybe. In the U.S., the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) enforces the Bank Secrecy Act (BSA)2—the primary AML law in the U.S. The BSA requires that any money services business (MSB), a person or an entity that provides money transmission services or engages in the transfer of funds (e.g., a “money transmitter”), implement and maintain a modern risk-based AML program. In a 2019 guidance, FinCEN made clear that many cryptocurrency businesses are MSBs. Persons that by any means accept and transmit currency, funds or other “value that substitutes for currency” from one person to another location or person fall within the federal definition of “money transmitter.”3 According to FinCEN, virtual currency “has an equivalent value as currency, or acts as a substitute for real currency.”4 Since a money transmitter is a type of MSB, cryptocurrency exchanges, brokers, custodians, ATMs and a myriad of others are required to build AML compliance programs. Registering with FinCEN, maintaining written policies and procedures, filing suspicious activity reports (SARs), utilizing a blockchain intelligence solution to monitor transactions, screening wallets as well as mitigating the risk of fraud and financial crime are some of those requirements.
In the U.S., the question is whether or not a DeFi project is an MSB and hence required to implement risk-based AML compliance controls. While FinCEN and global regulators have, to date, been mostly silent on DeFi, insights from the Financial Action Task Force (FATF) can be found in the October 2021 guidance. FATF is a task force composed of 39 member nations. It is the standard-setting body for AML and counter-terrorist financing (CTF). For the first time, the recent guidance from the United Nations’ “Global Programme against Money Laundering”5 attempted to address the regulatory complexities of the DeFi space. FATF, which uses the term virtual asset service provider (VASP) to describe cryptocurrency businesses such as those regulated as MSBs by FinCEN, explained that some DeFi projects might be VASPs; therefore, responsible for compliance. Specifically, the guidance explained that a smart contract or software application is not a VASP. However, some DeFi projects simply use the term “DeFi” or “decentralized” but are actually centralized in practice. Therefore, these can be regulated like other cryptocurrency businesses. FATF sets a functional “owner/operator” test to determine whether a DeFi project is a VASP or not. The test holds that “creators, owners, and operators...who maintain control or influence,” may be considered a VASP even if the project may seem decentralized.6 Under the new “owner/operator” test, FATF asserts that indicia of control include exerting control over the project or maintaining an ongoing relationship with users.
Professionals must ask themselves if their project is covered with the “owner/operator” test questions below.
- “Does an individual or entity exhibit control over assets or over the service’s protocol itself?
- Does an individual or entity have ‘a business relationship between yourself and customers, even if this is exercised through a smart contract?’
- Does an individual or entity profit from the service being offered to customers?
- Are there other indicia of an owner/operator?”7
FATF makes it clear that a country should interpret the test broadly, and if it determines that the owner/operator test applies, “owners/operators should undertake [money laundering/terrorist financing] ML/TF risk assessments prior to the launch or use of the software or platform and take appropriate measures to manage and mitigate these risks in an ongoing and forward-looking manner.”8
Essentially, there is little regulation enforced on the DeFi space. FATF’s guidance is just that—guidance in which global regulators have yet to weigh. Therefore, FinCEN’s definition of MSBs could easily apply to certain DeFi projects in the same way that FATF includes less decentralized projects in its definition of a VASP. Like many in the cryptoverse, current DeFi projects are having to skate to where the puck is headed when it comes to AML compliance. This means that some DeFi projects may choose to implement compliance controls themselves.
How Can MSBs Safely Engage with DeFi?
While we are still not sure whether or not certain DeFi projects will be regulated entities, we do know that regulated entities with risk-based AML compliance programs such as cryptocurrency businesses and traditional FIs are looking to engage with DeFi today. How can these businesses engage safely with DeFi in the confines of a risk-based AML approach?
There is a lot that can be done with technology. Advanced blockchain intelligence software can generate real-time risk scores for smart contract addresses, monitor exposure to sanctioned entities, money laundering, fraud, financial crime and other illicit activities such as scams, hacks and ransomware attacks. Blockchain intelligence can identify and screen against risk exposure in liquidity pools that can range from sanctions, terrorist financing and ransomware, to child sexual abuse materials. In addition, it can help businesses decide whether they should engage or continue to engage with that pool.
After identifying risk exposure in an active pool, that is when the risk-based approach further kicks in. Risk management is not a binary world, so every approach will be slightly different. When a compliance Jedi is alerted to risk from a DeFi protocol, they will assess the next steps within their organization’s risk management framework. Perhaps this means further investigation, filing a SAR, alerting law enforcement or disengaging with the platform.
In addition to reacting to historical risk exposure, best practices likely include monitoring a pool for new risk exposure. If a regulated entity is engaging with DeFi, it should likely be performing continuous monitoring on that pool to mitigate the risk of exposure to high-risk categories. If a new risk occurs, compliance teams must have a plan in place to mitigate that risk by investigating and reporting the suspicious activity.
The following are recommended best practices for MSBs or VASPs engaging with DeFi:
- Prescreen for risk exposure prior to engaging with a DeFi platform.
- Continuously monitor the DeFi platform once engaged.
- Investigate and report suspicious activity to the company’s regulator based on the risk-based approach.
DeFi—a galaxy in which users engage with financial services propelled by smart contracts entirely on-chain—is likely not far, far away. As MSBs engage with DeFi (from traditional FIs to cryptocurrency businesses), they want to do it safely and in line with regulatory requirements by building a modern risk-based DeFi framework to ensure that this new galaxy remains safe and secure.
Ari Redbord, head of legal and government affairs, TRM Labs, Washington, D.C., firstname.lastname@example.org, Twitter: @ARedbord
- “What are smart contracts on blockchain?” IBM, https://www.ibm.com/nl-en/topics/smart-contracts
- “Title 31—Money and Finance” U.S. Government Publishing Office, https://www.govinfo.gov/content/pkg/USCODE-2011-title31/pdf/USCODE-2011-title31-subtitleIV-chap53-subchapII-sec5311.pdf
- “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” Financial Crimes Enforcement Network, May 9, 2019, https://www.fincen.gov/sites/default/files/2019-05/FinCEN Guidance CVC FINAL 508.pdf
- “Global Programme against Money Laundering,” United Nations Office on Drugs and Crime, https://www.unodc.org/unodc/en/money-laundering/global-programme-against-money-laundering/.html
- “Virtual Assets and Virtual Asset Service Providers,” Financial Action Task Force, October 2021, https://www.fatf-gafi.org/media/fatf/documents/recommendations/Updated-Guidance-VA-VASP.pdf
- “FATF Provides Final Guidance,” TRM Labs, October 28, 2021, https://www.trmlabs.com/post/fatf-provides-final-guidance