The crypto collapses of 2022 spurred widespread fear that U.S. officials would soon clamp down on the industry, but don’t expect sweeping new crypto regulations anytime soon. As much as Washington, D.C., bigwigs might want to put crypto in a box, regulators should first get their priorities in order.
The primary regulatory approach of relevant federal agencies is rulemaking, or the process by which bodies like the U.S. Securities and Exchange Commission (SEC) craft, review and finally approve and establish legal boundaries. But this would likely fail with crypto for two reasons.
This article is part of CoinDesk's "Policy Week." Mark Lurie is the CEO of Shipyard Software.
First, the legally mandated process – which involves drafting the rule, publishing the rule and taking public comments before a judicial review – takes years. Given how quickly crypto moves, there’s a good chance that by the time a new set of rules goes into effect the industry will have evolved beyond it or adapted its products to avoid it.
Second, regulators must work within the framework of the Bank Secrecy Act (BSA). This law lays out a comprehensive framework for AML/CFT – shorthand for anti-money laundering and combating the financing of terrorism rules – built on the foundation of “know your customer,” aka KYC.
But stringent KYC within decentralized finance (DeFi) is not only unnecessary, it’s all but impossible.
DeFi platforms do not actually hold user funds, so it’s not clear how KYC is even relevant. Sure, these protocols oversee and approve users’ financial transactions, but DeFi’s non-custodial nature makes it all but impossible to implement effective and responsible KYC policies. For instance, if the SEC were to shut down Uniswap, a popular decentralized exchange, 1,000 developers around the world would simply deploy forks without batting an eye.
Regulators would soon end up playing whack-a-mole with DeFi – a quixotic exercise that would echo efforts to end file-sharing by suing college students for downloading music. The likeliest outcome would be regulators with egg on their face.
Another option is regulation by enforcement, with laws that are so broadly written they could apply to just about any transaction but in the end are rather selectively enforced. Strategic ambiguity is itself the deterrent. This route is likely to further disorient and frustrate many honest crypto actors, but it appears to be the only practical path for regulators to walk.
Instead of updating existing legislation, Congress should unravel the BSA.
Role of regulation
Enacted after the Sept. 11, 2001, attacks, the BSA is a compilation of several acts, including the Patriot Act. By outlining a comprehensive AML/CFT framework, the BSA essentially requires all financial institutions to enact stringent KYC policies and monitor all transactions, including increasingly rigorous due diligence as transactions become larger and more suspicious.
If the risk is seen as significant, banks and financial bodies must submit a Suspicious Activity Report (SAR) to the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), which reviews the reports to detect illicit activity.
Financial institutions filed more than 3 million SARs in 2022 alone. That’s a lot of SARs. Yet, BSA enforcement is delegated to a variety of agencies. The SEC enforces it for securities exchanges, for instance, while the Office of the Comptroller of the Currency (OCC) enforces it for banks. FinCEN enforces it for any actors not explicitly assigned to another federal regulator, such as money transmitters.
The foundational problem with the BSA is that when it was written large sums of money could only be transmitted through intermediaries. Further, transaction databases were siloed within each intermediary, making them easy to surveil. In this context the BSA is logical and effective.
But blockchain and DeFi have changed the game, enabling the legal exchange of vast sums of money with no intermediary. Such transactions are also permissionless, meaning they require no administrative oversight and are largely anonymous. This contradicts the basic assumptions of the BSA, rendering it largely impractical and unenforceable.
Yet, the BSA’s KYC framework is so ingrained within U.S. regulators’ compliance culture that it has become gospel. Speaking out against the received wisdom on KYC is blasphemous, akin to siding with crooks and grifters.
But in the real world, guilt until proven innocent has never been an effective means of regulation. KYC is not an end in itself but a means to an end. Preventing money laundering and terror financing need not require a broad brush stroke that kneecaps new business models and stunts innocuous user activity.
The reality is that crypto comes with its own regulatory tool: the blockchain. Rather than siloing transaction databases across multiple financial oversight bodies, the blockchain ledger provides a single consolidated database for all relevant transactions.
Know your transaction
Instead of KYC, regulators should shift to KYT, or Know Your Transaction. Given blockchain’s open-source nature, the noncustodial design of most DeFi platforms, and users’ ability to effortlessly spin up multiple addresses, the only way to effectively regulate the space is on the individual transaction level.
After all, it’s not the financial histories of individual users that should concern regulators but the origins of the funds. KYT would institute blockchain review mechanisms that would follow the money and prohibit unsanctioned transactions.
From the tech perspective, requiring platforms to check funds’ origins before transaction approval would be relatively straightforward with existing tools and technology. Whenever a wallet and its funds are found to have been tainted by a bad actor, such as a sanctioned address or known hacker wallet, the protocol could simply reject the transaction.
This approach could be risk-based, allowing protocols to avoid banning innocent DeFi users for transactions they did not facilitate. Something along these lines happened after Tornado Cash was sanctioned by the U.S. government, when Aave's frontend website temporarily blocked victims of a dusting attack involving funds from the sanctioned anonymizing protocol.
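To make the risk-based check concrete, here is an added sketch (not code from this article, any protocol or any analytics vendor) that scores each wallet by the share of its balance traceable to a sanctioned source, so a dusted wallet is allowed while a wallet funded mostly from that source is rejected. The proportional "haircut" taint model, the 10% threshold and every address and amount are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: addresses, amounts and the sanctioned set are
# illustrative placeholders, not real on-chain values.
SANCTIONED = {"0xMIXER"}
TRANSFERS = [  # (sender, recipient, amount), in chronological order
    ("0xEXCHANGE", "0xVICTIM", 100.0),
    ("0xMIXER", "0xVICTIM", 0.1),        # unsolicited dust
    ("0xMIXER", "0xLAUNDERER", 50.0),
    ("0xEXCHANGE", "0xLAUNDERER", 5.0),
    ("0xLAUNDERER", "0xHOP2", 10.0),     # taint follows the money one hop on
]

def taint_shares(transfers, sanctioned):
    """Return {address: tainted fraction of current balance} (haircut model)."""
    balance = defaultdict(float)
    tainted = defaultdict(float)
    for src, dst, amount in transfers:
        if src in sanctioned:
            moved = amount                       # fully tainted at the source
        else:
            # Funds with no recorded history are treated as clean (assumption).
            ratio = tainted[src] / balance[src] if balance[src] > 0 else 0.0
            moved = min(tainted[src], amount * ratio)
            tainted[src] -= moved
            balance[src] = max(0.0, balance[src] - amount)
        balance[dst] += amount
        tainted[dst] += moved
    return {a: tainted[a] / balance[a] for a in balance if balance[a] > 0}

def screen(address, shares, sanctioned, threshold=0.10):
    """Risk-based decision: reject only when the tainted share meets the threshold."""
    if address in sanctioned:
        return "reject"
    return "reject" if shares.get(address, 0.0) >= threshold else "allow"

if __name__ == "__main__":
    shares = taint_shares(TRANSFERS, SANCTIONED)
    for addr in ("0xVICTIM", "0xLAUNDERER", "0xHOP2", "0xMIXER"):
        print(addr, round(shares.get(addr, 0.0), 4), screen(addr, shares, SANCTIONED))
```

Lowering `threshold` toward zero reproduces the any-taint policy, under which the dusted wallet is rejected along with the laundering one.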
KYT could be even more effective than KYC, enabling authorities to monitor the entire transaction database, not just the red-flagged transactions within submitted SARs.
The BSA is considered untouchable, but when the law was first drafted back in 1970, its creators could never have imagined today’s financial reality. It’s time to haul this outdated regulatory mechanism into the 21st century and effectively mitigate money laundering while ensuring the continued maturation of crypto.
CORRECTION (JAN. 25, 2023 – 20:45 UTC): Aave's frontend website accidentally blocked victims of a Tornado Cash "dusting attack" due to a misconfiguration from data provided by TRM Labs. It was not an intentional act by the protocol's developers, as initially suggested.