Recently, I had the privilege of presenting to the Financial Action Task Force (FATF) on why its updated guidance regarding decentralized finance is not technologically appropriate for the industry.
Rebecca Rettig is general counsel at the Aave companies, the software development team that developed the Aave protocol. She will be speaking at Consensus by CoinDesk, our virtual experience May 24-27.
According to the FATF, the guidance was intended to provide additional “instruction” in light of the ongoing changes in technology in the blockchain and cryptocurrency space. Although the FATF said it does not intend to broaden the existing definition of virtual asset service provider (VASP) from its original guidance, the latest draft appears to vastly expand who or what may be included. More individuals and entities could be VASPs. And there may be individuals subject to the compliance requirements for running DeFi protocols (unlike today).
That expansion will capture numerous individuals and entities associated with the decentralized finance (“DeFi”) ecosystem. But adopting the guidance in its current form will capture actors who have little to no involvement in the financial transactions that occur on DeFi protocols.
Not only is that detrimental to the growth of an open and transparent financial system, but it is not proportionate to the money laundering and terrorist financing concerns based on available data.
In my presentation, I argued that rather than adopting the guidance in its current form, the FATF should adopt the following three interim steps toward achieving guidance that properly “plugs in” to the DeFi technological infrastructure: The FATF should take additional time for consideration of guidance that is aligned with the reality of DeFi technology and ecosystem; it should collaborate with industry participants and should realize that existing, native anti-money laundering (AML) and terrorist financing (CFT) compliance solutions could be enhanced to offer a path forward.
DeFi vs TradFi
To understand why the guidance as drafted could cause irreparable harm to the DeFi industry, it is important to understand the meaningful differences between DeFi and the traditional financial system. Those differences require a fundamental paradigm shift in how we think about regulation and the monitoring of DeFi transactions.
In essence, there are five qualities of DeFi protocols that make them distinct from traditional financial systems – and more akin to the blockchains upon which they are built (and which FATF recognizes are not VASPs).
- Transparent: Because DeFi protocols are built on blockchains – typically Ethereum – every single transaction that occurs through a DeFi protocol can be surveilled. Unlike information in the traditional financial system, DeFi transactions can be seen in real time and the information is available 24-7 to anyone with an internet connection anywhere in the world. That transparency enhances the ability for risk assessment of the protocol and the transactions.
- Autonomous: Once a party initiates a transaction on a DeFi protocol, the transaction occurs automatically through smart contracts. No one – including the software developers – needs to approve, be involved in or otherwise engage with a party conducting a DeFi transaction, just as Satoshi Nakamoto is not involved in every bitcoin transaction.
- Trustless: Transactions on DeFi protocols do not require reliance on any intermediary because of their automaticity. Individuals or entities interact with DeFi protocols through their own network addresses of which they are in full control.
- Permissionless: Any party can access DeFi protocols from anywhere with an internet connection. There are no “minimum requirements” for DeFi, which provides an opportunity to enfranchise previously marginalized demographics. Individuals who don't have access to traditional financial institutions (for a number of reasons) are able to gain financial autonomy by engaging in transactions on DeFi protocols, which only requires access to the internet.
- Non-custodial: No party, other than the user, exercises control over any virtual assets supplied to the protocol. Smart contracts, in nobody’s control, hold the virtual assets, and users make the decisions on what to do with those virtual assets. That eliminates counterparty risk: A user interacts directly with software rather than with another user.
It is clear from these characteristics that DeFi protocols are as “decentralized” as the blockchains upon which they are built.
In a truly decentralized system, it is not the software developers who built the protocol who make the decisions about the growth and development of the protocol. Unlike traditional finance where control is concentrated in one body, “decentralization” occurs where software empowers a community of users, developers and other entities interacting with the protocol to update or amend various parts of the protocol. This system of control by users is known as “decentralized governance.”
Decentralized governance allows for more secure systems, where users have a stake in seeing the system grow, and meets the needs of individuals everywhere in the world. In this context, these protocols are similar to the Internet Protocol and the Hypertext Transfer Protocol – IP and HTTP – which nobody controls and anyone can use and whose technical decisions are made by consensus.
The transparency of DeFi protocols addresses the AML/CFT concerns underlying the FATF’s proposed guidance. Preventing money laundering and terrorist financing is critical as we progress in the development of the DeFi space. But the inherent features of DeFi and the existing compliance solutions are already addressing such concerns.
A report issued by Chainalysis found that illicit virtual asset transactions make up only 1.1% of total virtual asset transactions. The same report, however, recognized that the transparency of blockchains also allowed law enforcement greater insight into cryptocurrency transactions, including money laundering.
In 2019, former U.S. Commodity Futures Trading Commission (CFTC) Chairman Christopher Giancarlo discussed the 2008 financial crisis and recognized the benefits of the transparency of the “real-time trading ledger” of blockchain.
“In short, what a difference it would have made a decade ago if Blockchain technology had been the informational foundation of Wall Street’s derivatives exposures. At a minimum, it would certainly have allowed for far prompter, better-informed, and more calibrated regulatory intervention instead of the disorganized response that unfortunately ensued,” he said.
While in private practice, I experienced firsthand the “better informed” regulatory intervention Giancarlo envisioned. In interacting with law enforcement and regulators in a variety of contexts, I was able to demonstrate that given the transparency of blockchain and the DeFi protocols built upon that technology, law enforcement and regulators had the exact same information about transactions on a DeFi protocol as the companies that built the protocols. In these situations, law enforcement is often able to obtain more information than they would have in the traditional financial system.
Room to breathe
Rather than starting with the premise that DeFi is working toward a greater good – a more transparent, efficient and inclusive financial system – the proposed FATF guidance reads as if the FATF has concluded DeFi is “guilty” or primarily built for criminals. That is wrong, and akin to the assumption made 25 years ago about the internet, when U.S. regulators almost strangled the internet in its cradle in order to target online pornography.
Beyond the presumption of guilt being factually incorrect, adopting the expansive definition of VASP in the proposed guidance would undermine the benefits of DeFi by stifling innovation, slowing economic growth, suppressing financial inclusion and perpetuating the wealth gap.
In addition, the presumption of guilt discourages collaboration from or with even the most willing industry participants. But collaboration is precisely what we need to continue to grow this new financial system while ensuring that AML/CFT compliance solutions “plug in” to the technology appropriately.
The proposed guidance reads as if we cannot have a financial system or a financial transaction without an intermediary. That sets a dangerous precedent: It sends the message that innovation is unwelcome unless it can be understood and regulated exactly as it is today.
The presumption of “guilt” is particularly troubling given the fact that developers of and participants in DeFi protocols have been developing solutions to AML/CFT as the DeFi ecosystem itself develops. These native compliance solutions account for the reality of blockchains and DeFi protocols: They “plug in” to them correctly, they account for the ways in which the software can be accessed, and they are building with the software rather than against it.
Some examples of the types of solutions that mimic the monitoring the proposed guidance seeks to promulgate are:
- On and Off Ramps Into DeFi: Initially, users can interact with DeFi protocols only if they hold virtual assets, and the primary way to obtain virtual assets these days is through “on and off ramps” – centralized actors that sell or otherwise exchange fiat currency for VAs and who are undoubtedly VASPs. Those centralized actors all conduct Know Your Customer (“KYC”) checks on anyone conducting a transaction on their platform. These on/off ramps are typically regulated as money transmitters and must comply with stringent requirements in onboarding any users. These days, it is nearly impossible to use crypto without first having been KYC’ed by any number of platforms. In other words, DeFi is a “closed system” because a user cannot enter or exit it without having undergone KYC.
- Transaction Monitoring: Once users hold crypto assets, they will access DeFi protocols in one of two ways: through user interfaces – websites on the internet accessible by anyone – or directly via a blockchain. These user interfaces can be hosted by the software developers who created the protocol or by third parties who have no affiliation with the developers. Many of these user interfaces employ transaction-monitoring companies such as Chainalysis, Elliptic, TRM Labs or Elementus to keep an eye on the wallet addresses interacting with the interfaces. These companies are able to identify wallet addresses that are associated with illicit activity or otherwise qualify as high risk and provide notifications about such wallets. For any transactions that occur directly on Ethereum, there is no way to block or prevent such transactions in advance, as is the case with cash transactions in fiat. But given the transparency of blockchain technology, such transactions can always be traced in a much easier fashion than cash transactions in fiat currency.
The current AML/CFT solutions in DeFi are robust and continuously getting stronger, especially considering that DeFi is a nascent, emerging financial system.
We need to embrace the benefits of AML/CFT regulations, but the proposed guidance will not provide such benefits and will simultaneously impose significant burdens (most of which cannot realistically be implemented) on this new financial system.
How do we do this effectively? The only way to determine that is through additional time to develop a system of regulation that accounts for the realities of DeFi technology through collaboration with dedicated actors in the DeFi space and by leveraging existing compliance solutions.