There is a great deal of fear among blockchain companies and investors that increased regulatory compliance will be harmful to the industry. There is certainly the possibility that regulators, in their haste to increase transparency and compliance, impose impossible-to-achieve requirements on crypto companies. I’ve read more than one apocalyptic view forecasting the collapse of the blockchain business or the rise of China’s global economic dominance, should we somehow fail to meet this challenge.
The internet already gives us some pretty good models for managing compliance in a massively complicated, highly decentralized and global environment. For 20 years we have debated on and off about how far to go, for example, with content verification and anti-piracy measures. None of the internet-destroying disaster scenarios came to pass, nor did the media and entertainment industry die under a blizzard of piracy.
The first component of a regulatory approach that may be borrowed from the internet is the idea of implementing compliance at the edge of the network. Companies that are the on- or off-ramps to the ecosystem are the best point to start with compliance rules around Know Your Customer (KYC) and Anti-Money Laundering (AML). In the world of crypto that means banks and exchanges take the place of ISPs and content distributors. Their size and sophistication make them a good target for regulators, but they are also able to implement and digitize processes at scale.
Decentralized models for verification of identity and qualifications can be similarly adapted from the public internet. Security certificates are used by nearly every website and all e-commerce systems. These certificates effectively represent a form of verified identity. They are managed in a decentralized model where they are not mandatory and there are multiple providers for these certificates. Of course, it is hard to do business without one, but in most countries companies have a choice of providers. There is no reason why this same infrastructure can’t be put to work issuing identity tokens or qualified investor tokens that can go in users’ blockchain wallets.
Finally, we can write compliance rules into smart contracts. Indeed, this is already starting to happen. At EY, we have built the option to have allowed and blocked addresses and parties into the Nightfall privacy technology that we donated into the public domain. More sophisticated approaches are sure to follow, such as only allowing a trade to execute if both parties have validated identity tokens in their wallets from a set of authorized providers. This makes it possible to verify compliance without centralized control of individual transactions. The challenge here will be to balance compliance with simplicity, because as you add code and complexity you also increase the risk of exploits and errors.
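The rule described above, that a trade executes only if neither party is blocked and both hold unexpired identity tokens from an authorized provider, is modelled here off-chain in Python. This is an added example, not EY's or Nightfall's code; the class names, wallet addresses and issuer names are constructed, and token authenticity is assumed to be enforced by the issuing contract.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class IdentityToken:
    issuer: str       # provider that issued the token
    holder: str       # wallet address the token is bound to
    expires_at: int   # Unix time after which the token is invalid

@dataclass
class ComplianceGate:
    authorized_issuers: set          # providers the contract trusts
    blocked: set                     # addresses that may never trade
    wallets: dict = field(default_factory=dict)  # address -> tokens held

    def deposit(self, wallet: str, token: IdentityToken) -> None:
        self.wallets.setdefault(wallet, []).append(token)

    def party_status(self, addr: str, now: int) -> str:
        # The block list wins over any token, so a listed party cannot
        # regain access by obtaining a fresh credential.
        if addr in self.blocked:
            return "blocked"
        for tok in self.wallets.get(addr, []):
            if (tok.holder == addr                      # bound to this wallet
                    and tok.issuer in self.authorized_issuers
                    and now < tok.expires_at):
                return "ok"
        return "no_valid_token"                         # fail closed

    def execute_trade(self, buyer: str, seller: str, now: int):
        # Both parties must pass; the first failure rejects the trade.
        for party in (buyer, seller):
            status = self.party_status(party, now)
            if status != "ok":
                return (False, f"{party}: {status}")
        return (True, "executed")

def demo() -> ComplianceGate:
    # Constructed sample state: two trusted issuers, one blocked address.
    gate = ComplianceGate({"issuer-A", "issuer-B"}, {"0xBlocked"})
    gate.deposit("0xAlice", IdentityToken("issuer-A", "0xAlice", 2_000))
    gate.deposit("0xBob", IdentityToken("issuer-B", "0xBob", 1_500))
    gate.deposit("0xCarol", IdentityToken("issuer-X", "0xCarol", 2_000))
    gate.deposit("0xBlocked", IdentityToken("issuer-A", "0xBlocked", 2_000))
    gate.deposit("0xDave", IdentityToken("issuer-A", "0xAlice", 2_000))
    return gate
```

Removing a provider from `authorized_issuers` invalidates every token it issued on the next check, which is the revocation path a regulator or operator would rely on.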
The regulatory balance that exists on the internet cannot be described as elegant or simple, nor did it emerge smoothly. The internet today is far from the ideal, unified, global network that existed in the early 1990s. National regulations and firewalls, IP-based geofences and other tools have all chipped away at the feeling of limitless connectivity that existed in the early days. Despite those restrictions, in much of the world there is still no single, all-powerful gatekeeper that can block a company or idea from accessing the network. The internet remains, for the most part, a permissionless network.
This is the most essential element of the internet that makes it an incubator of innovation, and it is the one that is most critical to preserve as we grow the regulatory maturity of the blockchain ecosystem. Many services that we take for granted every day have emerged on the internet in spite of fierce opposition from established industry players. From ridesharing to streaming audio to voice over IP telephony, not only are these businesses disruptive but, at least in some contexts, it could be argued that they are against the law or at least violate some rules users have agreed to upon signing up for internet service.
Thanks to the permissionless and decentralized nature of the internet itself, there was no single regulator or entity that had the power to grant or refuse these startups permission to operate. Instead, cases against particular companies had to be pursued through a variety of means. Often, those firms had time to get established and make their case. The result was a gradual maturing of the regulatory ecosystem where the public’s interest in using these services was balanced against the interests of incumbents.
Very simply, the difference between a permissioned system and a permissionless one is the difference between killing a service when it’s just an idea and killing one that already has millions of users. It’s the difference between killing off ridesharing when it is a concept rather than when it has millions of users who prefer it to taking a taxi. The same will be true with decentralized finance (DeFi) and the blockchain financial ecosystem. Thanks to the permissionless nature of Ethereum, the DeFi ship has already sailed. While it might be reined in by regulators, ending it altogether would be hard.
This does not mean that, once established, services are entirely free from regulatory scrutiny. It does mean any restrictions that come to exist are implemented in the context of a public discussion about the benefits compared to the costs. The regulators will be acutely aware of the millions of users they risk angering if they move with too heavy a hand.
Risks and rewards
I anticipate two major risks to the delicate balance that needs to exist for regulatory compliance to move forward without having significant negative consequences for the industry. The first is that very clever companies clash with regulators who are struggling to keep up with emerging technologies. What will happen the first time a company submits a mathematical proof as evidence of compliance?
If you must show that only authorized parties participated in a transaction, it is possible to generate a mathematical proof that verifies this without identifying either party. There are no regulators who are yet ready to receive and respond to such a submission, and, indeed, they might interpret such a submission as willful “too-clever-by-half” non-compliance with the spirit of the law, if not the letter.
The other big risk is regulatory capture. KYC and AML regulations are complex and expensive and widely known to be ineffective, yet they remain in place in part because financial services incumbents know that regulatory complexity is a major barrier to competition. A flood of complex regulations or directions on implementation could dramatically slow the growth of the DeFi ecosystem.
Against all those risks, there is one final countervailing force: It is difficult to kill a decentralized system. Just ask the Recording Industry Association of America. Streaming music services today are a veritable miracle compared to the world we lived in during the 1990s. My children will never know the horror of having to buy an entire album just to listen to one good song. They will never tape a single song from the radio. And none of this would ever have happened without BitTorrent, the fully and properly decentralized data network.
Napster, the original streaming service, was easy to kill because it wasn’t really decentralized. BitTorrent was decentralized and remains so. In fact, if you really want to steal some music you still can, and you can still do it with BitTorrent. Why don’t more people bother? Because, given the opportunity to pay for a reasonably priced streaming service (with digital rights management so well executed it’s barely noticeable), most people find that is enough.
There is no reason to believe that we cannot, in the future, see the same for regulatory balance when it comes to DeFi as we have in the world of digital entertainment – leading to a huge range of services far better than the ones we use today. Like the internet, it will at times feel a little limiting compared to the truly open ecosystem we enjoy today, but, done well, it will be cheap, effective, automated and nearly invisible to most users.