Aug 1, 2023 - 52min
EPISODE 40
TRM Talks: Answering the Questions in Treasury's DeFi Risk Assessment
With Rebecca Rettig, and Michael Mosier, and Jai Ramaswamy and
In April 2023, the US Department of the Treasury published its Illicit Finance Risk Assessment of Decentralized Finance. TRM’s Ari Redbord hosted a TRM Talks with experts on DeFi regulation, Rebecca Rettig, Chief Legal Officer at Polygon Labs; Michael Mosier, co-founder of Arktouros PLLC and former Acting Director of FinCEN; and Jai Ramaswamy, Chief Legal Officer of A16Z and former DOJ money laundering chief, to discuss questions posed in the risk assessment.
Watch the video replay to catch the full conversation and read our recap below for a quick overview of the main discussion points.
US Treasury’s DeFi Risk Assessment is just a first step
The panelists welcomed Treasury’s Risk Assessment as, what Treasury’s Caroline Horres called a “discussion starter” in an earlier TRM Talks on the risk assessment. Before any rule setting occurs the risk assessment sets out, contextualizes and defines the risks around DeFi which our panelists agreed was the right approach.
Mr. Mosier praised the risk assessment’s “intellectual honesty” for framing the risks around DeFi as being of a “lower priority for industry and policymakers” than those linked to fiat currency or centralized cryptocurrency financial crime, given that it constitutes just a small proportion of the overall virtual assets market. He characterized the document as a “helpful signpost of how to prioritize addressing illicit finance risks.”
A key challenge facing industry is to align on a definition of “DeFi services” to determine the extent to which they fall under the current U.S. AML regime
The risk assessment asserts that the Bank Secrecy Act (BSA) – the U.S. AML regime – applies to what it calls “DeFi services.” However, it is unclear what precisely is covered by this term, and the document itself acknowledges that sector participants conceive of DeFi in various – often inconsistent – ways. The document asks what factors should be considered to determine whether DeFi services are akin to financial institutions as defined by the BSA.
Ms. Rettig described this question as “one of the trickiest” in the risk assessment. In her view, while some “services” currently considered within the DeFi umbrella contain centralized aspects, this alone should not necessarily mean they are automatically defined as financial institutions.
A central aspect to consider is the types of activities carried out by DeFi and whether they should all be placed in the same “financial services” bucket. For example, does being a multi-signature wallet holder really equate to the types of activities performed by securities or commodities brokers? Other relevant factors include the specific responsibilities of anybody whio could be deemed as a centralized point of contact within the software-based systems, as well as the definition of the term “financial institution,” which does not currently extend to software. According to Ms. Rettig, we should think practically about how and where regulation would attach in DeFi.
Existing blockchain intelligence tools work and are a vital resource in the fight against illicit finance
Deploying existing resources effectively – rather than attempting to build a new toolkit from scratch or extending the regulatory parameter – holds the key to addressing illicit finance vulnerabilities in the financial system.
Resourcing efforts should focus on where money laundering is occurring in the ecosystem, Mr. Ramaswamy continued, which means targeting on- and off-ramps, and the strategies that have already proved most successful. For example, Mr. Ramaswamy explained, “In most money laundering cases – particularly those occurring in offshore jurisdictions – prosecuting individuals is becoming increasingly difficult.” Instead, the interdiction model – disrupting illicit money flows via asset forfeiture – “has become a far more powerful tool in this ecosystem than it can be in traditional finance, because all you have to do … is identify proceeds with criminal activity.”
According to the discussion, extending the regulatory perimeter could also pose a number of legal concerns linked to data privacy and security that warrant careful attention. It will be important to balance civil liberties with the need for security as more and more people transact in an open and decentralized financial system.
Public-private sector collaboration is essential - both for mitigating DeFi risks beyond the reach of the BSA and for stemming broader AML/CFT non-compliance
In terms of boosting BSA compliance in the DeFi space, Mr. Mosier emphasized that positive engagement with industry - that is, government working with and not against the DeFi sector - will be crucial. First, for seeking “natural alignment” on the extent to which DeFi falls within the BSA, and second for reminding industry players of their regulatory obligations.
In terms of broader DeFi risk mitigation, Mr. Ramaswamy highlighted that there are structures within Treasury that have been working on this area for some time - including the Office of Cybersecurity and Critical Infrastructure Protection (OCCIP). The private sector is similarly active in this space - with companies such as TRM sharing risk indicators independently of regulatory authorities. A big part of furthering Treasury’s work in this area will come from creating appropriate environments - similar to OCCIP - for information-sharing.
Mr. Ramaswamy noted that it’s possible that a Self-Regulatory Organization (SRO) model will start to emerge. An important aspect of its effectiveness hinges on cross-border information sharing, which is becoming easier with blockchain-based activity – due to the removal of much of the red tape and time constraints associated with traditional international information-sharing. Mr. Mosier pointed to Chainabuse, a community site for crowd sourced scams and fraud in crypto, as an example of industry leadership and collaboration.
According to Ms. Rettig, industry has an opportunity to lead the way on shaping broader risk mitigation in the DeFi space, and should not be passive in waiting for legislation to emerge.
The DeFi regulation debate does not stop here: other factors - including future blockchain use cases - should also be taken into consideration
The Risk Assessment poses a number of salient questions for industry to consider. Yet there are myriad other factors that should also be included in the conversation.
For one thing, with DeFi usage still in its infancy, the exploration of its future potential could help inform the future legislative landscape, so that the regulatory environment benefits society in the long-run and does not undermine the positive future impact of DeFi. To this end, Ms. Rettig and Polygon Labs are currently exploring the value proposition for blockchains across a range of use cases - spanning finance, social media, art, sustainability initiatives and others - via TheValueProp, a database.
Other relevant considerations include the potential impact on data privacy and security, both from a potential extension of the regulatory perimeter and of increased international and public-private sector information-sharing. Despite the many benefits of the latter in the fight against illicit finance, society at large needs to think about the consequences of a “default public world” and the security pitfalls associated with offering up further cybersecurity vulnerabilities for bad state actors to exploit.
From this engaging and wide-ranging discussion, one thing is clear: Treasury’s Risk Assessment has provided rich food for thought and identified a number of focal areas for professionals to consider as the DeFi regulation debate moves forward into its next phase.
About the guests
Rebecca Rettig is the Chief Legal & Policy Officer at Polygon Labs, where she both oversees the global legal team and works on international policy issues to ensure that the web3 community’s interests are represented with policymakers and regulators across the globe. Previously, Rebecca served as General Counsel of the Aave Companies where she oversaw the legal and compliance functions, coordinating across numerous web3 software protocols and other potential product lines and across all departments within the company. Prior to her time at the Aave Companies, Rebecca was a partner at various large law firms, including Manatt Phelps & Phillips LLP, representing software development and other companies in the blockchain and crypto space for many years. She spent many years of her career at Cravath, Swaine & Moore LLP, as a litigator and regulatory enforcement lawyer.
Michael Mosier is a co-founder of Arktouros PLLC. He has twice been the first in-house counsel at emergent technology companies: Chainalysis (blockchain analytics/investigations) and Espresso Systems (cross-chain composability & configurable privacy). He has served as an independent board director and chair of the Government Security Committee for an artificial intelligence and autonomous vehicle systems public company operating under a Committee on Foreign Investment in the United States (CFIUS) National Security Agreement.
In public service, Michael was Acting Director, Deputy Director, and the first Digital Innovation Officer of the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), where he worked closely with federal, state, and international counterparts on the development and implementation of policy and regulation, as well as launching digital identity and privacy-enhancing technology initiatives to advance personal sovereignty and opportunity. He also was Counselor (Cybersecurity & Emerging Technology) to the Deputy Secretary of the Treasury.
Previously, Michael served as Associate Director and Acting Deputy Director of Treasury’s Office of Foreign Assets Control (OFAC), leading the Office of Compliance & Enforcement and Office of Sanctions Policy & Implementation.
Before Treasury, Michael was a Deputy Chief in the Department of Justice’s Money Laundering Section, where he created and led the Special Financial Investigations Unit. He also served at the White House National Security Council as Director for Transnational Organized Crime.
Michael has been an adjunct professor (Advanced Evidence for Trial) at Georgetown University Law Center and began his public service as a prosecutor with the Manhattan District Attorney’s Office.
Michael is also an investor with ex/ante, an early-stage venture fund investing in technology that advances human agency and democratic resilience.
Jai currently oversees the legal, compliance, and government affairs functions at Andreessen Horowitz as Chief Legal Officer. He was previously the Chief Risk & Compliance Officer at cLabs, working on Celo, a mobile-first platform that makes financial dApps and crypto payments accessible to anyone with a mobile phone. Jai also spent several years in the financial services industry as the Head of Enterprise Risk Management at Capital One and the Global Head of AML Compliance Risk Management at Bank of America/Merrill Lynch. Before joining the private sector, he served for over a decade at the Justice Department, as a white collar crime prosecutor in the Southern District of New York, at headquarters in the Computer Crime and Intellectual Property Section, and later as Chief of the Asset Forfeiture and Money Laundering Section — a role in which he oversaw the prosecutions of BNP Paribas and HSBC for Bank Secrecy Act, Patriot Act and sanctions violations. Jai has an undergraduate degree in government and economics from Harvard University, a law degree from the University of Pennsylvania Law School and a doctorate in social and political science from Cambridge University, U.K.
More TRM Talks
Subscribe to TRM Talks
Subscribe to be the first to hear about new episodes, and to stay in the know about all things blockchain technology and crypto policy.
