TRM Talks: Regulation in the Age of DeFi

Over the last year, we have seen global policy makers build the beginnings of comprehensive legal frameworks for digital assets.

Just in the last two weeks, the United Kingdom, Australia and Dubai all released consultations and regulations that address the digital assets landscape. These frameworks all have two things in common.

First, they are all an attempt to provide guardrails for consumers and investors while at the same time attempting to foster innovation. Second, none of them address decentralized finance (DeFi).

Even as regulators and policymakers across the globe create rules for cryptocurrency exchanges and other centralized entities, the question of  what regulation will look like in a truly decentralized space remains.

To tackle this question, last month, TRM Talks was joined by Salman Banaei of Uniswap Labs, Chris Brummer of Georgetown University Law Center, Carole House of Terranet Labs, Michael Mosier of Espresso Labs, Kristin Smith of the Blockchain Association, Alex Levitov of K2 Integrity and Patrick South of TRM Labs.  TRM’s policy team has unpacked the key takeaways from this session.

A quick primer into what DeFi is

DeFi is an on-chain, peer-to-peer network of financial services allowing users to earn interest, buy insurance, trade derivatives and assets, borrow, lend and more, without requiring paperwork or third party involvement.

Like cryptocurrency, DeFi is global, peer-to-peer (meaning directly between two people, not routed through a centralized system) as well as pseudonymous and open to all. In DeFi, users typically engage with smart contracts, which are programs that are stored on a blockchain that run when predetermined conditions are met.

Are DeFi projects regulated entities for purposes of AML compliance?

The answer to this question is a resounding maybe.

For the most part, global regulators have not weighed in on the question. The Financial Action Task Force (FATF) – the global AML standard setting body – has opined that while smart contracts themselves are not virtual asset service providers (VASPS) and therefore do not need to implement compliance controls, many “DeFi” projects are not actually decentralized and, therefore, may be required to do compliance. FATF suggests an “owner/operator” test to determine whether or not a DeFi entity is actually decentralized or a “DINO” (decentralized in name only).

While only a few regulators have weighed in – Abu Dhabi’s Global Markets (ADGM) published a discussion paper last year – we are poised to see more activity in the next two years.

In this TRM Talks, former White House National Security Council (NSC) official, Carole House, echoed FATF’s concerns. “The reality is that a lot of entities that are currently claiming to be decentralized end up not being quite so.”

However, Ms. House then pivoted to another central issue in the DeFi ecosystem – the scourge of hacks and attacks particularly by nation state actors like North Korea. Ms. House explained that policy makers must address “issues around standards, expertise, compliance, consumer exploitation, market protections, illicit finance and sanctions regimes,” in order to stop attacks and maintain the integrity of the DeFi space.  

How are regulators engaging with the DeFi ecosystem?

During this TRM Talks discussion, there was consensus that we should expect regulators to start thinking in meaningful ways about the unique challenges and opportunities when it comes to regulation in a more decentralized space.

As Salman Banaei explained, “The conversation is getting more and more mature particularly outside the U.S.,” highlighting two specific initiatives.

First, Mr. Banaei pointed to Singapore’s “Project Guardian,” a collaborative initiative with the financial industry that seeks to test the feasibility of applications in asset tokenization and DeFi while managing risks to financial stability and integrity involving JP Morgan, Standard Chartered, UBS and others. Mr. Banaei also pointed to the Bank of International Settlements’ (BIS) “Project Mariana,” which is looking at leveraging an automated market maker protocol to support CBDC FX settlements.”

What are innovative solutions to compliance in the age of DeFi?

The panel of experts kept coming back to the idea of digital identity to address some of the unique challenges of a decentralized space.

A digital identity is a collection of information about a person that exists online that, when grouped together, can provide a digital representation of an individual. In addition, states and even private entities can issue a digital ID. Businesses can use that information to establish the identity of their customers. The idea is that digital identity can potentially be used to verify a DeFi user's identity playing a KYC-esque function in a decentralized space.

Former FinCEN Acting Director Michael Mosier explained that FinCEN has been thinking about the use of digital identity from both risk mitigation and privacy perspectives for some time. Mr. Mosier explained, “Particularly in this era of deep fakes, the idea that we're just going to take a snapshot of you next to your license and that's really all we need for KYC is really not going to work.” He continued,  “This creates vulnerabilities by creating honeypots of information.” Mr. Mosier opined that digital identity can help solve illicit finance risks through on-chain KYC, but could also help mitigate risks to individuals and their valuable personal identifiable information (PII).

Georgetown Professor Chris Brummer also pointed out the possibilities that DeFi offers for the regulatory space. While we tend to think of DeFi in terms of financial services, Professor Brummer pointed out that “even regulators themselves may be pleasantly surprised by blockchain-based solutions that harness the power of blockchain technology for market integrity, to combat money laundering, illicit finance and other risks.”

Uniswap’s Salman Banaei provided data to support Professor Brummer’s assertion, explaining, “In contrast to the traditional financial system, the DeFi ecosystem actually compares quite favorably when it comes to the percentage of illicit activity, [which is] about 0.1 or 0.2%, depending on the most recent data sets. And then there's seizure rates. So we're seeing seizure rates towards  26-27% of illicit activity on public open permissionless blockchains, versus less than 1%, citing World Economic Forum (WEF) data.”

Throughout the discussion, there was consensus  around the fact that when it comes to illicit finance risks, much of the illicit activity today is occurring at off ramps where cryptocurrency can be converted to fiat and, therefore, there are significantly greater risks in the centralized crypto ecosystem than in the DeFi space. In other words, much of the illicit activity today occurs at conversion points.

When might we see a legal framework for DeFi in the United States?

Despite the promise of the technology, and even the possibility of self-regulation, according to Blockchain Association Executive Director Kristin Smith, we are not likely to see legislation in the U.S. anytime soon. Unlike issues such as stablecoins and regulating exchanges, around which we have seen robust discussion, DeFi is a nascent space.

Ms. Smith explained, “I think our goal right now at Blockchain Association is to decouple centralized exchange or centralized platform regulation from any sort of DeFi regulation.” Ms. Smith continued to explain that the key is education when it comes to DeFi, harkening back to 2019 when policy makers first learned about stablecoins in the wake of the launch of Facebook’s failed Libra project. We are only now reaching some consensus on dollar-backed stablecoins – a relatively simple issue compared to DeFi’s challenges and opportunities.

And, education will likely take some time. As TRM’s Patrick South explained, if there is a silver lining in the collapse of FTX, it is that policy makers have started to make a distinction between centralized crypto, which operates more like traditional financial institutions, and DeFi, where users engage with smart contracts. Mr. South explained that events like FTX and 3 Arrows Capital “were really driven by off-chain liabilities,” and the “DeFi landscape remained relatively unscathed.” This was, according to Mr. South, due to “the true underlying virtues of DeFi,” data that is transparent, traceable, public, permanent, private, and programmable, which can enable safety layers and risk management.

How are financial institutions engaging with DeFi today?

While we are still not sure whether or not certain DeFi projects will be regulated entities, we do know that regulated entities with risk-based AML compliance programs such as cryptocurrency businesses and traditional financial institutions are looking to engage with decentralized finance today. So, how can these businesses engage safely with DeFi in the confines of a risk-based AML approach?

K2 Integrity's Alex Levitov explained that many financial institutions are apprehensive to engage with DeFi – for example, funding  a liquidity pool– because of a lack of regulatory clarity. Financial institutions, in order to engage with DeFi, will seek to understand issues such as beneficial ownership for a decentralized and autonomous entity.

According to Mr. Levitov, at present, financial institutions tend to look to enforcement actions and other indicators  of how regulators are thinking using OFAC’s sanctions against decentralized mixer Tornado Cash as an example.

What role can technology play for risk management in a DeFi world?

Technology has a significant role to play in a DeFi world.

Advanced blockchain intelligence software can generate real-time risk scores for smart contract addresses, monitor exposure to sanctioned entities, money laundering, fraud, financial crime and other illicit activities such as scams, hacks and ransomware attacks. These tools can identify and screen against risk exposure in liquidity pools that can range from sanctions, terrorist financing, ransomware, to child sexual abuse materials. In addition, they  can help businesses decide whether they should engage or continue to engage with that pool, essentially facilitating a risk based approach.

At its core, risk management is not a binary world, so every approach will be slightly different. In general, when a compliance professional is alerted to risk from a DeFi protocol, they will assess the next steps within their organization’s risk management framework. This can mean further investigation, filing a SAR, alerting law enforcement or disengaging with the platform.

Additionally, if a regulated entity is engaging with DeFi, it should likely be performing continuous monitoring on that pool to mitigate the risk of exposure to high-risk categories. If a new risk occurs, compliance teams must have a plan in place to mitigate that risk by investigating and reporting the suspicious activity

‍What will the future bring for DeFi regulation?‍

As we look to the future, we are likely to see a move toward an increasingly  decentralized world where users will be engaging with on-chain peer-to-peer financial services. That new world will come with great challenges, such as a continued litany of hacks on the DeFi ecosystem, but  will also present tremendous opportunities to harness the native power of blockchains.