DeFi is an acronym for Decentralised Finance, a concept representing the shift away from intermediaries within financial product offerings to direct peer-to-peer interactions.
To get rid of intermediaries, DeFi protocol developers use smart contracts – programmable financial instruments launched on accommodating blockchains and made available to everyone on the internet.
In addition to its programmability and ease of availability, the DeFi system is characterised by certain other attributes:
With crypto-assets locked within DeFi smart contracts at one point exceeding a total of USD 240 billion in 2021, it is clear that the crypto subsector is quickly gaining ground across the globe.
DeFi’s proponents propose many real-world applications. Incorporating assets like real estate, intellectual property rights, and fiat currencies, among others, seems to be the next step in the development and further expansion of the DeFi system.
When it comes to AML/CFT measures, the idea of the mass adoption of DeFi poses as many risks as it does benefits. The global AML program run by the FATF is based on the five core principles of anti-money laundering.
The five principles of AML include:
Given the decentralised nature of the DeFi system and the absence of any administrative intermediary, determining the entity responsible for applying these principles has become a problem. If DeFi is left wholly unregulated, without these AML principles, this creates an opening that money launderers, terrorism financiers and other criminals will exploit.
It is harder for FIUs to identify the physical entities to target for investigations or seizure of assets in DeFi. Additionally, the global reach of DeFi services means they can be accessed from anywhere in the world, and territorial jurisdictions and regulations are a hurdle to proper investigations into illegal activities. Where money laundering activities are run cross-border between territories with weak AML compliance, regulation and strict law enforcement become exceptionally hard.
The principle of internal control policies involves implementing a Know Your Customer (KYC) AML policy, requiring the identification of individuals wishing to interact with DeFi.
It also involves identifying risk models based on customer information and maintaining constant monitoring of suspicious transactions from individuals with risky profiles. DeFi makes this more difficult due to the ubiquitous use of unhosted wallets. However, the forced application of the Travel Rule minimises this risk.
Identified pitfalls in the DeFi system have attracted criminal entities looking to exploit it, with 2021 seeing a major influx of them. The value of these thefts amounted to over USD 10 billion in 2021, a 137% increase YoY. Notable DeFi hacks during 2021 include the hacks of Poly Market, Cream Finance and DAO Maker, among many others. DeFi’s innovations have led to unique hacking cases such as the exploits of stablecoin pegs tied to the strength of a token (algorithmic stablecoins), i.e., Iron Finance’s TITAN token and its intrinsically linked stablecoin IRON.
With an increasing interest in Decentralised Finance by retail and institutions alike, the FATF has developed appropriate guidelines.
These guidelines are aimed at facilitating the coexistence of DeFi with current frameworks and the increased adoption of the technology whilst minimising its vulnerabilities.
It is argued that many DeFi platforms are not as “decentralised” as they claim to be, as the FATF says DeFi protocol developers undoubtedly have individuals who control and influence activities within them.
The FATF identifies DeFi protocol developers as Virtual Asset Service Providers (VASPs) in a bid to define them and bring them under regulations. It advises jurisdictions to define developers as VASPs and impose AML compliance on them.
In the Financial Action Task Force’s Updated Guidance on a risk-based approach to Virtual Assets and Virtual Asset Service Providers issued on 9th March 2021, the owners or operators of decentralised exchanges (DEXes) and decentralised applications (DApps) are identified as Virtual Asset Service Providers themselves.
Some DeFi platforms have been quick to embrace consumer protection in the face of inevitable incoming regulatory crackdowns. On the 23rd of July 2021, Uniswap Labs announced the removal of certain ‘fake’ tokens from its company-controlled web interface (Coinfirm found in October 2021 that 44.73% of Uniswap V2 liquidity pools may have been rug pulls). This demonstrates that actors do control decentralised finance applications and that their developers should be held to account for financial consumer protection.
Unhosted wallets have been seen as dangerous entities to deal with, considering they have the most autonomous existence in the DeFi space. The FATF advises a Risk-Based Approach to deal with them, with compliant VASPs either limiting transactions and their volumes or entirely banning interactions.
Blockchain analysis software programs are, however, important tools for assistance in the case that VASPs do not intend to apply an outright ban.
In the U.S., FinCEN’s proposed Self-Hosted Wallet Rule, published on 15th January 2021, is a potential regulation seen as having a direct impact on DeFi. Users who wish to transfer cryptocurrencies from centralised exchanges to a private or ‘self-hosted’ wallet will be required to give personal information about the beneficiary of the wallet in question to the VASP if the value sent is greater than 10,000 USD in one day. VASPs will additionally be required to submit and store records involving unhosted wallets for transactions with a total value of over 10,000 USD in a given reporting period, or just maintain records for transactions over 3,000 USD.
And in Singapore and Switzerland, licensed and regulated exchanges dealing with crypto assets must already KYC-verify the ownership of unhosted wallets before sending funds to them to avoid AML and CFT risks.
The Travel Rule was recommended by the FATF in 2019 for adoption by crypto asset-based businesses, with the goal of encouraging the transfer of information between VASPs.
Sadly, a vast majority of the compliant jurisdictions are yet to implement this directive, possibly due to the difficulty in identifying VASPs within their jurisdictions.
Unless VASPs willingly operate in a permissioned environment further bolstered by the adoption of the AML and KYC policies, applying the Travel Rule is made easier with partners such as Notabene.
One measure that proves effective in compliance is placing individuals or entities on sanction lists.
Sanction lists, such as those regularly updated by the U.S. Office of Foreign Assets Control (OFAC), are lists of entities flagged for illegality. This helps filter out the platforms VASPs deal with to protect all participants on their network.
VASPs operating in permissionless DeFi environments may be placed on these sanction lists, with compliant VASPs directed to blacklist them. An example of this came in September last year, when OFAC targeted SUEX OTC, S.R.O. (“SUEX”), a crypto exchange based in Russia, for its part in facilitating transactions for ransomware actors.
Alternatively, they may be directed by a Financial Investigative Unit (FIU) to establish a Risk-Based Approach in their transactions.
These options will help convince DeFi platforms and protocol developers to adopt AML and KYC policies, as dealing with any sanctioned entity will in turn result in harsh penalties issued against the entity.
An abandonment of total anonymity within the DeFi framework is a concept that must be accepted by VASPs and users.
It may take some time before most national financial regulators, DeFi developers, and participants comfortably deal with one another in an AML-compliant manner.
Blockchain analysis tools are identified as the best resource in securing your existence within virtual DLT and blockchain-based frameworks.
One firm that comprehensively covers AML needs in DeFi is Coinfirm. Designed for cryptocurrency exchanges and custody providers, our various products offer our clients automated counterparty screening and analysis within their DeFi liquidity pools.
Some DEXes and DeFi platforms that offer exchange services alongside their primary offerings have begun to explore the issue of compliance. Through advanced data analysis, counterparties are scored and risky entities are identified, a solution needed to keep DeFi interactions as safe as possible. Compliance by DeFi platforms with many of these jurisdictions’ proposed and current legislation can be achieved by utilising regulatory technology oracles – such as the AMLT Oracle – that maintain the same high level of AML and CFT compliance as a centralised VASP.
The theft of funds doesn’t just affect participant users but places a cloud of doubt on the integrity and reliability of VASPs. Regulators have little to gain in banning DeFi, given the level of financial development it is delivering, whilst DeFi developers gain little by allowing perpetrators to freely get away with stealing their clients’ funds and damaging the integrity of their platforms.