Why DeFi Startups Need to Implement AML


What is DeFi?

DeFi is an acronym for Decentralised Finance, a concept representing the shift away from intermediaries within financial product offerings to direct peer-to-peer interactions.

To get rid of intermediaries, DeFi protocol developers use smart contracts – programmable financial instruments launched on accommodating blockchains and made available to everyone on the internet.

In addition to its programmability and ease of availability, the DeFi system is characterised by certain other attributes:

  • Immutability: Thanks to the blockchain, the DeFi system remains tamper-proof. Stored data remains uniform and smart contracts are not changeable.
  • Interoperability: Most blockchains, especially Ethereum, the main chain DeFi applications are built on, run on open-source code, with the community offering a stack of software to protocol developers. This not only helps with integrating new DeFi protocols with the blockchain but also makes integrating with other existing protocols, applications, and infrastructure easier.
  • Transparency: Most blockchains are also publicly hosted, with every user possessing ledgers and every transaction available to view. Although addresses are pseudo-anonymous within these public networks, transparency in this form means network activities are available to all users and in-depth analysis of the entire blockchain’s transaction volume is made easier. This transparency is an improvement for financial systems and a founding principle of Bitcoin itself.
  • Permissionless: Unlike in legacy fiat systems, engaging in DeFi smart contracts typically requires no permission from any centralised intermediary. Anyone on the internet who possesses a crypto wallet is free to engage with them, regardless of geographical location or, sometimes, without needing a minimum amount of digital assets to use as collateral.

DeFi and AML Policies

With crypto-assets locked within DeFi smart contracts at one point exceeding a total of USD 240 billion in 2021, it is clear that the crypto subsector is quickly gaining ground across the globe.

DeFi’s proponents propose many applications to the real world. Incorporating assets like real estate, intellectual property rights, and fiat currencies, among others, seems to be the next step in the development and further expansion of the DeFi system.

When it comes to AML/CFT measures, the idea of the mass adoption of DeFi poses as many risks as it does benefits. The global AML recommendations by the FATF are based on the five core principles of anti-money laundering. 

The five principles of AML include:

  • Assignment of a Compliance Officer
  • Internal AML Control Policies and Procedures 
  • Constant Employee Training
  • Independent Review
  • Customer Due Diligence

Given the decentralised nature of the DeFi system and the absence of any administrative intermediary, determining the entity responsible for applying these principles has become a problem. If left wholly unregulated, without these AML principles, DeFi creates an opening that money launderers, terrorism financiers and other criminals will exploit.

It is harder for FIUs to identify the physical entities to target for investigations or seizure of assets in DeFi. Additionally, the global reach of DeFi services means they can be accessed from anywhere in the world, and territorial jurisdictions and regulations are a hurdle to proper investigations into illegal activities. Where money laundering activities are run cross-border between territories with weak AML compliance, regulation and strict law enforcement across jurisdictions become exceptionally hard.

The principle of internal control policies involves implementing a Know Your Customer (KYC) AML policy, requiring the identification of individuals wishing to interact with DeFi.

It also involves identifying risk models based on customer information and maintaining constant monitoring of suspicious transactions from individuals with risky profiles. DeFi makes this more difficult due to the ubiquitous use of unhosted wallets. However, the forced application of the Travel Rule minimises this risk.

Identified pitfalls in the DeFi system have attracted criminal entities looking to exploit it, with 2021 seeing a major influx of them. The value of these thefts amounted to over USD 10 billion in 2021, a 137% increase YoY. Notable DeFi hacks during the year 2021 include the hacks of Poly Market, Cream Finance and DAO Maker among many others. DeFi’s innovations have led to unique hacking cases such as the exploits of stablecoin pegs tied to the strength of a token (algorithmic stablecoins), i.e., Iron Finance’s TITAN token and its intrinsically-linked stablecoin IRON.

FATF’s AML Policy Guidelines for Adopting DeFi

With an increasing interest in Decentralised Finance by retail and institutions alike, the FATF has developed appropriate guidelines. 

These guidelines are aimed at facilitating the coexistence of DeFi with current frameworks and the increased adoption of the technology whilst minimising its vulnerabilities.

Identification of DeFi Protocol Developers as VASPs

It is argued that many DeFi platforms are not as “decentralised” as they claim to be, as the FATF says DeFi protocol developers undoubtedly have individuals that control and influence activities within them.

The FATF recommends that DeFi protocol developers may be identified as Virtual Asset Service Providers (VASPs) in a bid to define them and bring them under regulations. It advises jurisdictions to define developers as VASPs and impose AML compliance on them. 

In the Financial Action Task Force’s Updated Guidance on a risk-based approach to Virtual Assets and Virtual Asset Service Providers issued on 9th March 2021, decentralised exchanges (DEXes) and decentralised applications’ (DApps) owners or operators may be identified as Virtual Asset Service Providers themselves.

Some DeFi platforms have been quick to embrace consumer protection in the face of inevitable incoming regulatory crackdowns. On the 23rd of July 2021, Uniswap Labs announced the removal of certain ‘fake’ tokens from its company-controlled web interface (Coinfirm found in October 2021 that 44.73% of Uniswap V2 liquidity pools may have been rug pulls). This demonstrates that actors do control decentralised finance applications and that their developers may need to be held to account for financial consumer protection.

Limiting Interactions with Unhosted Wallets

Unhosted wallets have been seen as dangerous entities to deal with, considering they have the most autonomous existence in the DeFi space. The FATF advises a Risk-Based Approach to deal with them, with compliant VASPs either limiting transactions and their volumes or entirely banning interactions.

Blockchain analysis software programs are, however, important tools for assistance in the case that VASPs do not intend to apply an outright ban.

In the U.S., FinCEN’s proposed Self-Hosted Wallet Rule, published on 15th January 2021, is a potential regulation seen as having a direct impact on DeFi. Users that wish to transfer cryptocurrencies from centralised exchanges to a private or ‘self-hosted’ wallet will be required to give personal information about the beneficiary of the wallet in question to the VASP if the value sent is greater than 10,000 USD in one day. VASPs will additionally be required to submit and store records involving unhosted wallets for transactions with a total value of over 10,000 USD in a given reporting period, or just maintain records for transactions over 3,000 USD.

Increased Implementation of the Travel Rule

The Travel Rule was recommended by the FATF in 2019 for adoption by crypto asset-based businesses, with the goal of encouraging the transfer of information between VASPs.

Sadly, a vast majority of the compliant jurisdictions are yet to implement this directive, possibly due to the difficulty in identifying VASPs within their jurisdictions.

Unless VASPs willingly operate in a permissioned environment further bolstered by the adoption of AML and KYC policies, applying the Travel Rule is made easier with partners such as Notabene.

AML Compliance as a Decentralised Finance Entity

An abandonment of total anonymity within the DeFi framework is a concept that must be accepted by VASPs and users.

It may take some time before most national financial regulators, DeFi developers, and participants comfortably deal with one another in an AML-compliant manner.

Blockchain analysis tools are identified as the best resource in securing your existence within virtual DLT and blockchain-based frameworks. 

One firm that comprehensively covers AML needs in DeFi is Coinfirm. Designed for exchanges and custody providers for cryptocurrencies, our various products offer clients automated counterparty screening and analysis within their DeFi liquidity pool.

Some DEXes and DeFi platforms that offer exchange services alongside their primary offerings have begun to explore the issue of compliance. Through advanced data analysis, counterparties are scored and risky entities are identified, a solution needed to keep DeFi interactions as safe as possible. Compliance by DeFi platforms with many of these jurisdictions’ proposed and current legislation can be achieved by utilising regulatory technology oracles – such as the AML Oracle – that maintain AML and CFT compliance.

The theft of funds doesn’t just affect participant users but places a cloud of doubt on the integrity and reliability of VASPs. Regulators have little to gain from banning DeFi, given the level of financial development it is delivering, whilst DeFi developers gain little by allowing perpetrators to freely get away with stealing their clients’ funds and damaging the integrity of their platforms.