FATF and the future of decentralised finance – International Financial Law Review

The Financial Action Task Force (FATF) is the international
body that coordinates the development of international standards on combating
money laundering and the financing of terrorism and weapons proliferation. FATF
implements these standards through a series of recommendations to national
governments, who are ultimately responsible for their implementation.

On March 19 2021, FATF published a draft of its upcoming
revised guidance (the draft guidance) on the recommended risk-based approach
applicable to entities engaging in activities involving virtual assets (VAs),
including traditional financial institutions, as well as entities considered
virtual asset service providers (VASPs). The proposed revised recommendations
in the draft guidance (the VA Recommendations) clarify FATF’s most current
recommendations contained in the final guidance on VAs and VASPs, which was
published in June 2019 (the 2019 guidance). The draft guidance is currently
open to public consultation and is expected to be published in final form in
June 2021.

The 2019 guidance explicitly placed anti-money laundering
and countering the financing of terrorism (AML/CFT) obligations on entities
considered VASPs. However, the
definition of VASP in the 2019 guidance was relatively narrow, focusing on
those entities, such as centralised digital asset exchanges, with a custodial
relationship with VAs on behalf of customers (i.e., knowledge of the private
keys needed to move the VAs from one blockchain address to another).

It was also generally
clear that providers of non-custodial software wallets (i.e., software that
allows a user to control their private keys and interact with others without
reliance on a third party), providers of multi-sig services (i.e., where a
third party may control a “1 of n” private key to provide added security to a
user), software-based “decentralised
exchanges” (i.e., platforms that allow for the atomic or instantaneous
exchange of one VA for another without the use of a third party), and other
non-custodial services, were not considered VASPs.

The draft guidance significantly expands on the 2019
guidance in a number of ways, including:

  • Providing guidance on how the VA Recommendations apply to what FATF refer
    to as “so-called stablecoins” (an intended swipe at the marketing of
    certain VAs);
  • Providing additional guidance on the risks and potential risk mitigants
    for peer-to-peer transactions;
  • Providing updated guidance on the licensing and registration of VASPs;
  • Providing additional guidance for the public and private sectors on the
    implementation of the travel rule;
  • Including principles of information-sharing and cooperation amongst VASP
    supervisors.

However, the most important aspect of the draft guidance is
likely that it broadens the definition of VA and clarifies that the definition
of VASP extends well beyond that suggested in the 2019 guidance. In particular,
the draft guidance clarifies that both of these definitions are intended to be
read expansively by national AML/KYC regulators and that there should not be a
case under national financial regulations where a financial asset is not
covered by the FATF Standards, either as a VA or as a traditional financial
asset.

Decentralised finance

Squarely in the sights of the draft guidance is the rapidly
growing area of decentralised finance (DeFi). 
The term DeFi is used to refer to financial tools built on open
(permissionless) blockchain-based networks, most notably Ethereum. These tools
utilise VAs, such as bitcoin, ether, and other digital assets compatible with
the ERC-20 standard, and do not involve the “custodying” of these assets by any
individual or business. Instead, the relevant VAs are sent to the address of a
smart contract (computer code stored on the relevant blockchain network) where
the VAs will remain locked until a user or the relevant code sends the assets
elsewhere.

Accordingly, scale in DeFi is usually measured by total
value locked (TVL) – the total value (usually expressed in terms of US dollars)
of all the VAs locked in smart contracts at any given time. As of a recent date, almost $50 billion in VAs
were locked in DeFi smart contracts.

Unsurprisingly, DeFi platforms are generally promoted as
being decentralised, although what is meant by this term in this context is
open to debate. What can be said is that almost all DeFi products and services
are automated, meaning that once a transaction is initiated by a user, smart
contracts will carry out the transaction transparently and deterministically
without the use of intermediary entities. Anyone with access to the internet
can confirm the outcome of the transaction (although parties are identified
only pseudonymously through the blockchain addresses used to execute the
transaction).

Proponents of DeFi seek to create decentralised alternatives
to nearly every traditional financial service, including lending, retail
payments, deposit and savings accounts, swaps, options, and derivatives
transactions, insurance, and asset trading, exchange, and management.

How does all this magic occur? DeFi is able to function
without intermediaries because of a number of unique features. First, all DeFi
transactions are either prefunded by the user or overcollateralised by the
borrower. Second, due to the automation built into the various protocols,
remedial actions (such as margin calls or default enforcement) can occur
without the use of any time-consuming and costly legal process (and, of course,
without regard to any traditional rights parties may otherwise have under any
bankruptcy, reorganisation, or similar laws).

Third, many different digital assets have developed
extremely high levels of liquidity (at least most of the time), meaning that
pledged assets can be disposed of automatically and almost instantaneously
without needing to rely on human intervention to find a buyer.

Most importantly, these platforms seek to distinguish
between the smart contract code that is readily available to anyone interested
to copy and, perhaps, improve upon and the individuals and legal entities they
have formed to exploit and benefit from these various codebases. The former, it
is argued, are the equivalent of public utilities while the latter are
legitimate businesses that seek to benefit from these utilities in the same way
that any other business may choose to do. Complicating matters, many DeFi
platforms have issued digital assets (known as governance tokens) that allow
the owner of the token to vote on certain governance matters and, potentially,
receive a portion of the fees paid by users of the platform (generally, in the
form of an in-kind distribution of portions of the digital assets borrowed or
traded on the platform).

FATF’s response

Things move very quickly in the world of blockchain. When
the 2019 guidance was put in place, DeFi was barely a blip on the radar. Most VAs
were transferred between centralised digital asset exchanges or in privately
negotiated transactions from one wallet to another (known as the OTC market).
At that time, financial regulators around the world seemed content to focus on
ensuring that these centralised entities implemented rigorous KYC/AML
compliance programs and left it there. 

However, things changed dramatically in the summer of 2020
(which came to be known as DeFi Summer). A confluence of factors led to an
explosion in the use of these protocols and a virtuous cycle (which some might
call a bubble) of demand for, and interest in, DeFi protocols. These factors
included the successful deployment and maturing of a number of DeFi protocols,
including Compound (which recently became the first DeFi protocol to exceed US$10 billion in TVL), Uniswap, and
Aave; the introduction of rewards in the form of governance tokens and other new
VAs being distributed to those who made their existing VAs available for
liquidity for trading by others (known as liquidity farming); increasing prices
of “base assets” (bitcoin and ether) allowing more investors to feel bullish
about experimenting with DeFi, and the Covid-19 pandemic causing more people to
find themselves indoors with time on their hands. This activity fuelled
across-the-board asset price increases and in turn only created greater
enthusiasm among users.

This rapid growth in VA activity through the use of DeFi
protocols without a readily identifiable intermediary to be subject to AML/KYC
compliance obligations may have caught FATF off guard. DeFi protocols generally
operate in as frictionless a manner as possible and very few of these protocols
are programmed to provide any sort of automated KYC/AML compliance checks. In
fact, it is the opposite – most of these protocols allow users to interact with
the protocols without any checks or identification whatsoever.

This raised a critical question for FATF: what would become
of financial compliance if significant financial activity shifted to
decentralised finance?

The draft guidance provides a simple answer: there is no
such thing as “decentralised finance”. Introducing FATF’s revised position, the
draft guidance states: “Where customers can access a financial service, it
stands to reason that some party has provided that financial service, even if
the act of providing it was temporary or shared among multiple parties.” The
draft guidance then expounds on this idea in greater detail:

The determination of whether a service provider meets the definition of a VASP
should take into account the lifecycle of products and services. Launching a
service that will provide VASP services, for instance, does not relieve a
provider of VASP obligations, even if those functions will proceed
automatically in the future, especially but not exclusively if the provider
will continue to collect fees or realize profits, regardless of whether the
profits are direct gains or indirect. The use of an automated process such as a
smart contract to carry out VASP functions does not relieve the controlling
party of responsibility for VASP obligations. For purposes of determining VASP
status, launching a self-propelling infrastructure to offer VASP services is
the same as offering them, and similarly commissioning others to build the
elements of an infrastructure, is the same as building them.

The FATF’s position here amounts to a very dramatic shot
across the bow to the DeFi community. If you are building the codebase for a
DeFi protocol you intend to exploit or if you are otherwise directly or
indirectly economically benefiting from that codebase, then, if the draft
guidance is finalised in largely its current form and then adopted at the
national level, you likely will be considered a VASP. Once you are considered a
VASP, you would then be subject to the full range of compliance obligations that
a centralised entity, be it a traditional financial institution such as a bank
or broker-dealer, or a centralised digital asset exchange or custodian, would
have.

This would mean that not only would an identifiable person
or entity be required to conduct AML/KYC checks on the person that controls
each blockchain address that interacts with the DeFi protocol, but also that
sanctions checks – a notoriously tricky exercise that frequently produces false
positives due to subtle differences in the spelling of individuals’ names –
would also need to be conducted.

A determination would need to be made for each transaction
as to whether a suspicious transaction report (or the equivalent) would need to
be created and submitted to the appropriate authority. A qualitative risk-based
customer due diligence exercise would need to be conducted on the persons using
the protocol and the protocol’s VASP would need to consider whether they are
dealing with other VASPs such that they have entered into the equivalent of a correspondent
banking relationship with that VASP (and then conduct a risk-based diligence
exercise on that other VASP).

The VASP for the DeFi protocol would also need to figure out
how to implement the travel rule (a requirement designed for wire transfers between
traditional financial institutions where information about the sender and
recipient is tracked by the financial institutions processing the transfer and
available to law enforcement and financial intelligence units, among others).
In the United States, these new VASPs would likely need to obtain money
transmission licenses in a large number of states.

Although some of these requirements could in theory – at
least to some extent – be provided in an automated manner consistent with the
draft guidance, there are (at least) three fundamental problems. First, large
stores of personal data about the actual persons or businesses conducting the
transactions will have to be stored somewhere, opening up the possibility of a
cure worse than the disease – a major breach of these data stores, a particular
risk if compliance is being implemented through the use of rapidly assembled
automation platforms that haven’t been robustly tested. Second, many of FATF’s recommendations, being
intended for centralised entities, have judgmental elements that are simply not
possible to implement with automation. Hence, the apparent death knell for
DeFi.

Finally, as the draft guidance is framed, there could easily
be multiple non-affiliated persons or entities that would be considered a VASP
with respect to any given DeFi protocol. The draft guidance gives no clue about
how these multiple VASPs for the same protocol are meant to coordinate with
each other.

Impact on traditional and decentralised finance

Prior to the release of the draft guidance, there was a
reasonably clear correspondence between the responsibilities imposed on
traditional financial institutions and those imposed on centralised businesses
operating in the VA space. Although there are not insignificant costs involved
in developing and maintaining a compliance programme consistent with the
national implementations of FATF’s recommendations, there is no practical
reason why the FATF recommendations could not be adopted by VASPs that operate
on a centralised basis. Likewise, as traditional financial institutions
increase their engagement with VAs, it will be relatively straightforward for
these entities to complement their existing compliance programs with additional
elements designed specifically for their dealing in VAs.

The same is not true for the new class of inadvertent VASPs
that would be created by implementation of the draft guidelines. These are
individuals or businesses that helped to create DeFi protocols, who otherwise
benefit economically, or who effectively control these protocols, often through
the ownership of governance tokens. Whether an individual or a business, these
persons very likely do not have either the economic wherewithal or the needed
technical expertise to fulfil the obligations of a VASP.

Moreover, there are many practical questions that
immediately arise when attempting to apply compliance requirements on these
otherwise unsuspecting persons. For
example, as noted above, there could be more than one VASP for any given DeFi
protocol (for example, any holder of governance tokens could be considered a
VASP under the draft guidance). How would the requirements apply to these
multiple entities? Might one or more of these inadvertent VASPs cease being a
VASP with respect to the protocol at some point? Would selling your governance tokens
mean that you were no longer a VASP? If you bought some or all of the tokens
back, would you become a VASP again? If so, what does all this mean for
recordkeeping and reporting by these inadvertent VASPs?

In addition, FATF’s overall recommendations are clearly
intended to apply to institutions that are able to employ a chief compliance
officer, among many other things; how would a single individual comply? What penalties would apply to an individual
for failing to comply? Finally, what about DeFi protocols that have already
been created and are operational (but not otherwise in compliance and unlikely
to change that status) – would these be grandfathered in some way or would
there have to be a wave of look-back enforcement actions?

One might initially expect that the net result of the above
situation (which might broadly be categorised under “it’s a mess”) would be to
discourage the creation and maintenance of new DeFi protocols, full stop, and
ensure that most if not all activity with VAs eventually takes place using
centralized services. This would of course address the FATF’s concerns about
how to migrate their existing compliance framework originally designed for the
fiat financial system into the world of VAs. This outcome would likely also
suit traditional financial institutions, many of which initially steered wide
of permissionless blockchain networks and the digital assets they host, and
instead leaned into the much safer idea that the future of blockchain
technology was in permissioned networks and distributed ledger technology
(DLT). These institutions are now playing catch-up as they explore how to
provide services involving a wide range of digital assets.

However, the DeFi genie may not head back into the
traditional finance bottle quite so easily. The availability of interoperable,
composable and transparently deterministic decentralised finance protocols has
struck a major chord around the world. The interest in DeFi extends well past “crypto”
aficionados. Traders, bankers, and investors from the world of traditional
finance are daily discovering DeFi and abandoning traditional roles to help be
a part of the DeFi revolution.

Institutional funding is streaming into the space, funding
all manner of experimentation and research. Teams of only two or three skilled
developers can create innovative and popular new protocols in a mere matter of
months. Word of new protocols spreads virally among a devoted and well-informed
community without the need for traditional marketing budgets and external
advertising agencies.

Recognizing that DeFi is still in its infancy, participants
readily acknowledge the risks involved but maintain that more centralised
regulation is not the answer. Instead, proponents point to the remarkable level
of transparency inherent in DeFi protocols as a major advantage over
traditional financial services. Where regulators can watch the transactions
occurring on DeFi protocols in real time as they occur, supervision of traditional
finance is frequently a matter of “closing barn doors” – regulators generally
only get data after the underlying transactions have occurred.

Moreover, one of the most significant apparent drawbacks of DeFi
– the fact that activity is extremely capital intensive due to the required
overcollateralization of most activity (especially when compared with the
equivalent activity in traditional finance) – has been addressed in a very DeFi
way. Demand for credit in DeFi has led to the development of a vibrant on-chain
lending market in which participants in DeFi transactions can borrow through
other DeFi protocols. Hedging platforms and even protocols that resemble
insurance are rapidly coming online. 

The NFT wildcard

One almost completely unforeseen development over the last
several months has been the exponential increase in the awareness of, and
interest in, non-fungible tokens (NFTs). Popularity has grown significantly
among the general public – so much so that the widely distributed US television
programme, Saturday Night Live, recently featured a skit on NFTs.

NFTs are unique blockchain-based digital assets that can
reference artworks, video content (such as sports highlights), music files,
magazine covers or virtually anything else. NFTs allow the owner to assert a
special relationship with the underlying asset – much like having an
autographed sports card. However, because NFTs are built using composable smart
contract code, there is much more they can do, including changing the
underlying asset referenced upon transfer or reacting to the geolocation
associated with the wallet address in which the NFT is held. Although NFTs are
not inherently part of the DeFi landscape, their compatibility with the many
DeFi protocols already deployed and coming online means that they can be
implemented in many ways. Recently, the latest version of the Uniswap digital
asset exchange protocol (known as v3) implemented NFTs. Many other uses are
anticipated over the coming months.

FATF nodded toward NFTs in the draft guidance, stating that:

Flexibility is particularly relevant in the context of VAs and VA activities, which involve
a range of products and services in a rapidly-evolving space. Some items—or
tokens—that on their face do not appear to constitute VAs may in fact be VAs
that enable the transfer or exchange of value or facilitate [money laundering
or terrorism finance]. Secondary markets also exist in both the securities and
commodities sectors for “goods and services” that are fungible and
transferable. For example, users can develop and purchase certain virtual items
that act as a store of value and in fact accrue value or worth and that can be
sold for value in the VA space.

This observation is not surprising: traditional
artworks have acted as a readily transferable store of value for many years and
have likewise been used as part of the financing of illicit activities for equally
long. However, physical artworks must be handled by identifiable entities that may be
subject to the FATF recommendations. NFTs are another matter altogether. They are
highly liquid and can be easily transferred without intermediaries, demonstrating
the challenges of attempting to import the traditional anti-money laundering
framework into the realm of digital assets.

NFTs move fluidly among owners (or decentralised protocols),
transferring value at one moment; looking like a simple collectible at another.
Because of their programmability, NFTs can even shapeshift depending on the
type of wallet in which they are stored. Imposing VASP status on anyone
operating an NFT platform simply because virtually all NFTs have an inherent
possibility of being used as a store of value may simply be a bridge too far
for financial regulators in terms of achieving acceptance from the general
public, yet failing to do so exposes an obvious exploitable loophole to
consistent financial regulatory policy.

A way forward?

Many FATF observers believe that, regardless of the input
received during the consultation period, the final version of the VASP
Recommendations will likely closely resemble the draft guidance. That will
leave it to national financial sector regulators to determine how best to
implement FATF’s recommendations in the context of their local regulatory
frameworks. In the United States, that brings attention to the Treasury
Department’s Financial Crimes Enforcement Network (FinCEN). The robust dialogue
between the major participants in the centralised digital asset space in the US
(particularly digital asset exchanges) and FinCEN will be joined by all those
interested in maintaining a viable DeFi ecosystem. It is harder to predict how
these implementation discussions will play out.

That said, there is hope that many in the public sector will
recognise the importance of allowing DeFi to grow and develop. Along with a
potential for being used for illicit activities, it also has advantages from a
regulatory perspective over the traditional financial system (which has
suffered many “black eyes” over the past several years as a result of failing
to prevent numerous significant cases of misuse in support of the financing of
illicit activity).

At the same time, many DeFi proponents recognise that wholly
unfettered DeFi protocols are invitations to abusive use by bad actors. The
fact that little problematic activity in DeFi is known to have occurred at any
significant scale so far may be attributed to the relative novelty of these
protocols and the many practical risks still involved using them (criminals
probably don’t like losing money through poorly audited smart contract code,
either). Now is the time to find appropriate compromises – before a major AML/CFT
incident on a DeFi platform occurs.

One possibility is for FATF (or national regulators) to accept
a more bifurcated approach to regulating the use of DeFi protocols. This could
mean recognition that companies that develop, manage and benefit from centralised
on-ramps (websites providing user-friendly interfaces for DeFi protocol
software) will be treated as VASPs (or perhaps a slimmed down version of VASP)
in order to facilitate the wider use of DeFi protocols, while still allowing
crypto-native sophisticates who do not need a slick user interface experience to
continue to access the command line smart contract code for DeFi protocols
without engaging with intermediaries or otherwise being considered a VASP.

Critically, in this approach FATF would also recognise that
simply owning governance tokens for a DeFi platform would not cause each holder
to potentially be considered a VASP with respect to the platform, even if the
governance token entitled the holder to a portion of the trading or other
revenue or fees generated by the protocol. At the same time, DeFi protocol developers
would be expected to implement the best available automated KYC software to
limit the potential for misuse.

In addition, in this model, individuals and businesses that
are acting on behalf of themselves on a proprietary basis (as opposed to
investing third-party funds) would not be subject to a penalty if they accessed
the underlying command line smart contract code for DeFi protocols, but anyone
managing money or other value for others would be required to go through a
VASP-operated on-ramp. 

Like most compromises, such an outcome might not completely
satisfy either financial regulators or die-hard DeFi enthusiasts, but it might
just provide a possible alternative to the apparently untenable position
currently found in the draft guidance.

© 2021 Euromoney Institutional Investor PLC.