  • K Kim and S Pettigrove

Future proof: Regulating DeFi as Critical Infrastructure



The rise of decentralised finance (DeFi), based on smart contract and peer-to-peer technologies, has highlighted reliance on existing centralised intermediaries in combating illicit financial activities including money laundering, terrorism financing and sanctions violations.


In their 2023 Synthesis Paper: Policies for Crypto-Assets, the Financial Stability Board (FSB) and the International Monetary Fund (IMF) stated:

In the case of DeFi…the lack of intermediaries means that the traditional approach…in which AML/CTF requirements are imposed on a private sector entity and compliance is monitored by supervisors, cannot be applied.

In an attempt to address this issue, and recognising the need to balance the benefits of open systems against the need to tackle financial crime, Polygon Labs' Rebecca Rettig, Chief Legal and Policy Officer, and Katja Gilmanat, Senior Lead in Public Policy, together with Michael Mosier, a former Acting Director of the Financial Crimes Enforcement Network (FinCEN), have published a proposal for Combating Illicit Finance Activity in Decentralized Finance.




The paper adopts the concept of ‘Genuine DeFi’ and proposes a framework to address illicit financial activity. The term "Genuine DeFi" is defined as:


A technological System comprised only of open source software – typically smart contracts where:
1. Users engage in financial transactions in a self-directed manner without intermediaries;
2. Users always maintain independent control over their assets through maintenance of the “private key”; and
3. All elements of the transaction occur on a permissionless blockchain network.

The proposal seeks to address 3 primary issues:


  1. Not all DeFi systems are entirely decentralised and may involve points of centralisation that warrant application of existing rules; 

  2. Existing legal frameworks depend on identifiable intermediary entities and are not fit for purpose in regulating Genuine DeFi;

  3. The nature of the risks of illicit financial activity differs between TradFi and DeFi. Main sources of risk in DeFi include cyber risks, system management risk and usage risk.


It then goes on to formulate a three-part proposal:


1. Identifying “independent control” in on-chain software systems that do not constitute DeFi


The paper suggests that where a subject is identified as performing functions similar to traditional financial intermediaries, existing regulations may appropriately be applied. However, this assessment must be made on a case-by-case basis, taking into account the unique facts and circumstances of the protocol. The proposed definition of ‘independent control’ is intentionally broad and technology neutral, but it excludes DAOs, third-party software integrated in the protocol and individuals with significant governance token holdings from being identified as a subject with ‘independent control’ by reason of their identity alone.


2. DeFi as a ‘critical infrastructure’ 


Critical infrastructure is traditionally defined by the Cybersecurity and Infrastructure Security Agency (CISA) as:

systems and assets that are so vital that their incapacitation or destruction would have a debilitating effect on security, the economy, public health, public safety, or any combination thereof.

While the question of whether Genuine DeFi satisfies this standard at this time remains debatable, there are clear benefits to classifying Genuine DeFi as Critical Infrastructure subject to oversight by the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), including response coordination, implementation of cybersecurity standards and information sharing across government agencies.


3. A multi-tiered approach


In addition to oversight from the OCCIP, the establishment of a new regulated entity named ‘critical communications transmitters’ (CCT) is proposed. The CCT definition does not include those solely involved in the development of the software, but does include those who provide a service communicating user information about a transaction, who are responsible for transmitting a material portion of the communications, and who offer the service as a business or for profit. However, it is expected that FinCEN will require new authority to regulate CCTs, as existing regulations do not give the Treasury authority to establish risk programs for non-financial institutions. Under the proposal, these CCTs will be responsible for implementing risk management systems and procedures to mitigate illegal activity in DeFi. This may include a wallet risk scoring and blocking system which helps filter wallets with transactional proximity to illegal transactions, sanctioned addresses, historical engagement in suspicious activity and more.


The proposed framework identifies the absence of intermediaries in Genuine DeFi protocols and recognises the distinctive risks stemming from the technology. A collective effort involving policymakers, industry stakeholders and experts is imperative to ensure DeFi regulation addresses the unique risks and benefits of the technology. The authors' paper is a welcome contribution to the debate over how to mitigate the financial crime risks raised by DeFi, one which seeks to allow DeFi to flourish and to avoid simply reimposing centralisation on open systems.


By S Pettigrove and K Kim


