Peer-to-peer payments enabled by cryptocurrency continue to increase participation in the global economy for millions of people who do not have access to traditional banking services. The rise of decentralized finance (DeFi) promises to broaden access to financial services such as savings, lending, derivatives, asset management, and insurance.
This financial inclusion-enabling innovation should be allowed to thrive in a regulated environment in which individuals and institutions are protected and suspicious activity is identified and reported. But how can these decentralized products be regulated without completely removing the core characteristics of financial inclusion and decentralization?
Know Your Customer (KYC) procedures are an important function for risk assessment and a legal requirement to comply with Anti-Money Laundering (AML) laws that vary by jurisdiction. Most AML laws are put in place for good reasons: to deter criminals by making it more difficult for them to launder money obtained through illegal activities (e.g., human or drug trafficking, terrorism, etc.). Financial institutions are required by AML regulations to know their customers’ true identities, monitor transactions, and report on suspicious financial activity.
Why are regulators concerned about DeFi?
Because decentralized applications (DApps) lack a centralized controlling entity, it is unclear who is responsible for ensuring that DApps, including DeFi applications, comply with existing laws and regulatory requirements. Assume a ransomware attacker uses a decentralized exchange (DEX) to launder stolen funds. Who is responsible for reporting those transactions? Who is imprisoned or fined for failing to report? Is it the members of the decentralized autonomous organization (DAO) in charge of the DApp? Or the programmers who wrote the code?
Though most of these questions remain unanswered, the Financial Action Task Force (FATF), a global money-laundering watchdog, recently proposed guidelines stating that “the owner/operator(s) of the DApp likely fall under the definition of a VASP [virtual asset service provider] […] even if other parties play a role in the service or portions of the process are automated. […] If the elements of any part of the VASP definition remain in place, decentralization of any individual element of operations does not eliminate VASP coverage.”
This implies that DApps (DEXs and other DeFi applications) will be held accountable for adhering to country-specific laws enforcing FATF, AML, and Counter-Terrorist Financing (CTF) standards.
As an example, consider the Bitcoin Mercantile Exchange (BitMEX). Although BitMEX is a centralized exchange, the enforcement actions taken by the Commodity Futures Trading Commission (CFTC) and the United States Department of Justice (DOJ) against the platform’s founders have implications for DeFi. The CFTC charged the operators with violating anti-money laundering laws, while the DOJ accused the founders of violating the Bank Secrecy Act (BSA). By the same logic, DeFi platforms that offer financial products to US residents would be required to register for the appropriate operating licenses, and failure to do so could lead to enforcement action against identifiable founders, creators, or operators.
Is there really a conflict between regulation and privacy?
Keep in mind that regulations are currently geared toward businesses rather than individuals. Unless you have laundered millions of dollars in cryptocurrency and are funneling it through a crypto platform’s payment network, your peer-to-peer transactions are of little concern to regulators. Only in a case like that would the exchange be required to flag the transactions as suspicious and notify the relevant regulatory body.
If law enforcement requests personally identifiable information (PII) related to the transaction during this elevated stage of the investigation, the exchange is required to provide it. This is why centralized exchanges require users to complete KYC — so that they have this PII available if it is requested. However, the vast majority of DEXs lack fully compliant processes. To meet evolving compliance standards, do DEXs need to dismantle the liberties of our decentralized revolution?
Putting users in charge
We can empower users with the ability to selectively share PII only when it is required, and offer DApps a built-in identity layer that helps them meet compliance goals while preserving the same values of user control and privacy that drew millions of people to crypto in the first place. Compliance is undoubtedly more difficult in a decentralized environment. Even so, using digital identity effectively to enable permissioned access to DApps is how we ensure the long-term viability of the larger crypto economy and financial inclusion for millions.