AML/CFT Part 1: Where Government Meets DeFi

There’s a lot of focus on decentralized finance (DeFi) in policy conversations these days. Lawmakers on Capitol Hill, in particular, have started showing increased interest in understanding what exactly DeFi is and learning how best to approach it. That’s evidenced by the many hearings with discussions of DeFi that have been held in recent months, especially last month’s hearing in the Senate Banking Committee.


But DeFi is complicated. Far too often, these nascent policy discussions in D.C. have quickly gotten mired in debates fueled by misinformation, partisanship, or a misunderstanding of the potential of new technology. Most concerning of all, some people don’t seem to be aware of how DeFi protocols can be in compliance with existing policies and regulations.

We want to help set the record straight. Over a series of blog posts, we’ll explore some of the ways that DeFi interacts with and is guided by the current set of financial regulations in the U.S. We’ll also provide background information on how decentralized financial markets work and what distinguishes them from traditional markets, while providing an overview of how law enforcement leverages the unique aspects of blockchains to counter illicit financial activity in the ecosystem.


To begin, we’ll start with a bit of a deep dive into how the federal government currently combats money laundering and other forms of illicit finance in decentralized markets. In later posts, we’ll explore more specific aspects of the interaction between the government, regulations, DeFi and traditional finance.


Part 1: Where Government Meets DeFi


When politicians and regulators first hear about DeFi, they often imagine the DeFi ecosystem is something like the “wild west” of finance: long on opportunity, promise, and risk, but short on law and order. In particular, many often imagine that DeFi protocols, like the outlaws of the wild west, openly, and in fact proudly, flout U.S. laws and regulations, operating in non-compliance with the rules that govern financial activity everywhere else.


While this might be a common perspective — one that is often repeated by crypto-critical voices on TV — it is a perspective that is completely inaccurate. That’s a problem because this perspective isn’t just a talking point for criticizing DeFi; it is creeping into official regulatory forums, as we saw in last December’s Senate Banking Committee hearing.


The truth is that DeFi protocols can and do comply with existing U.S. laws and regulations designed to combat illicit financial activity — including U.S. sanctions requirements.


So why is the perception of DeFi compliance so different from reality? Let’s take a step back to explain the situation more fully.


U.S. rules and regulations designed to combat illicit financial activity are part of the government’s anti-money laundering and countering the financing of terrorism (AML/CFT) policies. These policies are implemented by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN). And while most of the protocols that make up the DeFi ecosystem of today are just a few years old, FinCEN has been pursuing its AML/CFT objectives in crypto markets for much longer; FinCEN first issued a rule in 2011 (which it further clarified in 2013) that brought the then-nascent cryptocurrency ecosystem into its regulatory perimeter.


Since that first rule was issued, FinCEN has adopted numerous updates that have expanded on those early efforts. One of the more recent and impactful policy updates is the guidance that FinCEN released in May 2019 to describe the “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies.” This guidance clarifies how FinCEN applies its policies and pursues its AML/CFT objectives in decentralized markets.


But if FinCEN has been considering the application of its AML/CFT policies to decentralized markets for over 10 years, what exactly are the rules and regulations that it applies and how do they impact decentralized markets today?


The core set of policies applied by FinCEN falls under the Bank Secrecy Act (BSA) regulatory framework. Under the BSA framework, financial intermediaries are required to monitor their customers’ financial activity and report that information to the government. The kinds of financial intermediaries who fall under the BSA’s purview are generally so-called custodial intermediaries — third parties that take control of (i.e., custody of) a customer’s financial assets in order to provide the customer a service. Think of a bank or a remittance service; when you deposit money in a bank account, the bank takes custody of it on your behalf. In so doing, the bank assumes certain financial surveillance responsibilities defined in the BSA.


Thus, one of the major ways that FinCEN pursues its AML/CFT objectives in the crypto ecosystem is by applying the BSA framework to custodial financial intermediaries for crypto assets. In the crypto ecosystem, these custodial financial intermediaries are generally classified as money transmitters, and money transmitters are subject to all the standard requirements of the BSA framework, such as customer due diligence (which requires intermediaries to collect identity information) and know your customer obligations (which involve verifying the identity of customers).


But not everything in the crypto ecosystem is an intermediary and classified as a money transmitter. In fact, non-custodial DeFi protocols are not subject to the BSA framework and its reporting requirements — a fact that has garnered them their reputation as “lawless” in the eyes of some misinformed policy makers and commentators.


This fact naturally raises some key questions: why are DeFi protocols not subject to the BSA? How does FinCEN know when and to whom to apply the BSA framework?


According to the May 2019 Guidance mentioned above, FinCEN’s regulations “define the term ‘money transmitter’ to include a ‘person that provides money transmission services,’ or ‘any other person engaged in the transfer of funds’… The term ‘money transmission services’ is defined to mean the ‘acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.’”


Put more simply: only those people or businesses that actually “accept” and “transmit” assets on behalf of another person are included. But the guidance further elaborates that “the regulatory interpretation of the BSA obligations of persons that act as intermediaries between the owner of the value and the value itself is not technology dependent. The regulatory treatment of such intermediaries depends on four criteria: a) who owns the value; b) where the value is stored; c) whether the owner interacts directly with the payment system where the CVC runs; and, d) whether the person acting as intermediary has total independent control over the value.”


In other words, whether someone is in fact “accepting” or “transmitting” money is not about the technology used in the transaction but about who maintains control of the assets and effectuates the transaction.


And that right there makes all the difference when it comes to DeFi protocols today. Whenever individual users interact with a DeFi protocol to conduct a financial activity, those users have custody and control over their assets, and they act on their own behalf.


In effect, DeFi protocols involve no third-party intermediary taking possession of the individuals’ assets in order to effectuate financial activities on their behalf; the BSA framework does not apply to DeFi protocols because there are no intermediaries to which it even could be applied. But that does not mean that DeFi protocols are against the law, or otherwise operate in defiance of existing financial regulations. DeFi protocols simply enable users to make peer-to-peer transactions that involve no third-party custodial intermediary.


What’s more, this does not mean that law enforcement has no way to prevent money laundering or other sorts of financial crimes from occurring in the DeFi ecosystem. In fact, the DeFi ecosystem actually empowers law enforcement to tackle financial crime in new and potentially vastly more effective ways. And law enforcement has already successfully developed new tactics for doing just that — tactics that we will address in our next blog post.


One last word before we conclude this first post, however. Another common misconception about DeFi is that DeFi market participants can circumvent U.S. sanctions. The truth is: they can’t. That’s because, unlike the BSA’s regulations, sanctions requirements don’t just apply to financial intermediaries. All U.S. persons are legally required to comply with U.S. sanctions, including any U.S. citizen participating in DeFi markets in any way. But we’ll discuss sanctions compliance in more detail in our next post as well.