DeFi & the FATF: Is It Regulated? KYC & AML

As the decentralized finance (DeFi) sector continues to gain momentum, global regulatory authorities are grappling with effectively overseeing this new frontier in financial services. The Financial Action Task Force (FATF) and the European Union (EU) are formulating their respective approaches to DeFi regulation, focusing on a broad interpretation of the definitions provided in the FATF’s standards and shifting towards an activity-based regulatory approach. The challenge lies in determining which entities within the DeFi ecosystem qualify as virtual asset service providers (VASPs) and how to apply anti-money laundering (AML) and counter-terrorism financing(CFT) obligations to them.

In other posts, we covered the FATF’s and the EU’s regulatory stances on non-fungible tokens (NFTs) and stablecoins. This article, taken from our 2023 State of Crypto Travel Rule Compliance Report, compares their regulatory stances on DeFi.

‍

What is DeFi?

DeFi eliminates intermediaries in financial services by executing transactions via code on blockchains. In 2022, DeFi protocols and applications continued their unprecedented growth, with major asset managers offering DeFi exposure to institutional investors. Retail users continued to flock to DeFi, although there were risks along the way- liquidations surpassed $8.7 million on February 23, and DeFi exploits across blockchains worldwide totaled $3.64 billion in 2022, a rise of 47.4% compared to 2021.

Timeline: DeFi Legal & Regulatory Spotlight in 2022

Protocol-level sanction action reared its head in 2022. In August 2022, Tornado Cash, an Ethereum-based mixer, was blacklisted by the Office of Foreign Assets Control (OFAC) for its alleged links to the Lazarus hacker group from North Korea. This incident indicates that DeFi protocols will have to comply with sanctions in the future. Additionally, financial regulators released papers highlighting the challenges surrounding DeFi regulation. Below we highlight relevant DeFi events in 2022:

N.B. Dates accompanied by a clipboard icon 📋 indicate a document that a regulator produced.

• ‍June 8, 2021 📋 - DeFi Policy Maker Toolkit | The World Economic Forum takes the stance that “an effective regulatory response to DeFi is likely to involve a combination of existing regulation, retrofitted regulation, and new, bespoke regulation.” (p.21)
• ‍January 5, 2022 - Aave Arc, designed to help institutions develop new products and services utilizing digital assets, attracted 30 financial institutions to its whitelist.‍
• April 2, 2022 📋 - European Financial Stability and Integration Review 2022 | The European Commission acknowledged that copying traditional regulatory approaches in a decentralized environment may not be an option. It notes, "Possibly, even more emphasis would need to be put on activity-based regulation as opposed to entity-based one.” 
• ‍April 4, 2022 - Uniswap user forms a class action lawsuit alleging that Uniswap Labs and its investors are culpable for her losses due to a failure to comply with securities laws.
• ‍April 13, 2022 📋 - Policy Considerations for Decentralized Finance | Abu Dhabi Global Market expresses the view that “Given that DeFi does not change the underlying nature of financial services, we believe that similar requirements should be placed on DeFi participants as on TradFi participants. (...) However, we recognise that since DeFi changes how financial services are delivered, we may need to impose different obligations on a DeFi activity to achieve the same outcomes as those obligations placed on a TradFi operator.” (p.16-17)
• ‍August 8, 2022 - U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash
• ‍August 10, 2022 - MakerDAO makes contingency plans to execute an emergency shutdown should core contracts underpinning DAI, its stablecoin, be sanctioned.
  
  

Crypto Travel Rule and DeFi

In this section, we will delve into the general stance of the FATF and the EU towards DeFi, examining whether DeFi is currently regulated and the measures being taken to continuously monitor and assess developments in the sector.

‍

FATF vs. EU: General Stance on DeFi

F‍ATF: The FATF expects countries to determine whether an identifiable person is a VASP within the DeFi arrangement on a case-by-case basis, according to a broad interpretation of the definitions provided in the FATF’s standards.

EU: The European Commission has expressed its view that traditional regulatory approaches may not be a suitable fit for the decentralized environment of DeFi platforms. Instead of relying on entity-based regulation, the Commission is considering a shift toward an activity-based regulatory approach, which may better align with the dynamic and decentralized nature of DeFi.

To implement this approach, the Commission proposes a few access points for DeFi regulation:

• regulating the connections between regulated entities and DeFi platforms
• regulating the features of smart contracts targeting the project team behind the specific DeFi application, and
• utilizing embedded supervision to capitalize on the inherent data transparency offered by public blockchains, making it easier to monitor and oversee DeFi activities.

‍

FATF vs. EU: Is DeFi Regulated?

‍

FATF: According to the FATF, a DeFi software application could not inherently qualify as a VASP. Instead, entities that maintain "control or sufficient influence" over a DeFi protocol should be subject to AML and CFT obligations if they provide or facilitate VASP services. This would apply to entities with an ongoing business relationship with DeFi protocol users, those profiting from the DeFi service, or those with the ability to set or change the parameters of the DeFi protocol.

However, the FATF recognizes that identifying entities with control or substantial influence over a DeFi arrangement can be challenging, and in some cases, a VASP might not even exist. They recommend that countries assess the risks posed by these activities and adopt appropriate risk mitigation measures. ^[1] This could include requiring regulated VASPs to be involved in the activities of the DeFi arrangement if deemed necessary. The FATF also clarifies that holding governance tokens of a DeFi protocol does not automatically qualify someone as a VASP, unless they can control or substantially influence the protocol’s governance.^[2]

EU: Under MiCA, crypto-asset services that are fully decentralized without any intermediary do not fall within the regulation’s scope. However, if there are natural, legal persons or other undertakings that provide or control, directly or indirectly, a regulated activity or service (i.e., service of exchange of crypto-assets for other crypto-assets or the operation of a trading platform for crypto-assets), even if the service or activity is performed in a decentralized way, it would be subject to the MiCA’s scope.^[3]

‍

FATF vs. EU: Continuous DeFi Monitoring and Assessment

FATF: In its Targeted Update, the FATF acknowledges that DeFi markets have grown significantly from 2021 to 2022 and promises to “continue to monitor developments in DeFi, particularly the emergence of truly decentralized DeFi entities, and to facilitate dialogue on common AML/CFT implementation challenges, risk assessment, and good practices.” ^[4]

EU: After consulting with the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA), the European Commission plans to deliver a series of reports to the European Parliament and Council on the latest crypto-asset developments. These reports, particularly concerning areas not yet covered by existing regulations, may inform potential new legislation.

Report on the latest developments in crypto-assets, expected by December 30, 2024, is due to include “an assessment of the development of decentralised-finance in markets in crypto-assets and of the appropriate regulatory treatment of decentralised crypto-asset systems without an issuer or crypto-asset service provider, including an assessment of the necessity and feasibility of regulating decentralised finance.” ^[5] 

Reports on the application of this Regulation, expected by June 30, 2027, shall include “an assessment of the development of decentralised finance in markets in crypto-assets and of the appropriate regulatory treatment of decentralised crypto-asset systems.” ^[6]
‍

As the DeFi sector continues to grow and evolve, regulatory authorities around the world are working to develop effective regulatory frameworks that can address the unique challenges posed by decentralized financial systems. The FATF and EU have proposed different approaches to regulating DeFi, with the FATF focusing on identifying VASPs within the DeFi ecosystem and the EU considering an activity-based regulatory approach. Both organizations will continue to monitor the DeFi sector and assess the risks associated with these activities. The rapid growth of the DeFi sector and the increasing interest from institutional and retail investors make it crucial for regulatory authorities to establish clear and effective regulatory frameworks to ensure the sector's continued growth and stability.

{{cta-learnmore6="/cta-components"}}