Why DeFi applications should already be looking at KYC compliance

If there is a possibility that Iran, North Korea, or Al Qaeda are liquidity providers in the decentralized finance space then regulation is inevitable - and soon. 

But is DeFi just 'software' and therefore impractical to police by traditional methods? What are the main barriers to compliance and how can we overcome them?

By The Fourthline Team

DeFi: a quick overview

Decentralized finance, or DeFi, allows users to perform financial transactions without an intermediary or third party. While traditional financial services rely on a central organization, such as a bank, exchange, or broker, to execute and control the transaction, the DeFi marketplace offers direct access to these services using open-source software connected to the blockchain.

Transactions are verified and executed by pieces of code (a smart contract), an automated liquidity pool allows anyone to become a market maker, and a public blockchain (primarily the Ethereum network) records the transaction.

The DeFi market has exploded - the total value locked in DeFi products and services rose from around $1 billion in the first half of 2020 to more than $250 billion in December 2021, according to DeFi data aggregator DefiLlama.

The rapid growth of the DeFi marketplace

The reasons for this growth are easy to understand. By removing the ‘middle-man’, DeFi platforms can deliver greater efficiency, faster settlement, and lower transaction costs, especially in cross-border payments.

They promise users:

- Transparency

- Immutability: use of cryptography means it is practically impossible to alter any record on the blockchain network (and smart contracts execute automatically when predefined conditions are met)

- Greater ownership of their finances

- Access to innovative products that are not available in the traditional space.

It is these features, however, that create security problems by increasing the scope for financial fraud. Trading directly on DeFi protocols, such as UniSwap or SushiSwap, offers complete anonymity, with no need to provide any personal identity information. So, although the transaction chain might appear to be more transparent, when it comes to the origin and ownership of the funds you are in the dark.

“There are no KYC requirements, no age or geographic restrictions. You are essentially interacting with pure code - you could be dealing with anyone,” explains Fourthline’s Co-founder and CEO, Krik Gunning.

What are the challenges facing DeFi projects?

The DeFi market is still in relative infancy and although its democratized nature has engendered fast-paced innovation, its lack of ‘ownership’ has left it open to scams, hacks, and other fraudulent activity. Until these issues can be overcome, the industry will continue to face strong headwinds from policymakers.

The core challenges are:

Regulatory murkiness

The legal status of DeFi projects is vague and their structures vary. Many use decentralized autonomous organizations (DAOs) to replace the traditional intermediary system. DAOs issue digital governance tokens, which are shared among the community, team members, and investors. These tokens allow key stakeholders to suggest, approve (by vote) and implement any upgrades to the protocol.

While cryptocurrency providers (Virtual Asset Service Providers or VASPs) and exchanges have recently come under closer regulatory control, there are currently no official regulations for DAOs, and debate continues as to whether authorities can effectively exert such controls over this open-source software and its developers.

The user takes all the risk

Users might appreciate the benefits of a democratized system but with greater control comes greater responsibility. The potential risks of trading on DeFi are high and when something goes wrong there is no organization to hold accountable.

DeFi projects do not take responsibility for any mistakes. Instead, users take full custody of their digital assets – if they are the victim of fraud, misplace a passcode, or even mis-key a code, they risk losing everything.

It’s not always as decentralized as it seems

Decision-making in DAOs is a collective process, designed to ensure that a project cannot be manipulated by a particular entity. Ultimately, however, the development team has control over the codes that make up the smart contract and, as a result, can determine what is or is not implemented by them.

“A lot of the products that offer ‘decentralized finance tools’ are not necessarily decentralized themselves,” says Krik Gunning. “There is always a company or a group of founders in charge – even if it’s open-source – somewhere there is someone who is working on that.”

The SushiSwap exit scam is a case in point. In 2020, the DeFi project’s pseudonymous founder Chef Nomi converted all his Sushi tokens into Ethereum (ETH), sending the value plummeting. Although he apologized for his actions and returned the funds shortly afterward, it was a stark reminder that a single point of failure is still possible even in a decentralized world.

There are also many centralized exchanges that offer DeFi products and services - Coinbase, one of the biggest crypto exchanges, for example. Is DeFi still decentralized when it is managed by a single institution?

“If you used Ethereum you could say, yes, it is decentralized,” says Krik Gunning. “But if you use a new DeFi protocol and this protocol is just an old school app, you’re interacting with a piece of code. They probably don’t have tokens distributed to people – perhaps they plan to in the future but for now they just swap a bunch of airdrops to the community – how decentralized are they in reality?”

In the same way, some crypto coins are more centralized than others. Stablecoins, for example, are issued by centralized exchanges and pegged to the US dollar, while DeFi coins, like DAI, are controlled purely by code.

On-chain fraud detection is not sufficient

A multitude of analysis firms, such as US-based Chainalysis, detect illicit activity using data from the public blockchain. But these tools are better suited to uncovering native crimes (those that have taken place on the blockchains themselves, such as thefts, scams, and ransomware attacks) rather than tracking financial crimes that have been committed elsewhere and laundered via the crypto markets.

The latter is the crux of the problem, and it is much harder to identify because there are no illicit addresses to track on the blockchain – these criminals move into cryptocurrency directly from fiat, showing no trace of the original funds’ source.

On and off-ramp protocols are the gatekeepers

Although its raison d'être was to take control away from intermediaries, DeFi is still reliant on crypto service providers to be the gatekeepers when government-issued money (fiat) is exchanged for cryptocurrency and vice versa. These fiat on and off-ramps are the choke points where KYC and AML processes - put in place by regulated exchanges, brokers, and banks - can form the first line of defense.

To trade on centralized exchanges, users must transfer their cryptocurrencies into wallets that are owned and controlled by the exchange. On decentralized exchanges, users can trade directly from their own (non-custodial) wallets or by depositing tokens into smart contracts.

For most new cryptocurrency traders, the first step to transferring fiat money into crypto would necessitate KYC via a regulated exchange. For instance, to swap on UniSwap a typical retail customer would go through the following basic process:

  1. Open an account with Coinbase, for instance, and go through its KYC process

  2. Upload funds into the Coinbase account

  3. Buy crypto with fiat money

  4. Open a wallet, such as Coinbase, Argent, or Metamask, and receive a 12-24 word randomized recovery phrase (seed phrase).

  5. Transfer the Ethereum you have in your Coinbase account to your wallet (in order to do so you will either receive a QR code or a unique string of numbers).

  6. Go to the website of a decentralized cryptocurrency exchange such as UniSwap and connect to the UniSwap app, then make a transaction or become a liquidity provider.

The complex nature of the trading process often limits current use to more seasoned crypto users, with greater knowledge of the space, healthy risk appetites, and the necessary resources to experiment.

For these seasoned crypto holders, it is much easier to connect directly to DeFi platforms because they have had many years to build up their funds.

“It could be that a terrorist organization has had crypto wallets full of Bitcoin since 2014. They don’t have access to normal financial transactions, so they invest in those. A stash that was worth a million back then could now be worth $2 billion,” says Krik Gunning. “They could have had Ethereum since 2017 with their own private wallet connecting directly to UniSwap. The problem with that is that UniSwap has no KYC and so zero idea who they are.”

Any entity could be a liquidity provider to a DeFi platform, he adds, providing $100 million to UniSwap, SushiSwap, or BlockFi for example. “They could be interacting with UniSwap all day and UniSwap has no idea.”

What are regulators saying?

Regulators have cracked down on the crypto trade over recent years, bringing VASPs under tighter control, but the focus has been on the digital assets themselves and the centralized exchanges that support them.

Meanwhile, innovation in the underpinning blockchain technology has continued at pace, making it near-impossible for policymakers, who are already struggling, to monitor the risks from this fast-evolving sector. There are two core challenges to overcome:

Accountability – do DeFi projects have an ‘owner’?

A big question for regulators is: who has accountability? Because DeFi protocols do not have custody of the users’ money and are not governed by a single institution (rather, by a multitude of users who bring liquidity via smart contracts), they have – so far – been able to circumvent regulations that their centralized peers have had to tackle. But the net is closing in.

In October last year, the Financial Action Task Force (FATF) updated its virtual assets and VASPs guidance to clarify its definition of the two, highlighting that its scope was expansive. In identifying owner/operators of a DeFi arrangement, authorities should assess whether there are people who retain control or influence over the decentralized app (Dapp), profit from the service, or have the ability to set or change parameters, it said. Projects with these characteristics – although they may appear decentralized - can be considered as VASPs, and therefore subject to regulation.

The U.S. Securities and Exchange Commission (SEC) Chair Gary Gensler takes the same tack, saying that classifying DeFi as just software put out to the web is a misnomer. Features such as governance mechanisms, fee models and incentive systems (users receive a portion of the transaction fee if they bring liquidity) bring centralization to a project, he added. He likened it to the peer-to-peer lending business that developed in the earlier part of the century, which took three to five years to bring under investor protection laws.

Definitions – Is crypto an asset or is it money?

This links to an ongoing debate about how a crypto token is assessed - is it a utility token, and therefore subject to the regulation of digital assets (VASPs), or is it a security token that is governed by financial law?

It is still unclear, under the EU Markets in Crypto Assets regulation package (MiCA), which financial regulator should take the lead when it comes to supervising crypto companies.

The Council believes that the European Banking Authority (EBA) should become the crypto watchdog. The Parliament, meanwhile, is convinced the European Securities and Markets Authority (ESMA) would be best suited for the job. The disagreement comes from fundamentally different views of what a crypto asset is.

MiCA has now entered a phase of discussions called "trilogue" between the Commission, Parliament, and Council. While this disagreement could still bog down the process, European legislators are under political pressure to wrap MiCA up before France hands over the EU presidency in July 2022.

The need for a solution becomes ever-more critical

As rapid growth continues in the crypto market, concerns are mounting about its volatility, particularly given its increased overlap with the regulated financial system. In December last year, the International Monetary Fund called for more consistency and coordination in global regulation to limit crypto’s potential impact on the wider financial system. This was echoed in the UK by Deputy Bank of England governor Sir Jon Cunliffe: "We really need to roll our sleeves up and get on with it, so that by the time this becomes a much bigger issue, we've actually got the regulatory framework to contain the risks."

Momentum has picked up considerably since then, with March 2022 a particularly active month. US President Joe Biden issued an executive order on the responsible development of digital assets while the Organization for Economic Cooperation and Development (OECD) released a public consultation document on Crypto-Asset Report Framework (CARF) and amendments to the Common Reporting Standards (CRS). The latter seeks to ensure that the OECD’s 38 member countries collect KYC and AML information on all transactions involving digital assets - its scope is broad, covering any ‘intermediaries facilitating exchanges between crypto-assets, as well as between crypto-assets and fiat currencies’ and including ‘decentralized exchanges and decentralized finance more broadly’.

It is realistic to assume that it is only a matter of time before all entities that deal in crypto assets will be subject to the same strict compliance rules that govern other financial institutions, wherever they are based.

For DeFi developers and service providers, this means remaining responsive to developments and working as transparently as possible to minimize regulatory risk.
