Diving into DeFi - How Does the FATF View DeFi?
Mary Beth Buchanan
Decentralized Finance (DeFi) is pegged to be the next frontier of fintech innovation. Though the future of DeFi looks promising, it faces some significant regulatory hurdles. Merkle Science recently published “Diving into DeFi: Fundamentals from the Financial Frontier” — a comprehensive primer of the current DeFi landscape that includes a look into the Financial Action Task Force’s (FATF) potential approach toward the space based on its latest draft updated guidance for virtual assets (VAs) and virtual asset service providers (VASPs).
The FATF’s draft updated guidance has garnered a lot of attention from the industry as it broadens the scope of the definition of VASPs from the original guidance and includes even those service providers that were previously not under the FATF’s purview such as non-custodial software wallets, multi-sig services, and software-based decentralized exchanges.
Below are several highlights from the Merkle Science report on the draft guidance and potential implications, a full list of which can be found in our report.
FATF Guidance Related to DeFi
Published in March 2021, the drafted updated guidance drastically expands the scope of VASPs beyond custodial financial intermediaries to include those entities that may have (a) limited or more indirect role in DeFi service provisions (b) no traditional financial counterparties, and (c) may not make any direct gains or profit.
This is problematic due to three reasons. Firstly, owing to the decentralized nature of DeFi, the regulators may find it difficult to identify specific entities that now fall within the definition of VASPs and will be held responsible for implementing AM/LCFT guidelines. Secondly, certain newly designated VASPs such as web developers, neither have access to a vast amount of resources nor do they have the same level of control over a protocol that a custodial financial intermediary does and they may, therefore, not be able to ensure AML/CFT compliance. For instance, unlike the custodial intermediaries, Defi platforms do not have possession of their users’ assets as their users retain independent control over their assets. This means that DeFi platforms won’t be able to comply with certain recommendations, such as the one requiring them to freeze user assets.
The implementation challenges faced by centralized VASPs, such as Travel Rule, will also apply to DeFi. It will be significantly more difficult for DeFi platforms to overcome these challenges as the recommendations in the original guidance were not drafted keeping the DeFi ecosystem in mind.
The draft updated guidance reflects the FATF’s belief that no technology should be completely decentralized. It states that “where customers can access a financial service, it stands to reason that some party has provided that financial service.” Therefore, the entities that are involved in creating, launching, setting parameters, holding an administrative key will now fall under the definition of VASPs. Further, though the FATF claims to be technology-neutral and states that it does not seek to regulate technology, it fails to take into account the self-governing nature of DeFi. For example, smart contracts, due to their self-executory nature, facilitate financial transactions without requiring assistance from any centralized agency. In this situation, it is unclear which VASPs, if any, would be required to implement compliance obligations.
To meet the AML/CFT requirements outlined in the guidance, VASPs will have to maintain large stores of personal data of their users. Chances of data breaches increase if the VASPs conduct privacy compliance through rapidly assembled automation tools without robustly testing them.
To ensure privacy and avoid data breaches jurisdictions will have to enact laws that ensure that AML/KYC compliance is not achieved at the expense of user privacy. Therefore, these laws should enable the identification of those parties that will be responsible for ensuring data protection compliance, specifically regarding the collection and storage of personal data, and will be held accountable in case of a data breach.
FATF Extends the Publication of Revised Guidance on Virtual Assets and VASPs
The Second 12 Month review of the revised standards on VAs and VASPs sheds light on the feedback from the public consultation. The feedback highlighted that many projects do not have a central counterparty and that the developers of such protocols should not be considered VASPs.
Accordingly, the FATF will review its draft guidance to ensure that it is providing a clear message regarding the application of its standards to decentralized structures, particularly which activities do and do not fall within the scope of the definition of a VASP after taking into account the risks, limitations, and size of this sector. The FATF extended the deadline for the finalization of the FATF’s revised draft updated guidance to November 2021.