Cyber fraud and money laundering involving Decentralised Finance (DeFi) is on the rise. Here Marcus Rickard looks at the risks DeFi creates for AML compliance, the consequences of those risks for AML compliance officers, how the risks can be mitigated, and the potential benefits DeFi brings

What is Decentralised Finance (DeFi)?

When I buy a coffee with my credit card, financial institutions traditionally sit between me and the vendor.

This middleman or gatekeeper is an “intermediary” that has control over the transaction. These intermediaries are the powerhouses in our financial markets and play a key role which attracts a level of accountability and with it liability

Decentralised Finance (DeFi) refers to monetary systems where that “intermediary” has been removed. This means there is no centralised authority or financial institution running the ‘process’ involved in the transaction.

Instead, it allows for financial services to take place directly between the parties through automated processes. This removes a tier of accountability and liability that previous law makers envisaged would be an integral part of the transaction chain until the end of time. DeFi changes that outdated traditional transaction structure and so the question is how will this affect those transactions?

To what extent is DeFi a risk for AML compliance?

 AML rules and associated Know Your Customer procedures were traditionally designed according to the premise that the “intermediary” acts as a gatekeeper institution.

These centralised institutions have the resources, expertise, incentives and experience to comply with these regulations… as DeFi projects are new kids on the block the perception is that they will often want to avoid such controls and the associated costs if they can get away with it.

First, a particular risk of DeFi for AML compliance is the perceived anonymity that comes with peer-to-peer situations. Commonly, cryptocurrencies used in DeFi projects have no names or other customer identification. Bitcoin, for example, doesn’t require or provide identification or verification of participants. It also doesn’t generate historical records of transactions that are associated with real world identities thus reducing traceability. This is questionable practice when considering general corporate governance and the need for global tax compliance.

 Nevertheless this anonymity makes it difficult for law enforcement since they can’t target one central location or entity for investigative or seizure purposes. It is therefore unsurprising that criminals have made use of DeFi services to launder their money.

 Second, the global reach of DeFi creates further risks of enforcement for global AML compliance. DeFi projects can be accessed via the internet from anywhere in the world, by anyone, and can be used to make cross-border payments.

 The consumer’s direct use of DeFi services for cross-border payments and the execution of financial activities without a clear geographic location undermine AML compliance efforts. This is exacerbated by decisions such as the recent case in wich the UK’s Supreme Court held that a notice issued by the Serious Fraud Office unde the Criminal Justice Act cannot compel a foreign company to produce material held overseas.

Third, by removing the intermediary, DeFi allows consumers to side-step the enforcement of AML measures.

For example, loans are traditionally subject to significant regulatory restrictions. You will often need to have a proper credit score or banking record to prove your eligibility. DeFi, however, connects the lender straight to the borrower, which means you may no longer need to satisfy AML rules.

Hence, whileDeFi improves connectivity, it reduces the opportunity for AML checks to be carried out as the recognisable “intermediaries” are no longer playing that part.

So, what do the risks of DeFi mean for AML compliance officers?

Tim Swanson, the Director of research at Post Oak Labs said that, “regulators will increasingly learn about how in many cases DeFi is often non-compliant with AML”.

This paints a stark picture for AML compliance officers.

However, recent developments in regulatory frameworks could provide compliance officers with the necessary tools to mitigate these risks.

How can the risks associated with DeFi be mitigated?

There are already examples of regulatory instruments that can be adopted that deal with the risks of DeFi. The EU has proposed the Markets in Crypto Assets, which is a regulation to ban decentralised exchanges from trading with EU citizens if they’re not incorporated as a legal entity but have their registered office in a Member State.

Notwithstanding the actions of local and regional authorities, it is plausible to expect that DeFi projects could fall under the scope of global regulators such as the Financial Action Task Force (“FATF”).

In their 2020 report, the FATF provided guidance to help companies develop AML programmes. It lists a number of red flags that AML compliance officers should be aware of. These include if the user is using technological features that increase anonymity, an assessment of the jurisdiction money is being transferred to, and the transaction size and frequency.

There is some hope that GDPR could be an unlikely ally for the compliance officers as there is a seemingly genuine global acceptance that compliance with acceptable levels of data protection (such as GDPR) is needed and this could theoretically further require some level of accountability via record keeping which may help counter the drive for anonymity by DeFi.

Innovative new solutions that take account of the technology used in DeFi might also provide an answer to tackling the risks posed to AML.

For example, some DeFi services allow users to deposit cryptocurrency in exchange for tokens. These tokens can be used as payment for goods and services. The smart contracts that govern these exchanges could be programmed to require AML checks prior to the execution of transactions.

Does the emergence of DeFi have any benefits for AML?

The rate of technological improvements in traditional financial systems has been outstripped by the increasing sophistication of cybercrime.

Security risks are therefore persistent in traditional financial systems.

DeFi presents an opportunity to design AML measures that work alongside the advances in financial services, whilst moving away from the centralised infrastructure that is of course always been vulnerable to human error and cyber hacks.

Marcus Rickard, barrister, Red Lion Chambers