Managing Financial Crime Risk in the “Wild West”

The Rise and Risks of Decentralized Exchange Automated Markets

By Alma Angotti, Gino Soave, Gregory Schwarz

The proliferation of blockchain technology has the potential to fundamentally change the financial services industry. Within the broader universe of innovative blockchain applications, decentralized finance technology has witnessed outsized adoption and growth. Decentralized finance, or DeFi, refers to a class of technology platforms that can run autonomously, without the support of a central company, group, or person.

Within the DeFi ecosystem, decentralized exchanges (DEXs) have seen some of the most significant growth during this period, as investors worldwide are pouring money into DEXs at a dramatic scale. For example, DEXs’ total value locked (TVL) on the Ethereum (ETH) blockchain, meaning assets deposited in DeFi protocols earning rewards or interest, has risen from approximately $6 billion in January 2021 to more than $30 billion in September 2021.

While this new technology is promising, its rapid rise could introduce significant risk if anti-financial crime controls are not built into DEXs’ protocols. Regulators are not blind to these realities and are taking stock of once-esoteric products that are quickly becoming more mainstream.


What are Decentralized Exchanges?

DEXs are DeFi applications (DApps)[1] that allow anonymous peer-to-peer exchange of digital assets without the use of an intermediary. DEXs are built using smart contract[2] protocols on the Ethereum (ETH) blockchain or other blockchains that support smart contracts. DEXs allow any individual, anywhere in the world, to exchange digital assets at any time.

Rather than using a traditional order book, most DEXs use mathematical formulas (generally the ratio of two digital assets equaling a constant value) to determine prices. These protocols are called Automated Market Makers (AMMs). Because there is no order book, an individual can “swap,” or trade, a digital asset without having a counterparty who wants to take the opposite position.

These swaps are often conducted using smart contracts called Liquidity Pools (LPs). LPs are large collections of two specific digital assets with which individuals can trade. For example, a user can deposit USD Coin (USDC) into a LP and receive its equivalent value in ETH based on the AMM formula.  LPs are created by individuals (called liquidity providers or “stakers”) providing funds to the pools for others to trade against. In return for providing liquidity to the LPs, stakers collect fees from each swap that occurs in the LP.

The two largest DEXs operating on the Ethereum blockchain are Uniswap and Sushiswap. As of September 2021, Uniswap has a 24-hour volume of over $1.5 billion, while Sushiswap has almost $500 million. Over the month of September 2021, Uniswap’s largest LP (USDC-ETH) has had a 24-hour trading volume ranging from about $260 million to more than $900 million. Even with a relatively low fee of 0.05%, the largest LPs can generate hundreds of thousands of dollars in fees for their stakers every day.


Financial Crime Risks of Engagement with DEXs

To understand the financial crime risk of engaging in activity with a DEX, it is first important to understand the current state of anti-money laundering (AML) regulation as applied to cryptocurrency exchanges. The 2011 Money Services Business (MSB) Final Rule clarified that persons accepting and transmitting value that substitutes for currency, such as virtual currency, are money transmitters. Persons accepting and transmitting convertible virtual currency (CVC) are required (like any money transmitter) to register with FinCEN as an MSB and comply with AML program, recordkeeping, monitoring, and reporting requirements (including the filing of Suspicious Activity Reports and Currency Transaction Reports). These requirements apply equally to domestic and foreign-located CVC money transmitters doing business in whole or in substantial part within the United States (US), even if the foreign-located entity has no physical presence in the US.

FinCEN’s 2013 Virtual Currency Guidance further clarified that exchangers[3] and administrators[4] qualify as money transmitters under the Bank Secrecy Act (BSA), unless specifically exempt. In 2019, FinCEN addressed CVC money transmission services provided through DApps in its “Guidance on the Application of FinCEN’s Regulations to Certain Business Models Involving CVCs.” In the 2019 Guidance, FinCEN indicates the same regulatory interpretation that applies to mechanical agencies such as CVC kiosks applies to DApps that accept and transmit value, regardless of whether they operate for profit. Accordingly, when DApps perform money transmission, the definition of money transmitter will apply to the DApp, the owners/operators of the DApp, or both. In its 2019 Guidance, FinCEN further indicated that decentralized exchanges can be money transmitters. When transactions are matched, if a trading platform purchases the CVC from the seller and sells it to the buyer, then the trading platform is acting as a CVC exchanger, and thus falls within the definition of money transmitter and its accompanying BSA obligations.

Unlike centralized cryptocurrency exchanges and other financial institutions, DEXs, by design, lack a centralized governing body. This makes it difficult at best to implement any BSA program and to determine who in the DEX is accountable for complying with the BSA. In practice, few, if any, DEXs conduct any form of Know-Your-Customer (KYC) due diligence, meaning that any party with an internet connection can participate. The same open access model that allows easy access to those traditionally marginalized by the financial system also allows easy access to drug and human traffickers, sanctioned entities, money launderers, and other criminals. Despite these challenges, and while there is some disagreement as to how DEXs would be regulated, it is evident that many in the government, both regulators and politicians, are placing greater focus on the industry to combat illicit finance. Most notably, the US Securities and Exchange Commission recently announced it is investigating whether certain assets sold on DEXs qualify as securities, which would require a DEX to register as a broker-dealer. Broker-dealers are also covered financial institutions under the BSA.

Until the regulatory approach is clarified, users that engage with DEXs may be doing so at considerable individual risk. This risk is compounded by the design of DEXs and their use of LPs. Because LPs commingle deposited assets for users to trade against, stakers cannot select their counterparties. Once funds are deposited into a LP, these funds are then allocated by the AMM formula without regard to the source of funds or the destination. In effect, by swapping or staking digital assets to a LP, an individual has either direct or indirect exposure to every other individual swapping or staking digital assets to the same LP, including any bad actors involved. Therefore, without sufficient AML controls over DEXs and their users, individual users run the risk of engaging in financial transactions, either directly or indirectly, with persons engaged in criminal conduct.

Figure 1: Conceptual View of Financial Crime Risks associated with DEX Liquidity Pools 

Accordingly, for users, the paradox is that the difficulty in applying regulation to DEXs could mean that users will need to perform their own screening and due diligence on transactions to ensure they do not run afoul of US laws and regulations—a function that was traditionally the responsibility of centralized exchanges themselves. Users should be aware that it is a criminal offense to facilitate laundering the proceeds of crime, whether or not there is a regulatory requirement to have a compliance program. Therefore, users who wish to continue to engage with DEXs that have no financial crime oversight should consider implementing anti-financial crime controls. In reality, this may be practical only for users with sufficient resources to invest in the appropriate risk-mitigating tools. Blockchain analytics software, for example, can be used to conduct holistic financial crime risk assessments of a LP and in connection with individual trades. While this analysis can help an investor understand and identify many of the parties involved in a LP, it is not foolproof. Due to the lack of KYC controls among many DEXs and the anonymized nature of blockchain technology, it may not be possible to definitively identify each and every counterparty to a LP, so engaging with DEXs is still a potentially risky endeavor.
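The commingling described above can be made concrete with a small model of a USDC-ETH pool. This is an added example, not code from the article or from any DEX: it assumes constant-product pricing and pro-rata attribution of swap volume to stakers, and every address, amount and the watchlist are constructed.

```python
from dataclasses import dataclass, field

FEE = 0.0005  # 0.05% swap fee, the rate quoted in the article

@dataclass
class Pool:
    """USDC-ETH pool. Assumption: constant-product pricing (usdc * eth = k)."""
    usdc: float = 0.0
    eth: float = 0.0
    stakes: dict = field(default_factory=dict)  # staker -> USDC value provided
    swaps: dict = field(default_factory=dict)   # trader -> USDC swapped in

    def stake(self, addr, usdc, eth):
        # Deposits are made at the pool ratio, so both legs carry equal value.
        self.usdc += usdc
        self.eth += eth
        self.stakes[addr] = self.stakes.get(addr, 0.0) + 2 * usdc

    def swap_usdc_for_eth(self, addr, usdc_in):
        k = self.usdc * self.eth
        # The fee is withheld from the priced amount and stays in the pool.
        eth_out = self.eth - k / (self.usdc + usdc_in * (1 - FEE))
        self.usdc += usdc_in
        self.eth -= eth_out
        self.swaps[addr] = self.swaps.get(addr, 0.0) + usdc_in
        return eth_out

def staker_exposure(pool, watchlist):
    """Pro-rata flagged swap volume and fee income attributed to each staker."""
    flagged = sum(v for a, v in pool.swaps.items() if a in watchlist)
    total = sum(pool.stakes.values()) or 1.0  # avoid dividing by zero on an empty pool
    return {a: {"flagged_volume": flagged * v / total,
                "flagged_fees": flagged * FEE * v / total}
            for a, v in pool.stakes.items()}

def demo():
    # Constructed data; the watchlist stands in for a blockchain analytics feed.
    watchlist = {"0xFLAGGED"}
    pool = Pool()
    pool.stake("0xSTAKER_A", 3_000_000, 1_000)
    pool.stake("0xSTAKER_B", 1_500_000, 500)
    eth_out = pool.swap_usdc_for_eth("0xFLAGGED", 300_000)
    pool.swap_usdc_for_eth("0xTRADER_D", 200_000)
    return eth_out, staker_exposure(pool, watchlist)

if __name__ == "__main__":
    eth_out, exposure = demo()
    print(f"flagged trader received {eth_out:.3f} ETH")
    for staker, row in exposure.items():
        print(staker, row)
```

Neither staker chose the flagged address as a counterparty, yet each is attributed a share of its volume and earns fees on it in proportion to their stake.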


How Guidehouse Can Help

Guidehouse’s Cryptocurrency and Digital Asset Services Team is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to changing regulatory requirements. We can review and assess your compliance and risk program to determine whether it is sound, identify gaps or weaknesses, perform third-party vendor assessments, or conduct training on AML and Sanctions compliance, including blockchain tracing and analytics. 

As regulations and policies are created and amended, our team has the expertise to guide your organization through the regulatory and compliance environment and address the mounting complexities as cryptocurrencies are integrated into the finance mainstream.

Special thanks to Nick Bohmann for contributing to this article.

Sylvan Lane, “Gensler compares cryptocurrency market, regulations to ‘wild west,’” The Hill, September 14, 2021.
[1] Financial Crimes Enforcement Network (FinCEN), “Decentralized (distributed) application (DApp) is a term that refers to software programs that operate on a P2P network of computers running a blockchain platform (a type of distributed public ledger that allows the development of secondary blockchains), designed such that they are not controlled by a single person or group of persons (that is, they do not have an identifiable administrator).”
[2] FinCEN, “A ‘smart contract’ is simply a program that runs on the Ethereum blockchain. It's a collection of code (its functions) and data (its state) that resides at a specific address on the Ethereum blockchain.”
[3] An exchanger is a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency.
[4] An administrator is a person engaged as a business in issuing (putting into circulation) a virtual currency, and who has the authority to redeem (to withdraw from circulation) such virtual currency.

Alma Angotti, Partner

Gino Soave, Director

Gregory Schwarz, Associate Director
