Managing Financial Crime Risk in the “Wild West”

In our October 15, 2021, article titled “Managing Financial Crime Risk in the ‘Wild West,’” Guidehouse discussed the inherent risk when engaging in financial transactions through decentralized finance (DeFi) cryptocurrency protocols. Since that time, DeFi has been identified by both private firms and government regulators as increasingly being used for money laundering and sanctions evasion by illicit actors. While DeFi protocols have largely avoided direct regulatory enforcement, on September 16, 2022, the White House released a follow-up to Executive Order 14067 entitled “Comprehensive Framework for Responsible Development of Digital Assets,” indicating that DeFi protocols represent a significant risk for illicit finance and are a priority for potential enforcement/regulation by the Biden administration¹. This, coupled with the Treasury’s Office of Foreign Assets Control’s (OFAC) recent designation of DeFi cryptocurrency mixer Tornado Cash, and the subsequent arrest in the Netherlands of a suspected Tornado Cash developer on suspicion of “facilitating money laundering,” indicates that DeFi protocols, developers, and users may soon face unprecedented scrutiny from regulatory and criminal authorities. In this article, we continue our discussion of emerging risks connected to DeFi and propose practical measures stakeholders can implement to address risks and potential regulatory expectations.

Current State of Regulations

Despite criticism from some in the cryptocurrency community, regulators and anti-financial crime groups have signaled an intent to establish greater controls over DeFi. In 2019, the Financial Crimes Enforcement Network (FinCEN) indicated that decentralized finance applications (DApps) that accept and transmit value are money transmitters. Therefore, they are covered financial institutions under the Bank Secrecy Act (BSA) requiring the implementation of a risk-based anti-money laundering (AML) program². This was further articulated in Treasury’s Action Plan to Address Illicit Financing Risks of Digital Assets, where it reiterated that DeFi protocols may constitute Virtual Asset Service Providers (VASP)³ and thus have AML and Combating the Financing of Terrorism (CFT) obligations.

Before this regulation can be enforced, a pressing question remains: Who is the natural or legal person responsible for the implementation of AML controls if DeFi is truly decentralized? FinCEN and the Financial Action Task Force (FATF) both touched on this issue. In 2019 Guidance, FinCEN touched on several scenarios where certain parties to a DApp may be classified as a money transmitter under BSA/AML regulations. FATF also outlined considerations in assigning responsibility to those natural or legal persons with sufficient influence or control behind a DeFi protocol as VASPs. FATF indicated that “the use of an automated process such as a smart contract to carry out VASP functions does not relieve the part(ies) of responsibility for VASP obligations.” In addition, launching a service that will provide VASP services imposes VASP obligations (i.e., AML obligations), even if those functions will proceed automatically in the future.

Therefore, in considering the natural person or legal person who may have VASP obligations over a DApp, FATF advised stakeholders to examine whether a legal or natural person has control or sufficient influence over the protocol. In determining this, stakeholders should look to: (1) who profits from the use of the service or asset; (2) who established and can change the rules; (3) who can make decisions affecting operations; (4) who generated and drove the creation and launch of a product or service; (5) who maintains an ongoing business relationship with a contracting party or another person who possesses and controls the data on its operations; and (6) who could shut down the product or service.

Individuals who could subject themselves to regulatory scrutiny could be:

• Developers: Developers of DApps have already come under law enforcement scrutiny for their involvement with the protocols they create. As mentioned previously, Dutch authorities have arrested a Tornado Cash developer for allegedly facilitating money laundering. This arrest shows that law enforcement agencies are willing to hold developers responsible for how their DApps are used. While Tornado Cash may be a special case due to its use in high profile hacks by numerous bad actors, including North Korea’s Lazarus Group, developers: (1) may be classified as money transmitters under the BSA if the protocol is used or deployed to engage in money transmission, and (2) may  fall into several of FATF’s categories for determining control as they can establish rules, make decisions that affect operations, and clearly are the ones who generated the creation of the DApp.

• Material Holders⁴ of Governance Tokens and Active Voting Participants: Many DApps are affiliated with and governed by Decentralized Autonomous Organizations (DAOs). DAOs are online collectives of investors relying on smart-contract technology to make shared decisions. DAO members hold governance tokens, which allow the token holders to vote on proposals, such as updates to a DApps protocol, based on the number of tokens a user holds. While governance tokens are not perfectly analogous with traditional shares in a company (because they generally do not confer ownership rights), governance token holders can vote on making changes to a DApp’s protocols and procedures, and therefore material holders of governance tokens and active voting participants could fall within FATF’s definition of legal or natural persons who may have VASP obligations over a DApp⁵.

• Material Stakers⁶  to Liquidity Pools: While the case for material stakers to liquidity pools facing regulatory scrutiny is perhaps less direct than for developers and governance token holders, material stakers still could face risks. Not all types of DApps have liquidity pools and, therefore, not all will have stakers (notably, mixers such as Tornado Cash do not have liquidity pools). However, as we discussed in our previous article (referenced above), stakers in decentralized exchanges (DEXs) may unwittingly be the support that financially floats a DEX that is used by illicit actors to launder funds and evade sanctions at egregious levels. Additionally, material stakers fulfill FATF’s first point in determining material control by profiting from the services of DEXs by collecting fees. Stakers should be aware that FinCEN has also indicated that an investor or an owner/operator that uses or deploys a DApp to engage in money transmission may also qualify the investor or owner/operator as a money transmitter under the BSA.

Ultimately, developers and financial backers need to consider the potential AML and regulatory risks, and the potential risk of personal liability, when building and or investing in DeFi to avoid crippling civil and criminal penalties. 

Mitigation Risk for Developers, Stakers, and Governance Controllers

Developers, stakers, and those with technical/voting control need to recognize that regulators, both within the US and globally, are unlikely to permit unfettered financial activity without some level of control. Further, Guidehouse continues to advise its clients that it is still a criminal offense to facilitate laundering the proceeds of crime, regardless of compliance program regulatory requirements. These parties may ultimately be responsible for ensuring compliance with BSA/AML regulations. Therefore, it is in the best interests of all parties with sufficient influence or control over a DApp to immediately start ensuring compliance with AML laws and regulations.

Mitigation Risk for Traditional Banks and Cryptocurrency Exchanges

DApps are not the only stakeholders that need to prepare. We have observed numerous clients engage with and, in some cases, onboard DApps through DAOs. The question remains: How do financial institutions onboard DApps through DAOs and maintain compliance with customer due diligence and screening requirements? For example, a DAO may approach an exchange through a representative; however, it is typically not clear what individuals truly own and control the DAO. This complicates the ability of FIs to comply with FinCEN’s Conduct Due Diligence (CDD) Rule, which requires identification and verification of beneficial owners and key controllers.

From a beneficial ownership perspective, banks and cryptocurrency exchanges may be able to rely on FinCEN’s pooled investment vehicle (PIV) exemption. Simply, PIVs are exempted from Ultimate Beneficial Ownership (UBO) requirements because ownership of a PIV fluctuates—it would be impractical for covered financial institutions to collect and verify ownership identity for this type of entity. DAOs also exhibit this level of fluctuation and thus there may be a similar level of impracticality in identifying beneficial owners. Nevertheless, FIs are still ultimately required to identify and verify a key controller of a PIV and are likely expected to identify the key controller of a DAO. FATF’s sufficient control or influence tests may be a logical approach. 

Finally, banks and exchanges onboarding a DApp through a DAO will still need to ensure that a DApp has established a risk-based AML program. Currently, many DApps lack compliant AML programs. This may ultimately prevent most exchanges and banks from engaging in any direct account relationship with a DApp, barring additional regulatory guidance. Those banks or cryptocurrency exchanges that choose to onboard these clients should ensure that they have robust controls in place to mitigate risks involving a DApp as a client, including limiting a DApp’s activity through their financial institution.

How Guidehouse Can Help

Guidehouse can help its clients assess their compliance programs to navigate these regulatory risks, including developing and implementing updates to operations, policies, procedures, controls, and technology. Its areas of relevant expertise include the following:

• AML and OFAC advisory
• AML and OFAC program management outsourcing
• Know-your-customer and enhanced due diligence
• Blockchain analytics, risk analysis, and tracing
• Strategic planning
• Risk management
• Vendor sourcing and governance
• Executive training

Guidehouse can review and assess your risk profile to identify gaps or weaknesses, evaluate your processes and procedures, and conduct training on related AML and OFAC compliance.

Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.

Special thanks for contributions from Nick Bohmann and Shelby Stimac.

^{1 Treasury will complete an illicit finance risk assessment on decentralized finance by the end of February 2023 and an assessment on non-fungible tokens by July 2023. Learn more here.
2 US Department of the Treasury, Action Plan to Address Illicit Financing Risks of Digital Assets. “DeFi services providers may have AML/CFT obligations if they operate wholly or in substantial part in the United States and offer money transmission services.”
3 Any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: (1) exchange between virtual assets and fiat currencies; (2) exchange between one or more forms of virtual assets; (3) transfer of virtual assets; (4) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and (5) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
4 A “material holder” is an individual who holds a large percentage of a governance token.
5 On September 22, 2022, the Commodities Futures Trading Commission (CFTC) charged Ooki DAO with “Offering Illegal, Off-Exchange Digital-Asset Trading, Registration Violations, and Failing to Comply with Bank Secrecy Act.” In the complaint against the DAO, the CFTC described the DAO as an “unincorporated association comprised of holders of Ooki Tokens who have voted those tokens to govern (e.g., to modify, operate, market, and take other actions with respect to) the Ooki protocol.” This could signal that the CFTC considers active voting participants as liable for the actions of a DAO. See CFTC press release.
6 DeFi stakers are individuals who lock up crypto assets into a smart contract in exchange for rewards and generating passive income. A 'material' staker is an individual who stakes a large percentage of a particular token.
7 Guidehouse recognizes that cryptocurrency exchanges as Money Transmitters/Money Services Businesses are not covered financial institutions under the CDD Rule (See fn.3). Nevertheless, cryptocurrency exchanges are required to establish risk-based AML programs and, therefore, many have already implemented the CDD rule to mitigate their AML and sanctions risk and avoid potential regulatory scrutiny.}