Part 2: Recognising key challenges
Smart contracts are only as good as the data that feeds them – and a lot of that data resides, already, on the centralised side. Centralised oracles are needed to validate that data so that it is received in a meaningful form, whether KYC/AML or other forms of data that feed smart contracts. Of course, whether traditional or digital data sources, the ‘garbage in, garbage out’ adage always applies.
While there is general consensus that there simply isn’t enough data around decentralised processing, there remains a lack of clarity on exactly what data needs to be captured, and how. The challenge is that it requires a mix of technology and policy. In the digital age – where governance of specific digital assets may be encoded – the lines get blurry and it’s not entirely clear how policy makers will insert themselves into the process.
With respect to FATF guidelines, initial concerns centred on client activity (KYC) and cross-border (intra-jurisdictional) transactions. Virtual Asset Service Providers (VASPs) are now included in FATF travel rule guidelines alongside financial institutions and as such have to maintain (and share) required information for all transactions in excess of $1,000.
A key DeFi challenge is that noncustodial wallets and smart contracts manage all of the activity in the transaction lifecycle intrinsically – there are no single counterparties. Regulators in a number of jurisdictions are pushing back on this point, asserting that even in a decentralised transaction, there will be developers and/or a governance structure that point at a single entity, set of entities or individuals.
While the need for a more regulated DeFi environment is a given, until such time as regulation exists there will be non-regulated DeFi pools for which some form of protection is needed. Institutions must look at how they interact with certain counterparties and be able to validate that the ‘what’ they’re interacting with is legit.
While Banks have the Federal Deposit Insurance Corporation (FDIC), DeFi and CeFi participants on the sell-side need a similar safety net to l protect depositors against hacks or fraud and allow this nascent industry a chance to grow. Similarly, on the buyside, market participants may be keen to access potentially very attractive, high-yielding opportunities, directly and in terms of funds management. But as regulated entities, they need to know, with certainty, ‘who’ is on the other side of any transaction, and with what they’re interacting.
While regulators in many jurisdictions (UAE, UK, Europe, US, Asia) contemplate appropriate and proportionate regulatory action, there is also a need for a degree of self-regulation in this space. The Chicago DeFi Alliance is one example of a group of organisations coming together as ‘good actors’ to look at self-regulation.
A multi-pronged approach, from self-regulation to security, facilitates pre-emptive action to fill gaps in our understanding of where a lot of illicit fund movement is taking place – and where it originates – before it hits an exchange (centralised or decentralised).
As with traditional assets under management (AUM), managing the DeFi equivalent – total value locked to a blockchain – requires automation of threat identification and response, and investigations, processes.
A lot of fuss is made about KYC and AML with respect to validation of ‘digital identity’, but it’s not a case of having to reinvent the wheel. Product issuers must, however, consider how to continually apply – and comply with – FATF and OFAC obligations, not as an afterthought or in response to an event, but as a seamless, integrated activity. In terms of ongoing validation, those institutions reluctant to move assets on-chain could keep them sitting with custodians, with initial validations reflected as upstream credits to be utilised across a broad range of ‘valid’ venues and participants. In the B2B environment, this ‘many to many’ utility approach to KYC/AML is integral to the digital identity validation process. Illustrating this approach, Pyctor, incubated under ING Labs and now part of the GMEX group, has developed a distributed, open-source model for FATF compliance and AML validation, driven by a layer-two blockchain. (This is also an example of CeFi/DeFi convergence).
While some banks remain reticent to touch crypto assets, even on the fiat leg of transactions, the fact is that most KYC/AML systems are centralised utilities that manage sanctioned entity blacklists and Politically Exposed Persons (PEPs). As such, the same validations and calls could be part of the process of onboarding.