The decentralized finance, or DeFi, space exploded over the last year, with a total value locked in DeFi of around $90 billion, according to DeBank. The DeFi ecosystem includes projects like Maker, Aave, Compound, Uniswap and more, with new ones rapidly emerging. DeFi is a broad concept to describe an emerging area of finance built using decentralized technological tools and characterized by being open, permissionless, disintermediated and with no single point of failure.
The spectrum of DeFi is broad, and the exact degree and mixture of various technological and governance features determine how decentralized a particular DeFi project is, or whether it is a DeFi at all. DeFi currently includes services like lending and borrowing, derivatives, margin trading, payments, asset management and nonfungible tokens, and it will expand and diversify in the future.
Rapidly expanding, the DeFi market has not escaped the attention of authorities — the Financial Action Task Force, or FATF, being one of them. The FATF is the intergovernmental policy-making body that monitors and sets international standards for Anti-Money Laundering and Counter-Terrorism Financing rules through its recommendations to governments. In March, the FATF issued a draft of revised guidance for a risk-based approach to virtual assets and virtual assets service providers, or VASPs, on which it was seeking comments from stakeholders until late April. The final revised guidance is due to be published in June.
The FATF first introduced a virtual asset and a VASP to its glossary in 2018 and explicitly clarified that FATF standards and recommendations apply to them. In June 2019, the FATF issued further guidance for a risk-based approach to virtual assets and VASPs, helping authorities respond to virtual asset activities and VASPs. Furthermore, it also helped private actors engaging in virtual asset activities understand their AML/CTF compliance obligations.
The forthcoming guidance focuses on six areas: 1) clarification of virtual asset and VASP definitions; 2) stablecoins; 3) the risks and potential risk mitigants for peer-to-peer transactions; 4) licensing and registration of VASPs; 5) implementation of the Travel Rule; and 6) principles of information-sharing and cooperation among VASP supervisors.
Some of the more intensely debated issues concern an expansive approach to the definition of a VASP, as FATF recommendations require that all VASPs are regulated for AML/CTF purposes, licensed or registered, and subject to monitoring or supervision. They will also be subject to the Travel Rule. It is therefore crucial for all participants in virtual asset-related activities to have clarity on whether they fall within the scope of a VASP definition.
DApps and VASPs
A VASP is defined as any natural or legal person who conducts, for or on behalf of another person (i.e., as an intermediary), certain activities or operations, including exchange — either between virtual assets and fiat currencies or between virtual assets — or transfer of virtual assets.
The FATF recognizes that VASP activities, the exchange or transfer of virtual assets, may also take place through decentralized exchanges. These are software programs that are decentralized or distributed applications, or DApps, that operate on a peer-to-peer network of computers running a blockchain protocol. A DApp itself is not considered a VASP since the FATF maintains that it does not seek to regulate the technology and its standards are meant to be technologically neutral.
However, the FATF makes it clear that it takes an expansive view on virtual asset and VASP definitions, and that most existing arrangements have some party involved that would qualify as a VASP, either at the development or launch stage of the project. Draft guidance specifies that DApps usually have a “central party” involved in creating and launching an asset, setting parameters, holding an administrative key or collecting fees, and such entities involved with the DApp may qualify as VASPs.
Which DeFi participants could be the potential new VASPs?
Similarly as stated in its 2019 FATF guidance, owner/operator(s) are mentioned, but this time, they not only may fall under a VASP definition but they likely fall within it since they are conducting VASP activities as a business on behalf of their customers. This would apply even if other parties have a role to play or the process is automated. In addition, any person involved in business development activities for DApps could qualify as a VASP, provided they engage in VASP activities as a business and on behalf of others (i.e., as intermediaries).
In addition, draft guidance specifies that anyone directing the creation, development or launching of the software to provide VASP services for profit is likely to be a VASP as well. A provider that launches a service would remain subject to VASP regulations in the future, even if the platform becomes fully automated and the provider is no longer involved. This is specifically the case when the provider could continue to benefit either directly, or indirectly, through fee collection or realizing a profit in some other ways. This could potentially apply to those developers that could benefit from an increase in the price of tokens, and the FATF specifically indicates that a party that profits from the use of a virtual asset could be a VASP. It is also not clear how holders of governance tokens would be treated, as the FATF explains that a decision-making entity that controls the terms of the financial service provided is likely to be a VASP as well.
The FATF is clear that launching an infrastructure is equivalent to offering its services, and commissioning others to build it is equivalent to actually building it. The whole lifecycle of a product or a service is relevant, and the decentralization of any individual element of operations does not affect qualification as a VASP and does not relieve such VASP of its obligations. The FATF also vaguely says that some kinds of matching or finding services could also qualify as VASPs even if not interposed in the transaction, despite stating that a pure-matching service platform that does not undertake VASP services would not be a VASP.
One of the implications of being caught within VASP definition would be an application of the Travel Rule, when VASPs will be required to perform extensive Know Your Customer and Anti-Money Laundering checks for the originator and beneficiary of transactions. Such requirements imposed on DeFi participants raise many concerns, not least of which are privacy and data protection issues.
DeFi is currently operating with no or minimal regulation, compared with traditional, centralized finance. It is becoming clear that some form of regulatory compliance for DeFi is inevitable. However, FATF draft guidance raises some questions. Under the current proposal, all kinds of parties considered central parties, entities involved or providers could face a high compliance burden of a VASP, even if their role in a DeFi project is limited, either in time or on merits.
Lacking further clarity as to exactly who and when would be caught within a VASP definition could prompt individual countries to adopt a broad regulatory scope and overregulate. It is also not clear how VASP obligations could even be applied in practice to DeFi or fulfilled across DeFi protocols, autonomous software and unhosted wallets.
DeFi is a new paradigm of finance, characterized by being open, permissionless and disintermediated. This multidimensional and dynamically evolving phenomenon is going through an experimental phase. It might be considered premature to impose stringent regulatory compliance obligations that were originally designed for centralized organizational structures, to an emerging DeFi ecosystem. It is as important to mitigate the risks as it is to not drive DeFi innovation underground, since this would achieve the opposite effect and could bring obscurity instead of transparency, and uncertainty instead of clarity.
Although the FATF’s guidance is not legally binding, it is expected to be followed. Countries that fail to do so risk being added to the so-called FATF “grey list” of jurisdictions under increased monitoring or “black list” of high-risk jurisdictions subject to a call for action. The stakeholders have provided their feedback, and now it is the FATF’s turn to issue the final guidance, which might determine the next chapter for DeFi.
This article is for general information purposes and is not intended to be and should not be taken as legal advice.
Agata Ferreira is an assistant professor at the Warsaw University of Technology and a guest professor at a number of other academic institutions. She studied law in four different jurisdictions, under common and civil law systems. Agata practiced law in the U.K. financial sector for over a decade in a leading law firm and in an investment bank. She is a member of a panel of experts at the EU Blockchain Observatory and Forum and a member of an advisory council for Blockchain for Europe.