FATF wants governments to hold the people behind DeFi protocols accountable

After two years of back and forth with the industry, the global anti-money laundering watchdog has finalized its crypto guidance.

And while the final iteration includes welcome clarifications to certain controversial definitions, people close to the industry warn that the devil is in the implementation.

The Financial Action Task Force (FATF) first released its draft guidance for virtual assets in 2019, and since then has conducted comprehensive reviews and revisions. The main thrust of the project has been to develop guidelines to help member jurisdictions curb anonymity in crypto transactions — and to apply certain standards to the crypto industry that are already accepted in traditional finance.

Chief among these proposed standards: the so-called travel rule, which would require crypto exchanges and money transmitters, which FATF terms "virtual asset service providers" or VASPs, to share identifying information about the parties on each end of the transaction.

Throughout the two-year process, industry players complained that portions of the guidance were unclear, with two concerns topping the list. First, who exactly would count as a VASP? The original definition seemed like it could include software protocols, and it remained unclear how the standards could apply to smart contracts transmitting funds. And second, how will VASPs effectively and securely transmit the necessary information?

The task force delayed finalizing the guidance in order to address these concerns. The final version has extra sections breaking down the meat of those definitions and clarifying how the watchdog recommends applying them to less-easily-categorized areas like decentralized finance (DeFi).

Now the onus is on FATF’s members to implement those guidelines. The way that will look across the world is bound to vary, because despite the clarifications the guidelines remain open-ended, particularly for DeFi.

Still, FATF has made at least one thing clear: it wants jurisdictions to identify the faces behind the protocols and hold them accountable.

What's in the guidance

The finalized recommendations include additional pages clarifying the FATF's initial language and answering the industry's questions about how VASP definitions apply to DeFi. These pages break down the language of the definition phrase by phrase, explaining in detail each prong of the definition — including deep dives on words and phrases like "as a business" and "conducts."

But the meat of the clarification comes in its DeFi section, which explains what "exchange and transfer" entails. Here, the FATF gets at the heart of the DeFi problem: no matter how decentralized an entity, it wants those who have a business interest in the platform and have some degree of control over its operations held accountable for anti-money laundering compliance.

"It seems quite common for DeFi arrangements to call themselves decentralized when they actually include a person with control or sufficient influence, and jurisdictions should apply the VASP definition without respect to self-description," the guidance stated.

Many in the DeFi community complained about earlier versions of the guidance, arguing that the definition of a VASP seemed to include certain smart contracts. They said the policy was clumsy and perhaps even impossible. The updated language seeks to find a way around that. 

What the FATF did was clever, according to Joseph Weinberg, co-founder of Shyft, which has developed software that helps exchanges comply with the travel rule. It clarified its language to shift focus from smart contracts to the people behind them, leaving plenty of room for adjustments as the space iterates while still making it clear that projects need to be held accountable, he said.

"In their initial draft, what they were trying to say is this exact argument of we're not talking about smart contracts, we're talking about the people that are in control or in charge of moving funds on behalf of a smart contract, so whether that be builders, core teams, DAO key signers," said Weinberg.

Local regulators should be able to identify and hold a person of sufficient influence accountable, according to the guidance.

Still, it's up to individual jurisdictions to discern how they want to go about doing that and which operations they feel present money laundering risks. Under these clarifications, that could be anyone, save for users. "Basically, it reads to me that what they've done is any new project getting off the ground is inherently a VASP," said Weinberg.

This is because a project can't start decentralized, it has to be built by someone and migrated to a more decentralized entity over time. With this language, the process of building an open-source project seems to designate makers as VASPs, according to Weinberg.

"So if you're a startup team or you haven't deployed stuff yet, if you're raising capital on behalf of the project to get it off the ground, you're a money transmitter in effect," he said.

How FATF views implementation

Ultimately, FATF’s guidance leaves each of its clarifying cases open-ended, frequently reminding jurisdictions to consider DeFi “case by case.”

At this point, the FATF has effectively done its part. The standards have been set. Rick McDonell, former FATF executive secretary and current director of the Association of Certified Anti Money Laundering Specialists, said the watchdog is unlikely to issue new documents related to these issues any time soon.

"So the onus will now be on the private sector to meet all the requirements, including the travel rule, of course. And on the supervisors, the national supervisors, to ensure that that happens," he said.

However, FATF will continue its cycle of country evaluations, meaning local jurisdictions will have to show that they are taking the money laundering risks FATF has identified in the digital asset sector seriously. Those who fail to live up to FATF standards could end up on its grey list, the jurisdictions for which it recommends "increased monitoring."

While firms like Shyft are working on deploying products for complying with the travel rule, McDonell said there seems to be an understanding from the FATF that compliance will take more time.

"I would expect that this is going to take quite some time, a year or two in my view, to get all of the moving parts in place by most of the virtual asset service providers who don't yet have those tools in existence," said McDonell.