Emerging global AML/KYC framework and DeFi (and Maker)

Hi there. Some of you may be interested in an important development within one of the key DeFi legal / regulatory areas.

FATF, an intergovernmental organization responsible for global AML coordination efforts, has just released a consultation paper related to the revision of their guidance on the “risk-based approach to virtual assets (VAs) and virtual asset service providers (VASPs)”:


It’s all about crypto, and many topics of their interest (Dapps, p2p transactions, etc.) are in practice all about DeFi.

This is important because FATF’s recommendations are usually implemented into legal systems of all major jurisdictions. The final revised guidance (to be adopted as a result of this consultation) will shape at least some of the key aspects of the global AML framework for DeFi.

Food for thought, especially for the future legal core unit.


Is there a definition of what they consider a “VASP”?

Yes. It’s available in the FATF Glossary:

Virtual asset service provider means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
* i. exchange between virtual assets and fiat currencies;
* ii. exchange between one or more forms of virtual assets;
* iii. transfer of virtual assets;
* iv. safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
* v. participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

Now, FATF does not propose to change this definition (adopted in 2019), but they want to amend the associated guidance instead.

For example, this is what they see as a general rule (VA = virtual asset):

Despite the many and frequently changing marketing terms and innovative business models developed in this sector, the FATF envisions very few VA arrangements will form and operate without a VASP involved at some stage if countries apply the definition correctly.

Also, that’s what they write about exchange and transfer in the context of decentralized systems:

56. Exchange or transfer services may also occur through so-called decentralized exchanges or platforms. ... Dapp, for example, is a term that refers to a software program that operates on a P2P network of computers running a blockchain protocol ... Often, a DApp user must pay a fee to the DApp, which is commonly paid in VAs, for the ultimate benefit of the owner/operator/developer/community in order to develop/run/maintain the software. DApps can facilitate or conduct the exchange or transfer of VAs.

57. A DApp itself (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology (see below). However, entities involved with the DApp may be VASPs under the FATF definition. For example, the owner/operator(s) of the DApp likely fall under the definition of a VASP, as they are conducting the exchange or transfer of VAs as a business on behalf of a customer. The owner/operator is likely to be a VASP, even if other parties play a role in the service or portions of the process are automated. Likewise, a person that conducts business development for a DApp may be a VASP when they engage as a business in facilitating or conducting the activities previously described on behalf of another natural or legal person. The decentralization of any individual element of operations does not eliminate VASP coverage if the elements of any part of the VASP definition remain in place.

Remember, FATF provides a general framework and individual countries remain responsible for their own implementations. In some of them the new regulatory category of VASP was introduced in the past 2-3 years, in some others the conclusion is that the current regulatory regimes are sufficiently broad, in a few others the discussion is ongoing. However, whatever happens at the FATF level sets a general direction.

What the community should consider is: (1) monitoring the developments, (2) (perhaps) participating in the discussions with policymakers, (3) actively taking the developments into account when creating and adjusting its strategy and setup.


In your sole opinion, do you think the community should have a compliance team, or a legal core unit is sufficient?


A capable legal core unit focused on key major jurisdictions is definitely a good starting point!


Thanks a lot for the heads up!

Hi, I think a compliance team is always best to have. Compliance is more knowledgeable when it comes to practicalities, in my opinion. Legal interprets the regulation while compliance implements it, usually. Ideally, the compliance team should also have a legal background.


Honestly, I would also want an advocacy core unit team that can look into working with the likes of Akin Gump, BGR, Holland & Knight, etc.

I’m totally into this if anybody is also interested in working on such—I’ve seen a few Telegram groups talk about doing the same—with the profits being generated by DeFi protocols—we do have the ability to go out there and educate All.


Lobbying-DAO? Why not have the DAO apply to be a member in different trade associations that perform that function? Probably a better use of funds than hiring a singular law firm.


@jacek by the way the co-founder of Shyft Network, Joseph Weinberg posted this on TG with regards to the FATF recommendation:

“TLDR, most developer teams are now likely VASPs, DAO’s & the people that are actual multisig Keysigners are all now likely VASPs. will send full notes on the proposed updates from FATF in the next few days, but buckle up, DEFI, non custodial, are all at compliance war now.”

I am thinking it would be best to deal directly with say, Akin Gump—on what the vision of MakerDAO is and what we strive for—but, yes—you’re right it is very expensive. Assuming the top players in DeFi unite (Compound, Uniswap, AAVE, Maker) would we all have the same drive/intentions? Hopefully.


Out of the gate, I think it might be a challenge to get Akin (or a similarly statured shop) to work with a DAO as we’ve set out here. Perhaps if there were a specific government relations Core Unit that could interface with different associations, law firms, etc., we could get them comfortable with representing a “DAO” in practice.


While I do think that more cooperation within the space is much needed, I actually think that Maker has a unique potential to play a big role and be heard among policymakers and regulators. I am saying this as one of the people leading public policy & advocacy activities of the Foundation over the past years. The project is quite well-known and usually highly respected in policymaking circles (both internationally and in individual countries), and I am sure that this capital can be used also in the ongoing global discussion around AML.


“FED’s POWELL: Regulation Not Where It Needs To Be Yet On Global Stable Coins” -Walter Bloomberg via Twitter

@jacek in your own sole opinion, would it not be better for Core Units to NOT incorporate under an LLC, Inc., etc.? Reason I ask, it seems as if the FATF guidelines definition of a VASP pertains to entities involved with DApps, such as operators/owners.

Also, can you please expand on the definition of “Proliferating Financing” Risk? In simple words, this is saying that VASPs should implement KYC/AML?

Not incorporating wouldn’t dodge the issue, it would just create unlimited liability for individuals as a general partnership. Not recommending one way or the other here, just saying that dodging the entity formation issue isn’t a solution.

This is a more general problem with DAOs also. Gabriel Shapiro is one of the thought leaders on this area and has some interesting tweet threads and articles.

If the community is serious about having someone put together concise and well written summaries on the risks of this guidance, I know two of the top 5 attorney thought leaders in this space when it comes to DAOs and defi. This is hard work though and giving legal advice opens them up to legal risk. A very rough estimate would be something like $25k for a writeup and continued advice as things develop over the next year or two.


Who would you recommend as a thought leader?

Interesting takes from Hester Peirce, Commissioner, Securities and Exchange Commission:

“DEX AMMs that are trading securities among other things, need to think about the security implications there.”

“Strategies that Mimic securities, or are doing things related to asset management fall under the purview of the SEC”

“to the CeFi world, don’t try to embolden regulation to stop DeFi from developing but look for ways to interact with it to the extent that it is valuable for you and then you can be part of the growth that is going on in that part of the economy”

Tough love from Hester. It’s like she loves you one day and then the next… :laughing:


I think you are quoting from the BIS meeting “CeFi to DeFi: can global finance be de/re-constructed?” that had no speaker from DeFi at all.

When someone from MakerDAO will be at those meetings, that will be the new dawn.


Indeed. But, it had Joe Lubin, he’s 1000% ETH/DeFi. I mean he might have acted as he is not all about DeFi-- but can you blame him… I thought it was a positive talk for DeFi

As I understand, facilitating some DeFi project (i.e. running a web site) without KYC could be illegal. Voting without KYC could be illegal. Having an admin key without KYC could be illegal. Do we implement KYC or try to find a loophole (assuming a rebellion does not help)?