Six months ago, while I was still a lawyer working for the Maker Foundation, I published a forum post about the consultation paper by FATF, an intergovernmental body that creates global AML standards, about their new crypto guidance.
FATF has just published the final version of the guidance. It’s available here.
Crypto Twitter is full of useful analysis on how that will impact DeFi. Coin Center published a brief and accurate writeup (mainly from the US perspective).
Let me briefly provide some thoughts on how the new crypto guidance may impact Maker. It is just my opinion based on the first reading, and not legal advice for anyone.
Before we get to details, just a few general thoughts from me:
- This is not law. FATF standards are usually followed and implemented by individual countries, but this is only a guidance.
- The guidance is vague. It offers a lot of discussion on DeFi, but not that many concrete conclusions. The real fight will happen in individual jurisdictions.
- This is an important development, but no need to spread FUD. Discussion on how to approach crypto, and particularly DeFi, from the AML perspective is advanced, but still ongoing. In my view Maker governance should tackle the challenge in the same way as it usually does: with no rush, after robust discussion, and based on facts.
- The best long-term response will be more complex than the extreme options of going YOLO on one hand and adopting an overarching AML/KYC system on top of everything Maker does on the other. My opinion is that Maker will need both more decentralization and more responsibility of certain actors.
Who is a VASP?
The key considerations in the guidance are around the topic of who is a VASP (Virtual Asset Service Provider, subject to AML/KYC obligations) in the context of crypto and especially DeFi.
In short, it’s about looking for actors to put them under the AML obligations—completely in line with the overall logic of this regulatory framework, which is about regulating intermediaries.
I think that many commentators are missing one of the first statements made on this by FATF:
“A DeFi application (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology.”
This is great. My interpretation is that the Maker Protocol, as a set of autonomous smart contracts, is not a VASP by itself. That might be obvious for many, especially here, but it’s great to see it in the FATF’s guidance. FATF wants to see humans and their organizations as VASPs.
Now look at this:
“Where it has not been possible to identify a legal or natural person with control or sufficient influence over a DeFi arrangement, there may not be a central owner/operator that meets the definition of a VASP.”
That’s even better. FATF reluctantly admits that end of day there can be actually decentralized DeFi with no VASPs whatsoever (even though there are calling out decentralization theater of many projects). I think that this is very important for Maker with its strong focus on decentralization.
Of course, the overall tone is different. FATF included a lengthy discussion on who might constitute a VASP in DeFi, and there are many, many ideas. Here are a few examples (potentially relevant for Maker) on where their thinking is going in terms of who should be covered and subject to AML/KYC obligations:
“Creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services. (…) For example, there may be control or sufficient influence over assets or over aspects of the service’s protocol, and the existence of an ongoing business relationship between themselves and users, even if this is exercised through a smart contract or in some cases voting protocols. Countries may wish to consider other factors as well, such as whether any party profits from the service or has the ability to set or change parameters to identify the owner/operator of a DeFi arrangement.”
“A person that creates or sells a software application or a VA platform (i.e., a software developer) may therefore not constitute a VASP, when solely creating or selling the application or platform. Using the application or platform to engage in VASP functions, as a business on behalf of others, however, would change this determination. In addition, a party directing the creation and development of the software or platform, so that they can provide VASP services as a business for or on behalf of another person, likely also qualifies as a VASP, in particular if they retain control or sufficient influence over the assets, software, protocol, or platform or any ongoing business relationship with users of the software even if this is exercised through a smart contract.”
“In cases where a person can purchase governance tokens of a VASP, the VASP should retain the responsibility for satisfying AML/CFT obligations. An individual token holder in such a scenario does not have such responsibility if the holder does not exercise control or sufficient influence over the VASP activities undertaken as a business on behalf of others”
“Stablecoins can be more centralised or more decentralised. (…) Central governance bodies of stablecoins will, in general, be covered by the FATF standards either as a VASP or a FI. When a similar function is provided with a degree of decentralisation, it is expected that countries will take a functional approach to identify obliged entities (…) regardless of institutional design and names.”
In general, the FATF thinks that
“When there is a need to assess a particular entity to determine whether it is a VASP or evaluate a business model where VASP status is unclear, a few general questions can help guide the answer. Among these would be who profits from the use of the service or asset, who established and can change the rules, who can make decisions affecting operations, who generated and drove the creation and launch of a product or service, who maintains an ongoing business relationship with a contracting party or another person who possesses and controls the data on its operations, and who could shut down the product or service. Individual situations will vary and this list is not definitive and offers only some examples.”
You can see that while FATF can imagine fully decentralized DeFi, in practice the idea is to look very closely for persons / entities who could qualify as VASPs. The above broad language can be very concerning, but look how imprecise it is. The central theme is that anyone with “control or sufficient influence” over a DeFi product can be deemed a VASP, but those terms are not defined at all. It is a guidance for individual jurisdictions on how to think about applying AML to DeFi, but this general thinking will need to operationalized in order to stand as law.
As we could have learned from forum and discord earlier today, SES is on top of the topic and will release a grant to receive a much more in-depth analysis—which is great. That’s just my opinion, but in general I am hopeful that end of day Maker will be able to keep the core protocol permissionless, and adjust to requirements like those above by adjusting the edges.