FATF Guidance (Crypto vs. AML) and Maker

Six months ago, while I was still a lawyer working for the Maker Foundation, I published a forum post about the consultation paper by FATF, an intergovernmental body that creates global AML standards, about their new crypto guidance.

FATF has just published the final version of the guidance. It’s available here.

Crypto Twitter is full of useful analysis on how that will impact DeFi. Coin Center published a brief and accurate writeup (mainly from the US perspective).

Let me briefly provide some thoughts on how the new crypto guidance may impact Maker. It is just my opinion based on the first reading, and not legal advice for anyone.

General thoughts

Before we get to details, just a few general thoughts from me:

  • This is not law. FATF standards are usually followed and implemented by individual countries, but this is only a guidance.
  • The guidance is vague. It offers a lot of discussion on DeFi, but not that many concrete conclusions. The real fight will happen in individual jurisdictions.
  • This is an important development, but no need to spread FUD. Discussion on how to approach crypto, and particularly DeFi, from the AML perspective is advanced, but still ongoing. In my view Maker governance should tackle the challenge in the same way as it usually does: with no rush, after robust discussion, and based on facts.
  • The best long-term response will be more complex than the extreme options of going YOLO on one hand and adopting an overarching AML/KYC system on top of everything Maker does on the other. My opinion is that Maker will need both more decentralization and more responsibility of certain actors.

Who is a VASP?

The key considerations in the guidance are around the topic of who is a VASP (Virtual Asset Service Provider, subject to AML/KYC obligations) in the context of crypto and especially DeFi.

In short, it’s about looking for actors to put them under the AML obligations—completely in line with the overall logic of this regulatory framework, which is about regulating intermediaries.

I think that many commentators are missing one of the first statements made on this by FATF:

“A DeFi application (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology.”

This is great. My interpretation is that the Maker Protocol, as a set of autonomous smart contracts, is not a VASP by itself. That might be obvious for many, especially here, but it’s great to see it in the FATF’s guidance. FATF wants to see humans and their organizations as VASPs.

Now look at this:

“Where it has not been possible to identify a legal or natural person with control or sufficient influence over a DeFi arrangement, there may not be a central owner/operator that meets the definition of a VASP.”

That’s even better. FATF reluctantly admits that at the end of the day there can be actually decentralized DeFi with no VASPs whatsoever (even though they are calling out the decentralization theater of many projects). I think that this is very important for Maker with its strong focus on decentralization.

Of course, the overall tone is different. FATF included a lengthy discussion on who might constitute a VASP in DeFi, and there are many, many ideas. Here are a few examples (potentially relevant for Maker) on where their thinking is going in terms of who should be covered and subject to AML/KYC obligations:

  • “Creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services. (…) For example, there may be control or sufficient influence over assets or over aspects of the service’s protocol, and the existence of an ongoing business relationship between themselves and users, even if this is exercised through a smart contract or in some cases voting protocols. Countries may wish to consider other factors as well, such as whether any party profits from the service or has the ability to set or change parameters to identify the owner/operator of a DeFi arrangement.”

  • “A person that creates or sells a software application or a VA platform (i.e., a software developer) may therefore not constitute a VASP, when solely creating or selling the application or platform. Using the application or platform to engage in VASP functions, as a business on behalf of others, however, would change this determination. In addition, a party directing the creation and development of the software or platform, so that they can provide VASP services as a business for or on behalf of another person, likely also qualifies as a VASP, in particular if they retain control or sufficient influence over the assets, software, protocol, or platform or any ongoing business relationship with users of the software even if this is exercised through a smart contract.”

  • “In cases where a person can purchase governance tokens of a VASP, the VASP should retain the responsibility for satisfying AML/CFT obligations. An individual token holder in such a scenario does not have such responsibility if the holder does not exercise control or sufficient influence over the VASP activities undertaken as a business on behalf of others”

  • “Stablecoins can be more centralised or more decentralised. (…) Central governance bodies of stablecoins will, in general, be covered by the FATF standards either as a VASP or a FI. When a similar function is provided with a degree of decentralisation, it is expected that countries will take a functional approach to identify obliged entities (…) regardless of institutional design and names.”

In general, the FATF thinks that

“When there is a need to assess a particular entity to determine whether it is a VASP or evaluate a business model where VASP status is unclear, a few general questions can help guide the answer. Among these would be who profits from the use of the service or asset, who established and can change the rules, who can make decisions affecting operations, who generated and drove the creation and launch of a product or service, who maintains an ongoing business relationship with a contracting party or another person who possesses and controls the data on its operations, and who could shut down the product or service. Individual situations will vary and this list is not definitive and offers only some examples.”

You can see that while FATF can imagine fully decentralized DeFi, in practice the idea is to look very closely for persons / entities who could qualify as VASPs. The above broad language can be very concerning, but look how imprecise it is. The central theme is that anyone with “control or sufficient influence” over a DeFi product can be deemed a VASP, but those terms are not defined at all. It is a guidance for individual jurisdictions on how to think about applying AML to DeFi, but this general thinking will need to be operationalized in order to stand as law.

Next steps

As we could have learned from the forum and Discord earlier today, SES is on top of the topic and will release a grant to receive a much more in-depth analysis—which is great. That’s just my opinion, but in general I am hopeful that at the end of the day Maker will be able to keep the core protocol permissionless, and adjust to requirements like those above by adjusting the edges.


In the short term, I think the question Maker should think about is how to deal with coming legal fragmentation. Some jurisdictions (perhaps Switzerland or some developing countries) have a tendency to implement recommendations such as these very quickly, while the US may be slower. (In particular, I have hope the US will not implement these soon or literally, as FinCEN has been a regulator that has been fairly even-handed, and their current digital asset lead appears to be both educated and fair at first glance.)

But it is worth thinking now about solutions other than geoblocking when we turn around a year from now to find a handful of markets have taken these recommendations and implemented them. Our workforce is and will continue to be distributed, and it seems a nightmare to me to figure out constantly how to thread that needle so CUs and members are not saddled with being a VASP in a jurisdiction they live in, have assets, or wish to travel to.

I don’t have a well-developed idea about how to do that, and encourage people to brainstorm both legal and technological ways to deal with increased global legal fragmentation without impacting the permissionlessness of DAI usage.

I suspect simply tracking this kind of thing will provide a decent amount of work to the upcoming Compliance CU.

I will also say on the political front, the responses to this showed a willingness by crypto political groups and voices to throw DeFi under the bus. There was a lot of “it’s not that bad” — which is true for crypto generally. But these recommendations are quite devastating to DeFi if implemented in any important jurisdictions. This highlights the need to build out DeFi-specific political infrastructure. I’ve said in the past if Coin Center or Blockchain Association have 5 minutes with someone important, they won’t be talking DeFi, since there are deeper pockets and DeFi is just one niche in crypto. Particularly in the EU and US, we should explore supporting organizations that specifically represent decentralized finance interests.


Fully support @jacek’s general appreciations. The text is far from ideal and contains problematic, vague language (“i.e. sufficient control”). Important for us is to have an AML/KYC strategy in place. Our strategy starts with an analysis of the impact and applicability of these recommendations to the Maker protocol, including an AML / compliance risk analysis. This will be conducted by an industry expert, supported by @SES-Core-Unit, to be announced shortly. This study will also include the trial of technological tools that permit us to adapt to these regulations without sacrificing the permissionlessness of core features of the protocol. We will need the input of the community to come up with smart solutions. And this study should be the seed of a future Compliance CU for MakerDAO.


While it is not clear how this would be interpreted and implemented in key jurisdictions, I think we can add

“Launching a service that will provide VASP services, for instance, imposes VASP obligations, even if those functions will proceed automatically in the future, especially if the provider will maintain some measure of control or sufficient influence, by, for example, setting parameters, holding an administrative key, retaining access to the platform or collecting fees or realizing profit” (emphasis mine)

to the growing list of things @layerzero should be thinking about for shielding members/CUs from, especially as compliance burden may be larger/smaller across different jurisdictions, and thus unfairly distribute exposure to risks and costs associated with a VASP designation.

I wonder if there is some way to wrap the mere voting/administrative functions of the DAO in a legal structure, and then domicile that structure in a jurisdiction that is favorable with regards to this and other AML applications. Alternatively, perhaps there is a way to place some independent legal entity between the DAO and any users – similar to how the RWA Foundation stands between the DAO and outside “users” but is not actually part of the DAO. We should probably explore whether it is easier to mitigate these – and future – burdens from within the DAO or by placing an external layer between the DAO and any potential litigants/regulators.

Looking forward to seeing more from a nascent Compliance CU. I suspect this will be some of the most important work for Maker over the coming 12-18 months.


There are technological tools worth exploring. Things like zero knowledge proofs, where you could check the eligibility of the user without revealing his identity. Or a “portable KYC” where a clearance in another place, such as a centralized exchange, can be used elsewhere. Or risk checks on addresses. These types of solutions will require conversations with national regulators under the principle of “functional equivalence”: this is the idea that through technology we can help them achieve policy objectives (such as prevention of money laundering), and thus are functionally equivalent. Actually it can be much more efficient to use technology than regulations, which additionally can end up reintroducing intermediaries and killing privacy of users.


Yes, I think we need to engage with specialized DeFi advocacy groups in key jurisdictions, and invest resources only where we can effectively generate a change. In the EU, we are in conversations with the EU Crypto Initiative Group (https://euci.io/), an initiative of the German and French advocacy group leaders. They are leading the DeFi policy efforts in Europe, where we have another open front: the regulation of stablecoins in MiCA (Markets in Crypto Assets). The current draft imposes heavy reporting and licensing requirements on stablecoin issuers. The purpose here is to negotiate exceptions for decentralized issuers, which by the way would give us a competitive advantage.


Definitely, I like the idea of wrapping functions in legal entities to isolate / transfer regulatory risk, we will explore this.


Fully agreed.

Perhaps Maker should build its own policy initiative?

For example, a16z has hired three or four serious policy experts for the crypto fund. One was a senior aide to Senator Biden. They are engaging proactively with politicians and regulators and making sure their view is being heard.

To Paper’s point, centralized crypto isn’t going to help advocate the DeFi story…

Thanks for all of your comments! It’s great to see these initiatives emerging. One thing that not everyone may be aware of is that Maker has been leading on the policy front for years. The current reputation that MakerDAO has also stems from the fact that in the past Maker people have been interacting with multiple global regulators and policymakers, much before DeFi was even a thing.

Fully agreed that Maker has to double down on these efforts now that we are close to the regulatory momentum. We have to be strategic about that, and I like that the starting point is the actual analysis of the situation and developing the best path forward (in the context of AML/KYC that’s the work to be delivered by the SES grantee). Before MakerDAO engages in policy activities in a coordinated manner, we need to precisely know what our goals are.

I am actually planning to start some discussion on this here on the forum.


I can confirm that I have run into former Foundation contacts on several occasions. Whatever conversations the Foundation folks had back then have definitely been helpful to date. MakerDAO needs to figure out how to systematically engage with actors at the state/provincial, national, and international level.

Add that to the long list of organizational capital we need to build up!


I was thinking about this in the sense of legal representation from a jurisdictional perspective. The idea to take key aspects of the DAO and to enact them in a legislatively favorable jurisdiction is appealing. The point here is very much likened to ships on the open seas where each ship sailing basically carries with it the jurisdiction it homes in. I see something similar being applied to DAOs. Same thing is true of crews in such ships btw. They may have different countries their passport says they consider home, but they will have work permits issued by the country the ship operates from. In effect these people end up with a form of dual citizenship. But to be honest I have not analyzed the details of this perspective within different jurisdictions, just as a general thought process.

Given the fully geographically decentralized nature of crypto and DeFi, the most applicable jurisdictional criterion is one of operating in ‘international waters’.

When I rattled through legal analysis of DAOs each time I come to the idea that the DAO is a ship in international waters that needs a jurisdictional home.
