DeFi 2.0. Is it different this time? Did we solve the issues?

Martin Worner
Published in TgradeFinance · 7 min read · Mar 14, 2023


The summer of DeFi was a blast, and it was hard to keep up with the pace of innovation and experimentation. Taking a step back to the spring of 2021, I wrote a blog asking whether regulatory compliance and crypto were fundamentally compatible. This was the deep question behind Tgrade, which was built to help businesses comply with the regulations of the jurisdictions they operate in.

What happened in the intervening years? DeFi saw a meteoric rise and an equally spectacular fall, although the fall was not DeFi eating itself; rather, it was a sequence of external and industry events. At the end of 2022 I wrote: “It feels as we approach the end of 2022 that crypto is staggering, punch drunk, while the regulators circle, the many detractors indulging in an outpouring of schadenfreude, the DeFi maximalists repeat nothing to do with us, and the eternal optimists cry, ‘it’s time to build’.”

Zero Knowledge Proof (zkP) to the rescue?

With the noises from the regulators getting louder and louder, even the DeFi maximalists could not ignore it, and there has been growing excitement about zkP as a magic bullet for DeFi to solve the KYC and AML issue (the pseudo-anonymous addresses on a public blockchain make it very difficult to verify identities for the purposes of KYC and AML). This fix would then put DeFi back in the running as the natural home for people and institutions who previously trusted Centralised Exchanges (which have suffered reputational damage following the implosion of FTX).

Not so fast. Outsourcing the KYC/AML screening and returning a proof is only part of the process. KYC and AML are often seen as onboarding exercises: verify an address, validate an identity, look up the sanctions and politically exposed persons (PEP) lists, and once complete the address is “verified”. Using zkP is a good solution to this step, as the DeFi protocol ensures the address is associated with a verifiable credential.

zkPs are a powerful piece in producing workable solutions but as I discussed in a previous blog there is a debate needed about the balance of transparency and the right to privacy on public blockchains.

The issue with focusing only on onboarding is that the credentials need regular review to ensure the address is still current, the identity still valid, and the holder still not on sanctions or PEP lists. This can be automated, but who is responsible for ensuring it happens in DeFi? What would happen if the address were sanctioned? Would the assets be frozen, and by what authority?

What is also overlooked is that in finance the purpose of KYC is also to assess the customer’s investment profile, which includes their appetite for risk, investment timeframes and understanding of the markets, and it is best practice to review this regularly. The same applies to AML checks: it should not be a one-off question about the origin of funds but ongoing monitoring to flag suspicious activities and to be able to act on them. Public blockchains, as I have previously written, are well placed to make a big leap in how the proceeds of crime can be detected, as the public ledger can be watched for patterns in the transactions made. The question is who does this? The regulators? The process could be automated in DeFi and sanctions applied automatically; the only questions would be which jurisdiction this would be reported to and how any mistakes would be rectified.
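The two paragraphs above argue that a credential attached to an address is not a one-off check: it expires, it can be revoked, and the holder has to be re-screened against sanctions and PEP lists on a schedule. The following is an added illustration, not Tgrade code or any particular protocol's implementation, of what the automated part of that lifecycle looks like when a protocol gates transactions on credential status. The issuer name, addresses and the sanctions list are constructed sample data; the registry stores only the issuer's attestation, never the identity data behind it.

```python
from dataclasses import dataclass

# Added illustration (not Tgrade code): a registry binding an on-chain address
# to a KYC provider's attestation, with expiry, revocation and periodic
# re-screening. All names and timestamps below are constructed sample data.


@dataclass
class Credential:
    holder: str       # on-chain address the credential is bound to
    issuer: str       # KYC provider that attested; no personal data is kept here
    issued_at: int    # unix timestamp
    expires_at: int   # hard expiry set by the issuer
    revoked: bool = False


class CredentialRegistry:
    def __init__(self, trusted_issuers, review_interval):
        self.trusted_issuers = set(trusted_issuers)
        self.review_interval = review_interval   # max seconds between re-screenings
        self.creds = {}          # holder address -> Credential
        self.last_review = {}    # holder address -> timestamp of last re-screen
        self.sanctioned = set()  # holders flagged by a re-screen

    def issue(self, cred: Credential):
        # Only attestations from issuers the protocol trusts are accepted.
        if cred.issuer not in self.trusted_issuers:
            raise ValueError(f"untrusted issuer {cred.issuer}")
        self.creds[cred.holder] = cred
        self.last_review[cred.holder] = cred.issued_at
        self.sanctioned.discard(cred.holder)

    def revoke(self, holder):
        # Issuer-side revocation, e.g. the identity check was later found invalid.
        if holder in self.creds:
            self.creds[holder].revoked = True

    def rescreen(self, sanctions_list, now):
        """Periodic job: compare every holder against a fresh sanctions/PEP list.
        Returns the holders newly flagged in this run."""
        flagged = []
        for holder in self.creds:
            self.last_review[holder] = now
            if holder in sanctions_list:
                self.sanctioned.add(holder)
                flagged.append(holder)
        return flagged

    def status(self, holder, now):
        """One of: unknown, revoked, sanctioned, expired, review_overdue, ok."""
        cred = self.creds.get(holder)
        if cred is None:
            return "unknown"
        if cred.revoked:
            return "revoked"
        if holder in self.sanctioned:
            return "sanctioned"
        if now >= cred.expires_at:
            return "expired"
        if now - self.last_review[holder] > self.review_interval:
            # Onboarding happened, but nobody has re-checked the holder recently.
            return "review_overdue"
        return "ok"

    def can_transact(self, holder, now):
        """What a protocol would check before letting an address trade or withdraw."""
        return self.status(holder, now) == "ok"
```

The `review_overdue` state is the point of the example: an address that was correctly onboarded still loses access if the scheduled re-screen has not run, which forces the question the text raises of who is responsible for running it.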

There is a risk that DeFi implements zkP to demonstrate that the issues of KYC and AML are addressed, with no dialogue with the key regulators to find the best way forward. The other risk is that DeFi doubles down and makes itself impossible to regulate; the only tools the regulators then have are to shut down the marketing and the fiat on/off ramps, effectively closing it off to all but the hard-core enthusiasts.

We took a different approach in Tgrade: in a previous blog article I examined the combination of verifiable credentials with Trusted Circles as a powerful solution, one that embraces a public, decentralised infrastructure while keeping control through Trusted Circles and verifiable credentials.

An intermediary here, an intermediary there

One very easy action for the regulators is to introduce intermediaries into the decentralised world. The argument goes that intermediaries are needed to ensure there is an entity registered in a country, with identifiable people responsible and accountable.

This is manifested in the discussions around qualified custodians, the broader custody discussions, establishing who is responsible for a smart contract, and the complex topic of AML.

Inserting “responsible” intermediaries into the blockchain might be the simplest way to bring crypto and blockchains into the fold under the “same risks, same rules” philosophy, but it comes with the risk that it pulls up barriers to the benefit of the incumbents and stifles innovation.

Requiring parties to share information to combat the proceeds of crime is how it is done in the financial system. What if we used verifiable credentials, which ensure the checks are made without having to send a lot of potentially sensitive data around?

What if, instead of mandating custodians, we used smart contract wallets so that the private keys can be recovered by guardians?

This will need some work to ensure the technology can be used to its full potential while the safeguards are in place, and to resist the push to shape the crypto/blockchain world into the existing frameworks.
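The guardian-recovery idea above is the alternative the text offers to a mandated custodian: the account holder keeps self custody, but a quorum of guardians can rotate the signing key if it is lost. Below is an added model of that mechanism, written for this article and not taken from Tgrade or from any specific wallet standard. It assumes (as a design choice, not something the text specifies) an M-of-N guardian quorum followed by a delay during which the current owner can cancel, so that colluding guardians cannot take over an account whose owner is still in control. Guardian names and key identifiers are constructed.

```python
# Added illustration (not Tgrade code or any wallet standard): a smart contract
# wallet whose owner key is replaced by a guardian quorum plus a cancellation
# window. Guardian and key names below are constructed sample values.


class SmartContractWallet:
    def __init__(self, owner, guardians, threshold, delay):
        if threshold < 1 or threshold > len(guardians):
            raise ValueError("threshold must be between 1 and the number of guardians")
        self.owner = owner
        self.guardians = set(guardians)
        self.threshold = threshold   # M of N guardians needed to reach quorum
        self.delay = delay           # seconds between quorum and execution
        self.pending = None          # {"new_owner", "approvals", "ready_at"}

    def propose_recovery(self, guardian, new_owner, now):
        self._require_guardian(guardian)
        if self.pending is not None:
            raise RuntimeError("a recovery is already pending")
        self.pending = {"new_owner": new_owner, "approvals": {guardian}, "ready_at": None}
        self._check_quorum(now)

    def approve_recovery(self, guardian, new_owner, now):
        # Approvals must name the same replacement key; a set stops double counting.
        self._require_guardian(guardian)
        if self.pending is None or self.pending["new_owner"] != new_owner:
            raise RuntimeError("no matching recovery pending")
        self.pending["approvals"].add(guardian)
        self._check_quorum(now)

    def cancel_recovery(self, caller):
        # The still-in-control owner vetoes a recovery during the delay window.
        if caller != self.owner:
            raise PermissionError("only the current owner can cancel")
        self.pending = None

    def execute_recovery(self, now):
        """Anyone may call this; it only succeeds after quorum and the delay."""
        p = self.pending
        if p is None or p["ready_at"] is None or now < p["ready_at"]:
            return False
        self.owner = p["new_owner"]
        self.pending = None
        return True

    def _check_quorum(self, now):
        p = self.pending
        if p["ready_at"] is None and len(p["approvals"]) >= self.threshold:
            p["ready_at"] = now + self.delay   # start the cancellation window

    def _require_guardian(self, who):
        if who not in self.guardians:
            raise PermissionError(f"{who} is not a guardian")
```

The delay is the safeguard that makes the scheme acceptable without an intermediary: the owner sees the pending recovery on-chain and can cancel it, whereas a custodian would be the party deciding on the owner's behalf.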

“On the blockchain”

It is technically possible to build an entire infrastructure that mimics the existing systems. We can design fund managers, order book exchanges, clearing and settlement using smart contracts to enforce T+2, all “done on the blockchain”, but there is no compelling reason to do so: the existing system works, and the new one is fraught with risk, as seen with the Australian Stock Exchange’s experiment to replace its clearing system with a permissioned blockchain.

We should be asking the fundamental questions, such as: what is the role of a central counterparty? Do we need a central securities depository (CSD) for digital assets? Is there a role for qualified custodians? Do we need to do reporting?

The simple answers are that CSDs are in effect DLT, and that smart contracts can do the job of a central counterparty without introducing risks. Instead of reporting and having the regulators re-assemble the data, why not use the source?

These are all pillars of securities regulation, and the law needs interpreting in light of what blockchain technology can do to address its intent, not necessarily the exact implementation as is currently done.

Algorithms are reviewed before being deployed on a traditional exchange; why can’t the bots/algorithms and MEV optimisers be reviewed too for best execution if they are trading on behalf of customers?

What is to be done?

There is work to be done in the industry: the user experience is horrible. The view that crypto works on the principle of caveat emptor is not good enough; are we really expecting participants to be fully fluent in the design of smart contracts? The pure market approach, where there is full decentralisation and the algorithm decides everything, is a nice idea but does not address key regulatory concerns.

Self custody, really? Asking people to secure a recovery phrase and double-check everything just in case there has been a clipboard injection of a rogue address will continue to hamper adoption, or further the centralised services which the technology aimed to disrupt.

The reliance on the on/off ramps to be the guardians of the ecosystem is lazy; each and every piece could step up and put in the checks and balances needed.

It is not all at the feet of the industry; the requirement for crypto to be “holier than thou” seems at odds with reality. We see Dubai, which is on the FATF grey list, flourish, leading to questions about how much enhanced due diligence is done in practice.

More controversially, should the DeFi protocols build in the cost of fines for breaching the regulations as the “price of doing business”? After all, bankers rarely go to jail; their companies just pay the fines and say warm things about improving.

Back to first principles

Perhaps the best way to unravel what needs to be done is to take a step back and ask what is important.

There are two guiding principles for regulation, namely consumer protection and market stability.

Consumer protection is a nice broad term and, while the intent is good, it is also used to exclude people from areas of finance. What DeFi has taught us is that retail and institutional participants can co-exist without causing any issues, and opening up participation in the automated market makers to the liquidity pools has shown that this works. Care must be taken to ensure consumers are protected and not excluded. Verifiable credentials are a promising area that would facilitate consumer protection and incentivise protocols to categorise their products.

Market stability is essential to reassure people that the markets they participate in are fair and stable. In a pure market without rules, is it acceptable to run a pump and dump programme, or to use a flash loan in a lull in liquidity to push prices down and trigger auto-liquidations? Where is the boundary in Miner Extractable Value (MEV)? What is “good” and “bad” MEV? When is it acceptable to front-run or sandwich a trade? Is a good chain MEV resistant? Will the institutions bring calm to the volatile markets?

Crossroads

We are at an important crossroads in how blockchains and digital assets are regulated. We can either follow “same risks, same rules”, which will push the industry to the edges for years, or find active pragmatism from the industry, policy makers and regulators to follow the right path.

I am optimistic that practical solutions will be found as the alternative is bleak for the industry and would set back finance as a force for innovation for a long time.
