Asking exchanges to identify users might seem like a minor inconvenience, but could it drive DeFi firms overseas, and would crypto users even care?
Cryptocurrencies were designed to be anonymous or pseudonymous, so there is an inherent tension when protocols come up against jurisdictional authorities.
In the United States, the blockchain and cryptocurrency sector has jousted with regulators over the need to comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) rules, and even over adherence to economic sanctions regimes.
Most recently, a top U.S. Commodity Futures Trading Commission (CFTC) official suggested in a speech that it behooves the industry to verify the digital identity of its users. The CFTC has historically been friendly to the crypto sector — at least when compared with other U.S. agencies like the Securities and Exchange Commission — so its views might be worth considering.
However, is it possible “for all crypto companies to distance themselves from [digital currency] mixers and anonymity-enhanced technology,” as CFTC commissioner Christy Goldsmith Romero urged in an April 25 speech?
What about decentralized exchanges? Romero said central parties maintain them, and they could do KYC and AML if they wanted to. But would forcing compliance risk driving decentralized finance (DeFi) innovation abroad?
“Sure, it’s possible for companies to distance themselves from anything they want — software does what we tell it to do,” Preston Byrne, a partner at the law firm Brown Rudnick, told Cointelegraph, adding:
“The real question is whether the United States, as a policy matter, wants to cut off its companies from DeFi when DeFi growth overseas is exploding.”
Whether crypto protocols have to comply with AML/KYC rules and other aspects of the U.S. Bank Secrecy Act (BSA) depends on whether they are “money transmitters” or “money services businesses” under the applicable state and federal laws, according to John Wagster, who heads the technology industry team at law firm Frost Brown Todd. But whether they can comply is another matter. He told Cointelegraph:
“Centralized protocols clearly have the ability to implement AML/KYC compliance, albeit at the risk of losing crypto idealists who will only use products that allow permissionless, anonymous access.”
What about DeFi projects? “Decentralized protocols can implement BSA compliance, but the individual steps must be approved by the protocol’s DAO — or another governance mechanism — and some aspect of the implementation will likely need to be performed by community members or service organizations authorized by the DAO,” Wagster added.
But the BSA isn’t the only potential challenge for crypto firms looking to set up business in the United States; it might not even be the most serious.
All companies must comply with the Office of Foreign Assets Control (OFAC) “to ensure their platforms are not being used by individuals from prohibited jurisdictions,” like North Korea and Iran, or by specially designated nationals, said Wagster. However, “some aspects of OFAC compliance can be implemented autonomously through the use of third parties like Chainalysis, which provides access to its OFAC API free of charge.”
In August 2022, OFAC sanctioned digital currency mixer Tornado Cash, which the agency accused of laundering more than $7 billion of digital currency since its creation in 2019. This included over $455 million stolen by a North Korean state-sponsored hacking group. Mixers like Tornado facilitate anonymous transactions “by obfuscating their origin, destination, and counterparties, with no attempt to determine their origin,” according to the U.S. Department of the Treasury. OFAC has since prohibited U.S. firms and individuals from doing business with Tornado Cash.
Some believe that decentralized exchanges can also shut out mixers if they set their mind to it. “When the whole Tornado Cash debacle happened, decentralized exchanges like Aave and dYdX actively blocked addresses that interacted with mixers,” Justin Hartzman, CEO and co-founder of Toronto-based cryptocurrency exchange CoinSmart, told Cointelegraph. As Hartzman further explained:
“While mixers do tend to protect user identity, it is fairly easy to tell which addresses have interacted with these protocols, thanks to blockchain’s transparency.”
Still, even if crypto firms can resist anonymity-enhanced technology, would that be beneficial? Perhaps preserving privacy coins and anonymous crypto is important globally as a counterweight to growing government surveillance.
“The answer to this question is in the eye of the beholder,” said Byrne, adding that the desirability of privacy-enhancing technology is a political question. “I think the point of crypto is to make this technology so commonplace that it ceases to be a political question because its existence must be assumed.”
Privacy coins and regulations ‘don’t gel’
“If you want widespread adoption, regulations are going to be crucial,” said Hartzman, adding that “privacy coins and regulations don’t gel.” While doubting privacy coins are going away, their usability will probably remain highly “niched” and restricted, he explained. “Blockchain was never anonymous, and it won’t be moving forward in my view.”
Frost Brown Todd’s Wagster, for his part, agreed that there was a basic incompatibility at hand:
“Anonymizing technology and BSA compliance do not mix. If a protocol is required to be BSA compliant, that protocol cannot permit users to mask their identities.”
Protocols seeking high adoption by attracting institutional investors are “unlikely to defend the use of mixers because their institutional users are not going to get involved with a platform that is in danger of a government enforcement action,” continued Wagster. Meanwhile, DeFi lenders who permit anonymizers will just have to do business outside U.S. jurisdiction.
Are ‘mixers’ worth saving?
Is the verification of digital identity, as requested by the CFTC commissioner, really such a burden for crypto users, and is it worth the industry’s while to fight for “mixers” like Tornado Cash and Blender?
Anonymity is not a life and death matter for the vast majority of crypto users, in Hartzman’s view. “Most people are simply using crypto to make money and trade these radically different and exciting assets.” They aren’t using mixers either. “I would say that most don’t even know how to use these protocols.” Brown Rudnick’s Byrne added:
“Tornado Cash and Blender aren’t worth saving in my opinion, although I am sympathetic to the arguments […] that the Treasury Department probably doesn’t, or at least it shouldn’t have the power to sanction particular technologies.”
Wagster noted that BSA requirements like AML and KYC are enforced by the U.S. Treasury through the Financial Crimes Enforcement Network, “not by the SEC or CFTC.”
Many centralized crypto protocols will likely embrace AML/KYC/OFAC requirements because they are widely used in the traditional financial world and “because institutional money managers may have a fiduciary duty to use compliant providers.”
On the other hand, some crypto-native DeFi protocols may want to avoid BSA compliance, Wagster said, as “compliance runs against the ethos of crypto that favors privacy and monetary freedom over the government’s desire to prevent money laundering and terrorist financing.”
Mixers aren’t always used for nefarious purposes, either. People living under oppressive political regimes may use these tools to protect their wealth and freedom, CoinSmart’s Hartzman noted, but “the fact is that hackers are abusing these protocols to safely steal money from hardworking people.”
Compliance regimes can vary in importance too. KYC/AML compliance may be one thing, but sanctions evasion is arguably another. As the sad saga of Ethereum developer Virgil Griffith illustrated, it’s a surefire way to incur the wrath of U.S. authorities.
Still Day 2. They took us to a museum and proudly showed us exhibits of how they once captured a U.S. ship and forced the crew to sign grovelling documents. 19/15 pic.twitter.com/WmPdyVuAMY
— Ethan Lou (@Ethan_Lou) October 27, 2021
“Treasury has worked to expose components of the virtual currency ecosystem, like Tornado Cash and Blender.io, that cybercriminals use to obfuscate the proceeds from illicit cyber activity and other crimes,” declared the Treasury in August 2022.
While acknowledging that most digital currency activity is “licit,” the department said that cryptocurrencies “can be used for illicit activity, including sanctions evasion through mixers, peer-to-peer exchangers, darknet markets, and exchanges. This includes the facilitation of heists, ransomware schemes, fraud, and other cybercrimes.”
Give regulators what they want?
As a strategic matter, would it better suit the crypto sector to give U.S. regulators what they want, i.e., ID verification? Consumers have been doing it for years for other activities like opening a bank account, and if developers don’t like it, they can just set up shop outside U.S. jurisdiction.
“Ultimately, some DeFi providers will likely end up adopting AML/KYC procedures, whether they are required to or not, both to avoid unwanted government scrutiny and to attract institutional money,” predicted Wagster. “Others will hold true to their ideological preferences because that’s why they got into crypto in the first place.”
Hartzman, based in Toronto, cites the Canadian regulatory approach, which, in his view, has worked well. “All exchanges must register with the Ontario Securities Commission/Canadian Securities Administrators and undergo stringent regulatory processes and audits.”
What’s needed in the U.S., though, is a regulatory framework designed specifically for cryptocurrencies, Hartzman continued:
“It seems U.S. regulators have still not decided if cryptocurrencies are securities or commodities or something else. [SEC chair] Gary Gensler’s train-wreck of a hearing pretty much proved that these regulators are behind the eight-ball when it comes to the crypto industry.”
Byrne also suggested that U.S. regulators may arrive too late to the party to do anything forcible on the anonymity question. “While I can understand that U.S. regulators want to exercise regulatory control, I think that commercial reality outside our borders is going to start demonstrating the practical limits on their power sooner rather than later.”