DeFi in 2023 & Beyond

EverestDotOrg
7 min read · Jan 5, 2023

Practical Solutions to Achieving Privacy and Compliance

The paradox of empowering user privacy in decentralized finance while adhering to regulatory requirements for identity verification is the defining challenge in moving into the next era of blockchain and crypto. Even such heavyweights as a16z and Chainlink recently opined on theoretical solutions, incongruent with existing laws, for how not to burden DeFi projects with holding identifying information about users while verifiably abiding by the laws of the land. There is a practical solution, beyond theories, that can be implemented today.

In the aftermath of users losing multiple billions of dollars on DeFi bridges, and unknown amounts of money laundering passing through those protocols, the wild west days of DeFi are over. Regulators in all major jurisdictions have determined that DeFi must implement real compliance — not just a KYC front-end or an NFT that attests to a wallet not being involved in laundering money. DeFi projects need to make or buy a full suite of compliance tools, including policies, reporting, risk rating, and monitoring activities. This is a hard pill for many to swallow, but regulators are saying, planning and legislating that DeFi projects’ (DEXes specifically) activities will be regulated. Being blissfully ignorant of whether they are engaged in such activities, or not knowing whether they should be registered or licensed, does not excuse DeFi players from having to adhere to these laws — it just means that regulators simply haven’t enforced nor prosecuted them — yet!

However, there is a way for DeFi projects to adapt and evolve their models without compromising their DeFi tenets of user control, pseudonymity, and not storing identity information.

If value transfer activities are happening, then by current law in Europe, the US, Japan, Singapore and most other modern jurisdictions, the facilitating entity, whether traditional finance or DeFi, is obligated to implement a compliance regime. The need for compliance is a binary determination: “yes, needs compliance”, or “no, does not need compliance.” Simply put, either the entity is engaged in what regulators opine is a regulated transaction, or it is not. Pushing governance to hundreds of voters to determine the fate of the protocol (i.e. a DAO), or even releasing immutable, non-upgradeable smart contracts onto public chains, will not release one from this obligation nor from the potential wrath of enforcement agencies. Decentralization of governance may or may not help a project’s “governance token” avoid being classified as a security or investment product, but it does not remove identity verification, AML, KYC, ongoing monitoring, risk rating, etc. obligations. That is, moving everything into a DAO might create a small loophole for the Howey test (usually an attempt to show that no management is in place upon which investors are relying for appreciation in the asset), but decentralization of governance does not remove the burden of actually doing the compliance from the ultimate beneficial owners (UBOs) or those who collect the profits. Simply put, just because no one is in charge (i.e. the community/network), that doesn’t mean that no one is responsible. In the recent MiCA draft from the European Parliament, DAOs are considered “entities”, and even basic AML training makes reference to the concept that if no person owns over 25% of the entity, then the UBOs, senior management or the person of highest influence is culpable for the entity’s behavior. So while the DAO may look to decentralize the decision making, regulators will still centralize compliance and enforcement to ensure transparency and accountability.

Human & Unique Identity Verification at The Core

The core of compliance is identity verification. Specifically, entities/DeFi players need to know which unique human being out of the 8 billion on the planet they are establishing a relationship with, and that this specific live, sentient piece of carbon has certain legal rights and obligations — not what credential, ZKP, or NFT might represent them in a myriad of wallets (i.e. not simply that the user is not on a list, but rather they need to know it’s actually Marc Andreessen, living at “not going to dox him” in Malibu or Atherton). In addition to basic identity verification, identity requirements may include KYC, AML, CFT, PEP, sanctions screening, etc. That is, the existing world order, which follows FATF guidelines, mandates that transfer activities are open only to those who are not laundering money, funding terrorism, etc. Note that pseudonymity is permissible, but anonymity is not above certain thresholds; systems like Everest are coded to ensure anonymity below those thresholds, coding the law into smart contracts. In sum, all of DeFi will need to answer to regulators and partners that they know and have a relationship with the unique human person using their services. And that’s the tip of the iceberg for compliance. Since wallets are the primitives for transactions on chains in 99% of architectures, and wallets are neither humans nor identities, the market is in for a rude awakening.

In addition to the need for identity verification, the entity engaging in or facilitating value transfer activities must also undertake the following:

· Ongoing monitoring of the user (not just their wallet, but monitoring the user’s usage of fiat and crypto)

· Risk rating of the user

· Risk rating of the transaction(s), especially over time

· Reporting on a regular basis

· Systems and policies to flag/catch suspicious transactions, and send to partners & regulators (STRs, SARs)

· BSA and account/wallet freezing capabilities

· Document and transaction record storage

· License or registration to conduct such activities, and likely insurance, cyber security & consumer protection policies, internal governance rules + audits, etc.

Make vs Buy Compliance

DEXes, for example, will need to adhere to the above, and will be forced into a make vs. buy decision for a full compliance suite. If they “make”, they’ll not only need a plethora of disparate capabilities that 99% of them currently do not possess, but they will also be in the awkward position of holding user identity data, a position they really don’t want to be in. This is not a viable solution for DeFi players, as it is costly and breaks the fundamental social contract with users.

The alternative is to “buy”, which solves the problem of DeFi storing user identity data, or even knowing anything at all about the user. However, there are limited choices in the market, as outsourcing a full set of compliance activities requires that the compliance-as-a-service supplier be and deliver the following:

(a) be subject to the same laws, regulations, reporting, protections and storage requirements as the DEX (i.e., a software vendor will not suffice; it must be a regulated/licensed entity),

(b) run an ongoing monitoring and risk rating program,

(c) have a bona fide, signed contract in place that includes data storage in line with GDPR and regional jurisdictional requirements on transactions, remedies, SLAs, and SOPs on regulator responses, reporting, etc.

Again, a16z and Chainlink outlined theoretical architectures for how this can be achieved, but both theories require a “trusted 3rd party” that the government/regulator authorizes to be the custodian of such identity data and/or keys. Specifically, within the Chainlink proposal, the government would hold keys, engage with the theoretical 3rd party with a valid request, and with the combination of keys be able to view the user’s data. Presently, all governments push the obligations and costs of compliance onto licensed and regulated entities. They are not interested in, nor planning on, holding keys to check some mythical 3rd party identity custodian and compliance supplier. Governments/regulators do not necessarily trust regulated entities, which is why tier-one jurisdictions enforce 3rd party audits, checks and balances and other measures to ensure, for example, that users’ identity data is not exposed. Since these licensed and regulated entities must comply with the compliance rules and are subject to the same laws as DeFi projects, the ideal candidate to be this mythical, theorized entity is a licensed crypto custodian. However, almost all crypto custodians are exchanges and trading desks who have zero interest in taking on the liability of compliance for potential competitors. Additionally, the market requires a licensed custodian who is GDPR (or equivalent) compliant to safeguard users’ data, who can process the legally required minimum of identity verification, and who holds such data on the DeFi players’ behalf — only passing the project or DEX a ZKP (not the user’s data) that proves the wallet is approved for various services, thus preserving users’ privacy. This licensed custodian takes on the burden of transaction risk rating, user risk rating, screening, reporting, BSA, storage, etc. on behalf of the DeFi project. In this scenario, the DeFi project offloads the cost, time, hassle and knowledge-of-users burdens of compliance and focuses on its core business, while staying true to its users and ethos.

The solution is Everest, a licensed crypto custodian that attaches unique human identity to wallet addresses, is compliant with GDPR and MLD5, and has implemented configurable risk rating, reporting, and automated ongoing monitoring of both crypto and fiat… all while allowing users to granularly share (or not) various claims and credentials, including KYC status. With Everest, users can have anonymous wallets for non-regulated services, other wallets with reputation for gaming and social, others for voting, and still other wallets with KYC for regulated services. In this paradigm, wallets work as pseudonymous personas, or anonymous in the case of connected wallets. Additionally, Everest has secured fiat accounts around the world and is able to onboard users globally with integrated screening, empowering DeFi projects to stay compliant and allow their users to buy/sell with fiat or crypto — with whatever level of compliance the jurisdiction requires. Also, Everest was the first to launch an interactive ZKP for KYC status, enabling DeFi providers to receive INFO tokens (721s) carrying nothing more than a confirmation/check mark (yet still anchored on a unique human identity); if the DeFi project wants more info from the user, it can request it, and the user may share the document or data, or not. And when a suspicious transaction report or BSA policy needs implementing, Everest assumes that responsibility on behalf of its DeFi partners.
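To make the two mechanisms described above concrete (a custodian passing the DEX only an approval claim bound to a wallet, and anonymity being permitted only below a threshold), here is an added toy model written for this article; it is not Everest’s code or API. The custodian, pool, wallet strings, threshold value and the HMAC stand-in for a signature are all constructed assumptions; a real deployment would use a public-key signature so the DEX holds only a verification key it cannot forge with.

```python
import hashlib
import hmac
import json

# Constructed threshold (USD): transfers below it may stay anonymous,
# transfers at or above it require a custodian attestation. Illustrative only.
THRESHOLD_USD = 1000


class Custodian:
    """Hypothetical licensed custodian. Keeps the wallet-to-person mapping
    off-chain and never hands it to the DEX; it only issues attestations."""

    def __init__(self, key: bytes):
        self._key = key          # stand-in for the custodian's signing key
        self._ledger = {}        # wallet -> internal person id, never exported

    def onboard(self, wallet: str, person_id: str) -> None:
        self._ledger[wallet] = person_id

    def attest(self, wallet: str, now: int, ttl: int = 3600):
        """Return a signed 'KYC ok' claim bound to the wallet, or None.
        The claim carries no personal data, only wallet, status and expiry."""
        if wallet not in self._ledger:
            return None
        payload = {"wallet": wallet, "kyc": True, "exp": now + ttl}
        msg = json.dumps(payload, sort_keys=True).encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"payload": payload, "mac": mac}


class GatedPool:
    """DEX-side gate. Stores only the custodian's verification key and the
    threshold; it never learns who the person behind the wallet is."""

    def __init__(self, verify_key: bytes, threshold: int = THRESHOLD_USD):
        self._verify_key = verify_key
        self._threshold = threshold

    def _valid(self, wallet: str, att, now: int) -> bool:
        if not att or att["payload"].get("wallet") != wallet:
            return False                     # claim must be bound to this wallet
        if att["payload"].get("exp", 0) <= now or not att["payload"].get("kyc"):
            return False                     # stale or negative claim
        msg = json.dumps(att["payload"], sort_keys=True).encode()
        expected = hmac.new(self._verify_key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, att["mac"])

    def transfer(self, wallet: str, amount_usd: int, now: int, att=None) -> str:
        if amount_usd < self._threshold:
            return "ok-anonymous"            # below threshold: no identity needed
        if not self._valid(wallet, att, now):
            return "denied-attestation-required"
        return "ok-attested"
```

Note that the pool’s state contains no identity data at all: a breach of the DEX leaks wallets and amounts, while the person-to-wallet mapping stays with the regulated custodian.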

As we move into the next era of DeFi, the sector will require critical solutions that solve the paradox of preserving user privacy while maintaining compliance. Everest’s solution is uniquely positioned to lead DeFi to this next stage of mass market adoption.

Learn more about Everest at https://www.everest.org/
