New white paper proposes framework for combating illicit finance while preserving DeFi’s permissionless, neutral character

A trio of experienced crypto lawyers, among them former acting director of FinCEN and former CTO of Chainalysis Michael Mosier, have proposed a novel approach to regulating decentralized finance (DeFi) “while preserving the technology as permissionless, neutral infrastructure.” Their paper – Genuine DeFi as Critical Infrastructure: A Conceptual Framework for Combating Illicit Finance Activity in Decentralized Finance – starts with the premise that DeFi’s decentralized character makes it a promising innovation that is difficult to regulate with traditional tools because there are no centralized actors. To accommodate DeFi, the authors propose that future regulations adopt a three-part approach.

Part one of the proposed framework offers a definition of “independent control” to help regulators identify when DeFi actors are performing effectively the same functions as traditional financial intermediaries and thus should be similarly regulated. According to the paper, “independent control,” in a blockchain-based protocol, should mean: 

the unilateral ability to—1. exercise operational authority over any third party’s value in the System or otherwise immediately affect any value within the System, including by ceasing operation from within the System, or 2. admit, permit, restrict, deny or modify—a. those who have had access to the System or b. the ways in which anyone has used or accessed the System for any reason or at any time in a way that substantially affects any third party’s value in the System.

Within the proposed framework, actors with independent control are considered “System Control Persons” who should bear the same regulatory responsibilities as traditional “financial institutions” under the Bank Secrecy Act, with some caveats. 

The paper argues that, first, because of the inherent transparency on public blockchains, System Control Persons might not be expected to comply with the same record-keeping and reporting requirements that apply to their traditional counterparts. Second, as with traditionally regulated entities, the paper encourages regulators to look at the “facts and circumstances” of each System Control Person to assess their degree of independent control. Thus, under the paper’s framework (and contrary to the status quo), a large holder of a protocol’s governance token would not be a System Control Person; nor would a governance model such as a DAO. Under the paper’s framework, the definition of independent control would permit regulators to separate true DeFi from what the paper terms “on-chain CeFi” which, depending on “facts and circumstances,” may need to be subject to traditional BSA-like regulations. 

The second step of the framework tackles risk mitigation with the goal of preserving access to DeFi and its continued innovation. Here the authors rely on a popular comparison of blockchain with telephone and Internet infrastructure. Even when these infrastructures are used to conduct and execute financial transactions, the authors note, they are not deemed financial institutions with regulatory requirements. Carrying this analogy to its conclusion, the paper advises treating genuine DeFi as “critical infrastructure” that should be supervised by the Department of Treasury’s Office of Cybersecurity and Critical Infrastructure (OCCIP). OCCIP does not have independent regulatory authority, but works with industry to “to enhance the security and resilience of financial services sector critical infrastructure and reduce operational risk” and “to share information about cybersecurity and physical threats and vulnerabilities, encourage the use of baseline protections and best practices, and respond to and recover from significant incidents.” The authors contend that applying this mandate to DeFi could foster a safer, more accessible and technologically driven financial system, without restrictive BSA requirements. Not all DeFi platforms would become critical infrastructure, however. The paper suggests developing threshold requirements for protocols to deemed critical infrastructure. 

Finally, the paper acknowledges that cooperation with OCCIP cannot be the sole solution to illicit finance in DeFi. Some DeFi actors have become critical sources of technical information about DeFi systems. The paper advises classifying these actors as a new type of regulated entity called “critical communications transmitters” (CCTs). 

CCTs would integrate with genuine DeFi systems and facilitate communications from users to the DeFi protocol, typically for a fee. CCTs could be required to implement risk management practices to combat illicit finance. But rather than apply BSA requirements to CCTs, the paper suggests a “narrowly tailored” financial integrity program featuring documentation, detection, and deterrence of illicit finance.  For instance, many DeFi businesses perform geo-blocking and screening for sanctioned addresses. Hypothetical CCT requirements could go further through tools such as wallet risk scoring, a feature that Chainalysis and others have already been developing. Interactions with high-risk wallets could then be compiled into reports for FinCEN but, the authors emphasize, without the personal identifying information found in Suspicious Activity Reports. The high volume, relative transparency, and easy accessibility of blockchain transactions mitigates the value of such additional data collection, instead offering near real time capacity to track, trace, and deter bad actors.

Though the paper’s authors acknowledge their framework would require new authority from Congress, it offers a fresh vision for how this rapidly changing industry and government can collaborate, without hampering innovation, in their shared goal of a safer, more resilient, and more accessible financial system. This vision addresses some of the key concerns raised in recent government publications concerning DeFi. It offers some actionable first steps towards achieving the core policy objectives from the CFTC’s Technology Advisory Committee report, while sharing some of that report’s optimism towards DeFi, (perhaps unsurprising given that Mosier served on the committee). The whitepaper also begins filling in regulatory gaps the Department of Treasury identified in its 2023 Illicit Finance Risk Assessment of Decentralized Finance.  Furthermore, the whitepaper suggests a measured alternative to the sweeping authority the Department of Treasury’s recently asked for in its letter to Congress. For more on DeFi and the Department of Treasury’s efforts to combat illicit finance, contact any of the authors of this Insight.