Tracer and AML/CTF requirements

*In the process of writing this post, 2 big AML/CTF publications dropped: the Senate AFTC inquiry’s third and final report, and FATF’s updated VASP guidance. I thought about incorporating them before posting, but decided to post this before reading either to see how well my antennae are attuned to the relevant issues: I’ll try and update if there’s anything I’ve missed on review.

Hello Tracer community!

I thought I’d try and kick off a discussion on how Tracer DAO can accommodate Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) considerations into its design. As a loose outline, I’ll:

  • Set out the underlying objective of AML/CTF requirements;
  • Go through any relevant exemptions;
  • How it maps onto Tracer services and products specifically; and
  • AML/CTF and privacy.

Before I do so, I want to preface this post by saying that the concern around DeFi being especially prone to being exploited for nefarious activities is more a problem of perception, rather than reality. According to the figures bandied around in this space, the actual incidence of cryptoassets in money laundering is low, and falling. The popular concern around cryptocurrency seems to be motivated by its potential (rather than actual) use to obscure identities to bypass AML/CTF regulation (although even that doesn’t seem unassailable, if the rumours around Poly network are true…).

That being so, the main challenge will be to persuade regulators to give DeFi an opportunity to develop a technological solution to comply with AML/CTF requirements, without baking in the redundancies associated with regulating centralised finance. Whether or not it is possible to leverage technology to comply with AML/CTF obligations is very much beyond my ken (the little I’ve seen seems to suggest so), so feel free to educate me on this point!

What’s the underlying purpose of AML/KYC?

The broad thrust of AML/CTF regulation (as with most key pieces in financial regulation) is set by an intentional consensus: while there are variations in the laws giving effect to AML/CTF regulation between countries, the objective those laws serve remains consistent. A working definition of AML/CTF’s common purpose (very loosely adapted from the international standard-setter FATF’s guidance) could therefore be to prevent the financial system from being used to finance criminal and terrorist activities.

The operative word here is ‘finance’: what governments are principally worried about are criminal/terrorist elements exploiting the financial system to finance their activities. The extent to which that worry is a live concern obviously depends on the nature of the specific protocol in question. DeFi protocols that elevate any variation of the following attributes are at a heightened risk of being found in an AML/CTF regulator’s crosshairs:

  • highly liquid;
  • fungible; and/or
  • anonymity.

So far, it’s the ability for crypto-currencies to mask user identity that has garnered the most attention. However, the point I want to make is that the ability to pseudonymise/anonymise identities on the internet only materialises into an AML/CTF concern when it is combined with the ability to financially transact with other people on the internet. So it’s no surprise that the DeFi protocols that have received the most attention from an AML/CTF perspective have been DEXes and tokens of currency/stablecoins: Bitmex, Binance and Tether, to name a couple of examples.

Exemption from AML/CTF regulation

Now, not all parts of the financial sector fall within AML/CTF’s core focus on liquidity, fungibility and anonymity. This is recognised (at least locally in Australia, although I suspect analogues will exist in other jurisdictions) by the fact that some financial services are carved out from having to comply with AML/CTF.

For our purposes, there are 2 relevant exemptions:

  • An exemption to cover buyers and sellers trading securities or derivatives traded on exchange (Ch21 AUSTRAC Rules). The explanation provided is that orders placed on exchange prevent the counterparties from knowing who is ultimately taking the other side of the trade;
  • An exemption for electricity and gas producers/retailers trading in OTC derivatives (Ch22 AUSTRAC Rules). Carve-outs from financial services regulation for energy markets participants are fairly common (they’re not really part of the financial sector, after all), but you could also justify this exemption on the logic articulated above, which I think still holds: namely, that the derivatives in question are not fungible in nature (i.e. OTC derivatives are crafted specifically to the needs of the counterparties to that transaction).

Mapping onto Tracer

So where does this leave Tracer? As I see it, Tracer can essentially be broken down into 2 components for the purposes of determining AML/CTF risk:

  • A repository of contract templates (i.e. the Tracer factory) that can be used to develop a derivatives product;
  • Tokens produced by Tracer, or in conjunction with derivatives based off its contract templates: this would include the TCR governance token and the Perp Pools tokens, currently.

In regards to the Tracer factory’s permissionless contract templates, there’s a threshold question as to who’s responsible for complying with AML/CTF regulation: Tracer DAO, or the person who’s deployed the template? I’ve discussed this a little more here, but I think there’s a solid rationale for attributing responsibility to the entity who’s deployed the contract template to issue a derivative contract, rather than Tracer DAO (to the extent the two are different entities – I entirely envision Tracer DAO to continue to issue its own derivatives products).

However, even if it was responsible for complying with AML/CTF requirements, Tracer could moderate the level of AML/CTF risk it took on by developing products that either fell within one of the stated exemptions, or kept the product’s underlying fungibility, liquidity and/or anonymity to minimum levels. Trading securities based on a Tracer template on an exchange? Likely covered by the Ch21 exemption (and in the case of a DEX, a further question as to what proportion of responsibility the DEX should bear). Alternatively, Tracer could restrict its product issuances to sophisticated institutions wishing to hedge bespoke risks in the context of transacting with each other on a bilateral/OTC basis.

What about Tracer tokens? Well, tokenisation itself brings with it an inherent level of liquidity and fungibility which will likely raise the meter of AML/CTF concern – for that reason, it’ll be interesting to see the extent to which NFTs get caught in AML/CTF crosshairs. However, even tokenised assets exhibit varying levels of liquidity and fungibility: one of the interesting things about the TCR token is it opens the discussion on the extent to which a governance-only token with no inherent financial benefit poses an AML/CTF risk.

Finally, given the topic of the last Tracer drop, it’d be remiss of me not to point out the high incidence of AML/CTF risk that would attend the issuance of a Tracer stablecoin… hardly a reason not to go ahead with a project, but something worth considering.

AML/CTF versus privacy concerns

I’ve been careful about my usage of anonymisation throughout this post, because as just about everyone will tell you nowadays, there’s a limit to the anonymity you can expect on a platform based on Distributed Ledger Technology. As my earlier reference to Poly Network attests to, there’s a limit to which users will be able to rely on the pseudonymity inherent in blockchain technologies to mask their technologies, which is likely to dwindle as the number of participants increases.

This has already given rise to a conversation around crypto-assets’ compatibility with people’s right to privacy, which is legally protected to varying degrees around the world. This deserves its own separate post, but it’s worth noting that the discussion around the tension between AML/CTF and privacy contained within crypto is quickly developing, with the conversation around this topic particularly developed in the EU.

As always, my 2 TCR!


You sir are a boss. You’re the greatest human alive. This is all extremely intelligent thought.

You are right … it all depends on the design. I’d note that with the new Ethereum address abstraction and cheaper L2 computation, some new options may be feasible.

I’ve discussed the FATF guidance with LexDAO members and the general view is that the guidance is not as bad as was the original stance (moving away from vague “facilitate” towards more legally objective “control”). But to me, this is saying a stab to stomach is not as bad as shotgun to head. The issues:

  1. tokens != cash, a lot of the edge cases are tokens that measure social capital, like convening rights, and many which, whilst having a price, are non-financial. However, because of DEX liquidity, the attitude that any NFT / commodity can be converted elsewhere at will means they want everywhere to be monitored (think whack-a-mole).
  2. a risk-based approach sounds principled but who is measuring the risk? Frankly the chance of getting superbug on a fed-resv-note are higher than your counter-party being a terrorist but nobody is banning physical cash (alas for 500€) so there’s budget bloat for high-impact but extremely low chance events vs committing public funds towards security standards (starting with not leaving cyberweapon vault open and leaving cipher-backdoors)
  3. by attempting to say intermediary XYZ must do this (eg include b4 deploy) risks regulating by prescription and not calculating the burden of such controls (coming in reduced revenue from fewer actors, compliance cost bloat and mis-allocated risk - eg privacy leaks).

Fortunately 0xFA7F is only guidance, and not recommendation; otherwise, if you had to implement all the details, you’d probably need another chain just to store all the multiple data collection (both ends).


The fundamental problem any Layer 2-3 dApp faces is that it is impossible to comply with 3 competing RegTech demands:

  1. CTF - which is an alienation rule, that actor XYZ is not allowed to participate in market activities. Leaving aside the identity of XYZ, one wonders who decides XYZ deserves to be sin-binned
  2. privacy provisions - a property rule (cf quiet enjoyment of house from intrusion). Since every transaction is on a public ledger, with enough effort you can follow the economic footprints of anyone, which is probably why tax depts are letting the rope out for a meaty witchhunt later
  3. democratic access to finance - arguably economic sanctions hurt the population (price inflation) and just annoy the elites (3% of normal banking is from criminal activities, apparently significantly more than DeFi). So the very people that low cost DeFi is supposed to help are locked out of improving their lives

So like the Kerberos of 3 headed hell hound, it becomes a no-win outcome: either you follow TradFi, in which case you’re losing money in a nascent market which hates risk, or else you operate in the grey zone where vampire mines suck liquidity or flashbots manipulate your asset-swap-price curves.


Hello TracerDAO!

There are plenty of reasons why 2021 should be consigned to the dustbin of history, but I did say that I would update this thread with anything interesting to come out of the FATF guidance for Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs).

As a brief recap, in late 2021 FATF updated its guidance to countries on how to adapt AML/CTF principles to apply to ‘Virtual Assets’ (VAs) and ‘Virtual Asset Service Providers’ (VASPs).

AML/CTF risk factors

I’m going to take this opportunity to take a victory lap, because I thought I did a pretty good job of pre-empting FATF in this space. My core characteristics of liquidity, fungibility and anonymity align fairly nicely with the risk factors FATF mentioned as elevating the intrinsic AML/CTF risk of VAs and VASPs.

You can have a look at the full list here at pg 19-21 (with some slight differences between those for VAs and VASPs), but FATF’s guidance recommends the following areas for gauging the AML/CTF risk of a VA/VASP:

  • Number and value of transfers;
  • Connection with fiat-based currency;
  • Number and value of transfers related to illicit activity;
  • Use of anonymising techniques;
  • Use of IP anonymisers; and
  • Size of the business/ecosystem.

Stablecoins and fungibility

The focus the FATF guidance pays to stablecoins is a nice illustration of how highly liquid, fungible and anonymous VAs/VASPs are more likely to find themselves in the crosshairs of an AML/CTF regulator, instead of flying under the radar. The regulators seem to have decided upon stablecoins as the poster child for the full range of concerns around crypto-assets, in addition to their susceptibility to be used in ML/TF. What I find interesting about the situation is the sheer weight of regulatory considerations accompanying stablecoins acting to constrain their fungibility.

See, no one can actually agree what a stablecoin is, at least from a regulatory perspective: options range from an unregulated crypto-currency in the UK, a derivative potentially in Australia and maybe constituting a commodity over in the US. A stablecoin’s fungibility – that is, the ability for one unit to be exchanged for another – is going to be hampered if the exchange happens across jurisdictions with different treatments for stablecoins. Something for all those projects attempting to create a crypto-world currency.

P2P

To end on a generally optimistic note, FATF has maintained some consistency by acknowledging that P2P transactions in crypto-assets remain beyond its remit to impose AML/CTF obligations on intermediaries. While FATF surrounds this acknowledgement with qualifications – regulators need to look to the substance of the transaction and ensure it isn’t passing through a central party, that P2P transactions should be subject to a future review for evidence of transactions funding ML/TF – it is nonetheless reassuring that overarching principles like tech neutrality are observed to a degree, something to keep in mind for future attempts to influence regulatory development.

My 2TCR!