Treasury’s new DeFi risk assessment relies on ill-fitting frameworks and makes potentially unconstitutional recommendations

The report misunderstands self custody, smart contracts, and other key elements relevant to AML policy

Yesterday the Treasury Department released a “DeFi Illicit Finance Risk Assessment.” While the report does not announce any new or changed policy, and correctly acknowledges the much larger illicit finance threat posed by the traditional banking sector, it—nonetheless—engages at length in an unhelpful centralization-versus-decentralization analysis that is confusing and irrelevant to the actual legal questions at stake. Worryingly, the assessment appears to prejudge all DeFi applications as non-compliant with anti-money-laundering rules without ever explaining which actual activities performed by which DeFi-related actors do and do not trigger compliance obligations. The assessment assumes instead that AML rules always apply, or at the very least that they should always apply and that regulations should be expanded to the extent they don’t–even perhaps to cover the mere publication of software. Here’s the good, the bad, and the ugly of the Treasury Department’s DeFi risk assessment.

The Good

The assessment repeatedly indicates that obligations under the Bank Secrecy Act (BSA) are dependent on specific facts and circumstances, which has been well-known policy from the Treasury Department with regard to crypto going back to 2013. In other words, the assessment isn’t announcing a new standard that would cause all of DeFi to be regulated or anything like that. Troublingly, however, halfway through the assessment identifies a specific set of facts and circumstances that to date have been clearly outside the scope of BSA regulation as being inside scope, but we’ll come back to that later on in this analysis.

Also good is the fact that the assessment clearly states at the outset that it is not changing any laws or definitions, that it is merely a policy report, and that it is not new or updated guidance about whether someone is or is not a “financial institution” and therefore obligated to surveil their customers. This means that, at least for now, the 2019 FinCEN guidance (which we think is generally very good and appropriately constrained to custodial entities) is still the controlling law.

The assessment, while often pessimistic regarding the value of DeFi technologies, nonetheless acknowledges the small share of total crypto activity that DeFi represents (3%). This is good because it means that the Treasury Department is not blowing the issue out of proportion. Indeed at various points the assessment stresses that the larger realm of traditionally intermediated finance, as well as non-compliant international centralized crypto exchanges, pose a more significant money laundering threat. We agree.

Also heartening is the fact that the assessment explicitly says that it is not concerned with transfers between the holders of two “self-hosted” wallets. In other words, nothing in the assessment is about actual peer-to-peer usage of crypto, and the assessment is not calling for the application of the BSA’s surveillance regime to those personal activities, which would raise obvious and serious constitutional issues dealing with warrantless search and seizure.

However, this is where things start becoming complicated. The sentence dealing with “self-hosted wallets” and peer-to-peer transactions has a truck-sized carve out that must stem from ignorance or misunderstanding of the nature of DeFi. The assessment states that it is not concerned with peer-to-peer transactions if and only if those transactions “do not involve smart contracts.”

The negative implication of that claim is that the assessment is concerned with peer-to-peer transactions when those transactions do involve smart contracts. And that claim might be indicative of a mistaken belief that any and every transfer between “self-hosted wallets” that also involves a smart contract is no longer strictly a peer-to-peer transaction. The assessment doesn’t come out and say that, but a large portion of it is dedicated to outlining all the ways that smart contracts can and are often controlled by third parties, and it does not once affirm what is unambiguously true: that at least some smart contracts are merely software without any administrator or controller.

Indeed, the tone of the assessment is dismissive of the possibility that “self-custody” can be maintained while using DeFi. For example: “Some DeFi services purport to allow users to self-custody their virtual assets through their own digital wallets” and “[m]any DeFi services claim to be disintermediated by enabling automated P2P transactions without the need for an account or custodial relationship.” (Emphases added.) Every garden has weeds among the flowers, and throughout crypto there are plenty of disingenuous claims, claims made erroneously or by those who would happily lie to escape regulation. There are, however, also mathematical truths about the entirely non-custodial nature of many protocols and smart contracts that warrant at least some cursory mention in any report that is meant to be comprehensive and fair.

For example, the Tornado Cash contracts (the sanctioning of which we are challenging in our lawsuit against OFAC) are entirely non-custodial. No person, DAO, or entity, whether sanctioned, foreign or domestic, can in any way move money out of the Tornado Cash core contracts unless they can provide a valid note proving that they are the entity that deposited funds into that contract.

Indeed this weeds-only characterization belies a more significant misunderstanding about the nature of so-called “self-hosted wallets.” Crypto doesn’t exist within people’s wallets; it exists on a blockchain at any given address, and exists literally nowhere else. A wallet (self-hosted or otherwise) merely holds keys (not coins), and those keys control…. you guessed it, smart contracts. Smart contracts are simply rules encoded in software for how and when amounts of crypto can be transferred. The simplest smart contract is a rule that transactions moving crypto from the source address must be signed by the private key that corresponds to that address (and this is what Treasury is referring to when they say “self-hosted wallet”). That is to say, any and all cryptocurrency locked in an address for which the direct beneficiary and owner has full control must therefore reside within a form of smart contract. So the statement, “Funds transfers between the holders of two unhosted wallets that do not involve smart contracts fall outside the scope of DeFi services for the purpose of this report,” is incoherent because there’s no such thing as a transfer between the holders of two unhosted wallets that “does not involve smart contracts.”

Lest you think we’re being overly pedantic, it’s worth noting that the dominant mode of making a “self-hosted” multisig transaction on Ethereum is to use a type of smart contract called a Gnosis Safe. The authors of the technical specification for Gnosis Safe smart contracts have a website, and there is an incorporated foundation and a DAO-based governance mechanism for coordinating research and development of the technical standards upon which these contracts are ultimately built. None of that means that individual instances of these smart contracts are somehow controlled by any of these researchers or groups. That’s akin to arguing that Master Lock, Inc. controls every bike locked with its padlock, or that Schlage, Inc. controls every home whose door sports their deadbolt. Or, for that matter, that the W3C (the main international standards organization for the World Wide Web) controls this blog post and the Coin Center website.

We end up in this semantic hole because the assessment refuses to acknowledge that some smart contracts have no third party operator while simultaneously acknowledging that mere person-to-person transactions are outside of the discussion. And this may not be just incompleteness, it may be strategic from a constitutional law perspective.

The fact is, a peer-to-peer transaction likely cannot be subject to the relevant reporting and KYC requirements specified in the Bank Secrecy Act because those requirements only apply to “financial institutions” as defined in the Act and associated regulations. Defining an individual paying another individual as a financial institution is absurd, and also unconstitutional. Financial institutions are obliged to engage in warrantless data collection about their customers under the BSA and the only reason that such surveillance activities are constitutional is because the third-party doctrine excludes searches made by third parties from Fourth Amendment protections. A peer-to-peer transaction has, definitionally, no third party and therefore cannot be subject to a warrantless reporting regime. So if the assessment had admitted the mathematical truth that some DeFi smart contracts are truly peer-to-peer, it would also be stating a legal truth that those activities are outside of the constitutionally cabined authority of the government to surveil without a warrant.

This confusion over “self-hosted wallets” not being themselves smart contracts, sadly, is only the beginning of the troubling misunderstanding of the relevant factors of the technology evidenced by the assessment. Let’s move from the good to the bad.

The Bad

The assessment as a whole unhelpfully focuses on a rhetorical dichotomy between centralized vs. decentralized tools and protocols, rather than focusing rightly on the activities that trigger regulation, and specifically the relevant question for BSA application: are you performing an activity that qualifies as a regulated financial service? The crypto ecosystem may be partially to blame for that confusion given how often advocates who are not well-educated about the law erroneously claim that they can’t be regulated because they are “decentralized.” But the Treasury Department is not a crypto advocate ignorant of the law; it’s the Treasury Department. Therefore the choice to focus on centralization vs. decentralization rather than specific activities-based triggers for regulation is confusing at best.

Coin Center has long advocated for an activities-based framing of important questions like “Am I a money services business that needs to register and surveil my customers?” rather than any vague “decentralization”-based inquiry. Basically, If “activity X” has always been defined as a regulated activity and you do “activity X,” then you will be regulated even if you do activity X using crypto or through a “decentralized” organization. And similarly, if you don’t do “activity X” then you aren’t regulated regardless of whether you do it as part of a DAO or as a natural person. In practice this means that if you are (a) writing software that people use to move or secure their own money, then you are not regulated regardless of whether you write and publish that software yourself or alongside DAO members. However if you are (b) maintaining custody or control of someone’s funds, then you are regulated regardless of whether you do it yourself or alongside fellow DAO members.

To be fair, the assessment does end up saying this at page seven: “The nature of the activities in which a person engages is the key factor in determining whether and how that person must register” and “[t]he degree to which a service is decentralized has no bearing on these obligations so long as the service meets this definition.” And yet when it comes time to actually discuss the definition of a highly consequential activity upon which the application of regulation hinges (i.e. custody), the assessment spends a single paragraph arguing that most “purported” self-custody is bogus. Meanwhile many pages are inexplicably spent exploring the irrelevant question of centralization versus decentralization.

Before we move on from the bad to the ugly, it’s also worth pointing out another strange passage. Also at page seven the assessment suggests that “[i]ndustry claims there is insufficient regulatory clarity” regarding AML/CFT obligations. No support is given for this claim. For what it’s worth, Coin Center, at least, has often said the opposite: we have repeatedly applauded FinCEN and other regulators for taking a technology-neutral and activities-based approach to their interpretation of the BSA.

The Ugly

The assessment’s focus on decentralization rather than activities-based regulation is most problematic within the sections of the assessment intended to outline the division of BSA authority between the several regulators in this space. The Treasury Department, SEC, CFTC, and the several banking regulators all share and divide that authority for BSA supervision. The particular trigger for whether you are BSA regulated lies in whether you meet any of the particular (activities-based) definitions in the various federal statutes relevant to each agency, e.g. whether you are a Futures Commission Merchant (FCM) if you are doing commodities derivatives trading according to the Commodities Exchange Act, or whether you are a Money Services Business (MSB) if you are accepting and transmitting currency or currency substitutes according to the Bank Secrecy Act and the implementing regulations issued by FinCEN. If this seems complex, that’s because it is, which is all the more reason for a report on the topic to offer a clear picture of how that authority is divided and which definitions are the relevant triggers for regulation by each agency.

Though it is never clearly stated in the assessment, these activities have very different definitions and standards. Persons in the DeFi ecosystem might be doing some but not others, and some persons are doing none, but rather than discuss exactly what each standard describes and whether any particular type of DeFi actor fits into that category (something that FinCEN’s 2019 guidance did extremely well), the assessment prefers to generalize that all of these persons in DeFi are failing to do any BSA compliance (irrespective of whether they are actually obligated to do so under the activities-based definitions): “DeFi services at present often do not implement AML/CFT controls or other processes to identify customers, allowing layering of proceeds to take place instantaneously and pseudonymously.” The implication is that everyone is non-compliant, and perhaps criminally so, even though one can only be non-compliant if one is actually obligated to comply.

The only time the assessment offers specific examples of non-compliance is with regard to the Ookie Dao (née bZeroX) enforcement action by the CFTC. Rather than investigate or describe why the particular activities of those DAO members rise to the level of BSA obligations under the relevant definitions in the Commodities Exchange Act, the assessment focuses on whether it can be sued as an entity given its claimed decentralization. It can, but that is of little surprise (to us, at least), and that discussion ignores the more interesting and critical factual inquiry about what exactly those DAO members did that triggered (or didn’t trigger) BSA obligations. That inquiry would have been helpful to people building DeFi tools who want to know when they are legally obligated to comply, and it would also have been helpful for Coin Center to know if the regulations are being applied reasonably or in a way that contravenes our constitutional rights.

Even more troubling is the specific example of non-compliance in the MSB rather than FCM context. The report argues that: “For instance, one VASP announced in 2021 that it would transition from a traditional corporate structure into a DAO for the purpose of ceasing to collect customer information for AML/CFT compliance, although in practice this would not have impacted the service’s BSA obligations.” This is both a highly inflammatory allegation given that, so far as we know, no such VASP has been charged with any violation, and this is also an unsupported statement of law. We know that being a DAO rather than a company has no bearing on whether one is accepting and transmitting funds, but the critical question is whether the members of this alleged DAO, once the transition had occurred, actually engaged in the regulated activity of accepting and transmitting customer funds. That’s a factual inquiry. If DAO members do not have any actual control over customer funds and are, in fact, merely publishing software to the Ethereum blockchain that allows other people to transmit funds, then they are not an MSB because they are not “accepting and transmitting” anything. No discussion of those relevant facts is presented and misconduct on the part of DAO members is presented as if it is a given.

Finally, there is the section on “disintermediation.” In this section the assessment concedes that some activities performed by persons in DeFi may not qualify as within any of the activities-based categories that trigger BSA application. Note that it does not concede that this may be because those activities are truly non-custodial (the assessment demeans that notion repeatedly) or merely the publication of software. It leaves the reader to suspect that these persons have found some insidiously clever loophole rather than merely gone and exercised constitutional rights to publish innovative research and software.

We believe that many DeFi projects are truly non-custodial and we also believe that many persons involved are doing nothing but publishing software. Those persons would not be MSBs under the “accept and transmit” definition in the BSA’s implementing regulations. The report characterizes this as a “gap” that should be filled. To clearly state Coin Center’s position on such gap-filling: (1) it can’t be done by guidance, (2) it can but should not be done by rulemaking, (3) it is a major question best left to Congress, and (4) in most cases it would be unconstitutional to do at all. Let’s expand on these points:

  1. It would not be legal for FinCEN to merely issue new guidance in order to fill these purported gaps in the MSB definition. The existing activity-based definition can’t be stretched through guidance to encompass non-custodial activities because the defined activity is all about custody itself (you either accept and transmit—e.g. have custody and control in between those actions—or you don’t).
  2. If there’s a desire to include certain non-custodial activities in the definition of “financial institution” it would at least need to happen via new notice-and-comment rulemaking rather than through mere guidance. 31 U.S.C. §5312(a)(2)(Y) empowers the Secretary of Treasury to identify any “activity which is similar to, related to, or a substitute for any” activities defined in the statute as performed by a “financial institution,” and §5312(a)(2)(Y) conditions that power on making these identifications “by regulation,” a phrase that triggers administrative procedure requirements such as notice and comment rulemaking.
  3. Even though the Treasury Department has this ostensible statutory authority under the BSA to redefine “financial institution” at will to include effectively any entity it wants, that authority is too broad to wield responsibly in all situations. A major question like whether thousands of software developers need to start registering with the Treasury Department in advance of publishing their software is, at the very least, a question best left for elected officials in Congress
  4. More to the point, if when policymakers go to define the activity, they cannot avoid including “publishing software that others use to move their own money” or something similar, then they cannot fill that purported “gap” without violating the Constitution. Both First Amendment rights to publish software without prior restraint and Fourth Amendment rights against warrantless surveillance of private (peer-to-peer) affairs would be implicated.

Treasury’s 40-page assessment never gets to this level of specificity. It does not clearly identify whether there is in fact a gap, and it does not characterize precisely which activities might fall into that gap (we think they would be speech activities). Nor does the assessment identify the lawful processes by which those purported gaps could be filled or the administrative and constitutional limits on that gap-filling exercise. To summarize, our constitutional rights to speech and privacy are not a gap in the money laundering laws. They are the supreme law of the land.