Today, Mike Mosier, Katja Gilman and I are sharing a paper that begins a conversation around, & proposes a conceptual framework for, how to answer the "illicit finance" policy question as it relates to DeFi. A brief discussion below, with links to the full paper + a summary document.
Full paper here: https://lnkd.in/eWRJhVGP (summary document in comments)
The paper sets the stage with a brief overview of the U.S. financial integrity laws--AML/CFT + sanctions--and the ways those laws are implemented by intermediaries, incl a special class of intermediaries known as "financial institutions" ("FIs") under the BSA. (Sec I.) We also explain what DeFi really is & is not, as well as the sources of illicit finance risk in DeFi which are very different than in traditional finance--cyber risk, system management risk & usage risk. (Sec II.) (Thanks to Jarrod Watts for the DeFi graphic which is also included in the paper.)
Section III provides a 3-part framework on how to think about combating illicit finance in DeFi. First, the framework sets out a definition of “independent control,” grounded in the 2019 FinCEN Guidance, in order to identify smart-contract based financial protocols w centralized intermediaries that may otherwise call themselves "DeFi." Tech systems w people who have "independent control" over them are "on-chain CeFi" (as noted in an article by Katrin Schuler, Ann Sofie Cloots and Fabian Schär), and are more likely subject to regulation including for illicit finance, but this requires examining "facts & circumstances". System Control Persons (those who have "independent control") are not necessarily financial institutions, and the definition of SCP is not intended to capture governance token holders, DAOs or third party, exogenous touchpoints like oracles.
Second, we propose classifying genuine DeFi protocols--neutral, decentralized software--as “critical infrastructure,” subject to oversight & security coordination by the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection (“OCCIP”). The "critical infrastructure" framework is coordinated by CISA, which oversees network technology & physical architecture "critical" to U.S. national & economic security in 16 sectors, including in financial services. CISA & its coordinating arms (including OCCIP) are not regulators. Genuine DeFi Systems are technological infrastructure underpinning a new approach to conducting financial transactions & given the way in which they function, OCCIP could make meaningful contributions to the safe operation of genuine DeFi Systems. [thread continues in comments]