From DeFi to DeFi-ance

The US Department of the Treasury recently released a report titled ‘Illicit Finance Risk Assessment of Decentralised Finance’.

Amid a host of developments in the regulatory arena, this report is a major step towards the regulation of crypto assets. The report reveals that illicit actors, including ransomware cybercriminals, thieves, scammers, and Democratic People’s Republic of Korea (DPRK) cyber actors, are using DeFi services to transfer and launder their illicit proceeds, and it attempts to pave the way for enforcing the requirements of the Bank Secrecy Act (BSA) on DeFi primitives as well.

DeFi or No DeFi, BSA Applies Either Way

As per the report, the Bank Secrecy Act (BSA) imposes a host of obligations on a wide range of covered financial institutions. These obligations include:

  1. Anti-Money Laundering (AML) Programs: Financial institutions must establish and maintain an AML program that includes policies, procedures, and internal controls to ensure compliance with the BSA. The program must be tailored to the institution's size, complexity, and nature of its operations.

  2. Customer Identification Programs (CIP): Financial institutions must implement a CIP that includes procedures for verifying the identity of each customer opening an account.

  3. Suspicious Activity Reporting (SAR): Financial institutions must file SARs with the Financial Crimes Enforcement Network (FinCEN) for any suspicious transactions that involve at least $5,000 and are conducted or attempted by, at, or through the institution.

  4. Currency Transaction Reporting (CTR): Financial institutions must file CTRs with FinCEN for any transactions involving currency (cash or coins) that exceed $10,000 in a single day.

  5. Recordkeeping: Financial institutions must maintain records of certain transactions and customer information, including CTRs, SARs, and information related to the CIP.

  6. Compliance Officers: Each financial institution must designate a BSA Compliance Officer responsible for ensuring compliance with the BSA and related regulations.

  7. Training: Financial institutions must provide ongoing training to employees regarding their responsibilities under the BSA.

Determining whether an entity, including many of the DeFi services crypto natives use on a regular basis, is considered a ‘covered’ financial institution depends on the specific facts and circumstances surrounding its financial activities. However, the report also states that any DeFi service that functions as a financial institution as defined by the BSA, regardless of whether the service is centralized or decentralized, is required to comply with BSA obligations. A DeFi service’s claim that it is or plans to be “fully decentralized” does not impact its status as a financial institution under the BSA.

Wait a minute. What is the BSA?

The Bank Secrecy Act (BSA) is a United States federal law that requires financial institutions to assist the government in preventing money laundering and other financial crimes. The BSA applies to a wide range of financial institutions, including banks, credit unions, money services businesses, and other types of financial service providers. The BSA is enforced by the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury.

So what is the reaction of the crypto industry?

Here’s the gist of what Coin Center (a renowned, US-based research and advocacy center focusing on crypto) has to say:

The good bits according to them are:

  • The assessment is merely a policy report; it is not new or updated guidance about whether someone is or is not a “financial institution” and therefore obligated to surveil their customers.

  • It acknowledges the small share of total crypto activity that DeFi represents (3%) and that the larger realm of traditionally intermediated finance, as well as non-compliant international centralized crypto exchanges, pose a more significant money laundering threat.

The bad bits are:

  • The discussion ignores the more interesting and critical factual inquiry into what exactly DAO members did that might trigger (or not trigger) BSA obligations.

  • In the context of persons in the DeFi ecosystem, the report implies that everyone is non-compliant, and perhaps criminally so, even though one can only be non-compliant if one is actually obligated to comply.

  • It fails to acknowledge that many DeFi projects are truly non-custodial and that many persons involved in DeFi are doing nothing but publishing software. Those persons would not be Money Services Businesses under the “accept and transmit” definition in the BSA’s implementing regulations.

Net net, Coin Center summarises its reaction by saying that the Treasury’s 40-page assessment never gets to a desired level of specificity: it does not clearly identify whether there is in fact a gap and, if there is one, it does not characterise precisely which activities might fall into that gap. The assessment also fails to identify the lawful processes by which those purported gaps could be filled or the administrative and constitutional limits on that gap-filling exercise.

Is there an impact of regulations on DeFi Technologies?

Given the nature of decentralised technologies and their promise of a transparent, code-driven financial system that functions seamlessly without intervention from entities and institutions, one wonders whether regulations have any impact on such a network of transactions.

Turns out, they do. According to a report from Chainalysis, the sanctions imposed on Tornado Cash, the decentralised, smart-contract-based mixing service, have had a meaningful impact across the spectrum of categories, with the most distinctive impact on inflows from sanctioned counterparties.

Source: Chainalysis 2023 Crypto Crime Report

So, how does this impact Web3 projects?

For Web3 projects, this means first of all that the theatrics around DAOs and ‘sufficiently decentralised’ systems will no longer hold up. The regulators will come down hard, and any instance of a lack of true decentralisation is bound to be looked at extremely adversely. This puts a vast majority of Web2 and Web3 projects that are looking to transition from semi-centralised solutions to decentralised ones at risk.

Unless projects adopt an activities-based approach that embodies the various aspects of true decentralisation in practice, i.e. the creation and deployment of software or code without touching anyone else’s funds, directly or indirectly (via truly decentralised DAOs), they could be a covered financial institution and could have BSA obligations. The challenge is that most decentralised projects tend to have multiple points of friction that hinder mass adoption. Therefore, our philosophy at Panthera is to build for the entire spectrum of use cases across centralised as well as decentralised paradigms. This is further driven by our unique MPC + private-key based architecture, which allows businesses to choose their own approach yet build secure wallets that can help them onboard users seamlessly.

All this while, there has been a growing discussion around regulations for CeFi within crypto. With US regulators now looking towards imposing regulations on DeFi as well, it is clear that compliance will continue to remain a key buzzword for Web3 projects moving forward, and it will be in the best interests of these projects not just to closely monitor developments in this space but also to scrutinise their own business models, understand their obligations and then build the right partnerships.
