Saturday, September 14, 2024

How should money laundering laws apply to DeFi?


Everyone agrees that money laundering laws apply to DeFi. The question is: how to apply them?

DeFi, or decentralized finance, is an emerging segment of the broader financial industry that delivers traditional financial services, such as trading or lending, using a novel type of database: blockchains.

These blockchains allow people to create financial robots, or bots, that the public can engage with in order to get financial services. And not just any sort of bot. These are autonomous, unstoppable, non-upgradeable financial bots. They operate independently of humans; once its creator sets it free, the bot never needs the intervention of its creator, or anyone else, ever again. The bot is unstoppable; once its code is live, it can't be erased, upgraded, or altered. The bot is incapable of deviating from its original code; it is forever locked in place.

(Most financial services provided on blockchains don't quite meet the strict standard described above. These "fake" DeFi bots are upgradeable and are driven by a human operator or team behind the scenes. The application of money laundering laws to fake DeFi bots is straightforward. What I'm addressing in this post is the true DeFi bots, the ones that are autonomous, unstoppable, and non-upgradeable.)

Historically we haven't received our financial services from autonomous, unstoppable non-upgradeable agents. We've always gotten them from brick and mortar institutions like banks and brokerages. These institutions are run by human executives and employees who rely on a fairly malleable set of machine aids, like websites and Excel spreadsheets and SQL databases.

The application of money laundering law to banks and other financial institutions is well understood. If a bank consciously allows dirty money onto its platform, we punish the bank and the folks who run it. This follows from 18 U.S. Code § 1956, which says that anyone who knowingly conducts a transaction involving dirty money, and does so in a way to conceal its origin or disguise its control, can be punished with up to twenty years in jail for money laundering.

Here's the question: when financial services are provided through the mediation of autonomous, unstoppable, non-upgradeable bots, and not human-operated banks and brokerages, who does society punish when dirty funds are processed? What DeFi party is liable under 18 U.S. Code § 1956?

The bot itself is nonpunishable. It simply keeps on ticking. It's not a human and can't learn from punishment. So that's a dead-end.

There is no human operator or governor to punish (at least, not in the case of pure DeFi bots). The bot is 100% autonomous, operating without the aid of a human behind the scenes.

What about the creator? I've argued in a previous post on a particular DeFi bot, Tornado Cash, that it makes a lot of sense to hold the creators of unstoppable non-upgradeable financial bots accountable for money laundering, even if those creators are no longer involved with the bot in any way. To protect themselves from being charged with money laundering, creators will choose at the very outset to equip their financial bots with a means for screening out dirty funds, thus complying with the law. I'll let you read that post yourself.

There's another option. In a recent exchange with a member of Congress, a DeFi lobbyist suggests that the users of unstoppable non-upgradeable financial bots, not the creators, be held liable for their own bad conduct. Here's the clip:

This is an interesting solution. Let's work out how money laundering law spreads into DeFi if a user-pays-the-price strategy is adopted.

Say that criminals regularly place dirty funds with a certain DeFi bot, perhaps a decentralized exchange (like Uniswap), in order to clean them, and this is a widely-known fact. Next, let's look at what happens when a user with licit crypto submits their funds to the same bot. By consciously allowing their clean funds to be commingled with dirty funds and swapped for them, these licit users have themselves become bad actors. After all, helping criminally-derived funds make a getaway is a crime: we call it money laundering.

Under this user-pays-the-price scenario, DeFi becomes radioactive. Anyone interacting with an unstoppable, non-upgradeable financial bot is playing with fire, since a potential money laundering charge is just around the corner.

In an effort to reduce the odds that they face a money laundering charge, users may try to shop around for bots that have been coded with filters for screening out bad actors. Creators may try to compete with each other to attract users by providing genuinely compliant bots.

The upshot is that whether society decides to make creators of financial bots liable for money laundering, or users liable, the end result may very well be the same. Bots will be built with anti-crime devices, thus falling in line with society's money laundering laws. That's a good result.

However, for pragmatic reasons my preference is to hold creators liable rather than users. My mental model of a prototypical retail user of financial services is a frazzled individual who doesn't have the bandwidth or knowledge to grasp exactly what they are doing with their money, because their time is divided between their family, jobs, education, church, hobbies, and other important things. What an awful burden to put on these people: "Oh, by the way, be careful where you get your financial services online, because you might be caught laundering money for the mob." Indeed, one of the advantages of dealing with a traditional bank is that a licit user needn't worry about this hazard.

Creators, on the other hand, are far fewer in number than users, are likely to be financially savvy, and probably have far more time to devote to the intricacies of financial law. And so the creator class will be better able to bear the burden of a potential money laundering charge and of instigating the necessary compliance.

So if we had to choose who should be liable for the bad conduct flowing through unstoppable non-upgradeable financial bots, I say target creators, if possible, and not users. We all agree that money laundering laws apply to DeFi, the end goal being bots that exclude criminals, but placing the liability on users is an inefficient and unfair way of extracting compliance.

22 comments:

  1. I don't know enough about DeFi and crypto. As such, I don't understand how going after creators is a good long term plan. If the bot is unstoppable, how often are you going to go after the creators?

    Replies
    1. The bots are unstoppable, but if law enforcement charges a few creators at the outset, going forward the upstanding ones will program their unstoppable bots with anti-money laundering defences, thus reducing the amount of bots that must be pursued to a narrower group created by non-compliant bad actors.

    2. Laws criminalizing establishment of DeFi without appropriate protections would have to be similar internationally or the activity would just move to a nation in which it is not enforced. This could be done using pressure applied by FATF.

    3. US and probably some other countries I don't know much about actually charge ML offences. Canada though (rightly or wrongly) has used the ML data collection provisions and intelligence disclosures to strengthen charges against a predicate offence (e.g., fraud). FINTRAC (and law enforcement) is hoping for better reporting of suspicious transactions and threshold reports. Nobody actually gets convicted of ML in Canada, if they even get charged.

  2. Yep, retail bank customers serving as money mules is a similar problem. Issuing warnings is probably a good idea, then at some point follow it up with legal action.

  3. Or money laundering laws will just stop existing. Encryption was also illegal before, then it got unenforceable, then it became legal.

    Replies
    1. How exactly would money laundering laws stop existing? You're suggesting that there will be a de facto decriminalization of money laundering thanks to DeFi, but I think there are some big assumptions behind that claim.

  4. It's interesting that you're tackling this problem head-on because DeFi was precisely designed from the beginning to be resistant to this kind of attack.

    But it seems, alas, that you don't know your history. The solution to criminalize users/consumers was proposed to solve this kind of problem already numerous times. I will let you check how it went, but a quick summary.

    TradFi is Napster, DeFi is the BitTorrent protocol and The Pirate Bay. Look into the history of Napster & the Pirate Bay, and it will give you everything you need to know about the chances of success for a strategy that involves attacking DeFi users.

    The creators of The Pirate Bay were indeed arrested, but The Pirate Bay itself is completely unstoppable, just like the BitTorrent protocol, and today it is very easy to find clones of The Pirate Bay and use them to download millions of movies and games and songs completely illegally, even though the service was launched in 2003, and governments have had ample time to try and stop it.

    In some cases, The Pirate Bay users themselves have been taken to court. Some countries, such as France, have even set up extensive surveillance of their Internet to combat this mass piracy, with fines and other swift sanctions to follow.

    But look what happened: none of this stopped mass piracy.

    Ask yourself why governments aren't cracking down on drug users, when it's obvious that the main reason the War on Drugs is failing is that as long as there's a demand, there'll be someone to replace a dealer who's just been arrested.

    Look at the attempt to punish drinkers during Prohibition, and ask yourself why the mighty American state decided to throw in the towel. And why it's the only amendment to the American constitution to have been abandoned.

    Etc. etc.

    Replies
    1. As for attacking the creators of DeFi solutions, the solution to this problem is so easy it's laughable: create the DeFi solutions anonymously.

      It's not for nothing that Satoshi Nakamoto remained anonymous. It's not for nothing that he's never been arrested. The same goes for the creators of Monero.

      There are more than enough of these types of individuals on Earth to ensure that DeFi will continue on its merry way, come what may.

    2. I wrote an extensive article on this: https://disruptive-horizons.com/p/internet-makes-governments-impotant-bottlenecks

    3. Olivier, you bring up some good points.

      I don't think the analogy of DeFi to pirated music is entirely convincing, though. DeFi doesn't offer free goods that would otherwise have a high cost; it just provides an alternative venue for the public to purchase traditional financial services at a cost, these services (trading, payments, etc) already being offered for the most part by the regular financial system. So the choice confronting users isn't as starkly different, with most people likely to remain indifferent between DeFi and non-DeFi.

      Given this indifference, it's much easier for the government to nudge DeFi towards a certain ending point.

      You also bring up the loophole of creating DeFi tools anonymously. Yes, that's an option. Mind you, that limitation reduces the range of creators willing to make DeFi tools, since anonymous production has a high cost. Also, I grant you the point that there will always be at least some pockets of DeFi that don't comply with money laundering laws and "continue on its merry way." But I do think that most of DeFi would fall into line.

  5. I was going to spend some time writing a detailed rebuttal to this blogpost here.

    But as the hearsay goes, everybody knows that the post's arguments are made with fallacies and in bad faith. So there is that!

    Replies
    1. You've got the floor. Let's hear what gems you have to offer.

    2. Punishing creators will never be viable, because there are countries that kidnap Americans, charge them with treason, and trade them for criminals that they sponsor. So punishing users needs a closer look, given that money laundering is a debilitating attack on Western society.
      Pirating is not a good analogy, because the loss of revenue for arts creators, while tending to reduce motivation for artists, is only a minor issue for society.
      Drugs and alcohol are not good analogies, because large segments of society want them; so the laws are tyrannical, as well as ineffective and more damaging than the behaviors that they seek to extinguish.
      With educational campaigns, the public will be able to avoid bad actors in DeFi. And if the law makes the business case for DeFi invalid, so be it. Centralized payment systems, like the semiconductors that obliterated nascent fluidics, are a moving target.

    3. "Punishing creators will never be viable, because there are countries that kidnap Americans, charge them with treason, and trade them for criminals that they sponsor."

      I don't quite get why this makes punishing creators non-viable. Not saying it's wrong, but you've got to walk me through it.

    4. Russia has a clear interest in using DeFi to enable misinformation campaigns and influence agents, as well as to evade sanctions. Russian-sponsored DeFi convicts will be exchanged, just like assassin Vadim Krasikov and arms dealer Victor Bout in the recent prisoner exchange.

    5. I agree that Russia has an interest in using DeFi, but isn't that an argument against law in general? i.e. "The U.S. shouldn't punish *insert illegal activity* because if the perpetrators are Russian then innocent Americans will be kidnapped so that Russia can conduct prisoner swaps."

    6. But there is an alternative: the user-pays-the-price strategy.

  6. I feel like there is a categorical error here. DeFi doesn't care about clean or dirty funds but instead clean or dirty accounts. The tokens are fungible! If funds are acquired illegally on-chain then they are traceable to that account and any subsequent account any funds move to. If they come from off-chain then this is no different. They dirty any account they move to. But because funds are not in themselves dirty, swapping them on Uniswap (or even depositing them to let others swap with them and therefore earn money from them) doesn't dirty anyone else's funds because everyone gets what are essentially their own funds back.

    Now of course Tornado Cash is a different beast. It was made to launder funds, whether legal or not (that is what privacy is here). But Uniswap or other immutable DeFi protocols don't provide tools to launder funds, even if they allow swapping, pooling, lending, margin, what-have-you.

    Replies
    1. I disagree that Uniswap doesn't provide a means for laundering crypto. If a criminal has stolen $10 million Tether, it's important to quickly move out of USDt into an unfreezable coin like Dai, and Uniswap is a key venue for doing so. Or if they've stolen some Shiba Inu, and they need to use Tornado, they'll use Uniswap as an intermediary to get ETH, since Tornado can't mix Shiba Inu. The counterparties who facilitate these swaps on Uniswap by providing liquidity are potentially guilty of money laundering, because they're conducting transactions that help to conceal the ownership of proceeds of crime.

      Also, I'm not sure how the distinction between accounts and funds changes any of this.

  7. > These blockchains allow people to create financial robots, or bots, that the public can engage with in order to get financial services. And not just any sort of bot. These are autonomous, unstoppable, non-upgradeable financial bots. They operate independently of humans; once its creator sets it free, the bot never needs the intervention of its creator—or anyone else—ever again. The bot is unstoppable; once its code is live, it can't be erased, upgraded, or altered. The bot is incapable of deviating from its original code; it is forever locked in place.

    This is not true. The smart contracts that DeFi runs on are run on computers. These computers are run by people called validators. Every block needs to be signed by 2/3s of the validators to be considered final. It would be trivial for validators to refuse to sign blocks containing transactions going to certain contracts, or even to refuse to sign blocks containing transactions emanating from users for whom they do not have KYC information.

    Systems such as Ethereum were designed with the aspiration that they would one day be completely unstoppable, autonomous, and impartial, but this is not the reality. Lido and Coinbase, the two largest Ethereum validators, control 40% of the validation power. No block is finalized without their explicit approval. If they decided to only allow transactions meeting certain KYC/AML criteria, these are the only transactions that would appear on the Ethereum blockchain.

    Replies
    1. Sure, fair enough. I abstracted away from the complexities of validation, as your comment suggests.

      I agree that it's possible to enforce AML at the validator level. In a previous post on Tornado Cash, for instance, I focused on the idea of imposing sanctions compliance on validators like Coinbase.

      https://jpkoning.blogspot.com/2023/12/the-long-arm-of-ofac-reaches-into.html

      I'm not entirely sure if I prefer AML/CFT and sanctions compliance to be imposed at the validator level or tool level (or both), but I suppose I've been leaning towards the tool level.
