Everyone agrees that money laundering laws apply to DeFi. The question is: how to apply them?
DeFi, or decentralized finance, is an emerging segment of the broader financial industry that delivers traditional financial services, say like trading or lending, using a novel type of database—blockchains.
These blockchains allow people to create financial robots, or bots, that the public can engage with in order to get financial services. And not just any sort of bot. These are autonomous, unstoppable, non-upgradeable financial bots. They operate independently of humans; once its creator sets it free, the bot never needs the intervention of its creator—or anyone else—ever again. The bot is unstoppable; once its code is live, it can't be erased, upgraded, or altered. The bot is incapable of deviating from its original code; it is forever locked in place.
(Most financial services provided on blockchains don't quite meet the strict standard described above. These "fake" DeFi bots are upgradeable and are driven by a human operator or team behind the scenes. The application of money laundering laws to fake DeFi bots is straight-forward. What I'm addressing in this post is the true DeFi bots, the ones that are autonomous, unstoppable, and non-upgradeable.)
Historically we haven't received our financial services from autonomous, unstoppable non-upgradeable agents. We've always gotten them from brick and mortar institutions like banks and brokerages. These institutions are run by human executives and employees who rely on a fairly malleable set of machine aids, like websites and Excel spreadsheets and SQL databases.
The application of money laundering law to banks and other financial institutions is well understood. If a bank consciously allows dirty money onto its platform, we punish the bank and the folks who run it. This follows from 18 U.S. Code § 1956, which says that anyone who knowingly conducts a transaction involving dirty money, and does so in a way to conceal its origin or disguise its control, can be punished with up to twenty years in jail for money laundering.
Here's the question: when financial services are provided through the mediation of autonomous, unstoppable, non-upgradeable bots, and not human-operated banks and brokerages, who does society punish when dirty funds are processed? What DeFi party is liable under 18 U.S. Code § 1956?
The bot itself is nonpunishable. It simply keeps on ticking. It's not a human and can't learn from punishment. So that's a dead-end.
There is no human operator or governor to punish (at least, not in the case of pure DeFi bots). The bot is 100% autonomous, operating without the aid of a human behind the scenes.
What about the creator? I've argued in a previous post on a particular DeFi bot, Tornado Cash, that it makes a lot of sense to hold the creators of unstoppable non-upgradeable financial bots accountable for money laundering, even if those creators are no longer involved with the bot in any way. To protect themselves from being charged with money laundering, creators will choose at the very outset to equip their financial bots with a means for screening out dirty funds, thus complying with the law. I'll let you read that post yourself.
There's another option. In a recent exchange with a member of congress, a DeFi lobbyist suggests that the users of unstoppable non-upgradeable financial bots—not the creators—be held liable for their own bad conduct. Here's the clip:
This is an interesting solution. Let's work out how money laundering law spreads into DeFi if a user-pays-the-price strategy is adopted.How should money laundering laws apply to DeFi? If users—not developers—are liable, as the clip suggests, that renders DeFi radioactive, since any user that commingles their licit funds in a tool along with criminal funds is now a potential money launderer. https://t.co/rbhtrQyi9h
— John Paul Koning (@jp_koning) September 11, 2024
Say that criminals regularly place dirty funds with a certain DeFi bot, perhaps a decentralized exchange (like Uniswap), in order to clean them, and this is a widely-known fact. Next, let's look at what happens when a user with licit crypto submits their funds to the same bot. By consciously allowing their clean funds to be commingled with dirty funds and swapped for them, these licit users have themselves become bad actors. After all, helping criminally-derived funds make a getaway is a crime: we call it money laundering.
Under this user-pays-the-price scenario, DeFi becomes radioactive. Anyone interacting with an unstoppable, non-upgradeable financial bot is playing with fire, since a potential money laundering charge is just around the corner.
In an effort to reduce the odds that they face a money laundering charge, users may try to shop around for bots that have been coded with filters for screening out bad actors. Creators may try to compete with each other to attract users by providing genuinely compliant bots.
The upshot is that whether society decides to makes creators of financial bots liable for money laundering, or users liable, the end result may very well be the same. Bots will be built with anti-crime devices, thus falling in line with society's money laundering laws. That's a good result.
However, for pragmatic reasons my preference is to hold creators liable rather than users. My mental model of a prototypical retail user of financial services is a frazzled individual who doesn't have the bandwidth or knowledge to grasp exactly what they are doing with their money, because their time is divided between their family, jobs, education, church, hobbies, and other important things. What an awful burden to put on these people: "Oh, by the way, be careful where you get your financial services online, because you might be caught laundering money for the mob." Indeed, one of the advantages of dealing with a traditional bank is that a licit user needn't worry about this hazard.
Creators, on the other hand, are far fewer in number than users, are likely to be financially savvy, and probably have far more time to devote to the intricacies of financial law. And so the creator class will be better able to bear the burden of being targeted with the burden of a potential money laundering charge, and instigating the necessary compliance.
So if we had to choose who to be liable for the bad conduct flowing through unstoppable non-upgradeable financial bots, I say target creators, if possible, and not users. We all agree that money laundering laws apply to DeFi—the end goal being bots that exclude criminals—but placing the liability on users is an an inefficient and unfair way of extracting compliance.
