A few days after the July 4 holiday in the US, a 37-year-old entrepreneur in Denver named Erik Voorhees issued his own declaration of independence. He said the company he had founded seven years earlier to help people exchange cryptocurrencies without making their names available to the government or anyone else would disappear from the face of the Earth — even as its services remained available to those who wanted them.
ShapeShift, as the enterprise is known, would become a “decentralised autonomous organisation”, or DAO, over time, he declared. Its corporate structure would fade away. Control of its open-source software for exchanging cryptocurrencies would “gradually migrate” to holders of ShapeShift’s FOX digital token, which had been distributed to employees, investors and customers. Voorhees will receive the biggest share, a little more than 5 per cent of the maximum total supply, he added.
“ShapeShift’s vision is the establishment of an immutable, borderless financial system,” Voorhees wrote on Twitter, where he has nearly 525,000 followers. “Let’s be direct: money and finance shall not be operated by coercive government among free people. They shall — like language, mathematics, and love — emerge voluntarily and without central rule.”
Voorhees’s July 14 proclamation has since become a hot topic of conversation in US regulatory circles, where it has been seen by some officials as heralding a new phase in the battle to prevent money laundering on blockchains — the digital ledgers of cryptocurrency transactions.
Regulators have long worried that the secrecy of the crypto trade — in which coins are controlled by the holder of a “private key”, a form of cryptographical password — creates opportunities to disguise the origin and ownership of funds. Now, they fear that new blockchain technologies will make it easier for criminals and kleptocrats — who are believed to launder hundreds of billions of dollars a year — to move money around the global financial system.
These anxieties are being fuelled by the growth of what has become known as decentralised finance or DeFi — a business with assets now measured in the tens of billions of dollars. Operating under names like Uniswap, Sushiswap and Pancakeswap, DeFi platforms seek to replace financial intermediaries such as banks or brokers with software known as smart contracts, commonly run on the ethereum blockchain, that would automate market activity. Although their legal status is hazy and their structures vary, DAOs are a way to put control of DeFi platforms into the hands of a community of stakeholders, often entrusted with governance tokens granting voting rights, rather than a centralised company.
The appeal of DeFi platforms is that they would lower costs and speed up trading, using digital assets. The worry among regulators is they would replace the very entities that governments turn to for help in enforcing the laws against money laundering — bankers, brokers and money transmitters that stand between people and markets.
Of particular concern is the fate of a key pillar of the anti-money laundering regime — the requirement on financial companies to “know your customer”. The KYC obligation means intermediaries are supposed to know their users’ names, monitor their transactions and report activities that raise money-laundering suspicions to the authorities.
Voorhees and his crypto allies have never really wanted to know their customers — and they now believe that DeFi innovations of recent months will enable them to break free of such obligations. As a company, ShapeShift gave in to regulatory pressure in 2018 and began to collect user details. As a DAO, ShapeShift no longer sees a requirement to do KYC checks, it says.
“The company is not providing any regulated services,” said Veronica McGregor, chief legal officer, in a statement. “At present, there are no official regulators of DAOs. ShapeShift is not an exchange, is not a financial intermediary and is not holding custody of any funds. It’s simply an open-source interface for users to interact with their own digital assets.”
The most likely result of these developments will be legal conflict, industry executives say. On one side of the battle are software developers — motivated by both libertarian ideals and commercial considerations — who are looking to turn the financial services industry on its head. On the other are regulators wondering what is going to be left to regulate in the years to come.
“DeFi is using loopholes in regulation because they don’t actually hold the customer’s money, unlike a broker,” says David Jevans, chief executive of CipherTrace, a cryptocurrency intelligence company started in 2015 with funding from the US Department of Homeland Security to help prevent financial crime. “This has allowed a nice wave of innovation, which is great. But it also allows a wave of innovation by people trying to launder money through the system.”
The question facing US officials is “how does a person who writes some software get regulated” by the Treasury or the Securities and Exchange Commission, he adds, estimating it could take two years for the resulting legal challenges to unfold. “We will see how it shakes out.”
‘The most private payment system’
Money launderers do not need cryptocurrencies to be successful. Most do just fine with traditional methods — such as mixing illicit funds into trade flows or ploughing them into assets such as property or art. But while the extent of money laundering in the crypto markets is difficult to calculate, the official concern is undeniable. Janet Yellen, US Treasury secretary, in February described “the misuse” of cryptocurrencies as a “growing problem”. A month earlier Christine Lagarde, European Central Bank president, linked digital assets to “totally reprehensible money-laundering activity”.
“Criminals of all types are increasingly using cryptocurrency to launder their illicit proceeds,” the US justice department’s cyber-digital task force said in a report last year. “Transnational criminal organisations, including drug cartels, may find cryptocurrency especially useful to hide financial activities and to move vast sums of money efficiently across borders without detection.”
A bevy of analytical firms has emerged to help detect illicit activity in the industry. But their tools are better suited to spotting crimes taking place on blockchains themselves — such as thefts, scams and ransomware payments — than in quantifying the amount of money from crimes committed elsewhere that finds its way on to crypto markets.
These watchdogs take advantage of the fact that blockchain transactions are public and gather data to identify suspicious patterns of activity or addresses. Focusing on this kind of “cryptocurrency native” crime — meaning it is “practically dependent on cryptocurrency or inherently intertwined with it” — Chainalysis, a leading crypto forensics firm, estimates illicit activity represented 0.34 per cent of cryptocurrency transaction volume in 2020, down from 2.1 per cent in 2019, as the overall level of crypto activity increased last year.
For the latest news and views on fintech from the FT’s network of correspondents around the world, sign up to our weekly newsletter #fintechFT
Chainalysis says it knows that bad actors such as drug traffickers “are laundering their ill-gotten funds by converting them into cryptocurrency and sending them around the world”. But it adds that it is “harder to both investigate this activity in individual cases or to size it in the aggregate” because such funds move “into cryptocurrency directly from fiat [official currencies] rather than move from known illicit addresses” on blockchains, leaving no trace of how the money was originally made.
One of the ironies of the DeFi revolution is that for all the talk about supplanting banks and brokers, the crypto industry still relies on such regulated players as the first line of defence against money laundering. These firms — with their costly anti-money laundering programmes — are seen as guardians of the “on ramps” and “off ramps” connecting the fiat and cryptocurrency worlds. As in old western movies, the banks and the brokers are supposed to head off the bad guys at the pass.
“The ‘on ramps’ and the ‘off ramps’ into the blockchain, they have the traditional AML requirements,” says Michael Gronager, chief executive of Chainalysis. “So as soon as you bring in dollars into a shop, into a crypto exchange, into a broker, they are bound by the traditional rules . . . and they would catch that.”
Adding to the challenge for law enforcement is that some developers are working to make it harder to spot illicit activity. One example involves difficult to trace privacy coins — such as Monero, Zcash and Dash. The US justice department last year called their use an example of “a high-risk activity that is indicative of possible criminal conduct”.
Jevans of CipherTrace, which is being acquired by Mastercard, says privacy coins “are designed to avoid detection” through techniques including “ring signatures, meaning multiple parties are involved in signing a transaction so it is hard to tell which one actually initiated it”. He sees “room in the crypto ecosystem for privacy coins” but only if their developers add compliance features to make it possible to discern the address from which a token comes.
“You are talking about many PhDs in computer science and mathematics and cryptography who are contributing to this project,” Jevans says. “They are not bad guys, necessarily. They just want to build the most private payment system on planet Earth and they don’t really care who uses it. I get it from an intellectual perspective. If you want to build the most private system in the world, you should go build it. But bad guys actually use that stuff.”
Preferring not to ‘know your customer’
ShapeShift’s own history highlights the allure of such private systems. When Voorhees started the cryptocurrency exchange in 2014 — the same year he agreed to pay $50,000 to settle SEC allegations involving the sale of unregistered securities — ShapeShift did not ask customers for personal information. Voorhees, who sees KYC schemes as “unethical and dangerous”, argues that collecting that kind of data creates a “honeypot” for hackers specialising in identity theft.
By 2018, however, Voorhees said he came to fear that his exchange would be shut down if it failed to follow KYC rules and it began to seek personal information from its customers. Coupled with turbulence in crypto markets, the change in KYC policy devastated the company, forcing it to almost halve its staff from 135 people to about 70, he said in a video interview posted on ShapeShift’s website.
“It was a super-dark time,” he said in the interview. “The vast majority of our customers just went elsewhere, and I certainly can’t blame them. There were lots of other companies that weren’t nearly as worried about the regulatory system as we were at that point, and so the customers just went there . . . We suddenly became super unprofitable, and losing tons of money.”
The embrace of DeFi by opponents of KYC raises the possibility that the platforms are becoming the financial services equivalent of self-driving cars that can do just about everything but stop at red lights. Yet, applying the regulatory brakes could be tricky. There are questions over whether US officials have the legal authority to impose anti-money laundering rules on the software developers behind such protocols.
Crypto advocates are already arguing that regulators would be violating the US constitution if they try. “The writing and publishing of software is free speech under the first amendment,” says Miller Whitehouse-Levine, policy director at the DeFi Education Fund, an industry advocacy group. “How do you ex ante ask folks to change their speech essentially to comply with what the government thinks they should be doing?”
The more likely approach would be to find some corporate nub in the DeFi platforms to which legal obligations could be attached. Gary Gensler, SEC chair, hinted at such possibilities in a recent Financial Times interview in which he said DeFi platforms reminded him of the “peer-to-peer” lending businesses that developed in the earlier part of the century.
Just as there was “a company in the middle” of peer-to-peer lending, he said DeFi has “a fair amount of centralisation”, including governance mechanisms, fee models and incentive systems. “A lot of the developers want to suggest that they are not [doing anything] more than developing software,” he added. “It’s a misnomer to say they [DeFi platforms] are just software that is put out to the web.”
DeFi advocates say they recognise the difficulty the authorities face in fashioning regulatory mechanisms that would work without traditional financial intermediaries. But they warn that a precipitous response could drive DeFi innovation to other countries — and they have allies in Congress who share their concerns. A furore on Capitol Hill this summer over imposing tax reporting requirements on crypto “brokers” — which remains unresolved — showed that the industry has allies on both sides of the US political divide.
Ultimately, the crypto industry is asking that the DeFi platforms be given the room that they need to develop — and mature. The people who understand the platforms’ flaws well enough to fix them are the software developers who came up with the protocols in the first place, these advocates argue.
“DeFi poses all sorts of unique public policy questions. The crypto community has ideas on how to [respond],” says Kristin Smith, executive director of the Blockchain Association, an industry lobbying group. “Our ask of policymakers is, let’s take some time to learn about this.”