
Ep: 14 The Ticking Timebomb of AML Compliance

S1 E14 · The Owl Explains Hootenanny

Explore the intersection of anti-money laundering (AML) policy and digital assets with Caroline Malcolm (Chainalysis), Monica Sah (Clifford Chance), Seema Khinda Johnson (Nuggets), and Isabella Chase (TRM Labs) as they discuss the evolving landscape of AML compliance in DeFi. Learn about the challenges of establishing a global framework, the risks of non-compliance, and insights into future regulatory directions and industry contributions to sensible rule-making.

Find out more in our explainers at owlexplains.com

Transcript

Introduction and Event Overview

00:00:06
Speaker
Hello and welcome to this Owl Explains Hootenanny. I am Silvia Sanchez, Project Manager of Owl Explains, and I am super excited to share this special episode with you. This episode comes from one of the panels we recently hosted at the Avalanche Summit in Barcelona, our first in-person event as Owl Explains, in which we gathered many wise owls from all over the world, seeking to build a better internet. We hope you enjoy it as much as we did.
00:00:37
Speaker
a very timely topic for our crypto industry. My name is Olta Andoni. I'm General Counsel of Enclave Markets. I'm very happy to be here today, especially this panel of all females. Without any further ado, let's have them introduce yourselves.

Blockchain and Compliance Insights

00:00:54
Speaker
Okay, yes, I think we're on. Caroline Malcolm, I run the public policy team at Chainalysis. Many of you probably know Chainalysis is a data analytics firm working with the public and private sector to really understand what's happening on public blockchains and help people, whether it be in terms of investigations, compliance, supervision of compliance, and other exploration of other uses of the data that is available on chain.
00:01:22
Speaker
Hi, I'm Monica Sah. I'm a partner at Clifford Chance, which is an international law firm. And I specialize in financial regulation and I'm based in London. Thank you. Hi, everyone. Great to be here, especially in Barcelona. I'm Seema Khinda Johnson. I'm co-founder and COO of Nuggets. We are a decentralized identity and multi-rail payment platform. And I also sit on the Technical Advisory Committee of ID2020.
00:01:52
Speaker
So great to be here. Thanks so much for having me. It's great to be here. My name is Isabella Chase. I'm a senior policy advisor at TRM Labs. TRM Labs is a blockchain intelligence company and we help crypto businesses, financial institutions and the public sector track and trace illicit finance and fraud across 28 different blockchains.

FTX Collapse Analysis

00:02:13
Speaker
Thank you. So the topic for our panel is AML compliance, the ticking time bomb for our industry. We have seen a lot of fallouts in our industry recently. So Monica, where do we go from here? And if you can summarize for our audience what happened quickly, that would be super helpful.
00:02:32
Speaker
OK, I'm going to start with FTX, which I think is probably one of the key sort of events this year. And effectively, it has been all over the papers, et cetera, obviously, and a big sort of trauma for the industry. But when you look at what happened, you see that there's two sort of core failings. One is the lack of understanding of
00:02:57
Speaker
of conflicts of interest. There was a lot of intra-entity affiliate transactions where you had a client of FTX which was an affiliate who was given margin loans from client assets by the exchange
00:03:13
Speaker
And the collateral was FTT, which is again, the exchange coin with an inflated price because of open market transactions. So there was a number of intra-affiliate transactions and nobody really understood them. And as a result, there was an ability for allegedly, I use the word allegedly, the siphoning of client assets to the owners of the fund. So there was effectively a fraud.
00:03:43
Speaker
and alleged fraud, I should say. And the other aspect is whether, you know, could there have been ways in which to prevent this from happening, for example, better client asset protection?
00:03:59
Speaker
In my view, I think there was a couple of failings. One, I think there was a regulatory failure because the regulator, ultimately, FTX was a regulated entity in Bahamas. It had a digital markets license, but the regulator didn't understand the affiliate transactions, didn't monitor and supervise.
00:04:19
Speaker
And the question is whether or not you could have had better client asset protection rules, yes, but if there's a fraud, there's a fraud, and you see that in the traditional space as well.

AML Compliance in DeFi

00:04:31
Speaker
Thank you. Caroline, we have seen a lot of more attention, of course, from the regulators regarding AML compliance. There have been some major recent developments both in the UK and the United States. Can you summarize them quickly for our audience?
00:04:48
Speaker
Yeah, so also this is really a continuation of what we saw beginning. I mean, this conversation about AML and this space really begins back in sort of 2014, 2015, gets formalized in the standard in 2019. 2021, we have some more clarification of the guidance on that, particularly around DeFi. It's probably specifically relevant to this audience.
00:05:10
Speaker
But now countries are getting a lot more serious about the actual implementation of those rules. And I guess the thing which an industry often gets the most attention is this travel rule. And of course, we've seen that coming into force in the UK. We're seeing this issue of AML compliance more generally get a lot of attention. And in the US, as you mentioned, we've just had Treasury release their industry assessment of illicit activity
00:05:38
Speaker
in the DeFi space. So looking specifically at this issue of how much illicit activity is there in the DeFi space and how much compliance with obligations are there, including setting out their view of what those obligations actually are. And I think probably for many people what would be very surprising coming out of that Treasury paper
00:05:58
Speaker
is the assertion that the Bank Secrecy Act, the BSA, in fact already applies to DeFi. And I think that certainly when you look back at the international standard that FATF has written certainly goes further than that standard in the sense that the standard made clear that DeFi is not included except in certain cases where you have sufficient control.
00:06:18
Speaker
Now we have Treasury saying, and there is a consultation that's open for that, sort of say the BSA already applies. And so you can see that why I think industry sort of thought that, you know, you could focus on AML compliance when it came to centralized businesses. You can see that that regulatory perimeter is starting to shift and probably should be getting a lot more attention in industry than it currently.
00:06:45
Speaker
Thank you. Seema, I think this is a perfect segue into our next question. So ransomware attacks have been also at center of the attention. What are some reputational risks that we should be aware of?
00:06:59
Speaker
Look, I think that's a really great question. We've probably seen like a huge ransomware attack, right? Just very recently with a phenomenal team that did all the right things. They had huge amounts of smart contract reviews by all of the leading organizations and they're a hugely respected team. But I think when you do have a ransomware attack, I mean, the impact's huge and far reaching. When you think about from a financial perspective, we'll talk about that before reputational,
00:07:28
Speaker
financial is the ransom itself, the cost of recovery, the fact that your business as you knew it no longer almost exists.

Traditional Finance vs. DeFi

00:07:37
Speaker
You almost have to reset up an organization that's all about recovery and remedying that huge ransom issue. And then you've got, without even knowing to touch on something there around,
00:07:52
Speaker
that some of these things around the travel rule BSA actually have already started to apply to any transaction over $1,000, you know, that you have to share beneficiary data, originator data, which means that you also, if there's a ransomware, you may unwittingly
00:08:09
Speaker
expose sensitive PII data and then you've got to look at that regulatory fine that has nothing to do almost with the financial regulator but with organizations you know around data regulation so that's just the financial piece which is
00:08:24
Speaker
you know, a huge impact, but also we probably all know that whether you're in DeFi or TradFi, you know, trust is a massive issue, you know, so whenever any of us transact, we access services online,
00:08:40
Speaker
we pay, we're open to fraud, privacy and security issues. So trust is hugely important. And when you lose that, I would say it's really hard to recover, not just with customers, but with your employees, whether they're your existing employees, external employees, and the businesses that actually help you support your products and services. So that's really tough because of that brand association as well. So yeah, God, it's really depressing.
00:09:08
Speaker
It is really depressing, unfortunately. Another depressing topic, I would say. But when we talk about the differences of AML compliance between TradFi and DeFi, there is so much to discuss. I'm going to try my best to cover the main topics for this panel. But Isabella, would you walk us through the main differences between TradFi and DeFi compliance? Sure.
00:09:34
Speaker
I mean, users are depressing. I think it's a huge opportunity. But I genuinely do. And just to start off, I'm really excited to answer this question because just yesterday at TRM, we published a big white paper looking at what does effective compliance... Oh, sorry. What does effective compliance look like in the crypto space with lots of examples for DeFi?
00:09:57
Speaker
But just look at some of the top line areas where we see that difference between TradFi and DeFi. Well, in the TradFi world, AML compliance really revolves around the concept of knowing your customer. And why do traditional institutions need to know their customer? Well, because all they can see when it comes to establishing risk is who their customer is and the transactions that their customer performs.
00:10:25
Speaker
within the walls of their institutions. They can't see anything else. So if you're trying to establish financial crime risk, you actually have very few data points to work with. You can control who you give services to, and then you can control the limits on those services to try and minimize risk. But with DeFi, we flip that completely on its head. We might not know who our customer is. There are permissioned projects where you would have normal KYC, but on
00:10:54
Speaker
on average, you're permissionless. You don't know who your customers are, but you have total visibility over every transaction that's taking place. And this is huge, because if you can layer on top of that risk information, illicit finance typologies, you get this huge amount of contextual data to put the transactions that you're responsible for in, which is really like it just changes as a paradigm shift in how we can think about effectiveness.
00:11:24
Speaker
One thing I would say though, and as Caroline touched on,
00:11:27
Speaker
Are the regulations there for us to know who has the responsibility to be controlling that risk? To what extent should it be controlled? No. And the space is evolving and compliance in the space is also evolving. But I don't think it's depressing. I think it's a big opportunity. Thankfully. But I mean, going back to the compliance aspect, especially for DeFi protocols and front ends, Caroline, how do you think or what should DeFi protocols do to meet those
00:11:56
Speaker
expectations from the regulators? Look, I think we're still pretty early on in terms of the different what I might call sort of regulated DeFi models that are available. Here with Avalanche you have one particular model of sort of permissioned DeFi using subnets which gives people
00:12:20
Speaker
a particular avenue of options. You've got solutions like Aave's Arc, which is a different solution to that issue. You've got some interesting experiments going on, for example, with the Monetary Authority of Singapore looking at more white-listed type models similar to Aave's Arc.
00:12:44
Speaker
I do think there's still a lot more work to be done. And as Bella mentioned, there's not necessarily that regulators are coming with solutions to say this is what regulated DeFi should look like.
00:13:01
Speaker
They are waiting for industry. They're saying, you need to get here. We're telling you the goal. You need to build for that goal. And it's become increasingly clear and increasingly explicit that just saying, well, but I'm decentralized isn't an answer to the issue. They're much less interested in this idea of a spectrum of decentralization.
00:13:25
Speaker
than they are interested in the activities that you're carrying out. And if you're carrying out those certain activities, you are going to be expected to meet that threshold. And that onus is on us. That onus is firmly on industry to now come up with some of the solutions.

Global AML Challenges and Tech Solutions

00:13:41
Speaker
And I think industry is part of the way there. But I think there's also just a more general awakening that is going on to sort of say,
00:13:48
Speaker
That is, in the world of regulation, that is very much the future. There is not a future in which regulators are not interested in DeFi or which they turn around and say, oh, well, you're so decentralized, don't worry about it. That future doesn't exist in a regulator's mind. So I think recognizing that writing on the world and on the wall and building for that future is something where a lot more attention is going to be focused in the coming really months.
00:14:19
Speaker
Thank you. And as this panel is part of our Owl campaign, which is super, super important for our industry. So we're very proud of our Owl Explains. Monica, one of the branches of our Owl Explains is think global. Do you think that this sort of global compliance or working globally with regulators is even doable when it comes to AML compliance?
00:14:47
Speaker
So I think this is the heart of the question actually and Caroline has sort of mentioned a couple of things and Seema and Isabella and I think the point is even when you're looking at traditional finance there's not a global framework.
00:15:05
Speaker
Global frameworks don't exist. You have to go jurisdiction by jurisdiction. It's a patchwork. Even in the EU, where you think you have an EU standard, much of those EU standards are implemented
00:15:20
Speaker
locally by jurisdiction so you need to look at a patchwork. Now the question is whether AML can have a global framework and you know you've got the FATF guidance and Caroline mentioned the travel rule and you've got the new obviously before the travel rule was through the amended guidelines we had the
00:15:43
Speaker
extension of the AML requirements to virtual asset service providers, both the registration and the client due diligence requirements. Now, those were global standards, everybody agrees with them, everybody agrees that you can't just sort of say DeFi is because it's DeFi, it's out of scope, or
00:16:02
Speaker
you know as a matter of course. The question is even though there's global standards you have to look at how things are implemented or are they implemented locally and so you've got a lot of friction in creating you're not going to have a global AML platform for any product so and that you don't have that in the trad space that are on the DeFi space.
00:16:26
Speaker
So you need to look at the friction points. So in some friction points are, for example, what is a virtual asset implemented at the FATF level was implemented differently. So what is caught within the perimeter is different in Europe under the
00:16:42
Speaker
money laundering regimes, which is a narrow virtual currency definition, while under the UK implementation of ML money laundering directive, it's a much broader crypto asset. So what are we talking about is different in different jurisdictions. The speed at which
00:17:00
Speaker
the laws are implemented are different, so you've got different levels of compliance or requirements in different jurisdictions, even if you have the same definition. So there's a lot of friction in creating a global platform. Thank you. Seema, would you like to add anything about the global compliance and if it's even achievable? Oh, sorry. Yeah, I think I would.
00:17:29
Speaker
There's this whole thing around DeFi. You know, the promise of DeFi is that it's decentralized. It's, you know, you've got the autonomy. It's totally private. And then when you think about compliance, obviously you're thinking about centralized checks like KYC.
00:17:44
Speaker
AML, you're thinking about traceability and all of those sorts of things, and that lends itself to being centralised. And we did some work actually with the UK regulator, the UK Financial Conduct Authority, and there is this notion of a global sandbox as well called GFIN, where a number of regulators essentially globally came together to look at what does the
00:18:08
Speaker
Does retention, when you think about AML data, does that mean for five years, seven years that you have to print that data off, stick it in a brown folder under your desk for five, seven years, or stick it on a centralized server somewhere? And actually what we found was retention
00:18:26
Speaker
could mean it's decentralized and it could be encrypted to a relying party's or a DeFi project's or protocol's private key. So I'm really, really excited about advances in technology and the way the regulators or some of them are thinking about how they can satisfy the needs of DeFi, but ensure that there's a level of compliance around KYC and AML. So I just wanted to add that.
00:18:52
Speaker
Thank you, and a perfect segue into our next question. Maybe just going a little bit outside the AML compliance. From a regulatory perspective, Isabella, what are some other areas that DeFi protocols should be aware of in our industry? Sure. And as you say, I think it's really important to look beyond the AML horizons where the conversation has been for a long time. But there are other risk areas that need to be borne in mind.
00:19:20
Speaker
much to Monica's point, I think a lot of those have been driven by recent real world events. I think FTX highlighted issues across the crypto ecosystem around governance and the need to have maybe not global rules, but standards around governance may be adopted from some to some extent from traditional finance. SVB really highlighted issues to do with contagion and entanglement risk. And I think a lot of people are now thinking about
00:19:49
Speaker
Okay, so what is that the bridge? If something happens in CeFi, what's the impact on DeFi and vice versa? And is that something that I need to be really worried about from a market integrity perspective?
00:20:00
Speaker
And then finally, we haven't talked really much about market manipulation, but Mango Markets last year was a really big story that made a lot of people think, how are we protecting these projects from manipulation? Are they even breaking the law? Is everything just a highly profitable trading strategy? And so these wider questions around, okay,
00:20:21
Speaker
Well, AML not sorted, but that conversation is getting going. But market integrity, financial stability, investor protection, consumer protection, the list goes on. But all of those regulatory conversations are really kicking off. We will see a lot of work this year by IOSCO in their DeFi working group on some of these issues. The FSB will start thinking about them as well. We see work at the G20 and also IMF level. So, plenty more to do.

Future Regulatory Trends

00:20:48
Speaker
The list goes on. That's why we need your attorneys.
00:20:53
Speaker
I think we only have 10 minutes left. And I think my favorite part of panels is, your crystal ball, predictions for our industry. Do we see more enforcement actions? Where do you go from here? I'm going to start with Caroline.
00:21:08
Speaker
Yeah, so I guess enforcement actions is something that always really comes up, particularly in the US, because the way I sort of think about the sort of policy cycle is you start with policymaking, and then you go into regulation, then you do supervision, and then you have some enforcement.
00:21:23
Speaker
Because of the challenges that the US has not restricted to crypto, but certainly affecting crypto on the policy and regulation piece due to blockages in Congress, a lot of activity actually happens over here in enforcement and much less over in these sort of first two or three parts. So I think certainly when we talk about the US, yes, we will continue to see significant amounts of enforcement action.
00:21:50
Speaker
including likely to continue to delve into this question of DeFi and who is liable? Because I think there's really sort of two questions in the DeFi space. One is around, well, what are potential models for regulated DeFi? And then the other question is, well, when something goes wrong,
00:22:10
Speaker
Who do you touch? Who do you make responsible? I think an exploration of that question is going to continue. And you know, you have front ends, you have voters, you have, you know, admins. Who do you sacrifice? Right there. And I think, well, I think if the industry, like, that's an opportunity, if the industry has a view, otherwise you can leave regulators to come up with their own view there.
00:22:39
Speaker
And then I think beyond the US, we're going to see a lot more on the implementation. So you've got a lot more happening in those first two spheres, policy and regulation, now really moving into implementation, so regulation through to supervision. And so you're going to sort of see the rubber hit the road. And I guess Europe is a good example of that with MiCA over the next 12 months, slowly starting to come into force, first on stablecoins and then on the broader MiCA regime. So I think
00:23:06
Speaker
You know, enforcement actions get so many headlines, but in terms of actually having a stable framework in which industry can build, people are really looking outside of the US and that's because you're starting to see those concrete regulations come into place and countries move into supervision.

Engagement with Regulators

00:23:25
Speaker
Monica? So I think there's three main trends. I think the first is obviously moving more into more implementing the existing frameworks that need to be implemented. So for example, as Caroline said, in the AML space and the travel rule, et cetera, just getting countries to implement those rules and the marketplace to respond to that implementation.
00:23:54
Speaker
The next piece is, as you said, the rolling out of a more comprehensive framework around the regulation of the crypto sector.
00:24:05
Speaker
And you're absolutely right. It's a question of focusing on the service providers in a centralized and CeFi world. But what's exciting is that you're finally seeing a comprehensive framework coming out, for example, under MiCA. And also in the UK, I think there's going to be a real burst of energy in the next year about bringing out UK rules on
00:24:33
Speaker
to create that comprehensive framework. And then last, it's about where is the other areas we need to expand to. So, for example, the UK rules don't apply to decentralized finance in the same way or to NFTs. And I think we're going to see how the regulators are going to be able to address and they will address and they will regulate these spaces.
00:25:02
Speaker
It's a question of how and that's what's the third trend. So I think from all of that we realise that regulation is probably inevitable. So I think I'm more interested in more than the how then, you know, how can we ensure that
00:25:18
Speaker
DeFi grows in the massive way that we want it to grow, attract that institutional investment that it needs to really realise its true potential and I think it can only come from having sensible levels of regulation but that don't compromise its fundamental tenets around decentralisation, autonomy and privacy and I'm really excited about solution providers as well providing those tools
00:25:43
Speaker
that mean that you know DeFi projects and protocols which are seen as maybe the relying party are not in hot water as the regulation landscape becomes clearer. Isabella.
00:25:57
Speaker
Yeah, I mean, just to sort of build on kind of what everyone has said, I think this year is really going to be about having the conversation about the what, the where, and the who. So what is the activity? Where is it taking place? And who could be liable if something went wrong? I would disagree slightly with the fellow panelists. I don't think we'll see a bit like movement towards a framework this year. But what I think we will see is a year of engagement.
00:26:22
Speaker
So from the US, we have an open call for engagement on illicit finance issues. The French have put forward their
00:26:29
Speaker
proposals, but are very open to engagement in the UK as well. And I think what really needs to happen now is for the industry to galvanise to those open doors and come with solutions. And those solutions have to be informed by the people building these projects, as well as policy people who are all here today. But that will be really essential to ensure that, as Seema says, we get the solutions that are also respectful of the founding tenets of DeFi.
00:27:03
Speaker
going back to regulation and is there any way how we can collaborate with our regulators? What are we missing in our industry to not always be on the defensive side? I feel like as an industry, we're always on the defensive side. So how do we put our good word out there?
00:27:23
Speaker
Well, I think things like Owl Explains really helps. You're educating, giving the basic language that everyone can then use to communicate, but you have to be proactive. You need to take ideas, solutions, questions that you're struggling with as an industry to policymakers. They might be a bit difficult to get hold of at first, but once you're in the door, that line of communication is always open. So I think sometimes people are scared to approach governments and policymakers, regulators, but do. And yeah, we can help.
00:27:52
Speaker
Yeah, and I think practically that was one of the really big challenges that we had at Nuggets, which was we were building things that no one had really thought through from a regulation perspective. Did we need a money license? Do we hit on these regulations from an AML 5 and all of those?
00:28:10
Speaker
regulations and I think what we've been lucky with in the UK is actually the regulator's been really open and actually it hasn't been you know it actually want they want to collaborate even HMRC strangely on a taxation perspective so I think what I would really welcome is are these open globally set up type sandbox environments which means
00:28:32
Speaker
that projects and protocols can go in there with a, you know, let's work on this stuff together. But we've seen maybe the opposite of that in the US. So it'd be nice for more collaboration, I would say. You have been very lucky with your regulators in the UK. And I love to see everything that is happening there. Hopefully it's going to inspire our regulators here, not here, sorry, in the United States.
00:28:55
Speaker
Monica. So I think that regulatory engagement is a real, you know, alongside of the development of the regulatory framework, participants in industry need to engage with regulators, undoubtedly.
00:29:12
Speaker
I think the difficulty is, and you see across the globe, that different regulators have different sort of risk appetite tolerance to the industry. And so you have the US, and I don't think people are going to leave necessarily US because the market is the US and you'll never be able to, but expanding in the US becomes very difficult if you have a regulator that's very hostile. Likewise, there's regulatory arbitrage in the US, so you just think which regulators are trying to, it's just very complicated.
00:29:42
Speaker
Likewise, in Singapore, the regulatory appetite has changed. It's become a lot more hostile. I mean, this has become much more hostile than it was, let's say, three years ago. While reverse in Hong Kong, regulators like opening the doors. And the UK and Europe is very interesting because you want the creation of the sandboxes, the creation of the
00:30:04
Speaker
the regulatory frameworks by legislature. So there's a real appetite to engage and see FinTech, I'm going to use that broadly, as a real generator for the economy.
00:30:22
Speaker
But the question is, and again, this comes down to bringing your regulator along for the ride, is making sure that you're positioning yourself as a respectable and compliance, sort of.

Conclusion and Resources

00:30:34
Speaker
Monica, I hope they're not going to cut my mic off because they did it last year. Sorry. But I would like to thank you. This was an amazing panel. I hope to see more female panels. Thank you so much for being here.
00:30:50
Speaker
We hope you enjoyed our Hootenanny. Thank you for listening. For more Hootful and hype-free resources, visit www.owlexplains.com. There, you will find articles, quizzes, practical explainers, suggested reading materials, and lots more. Also, follow us on Twitter and LinkedIn to continue wising up on blockchain and Web3. That's all for now on Owl Explains. Until next time.