The AML/KYC Challenge in DeFi: Risk Mitigation Techniques

Exploring the DeFi Frontier: Institutional Challenges and Pathways to Success - Part 1

Introduction

Decentralized Finance, or DeFi, is pushing the boundaries of the traditional financial system. Through the use of smart contracts, it is now technologically possible to trade, lend, borrow and invest at scale, without any intermediaries. This creates opportunities to reduce transaction costs, remove barriers to entry and evolve the financial system. However, current gaps in regulation, infrastructure and understanding often hold back institutions from exploring this new frontier.

In this series, we examine four key challenges institutions face when interacting with DeFi, based on discussions with our clients and partners. We also share how some of our clients are overcoming these challenges in order to explore the DeFi frontier.

  1. The AML/KYC Challenge in DeFi: Risk Mitigation Techniques 
  2. Cybersecurity Challenges in DeFi: Addressing the Risks
  3. Custody Challenges in DeFi: Navigating Compliance 
  4. Technology Challenges and Knowledge Gaps in DeFi: Partnering for Success

The AML/KYC Challenge in DeFi: Risk Mitigation Techniques 

In part 1 of this series we examine DeFi’s AML/KYC problem – why it is difficult for institutions to fully comply with traditional AML/KYC requirements when interacting with DeFi, and how responsible institutions are using innovative solutions to achieve the intended objective of the requirements.

DeFi protocols were not designed to support AML/KYC

Just about every financial institution that transacts in the global financial system is subject to some form of anti-money laundering (AML) compliance and/or sanctions compliance. 

In the US, AML requirements apply to intermediaries, specifically “financial institutions” under the Bank Secrecy Act, with the goals of documenting, detecting, deterring and preventing illicit activity and threats to national security. In addition, sanctions screening requirements apply to all participants in the US financial system. The goal of the US sanctions program is to prevent US persons from transacting with bad actors and nation states designated by the US government.

The general theory behind both AML and sanctions compliance is that by verifying the identity of parties to a financial transaction – often referred to as KYC (know your customer) or KYB (know your business) – institutions can help keep known bad actors from using the financial system. Illicit activities, such as terrorist financing and money laundering, should be more difficult for these bad actors as a result, as they can’t easily access the financial system. 

However, decentralized protocols are often created with efficiency and financial privacy top of mind rather than AML/KYC. The decentralized and pseudonymous design of DeFi platforms complicates AML/KYC compliance in various ways. First, the decentralized and bilateral nature of DeFi transactions means there is no obvious intermediary to perform KYC verifications. In addition, the pseudonymous nature of bilateral blockchain transactions makes it nearly impossible to perform traditional AML or sanctions screening verification on the owner of an unhosted wallet. 

This creates a significant challenge: How can institutions avoid unintentionally transacting with bad actors in an ecosystem designed to promote financial privacy and efficiency?

Solutions for AML/KYC compliance in DeFi

Innovative, technology-driven solutions are emerging to help institutions achieve the goals of traditional AML/KYC requirements within DeFi’s decentralized architecture. We outline some approaches institutions are currently using to navigate the AML/KYC problem inherent to DeFi.

1. Wallet risk scoring 

The most commonly used solution among the institutions we work with is “wallet risk scoring”. Blockchain analytics companies have developed wallet risk scoring through software risk engines that assign each individual digital asset wallet a risk score based on a variety of factors, such as direct and indirect transactional proximity to illicit transactions or sanctioned wallet addresses, and prior engagement in or proximity to suspicious financial activity on blockchain networks. 

Risk scoring can be performed pre-trade, post-trade or both. Pre-trade wallet risk scoring allows institutions to filter out wallets based on risk scores before the transaction is executed. The application of risk scores can be expanded to filter out entire liquidity pools, if certain wallets in the pool engage in irregular patterns that signal risk, or if a single wallet in the pool has interacted with a blacklisted address. In both cases, the goal is to prevent risky transactions before they occur. However, if there is insufficient historical data associated with a particular wallet or pool of wallets, pre-trade risk scoring may be less effective. 

By contrast, post-trade wallet analysis occurs after the transaction is executed. Here, the goal is to monitor suspicious activity related to a wallet, which institutions may need to report to regulators. Many institutions perform post-trade wallet monitoring in addition to pre-trade risk scoring and may use different vendors to assist with each activity. 
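The pre-trade filtering described above can be sketched as a small gate. This is an added example, not Talos's or any analytics vendor's code: the addresses and transfer graph are constructed, and the hop-based scores and the blocking threshold are assumed policy values standing in for a real risk engine.

```python
from collections import deque

# Constructed sample data: who has transacted with whom (undirected).
TRANSFERS = {
    "0xSANCTIONED": {"0xMIXER"},
    "0xMIXER": {"0xSANCTIONED", "0xB"},
    "0xB": {"0xMIXER", "0xC"},
    "0xC": {"0xB", "0xD"},
    "0xD": {"0xC"},
    "0xCLEAN1": {"0xCLEAN2"},
    "0xCLEAN2": {"0xCLEAN1"},
}
SANCTIONED = {"0xSANCTIONED"}                # constructed blacklist
HOP_SCORES = {0: 100, 1: 90, 2: 60, 3: 30}   # assumed: closer means riskier
MAX_SCORE = 50                               # assumed blocking threshold

def hops_to_flagged(wallet, graph, flagged, max_hops=3):
    """Breadth-first search: fewest hops to a flagged address, or None."""
    seen, queue = {wallet}, deque([(wallet, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in flagged:
            return dist
        if dist < max_hops:
            for peer in graph.get(node, ()):
                if peer not in seen:
                    seen.add(peer)
                    queue.append((peer, dist + 1))
    return None

def risk_score(wallet, graph=TRANSFERS, flagged=SANCTIONED):
    """0-100 score from direct and indirect proximity; None if no history."""
    if wallet not in graph and wallet not in flagged:
        return None  # insufficient historical data: cannot be scored
    hops = hops_to_flagged(wallet, graph, flagged)
    return 0 if hops is None else HOP_SCORES[hops]

def pre_trade_decision(wallet):
    """Gate a counterparty before execution: allow, block, or manual review."""
    score = risk_score(wallet)
    if score is None:
        return "review"  # an unknown wallet is not the same as a clean one
    return "block" if score > MAX_SCORE else "allow"

def pool_decision(members):
    """Extend the gate to a liquidity pool: one blocked member taints it."""
    decisions = {pre_trade_decision(w) for w in members}
    if "block" in decisions:
        return "block"
    return "review" if "review" in decisions else "allow"
```

A wallet with no history returns `review` rather than `allow`, which is the case the paragraph above flags as the weak spot of pre-trade scoring.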

While wallet risk scoring doesn’t fully solve the AML problem, it does reduce the risk of interacting with bad actors, and therefore promotes sanctions compliance. While there is currently little official guidance from the US government on the usage of wallet screening tools for sanctions compliance, general comments from the US government indicate that sanctions compliance programs require a risk-based approach (notwithstanding the strict liability standard for US persons engaged in sanctions violations). Thus, some institutions are making wallet risk scoring tools a key part of their compliance program for transacting in DeFi.

2. “Permissioned” protocols

Another solution gaining traction is “permissioned” protocols that restrict access to whitelisted participants consisting only of KYC’d counterparties. A key advantage of permissioned protocols is that they are built to comply with existing regulations applicable to centralized markets. 

In centralized markets, intermediaries, such as financial institutions, are responsible for safeguarding the financial system and must take on gatekeeping functions such as performing KYC verification on customers and reporting suspicious transactions to regulators. Permissioned protocols function similarly by performing KYC verification before distributing tokens to a wallet. In addition, permissioned protocols can grant regulators specific permissions to access transaction data for purposes of investigating suspicious transactions.

A significant challenge with permissioned protocols is that they require mass adoption in order to obtain the liquidity and scale necessary to be effective. However, if that large scale is achieved, permissioned protocols can help open the door to the tokenization of real world assets, including real estate, bonds and equities. Some institutions we work with are actively exploring permissioned blockchains in order to capitalize on this opportunity. 

3. Other solutions

In addition, other, more ambitious solutions to DeFi’s AML/KYC problem are currently under development. These solutions include zero knowledge proofs, a cryptographic innovation that enables auditable security without undermining secret-keeping. Talos will keep its clients informed about their adoption by institutions as these solutions develop. 

Conclusion

While no single solution fully solves DeFi’s AML/KYC problem, these innovative approaches are mitigating some of the risks and enabling institutions to explore the potential of DeFi more responsibly. As the landscape continues to evolve, so do the strategies institutions employ to address DeFi’s unique compliance challenges. 

----- 

Talos has helped numerous institutions navigate DeFi’s complexities. Contact us to explore how we can support your institution in overcoming these challenges to unlock the potential of DeFi.

While the AML/KYC challenge is a major hurdle for institutions entering DeFi, it's just one piece of the puzzle. In the next installment of the series, we explore the unique cybersecurity risks institutions face when engaging with DeFi protocols.
