Direct legal regulation is not the most efficient primary tool for regulating DEX protocols. Code is. Where a DEX protocol’s architecture falls short, the law should step in to supplement code, shaping behavior to ensure maximum public value for minimum public cost.
Centralized financial exchanges originally existed as physical locations where people could come to make trades. Interested parties acted through brokers who took custody of their assets and made trades on their behalf. These exchanges experienced an evolution when face-to-face interactions gave way to new technologies, beginning with the establishment of the Depository Trust Company in 1973, which allowed for automated record-keeping of securities balances, and later in the 1990s with the rising popularity of electronic trading. I say evolution and not transformation because the underlying activity remained unchanged—exchanges were still maintained by people facilitating the trades through order book matching; computers were simply a tool for facilitating these activities. The advent of decentralized exchange (“DEX”) software over the past two years has been neither an evolution nor a progression. It is something entirely different. The software is no longer a tool to be used by the people running the exchange; the software is the exchange. Software sets the prices, and software transfers assets automatically between buyers and sellers. Algorithmic pricing and smart contracts remove the need for any humans to run a centralized exchange. Just as we use the Hypertext Transfer Protocol (“HTTP”) to exchange information over the internet without a newspaper editor or television station, we can now use DEX open-source software protocols to exchange assets without a centralized exchange.
This technological development is likely to have profound implications for the way we interact and exchange assets across all sectors of the economy. As of January 2021, trading volume on DEXs surpassed $50 billion.1 This volume will only grow as the technology becomes better understood. DEX protocols can be used to trade tokens representing anything people want to exchange, from commodities and derivatives, to art or even socks.2 DEXs provide an opportunity for people who cannot participate in the centralized financial system to exchange assets as simply as they exchange cash. Centralized exchanges have some obvious financial barriers to entry—they require bank accounts even though 6.5% of US households are unbanked and 18.7% are underbanked.3 Centralized exchanges also have broker fees, settlement middlemen, payment-for-order-flow, and limited hours. DEXs have no such limitations. Moreover, those who can afford traditional banking services may prefer to cut out intermediaries whose purpose is to verify transactions, in favor of smart contracts and blockchain technology that obviate the need for such verification by providing secure, transparent, and trustless platforms.
If DEXs are software protocols that allow us to exchange all kinds of assets instantaneously, transparently, and in a self-custodied manner, they provide considerable benefits. But how should we regulate them to promote their benefits and counteract potential harms? This paper will analyze two major areas of law that might apply to this software development: securities law and financial surveillance.4 In analyzing the application of these bodies of law to DEXs, I will apply an efficiency-based framework grounded in Professor Lawrence Lessig’s New Chicago School Theory. The New Chicago School Theory builds on the Chicago School’s emphasis on law and markets, but puts forward four governing forces: law, markets, norms, and architecture/code (the structural realities that govern physical or virtual space). As with the Chicago School’s approach, the theory posits that the proper approach to regulation is to consider the desired goal and then consider which force, or combination of forces and in what proportion, is best suited to solve the problem for the least cost.5
Thus, in asking how we ought to regulate the increasingly important DEXs, I answer that we ought to do so in the way that most efficiently achieves the longtime goals of the current financial regulatory regime once you remove that regime’s assumption of centralized and custodial intermediaries. By “most efficient,” I mean the way that maximizes value to the public at the least cost to the public.
In the first section of this paper, I analyze one proposed approach contemplated by the regulatory regime—to simply take existing regulations for securities exchanges and apply them to DEX protocols. This approach would have securities regulation apply to DEXs if they were considered “exchanges” under the Securities Exchange Act of 1934 or if someone used a DEX protocol to sell securities.
I explain that this line of argument is misguided from a legal and policy perspective. DEXs are simply not “exchanges” under the relevant statutory definition of “exchange.” Nor do DEXs share the risks created by custodial exchanges that securities regulations are designed to address. Even if people do misuse DEXs to trade tokens that represent securities, securities regulation ought not apply to protocols because the law should not hold software liable for users’ misuse. The SEC has historically supported this view by holding that the use of internet bulletin boards for trading securities did not require the websites to register as securities exchanges.6
DEXs are just software protocols. They can be used, or misused, in whatever way consumers choose. If regulators believe consumer protection requires that tokens they consider securities not be traded through DEX protocols, then they should utilize law as a supplement to code to achieve this outcome for the least cost. I suggest a system that considers DEX protocol liability in the same light as online service provider liability under the safe harbor of Section 512 of the Digital Millennium Copyright Act (“DMCA”) and uses a process parallel to Notice and Takedown to identify and remove tokens the SEC thinks threaten consumers.7
Second, I analyze another line of argument—that of financial surveillance bodies such as the Financial Crimes Enforcement Network (“FinCEN”)8 and the Financial Action Task Force (“FATF”), which have drafted guidance to impose extensive anti-money laundering (“AML”) and know your customer (“KYC”) regulations designed for centralized financial systems onto DEXs.
These efforts are misguided because the technology of DEXs is so different from the legacy technology for which these laws were created. Because blockchain technology is transparent by nature, and therefore traceable, the DEX software itself enables law enforcement to track and fight illicit activity. This supports a competitive market of software solutions that allow regulators to monitor suspicious activity. Further, there are in fact benefits to society from privacy and private transactions. The question of how much privacy is the optimal amount is an important one, though not the subject of this paper, and lawyers, courts, law enforcement, and civil liberties activists will all be involved in finding an answer. The subject of this paper is to suggest that we take advantage of the architecture as well as the market’s offerings and use direct law in the way that is most efficient. The question then becomes one of burden allocation. This paper weighs the pros and cons of having DEXs contract these services and report activity to regulators versus having regulators contract the services directly, and determines that the latter is more efficient.
What is DeFi?
DeFi refers to software tools for financial services where there is no entity with central control over the system. Centralized finance relies on authorities and intermediaries such as banks to facilitate and verify financial transactions. DeFi features direct peer-to-peer interactions across the network. Anyone can use DeFi services, and upgrades are performed by their users through community governance.
DeFi runs on blockchain and smart contract technology. A blockchain is a system of open source, public recordkeeping that is highly secure, trustless, and immutable. Smart contracts refer to computer code written on protocols like the Ethereum protocol9 that automatically executes an agreement.10 A smart contract is self-executing code written in the “if x, then y” format, so that when x occurs the smart contract automatically, autonomously, and instantaneously completes y. This removes the opportunity for a party to default, therefore removing the need for parties to trust each other or give assets to a trusted third party.
What are DEXs?
Decentralized exchanges (DEXs) are software protocols that use blockchain technology, specifically smart contracts, for the exchange of DeFi tokens between entities. These exchanges occur on a peer-to-peer basis,11 meaning the transacting parties directly transfer assets without any other entity or person taking custody of them to facilitate the transaction. This is a key difference from centralized exchanges, where custody of both sets of tokens is taken by the exchange to facilitate the trade. Further, centralized exchanges use traditional order books to find parties seeking complementary trades. Most major DEXs do not use an order book. For example, EtherDelta would not fall into the category of DEXs discussed in this paper, as it relied on the order book method. Instead, the DEXs I reference use a form of market-making known as Automated Market Makers12 that permit consumers to participate in standing liquidity pools of paired tokens. A participant who deposits tokens and provides liquidity is rewarded with fees proportionate to the amount of liquidity provided.13 Other key innovations include open-source software and decentralized community governance through governance tokens. For the purposes of this paper, it is important to understand the following structural distinctions between the most popular DEXs and centralized exchanges: DEXs are protocols, the DEX never takes custody of consumer assets, there are no brokers involved with DEXs, and prices are automatically set by an algorithm.14
There exists a robust federal regulatory regime governing the exchange of securities in the United States. The Securities Act of 1933 requires registration of all securities offered for sale to the public unless the offering meets an exemption. Registration requires submission of extensive paperwork describing the company and the specific security (ownership share) being sold. Most of the exemptions permit sales of securities only in private sales and/or to financially sophisticated parties. The Securities Exchange Act of 1934 created the Securities and Exchange Commission (“SEC”) as a body to oversee the securities industry and securities exchanges. These regulations serve two purposes: to protect investors and to promote capital formation. To this end, there are extensive reporting, record-keeping, and disclosure requirements for the sale of securities.
DEXs are not securities exchanges
DEX protocols are not exchanges under the Securities Exchange Act of 1934. The Act defines an “exchange” as “any organization, association, or group of persons…which constitutes, maintains, or provides a marketplace or facilities for bringing together purchasers and sellers of securities.”15 Whereas centralized exchanges are entities run by an “organization, association, or group of persons” that takes custody of assets and facilitates matching through the order book method, DEXs are just software like HTTP. The software protocol never has custody of consumer assets, there are no brokers involved, and prices are determined algorithmically. There is no organization, association, or group of persons that constitutes, maintains, or provides a marketplace or facilities. There is only code. The protocol is not like Facebook Messenger, which is created and updated by a company and runs on that company’s servers; it is more like SMTP, the Simple Mail Transfer Protocol underlying email. It is not like the software run by Nasdaq, but rather like the bitcoin software available to anyone to run.
DEXs are not liable for users’ misuse
Even if the SEC recognizes that DEXs are not securities exchanges, they may still apply securities regulation to DEXs if people create tokens representing securities and use DEX protocols to trade them. I argue against the application of the entirety of the federal securities regulatory regime to DEX protocols in this context. Instead, we should apply regulation only insofar as it is needed to supplement code in protecting consumers from purchasing unregistered securities at least cost to the public.
The Securities Act of 1933 defines a security as:
[A]ny note, stock, treasury stock, security future, security-based swap, bond, debenture, evidence of indebtedness, certificate of interest or participation in any profit-sharing agreement, collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, fractional undivided interest in oil, gas, or other mineral rights, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or, in general, any interest or instrument commonly known as a "security", or any certificate of interest or participation in, temporary or interim certificate for, receipt for, guarantee of, or warrant or right to subscribe to or purchase, any of the foregoing.16
An “investment contract” is one of the many kinds of securities included in this long list of examples and has become a catch-all, providing the SEC with a vague mandate. The relevant test for determining whether something is an investment contract is the “Howey Test,”17 based on a 75-year-old case, SEC v. Howey. The test requires: (1) an investment of money, (2) in a common enterprise, (3) with the expectation of profit, (4) to be derived from the efforts of others.18
When it comes to DeFi tokens, the Howey Test does not provide sufficient ex-ante clarity, a situation which is both unfair and inefficient. This is the subject of Rutgers Law School Professor Yuliya Guseva’s article, and she has noted: “I am worried about the dynamic inconsistencies in the recent SEC enforcement actions. Together with the broad reach of the Howey test, the inconsistencies in enforcement may exacerbate uncertainty and fail to provide market participants with a clear ex ante understanding of the securities laws.”19 Rather than subject DEXs to this ambiguity, the SEC ought to provide clear guidance so that anyone using a DEX protocol can take steps to exclude unregistered securities.
Regulation Designed For DEXs
I argue that the SEC should provide clear guidance regarding which tokens they consider to be securities, and then allow the network to respond. This would achieve the securities regime’s goal of protecting investors in an efficient manner, and would do so without undermining the role DEXs play in capital formation. If the government were to provide a blacklist of tokens, the DEXs could code infrastructure to report them and allow the network itself to serve as monitor. This would maximize efficiency by allowing tasks to fall to those with the highest institutional capacity at least cost. We ought to leave each actor to that which they are best suited to—the SEC to classification, DEXs to coding infrastructure, and the network of consumers to engaging with their network to ensure its viability and safety. Professor Lessig supports this theory: “I think that sounds right, if you imagine the government having a standard API for listing what things are securities and the DEX referencing that for the purpose of flagging or at least highlighting… it would put people on notice.”20 In fact, the government need not even create an API. Any sort of published list or functionally practicable standard of securities tokens would suffice.
While it is tempting to look to centralized financial institutions and take the regulation designed for them as the starting point, the correct analogs to DEXs are not centralized exchanges, but online service providers. DEXs are general purpose open-source software for public use. What occurs on that protocol is in the hands of the users. Per the DMCA Sec. 512 safe harbor, online service providers are not responsible for the actions of their users, instead simply existing as platforms for users to interact. What users do there is the responsibility of the users. Like platforms such as YouTube, DEX protocols exist as spaces for users to interact. However, DEX protocols play no further role in curating or suggesting interactions, therefore taking on even less of a participatory role than platforms like YouTube. So why hold DEXs to a higher standard of liability?
DMCA 512 and Notice and Takedown
With this framework in mind, I posit that the relevant regulation to supplement code should be modeled after DMCA 512 and Notice and Takedown rather than centralized financial regulation. We ought to hold decentralized protocols to the same standards of liability as online service providers and to address securities tokens in the same way we approach copyright violations through Notice and Takedown.
DMCA 512 refers to Section 512(c) of Title 17 of the U.S. Code.21 DMCA 512 is commonly known as the “safe harbor” provision because it provides immunity for online service providers for copyright violations. In order to be eligible for 512 immunity, (1) the provider must not have the requisite level of knowledge of the infringing activity, (2) if the provider has the right and ability to control the infringing activity, it must not receive a financial benefit directly attributable to the infringing activity, and (3) upon receiving proper notification of claimed infringement, the provider must expeditiously take down or block access to the material.22 For purposes of this paper, DMCA 512 provides online service providers with immunity as long as they meet the 512 requirements, such as expeditiously removing reported infringements and terminating repeat infringers.
DMCA 512 was crafted in the context where “the nascent online service industry faced potentially crippling liability for acts of infringement committed by their users as a result of the strict nature of copyright infringement liability.”23 The stated policy goals behind DMCA 512 were “dual purpose: (1) to enable copyright owners to effectively address the infringement of their works online and (2) to facilitate the development of internet-based platforms by clarifying the obligations and limiting the liability of OSPs with respect to infringement committed by third-party users of their systems.”24 The same holds true for DEXs today. They form a nascent service industry faced with potentially crippling liability for acts of securities violations committed by their users as a result of the strict nature of securities regulations liability.
The proper policy therefore needs to both effectively address securities registration violations and facilitate the development of blockchain-based DEX protocols. This policy must, like 512, incentivize developers to regulate platforms rather than avoid doing so for fear of liability. Whereas DMCA 512 conditions access to the safe harbor on expeditiously removing harmful content, current securities regulation applied to DEXs would mean that developers removing securities tokens would make DEXs vulnerable to classification as an exchange or bolster the argument that tokens listed on DEXs are securities. Either of these determinations would increase liability for DEXs, holding the protocol accountable for the actions of the users. This policy creates perverse incentives, encouraging providers not to remove unlawful content for fear of being held responsible for the content their users created.
As discussed, the definition of “exchange” here hinges on there being persons who constitute, maintain, or provide the marketplace.25 Engineers intervening to remove unwanted tokens from DEXs could arguably be “maintaining” the marketplace, therefore opening DEXs to liability as an exchange. Similarly, the fourth prong of the investment contract definition requires that profit be derived from the efforts of others.26 Application of this definition further incentivizes DEXs to avoid expeditiously removing unregistered securities, for fear that doing so could be understood as “efforts of others” which, if relied on by users purchasing tokens expecting to profit, might subject DEXs to liability.
Dr. Tonya Evans, Professor at Penn State Dickinson Law, discussed the impact on engineers of applying centralized securities regulation to decentralized spaces:
They have some really concerning regulations coming down the pipe where they are trying to reach beyond the decentralized nature of protocols to actually hold, among others, coders responsible for the consequences of misuse of code . . . it’s broad and general and really concerning. I think the way that it’s written feels unconstitutional.27
These perverse incentives must be removed in order to allow engineers to step in to protect the public without fear of punishment, so that we may achieve the securities regime’s goal of consumer protection without sacrificing efficiency (or capital formation).
Notice and Takedown
Notice and Takedown refers to the process by which content on online service providers violating the Online Copyright Infringement Liability Limitation Act28 (passed as part of the Digital Millennium Copyright Act) can be reported by users and taken down by hosts. Instead of incentivizing the engineers who code DEXs to avoid self-regulation for fear of classification as an exchange, we should think of decentralized protocols as a parallel to online service providers. We should shield decentralized protocols from liability so that they can remove securities in the same way online service providers can remove copyright-infringing content.
When someone posts a YouTube video that includes music for which they do not own the copyright, we do not sue YouTube in federal court. We allow other YouTube users to report the copyright violation so that YouTube may remove it. This is the Notice and Takedown system at work, and it is well suited to its purpose. A similar system for DeFi tokens would be the efficient form of regulation for DEXs. If someone noticed a token that had been blacklisted by the SEC, they could report it and the DEX’s engineers could remove it. This idea of allowing the network to self-regulate has been championed by Andreas Antonopoulos, blockchain advocate and author, who refers to it as “de-reg.” Per his keynote speech at the Harvard Law School Blockchain and FinTech Initiative Spring 2021 Conference:
Trying to apply centralized solutions to decentralized problems fails. It fails to scale, and it fails to achieve any of the stated goals. Although, it does push the decentralized platforms to try to innovate elsewhere . . . The answer is really simple. If you want to solve decentralized problems, solve them with decentralized solutions. You crowdsource reputation against fraudsters. Crowdsource enforcement . . . innovate a completely new de-reg, decentralized regulation that is run by the network, not by a committee.29
DEXs are far more similar to online service providers than they are to centralized exchanges; therefore holding them accountable accordingly would allow the public to enjoy a valuable resource, protect consumers, and prevent harmful activity from moving to bespoke or unregulated transactions. Once again, this maximizes efficiency by letting each actor focus on the task for which she is best suited and avoids unnecessary cost.
The likely counter to this argument is that DMCA 512 is about copyright infringement, not the exchange of assets, and therefore not appropriately applied to DEXs and the elevated levels of consumer protection they require. While consumers routinely exchange commodities and assets through online service providers, and do so with the risk of fraud or loss, the bigger problem with this argument is that it assumes that the threat to consumers is greater in decentralized spaces than it is in centralized ones. This concern for consumer protection in decentralized spaces extends beyond unregistered securities, which could be addressed quite easily through a combination of code and law. The fear that users who do not understand the technology will sustain losses is valid, and it is the reason we have heightened regulation for the sale of securities. But we do not have this kind of regulation for the sale of commodities. While it is true that users unfamiliar with the DeFi token market may make poor choices and sustain losses, the same can be said of any industry, and we do not regulate commodities the way we do securities despite that ever-present risk.
On this fixation with consumer protection in decentralized spaces, per David Yermack, Professor at NYU Stern School of Business: “It is remarkable how much time is spent relative to the money that is actually lost by a small minority of hopelessly naive people. We have a lot of clichés in finance about how smart money drives out the dumb money, and actually how it is important that this occurs.”30 While I do not think that those who lost money in decentralized markets are naïve or dumb by any means, the point is that it is not an efficient use of public resources to extend consumer protection to such a degree that it serves not to protect consumers from unfair practices or fraud, but from ordinary loss by punishing the tools they utilize. It is not done in the centralized world, and we ought not start doing so in the decentralized world. To do so would waste public resources and threaten a tool that serves the public good.
Furthermore, the assumption that there exists more fraud or danger to consumers from DEXs versus centralized exchanges is unfounded. Blockchain at large is an information-based regime. In many ways decentralized finance is far more accessible to the public than traditional centralized finance (by virtue of fewer capital barriers to entry, no required retention of brokers, etc.), but in other ways utilizing DEXs is more difficult. With DEXs, financial barriers are replaced with information barriers. Anyone can participate in DEXs, but users require a degree of familiarity and sophistication with DeFi at a minimum simply to navigate the complex environment and to possess a wallet. This structural barrier in some ways helps mitigate the risk of unsophisticated participants making exchanges for securities tokens or fraudulent tokens based on little or poor information.
The example of danger to consumers from DeFi commonly referenced by regulators is the Initial Coin Offering (“ICO”) boom of 2017. In this period, many young companies sold tokens in order to finance themselves and launch their services. The SEC responded by setting standards restricting some ICOs as unregistered securities offerings for fear that some of the token sales were high-risk or fraudulent.
While the notion that ICOs are high risk or fraudulent was popular in the media, it is highly contested by those in the crypto community. In fact, the opposite view is supported by many in the space. Professor Yermack, when asked about the potential threat to consumer protection and fraud posed by tokens sold during the ICO boom, stated:
The attempt to regulate ICOs has been shameful. There is vastly less fraud than the government has ever alleged. They view an entrepreneurial start up that doesn't work out as fraud when in reality 90% of startups fail because they are risky. All kinds of things can go wrong. Just because something goes bankrupt doesn't mean it's fraudulent. And you’ve had outcomes from the ICO market closely resembling venture capital, in terms of a relatively small number of successes but with huge returns. If you look at the ICO market overall three or four years downstream from the big issuance, there have been great rates of return for anyone who was a diversified investor. The SEC got it completely wrong. This was really a huge capital formation event where a lot of money was raised by startups, many of which turned out to be very successful, and the government spent the whole time screaming fraud instead of trying to enable the capital formation, which is part of the SEC’s mission . . . I look at these markets and I don't see huge problems with fraud. Maybe by number there are a lot of fraudulent promoters, but they attract very little business, and they disappear quickly.31
While the government depiction of risk in this space may be overblown, it is true that the architecture of DEXs cannot entirely eliminate threats to consumers from purchase of unregistered securities or fraudulent tokens. There remain some bad actors and thus there remains some risk. Thus, we ought to use the system described above wherein the SEC creates a blacklist of tokens and the network is mobilized to report them so engineers can remove them.
The financial surveillance regime, comprising the Bank Secrecy Act, as amended by the Patriot Act,32 and FinCEN, “is designed to prevent, detect, and prosecute international money laundering and the financing of terrorism.”33 These regulations were designed for futures commission merchants and introducing brokers. They require them to create anti-money laundering (AML) programs, to monitor those programs, to file suspicious activity reports (SARs), and to verify customer identity and activity (KYC). A joint statement from the Commodity Futures Trading Commission (“CFTC”), FinCEN, and the SEC states that “persons engaged in activities involving digital assets have obligations under the BSA to meet AML and KYC standards.”34 FinCEN has, at the time of writing, created draft guidance that may apply to DEXs as Money Service Businesses (“MSBs”), requiring them to report additional AML and KYC information for transactions over $10,000.35 Though still in the draft stage and not an official US regulation, FATF has also released draft guidance on regulation of “Virtual Asset Service Providers” that could add more reporting and regulatory requirements for DEXs.36 The purpose of these AML and KYC regulations is to prevent criminal activity, particularly money laundering and the funding of terrorism.
To a large extent, the architecture of DEXs addresses these concerns. Blockchain is trustless and transparent. This makes illicit activity easier to trace in the decentralized realm versus fiat in the centralized financial realm. Ari Redbord, former Senior Advisor to the Under Secretary for Terrorism and Financial Intelligence and current head of Legal and Government Affairs at TRM Labs (one of the software companies for tracing illicit activity to fight money laundering and terrorism financing) describes centralized AML KYC as “this incredibly siloed system . . . whereas the beauty of crypto is that you have this beautiful open ledger that everyone can see, that everyone can look at.”37 He explains the ways in which blockchain technology makes it much easier to trace illicit activity (the goal of AML KYC regulation):
Nobody has any idea where the money in their pocket came from and never will…the open nature of the blockchain allows for software to identify, detect, and eventually report illicit activity. You can’t do that in fiat. You’re relying on intermediaries always. You’re relying on banks to report. Whereas a regulator in crypto is able to have that sort of bird’s eye view on all on-chain illicit activity. I always go back to that point when I talk about this because even if you are a DeFi protocol and you send your protocol out there and allow it to just do its thing, we still are able to monitor the entity if you wanted to, a regulator can view all transactions occurring on the blockchain. So, to me that allows for way more transparency than you could ever have in fiat . . . There’s no analytics, there’s no anti-money laundering software for cash or for fiat.38
Despite the transparent nature of blockchain, there still exists the possibility of money laundering and terrorism financing in DEXs, but the same is true of centralized exchanges. Ari Redbord explains:
There is always going to be illicit activity in any transaction in any currency. There is way more illicit activity in fiat than there is in crypto. I would go as far as to say there is more than there will ever be in crypto. Because we have this infrastructure and these tools that allow us to monitor activity in real time, on-chain in this kind of transparent way.39
Just as fiat currency provides a degree of anonymity, so too does blockchain, and that is attractive to certain bad actors.
As with any tool, there remains a risk that criminal actors will use DEX protocols for money laundering or terrorist financing. Code itself cannot eliminate this risk. However, blockchain technology provides opportunities to mitigate risk that do not exist in the centralized world. Again, I emphasize that direct legal regulation is helpful, but only insofar as it is suited to decentralized spaces. We cannot simply take the existing AML KYC regime designed for centralized finance and apply it to DEX protocols, as is being pushed by bodies such as FinCEN40 and FATF41 in their draft guidance. To do so would spend excessive resources on problems already solved by the underlying technology and would also run the grave risk of driving activity off of DEX protocols, where it is traceable, and into bespoke, untraceable interactions. Instead, burdens should be delegated to those with the highest institutional capacity to bear them at the least cost.
Why Not Centralized AML KYC?
Studies show that AML KYC regulations catch a very small portion of criminal activity and are extremely expensive.42 KYC laws also create vast inequities by preventing those without the requisite identification from participating. Furthermore, much of the criminal activity AML KYC laws are designed to prevent is perpetrated by centralized financial institutions themselves.43 Michael Morell, former acting director of the CIA, published a paper after conducting research with experts in crypto, financial services, global intelligence and security, financial regulation, and law enforcement.44 He found that “illicit activity among all cryptocurrencies as a percent of total cryptocurrency activity from 2017 to 2020 was less than 1 percent”45 as compared to illicit activity “conducted through traditional financial intermediaries and with traditional fiat currencies . . . on the order of 2 to 4 percent of global GDP.”46
Not only are there differences in the type and scale of the problem across centralized and decentralized spaces, but the impacts of AML KYC regulation can also vary. Applying centralized regulation pushes illicit actors to innovate and become harder to track down. A simple cost-benefit analysis reveals that KYC laws hurt more than they help. As Ari Redbord put it, “[B]ad guys are not gonna give you correct KYC anyway,”47 but overly burdensome AML KYC regulation will drive bad guys’ activity off traceable platforms.48 That is to say, “overregulation is going to send people underground in ways that are way harder to regulate.”49
Antonopoulos explains the ways in which AML KYC laws applied to decentralized spaces exacerbate the problems they were created to solve in centralized spaces:
For every category of problem, so far, we have considered the only way to solve them is to apply centralized pressure with a degree of moral authority that leads to hubris and disruption, in my opinion. We can instead look to decentralized solutions by empowering people to escape poverty and oppression and economic exclusion. A world in which 87% of humanity does not have access to the basic tools of financial empowerment and building their own future is a dangerous world. So, there’s two aspects to this. One is the fact that regulations as they exist for centralized systems do not achieve their stated goals. And that’s inescapable . . . every ten years it blows up in our face. You know, we discover Bernie Madoff was the head of the regulatory agency supposedly regulating Bernie Madoff . . . So not only do these things not achieve their stated goal, but they result in a poverty trap, economic inequality, and exclusion that has massive implications. The cost of doing KYC AML to have bourgeois feeling of safety in Columbus, Ohio is a trillion dollars in direct regulatory costs per year and six billion people not being allowed to trade their labor or money or the brilliant kid in Nigeria who just invented the new start up not being able to get funding because they don’t have sufficient documentation to be “authorized” or be an accredited investor. And that system is broken.50
The balancing of costs and benefits is common in regulation, and routinely occurs in the consumer protection realm, but makes regulators uncomfortable when it comes to illicit activity. In describing this double standard, Daniel Tarullo, Professor at Harvard Law School and former member of the Federal Reserve Board of Governors, stated of consumer protection regulation,
[I]f we really try to have zero incidents of harms there would probably be so many costs associated with it that a lot of people would be denied access . . . we can achieve a regulatory system that produces a tolerable level of harm . . . When it comes to money laundering and anti-terrorism stuff the attitude of banking regulators tends to be, particularly with respect to terrorism, one failure is potentially unacceptable.51
This discomfort with cost-benefit analysis is understandable, even admirable, but it is not efficient and not in the public’s interest, however uncomfortable that may be to face. When asked about this perspective, Professor Yermack responded: “I as an economist just don't see it that way. You’ve probably read these studies about the gross over-investment in airline safety. If we spent that much on highway safety, we could save a hundred times as many lives and so forth.”52 He added:
I think this whole area has been an overreaction to what happened 20 years ago in the 9/11 terrorist attacks. The US implemented such draconian measures that have choked off remittances to the third world. You know it is very hard to send money to African charities today because they have to prove they are not terrorists. Many of the people on the other end are undocumented and so forth . . . the US has completely miscalculated this area and created even more enemies by choking off access to routine financial transactions in parts of the world where we wish to encourage it. So, I don't think there are that many terrorists in the world. Most people know who they are already. Far more of them are within the United States than abroad trying to get in.53
Regulation Designed for DEXs
The efficient solution is to use direct legal regulation, not by applying pre-existing AML KYC law designed for the centralized financial system, but instead by simply requiring the use of suspicious activity monitoring systems supplied by private companies. No more, no less.
The goal of regulators is to ensure there is a system in place for reporting and surveillance. The most efficient mechanism for achieving that goal is the private market. In response to this argument, critics have expressed two concerns: first, that the technology does not account for the KYC component, and second, that what the private market supplies is merely a technology, so a regulator is still needed to ensure that the technology is being used and that reports are being filed when needed.
Regarding the KYC component, I would reiterate the above discussion and add that this discussion is largely theoretical. In practice, whether or not FATF or FinCEN impose KYC regulations on DEXs, all those who engage with DEXs will likely have already undergone KYC screening. The process of getting a wallet and obtaining tokens requires the use of platforms subject to KYC requirements. As Aave General Counsel Rebecca Rettig has written in response to FATF’s draft guidance, “These days, it is nearly impossible to use crypto without first having been KYC’ed by any number of platforms. In other words, DeFi is a ‘closed system’ because a user cannot enter or exit it without having undergone KYC.”54 Thus, regardless of whether we believe KYC ought to be applied to DEXs, the reality remains that KYC concerns are already addressed, and subjecting DEXs to an additional layer of KYC regulation is redundant. Not only is it redundant, it is dangerous. Professor Tarullo made this point, stating “To the degree that the FinCEN instinct is just to say, ‘Well we’ve got this exchange so we’re going to make them do a bunch of stuff’ . . . going after [DEXs] for the broader set of issues is self-defeating because you’ll just drive everything into the bespoke world.”55
As to the second point—that market solutions fulfill the monitoring and reporting elements required and the issue remaining is to ensure the use of that product—I agree. This is where law enforcement ought to come in to ensure the use of one of the available suspicious activity monitoring solutions and the reporting of suspicious activity when appropriate.
The question then becomes one of allocation. The software companies will perform the service, but who is going to pay for these software solutions to be applied to DEXs? Should we have the government contract directly with the software companies? Should DEXs solicit software company services and then pass information on to the government? The option that maximizes public value and minimizes public cost is for the government to obtain these services directly.
AML KYC laws require centralized financial institutions to implement their own monitoring programs. One option is to simply make DEXs pay for these software solutions the same way we make banks pay for their AML programs.56 This option is not efficient. It requires financial surveillance regulators to rely on the software developers who created DEXs, or on open-source participants, to act as third parties in conducting the surveillance and submitting reports. Developers are not best suited to determine when a report is appropriate—and many of them may no longer be working on the software that remains publicly available, or may contribute to it only on a very part-time basis. Software developers, fearing a breach of compliance obligations, might file SARs when unnecessary, thus contributing to the massive backlog in reports.57 Government officials have expressed that over-reporting might undermine the value of the reporting system.58
Furthermore, the financial burden is not best absorbed by software developers who built and launched DEXs. Regulators must face the possibility that distributing the burden in this way may prove too much for the software developers who create these basic protocols. DEXs are not banks. They do not have the resources of centralized financial institutions, nor the security blanket of government intervention should they fail. Overburdening the software developers and contributors who build DEXs will drive illicit activity into untraceable environments.
The above solution, though potentially functional, is not the most efficient. Far more efficient would be for regulators to use these software solutions directly, without relying on DEXs as intermediaries, as many regulators and law enforcement agents are already doing.59 Furthermore, from a burden-assignment perspective, centralized exchanges are actively responsible for the operation of the exchange, and therefore responsible for implementing AML regulations. DEXs, on the other hand, are autonomous protocols. Once the protocol is released, the engineers who created it are not responsible for operating the DEX and thus do not share the same responsibility to finance the monitoring of the DEX.
If the government wants these spaces monitored, if it believes this is a public good, the government ought to conduct that monitoring. Not through execution, as the government is not the actor with highest institutional capacity for monitoring illicit activity on the blockchain—the private market is—but through contracting out that monitoring. This option would cost public funds in the short term, but would benefit the public in the long term, as it would ensure AML compliance did not become so costly as to hamstring DEX protocols and drive transactions into untraceable environments where crime could proliferate without interference.
Direct legal regulation is not the most efficient primary tool for regulating DEX protocols. Code is. When a DEX protocol’s architecture falls short, the law ought to step in to supplement code in order to shape behavior to ensure maximum public value for minimum public cost.
Consumer protection concerns are alleviated to a great degree by the transparent nature of blockchain technology, but some tokens on DEXs continue to be unregistered securities. Having the government create a blacklist of tokens and then using the power of the network to flag blacklisted tokens for removal, through a decentralized analog to DMCA 512 Notice and Takedown, assigns each task to the actor with the highest institutional capacity to perform it for the least cost, so that consumers are protected and capital formation is encouraged.
Similarly, the transparent nature of blockchain makes interactions highly traceable and furthers the goals of the financial surveillance regime in monitoring illicit activity. However, the code itself cannot prevent bad actors from using DEX protocols for illicit purposes. The market provides multiple software solutions capable of tracing and fighting these activities. The use of such tools is a public good and would be most efficiently ensured by having regulators contract directly with service providers so as to protect the public and avoid overburdening DEXs so that they fail, and transactions move to untraceable platforms.
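The two mechanisms described in the two preceding paragraphs (a published token blacklist that the network can flag, and monitoring software that follows funds across the open ledger) can be sketched in code. The following Python is an added illustration written for this page; it is not the essay's own material and not the product of any tracing vendor named above. Every address, token identifier, transaction hash and the blacklist itself are constructed placeholders, and the event shapes are assumptions about what a DEX protocol and token contracts emit on a public ledger.

```python
"""Open-ledger monitoring sketch (added example; all data below is constructed).

Two defender-side tasks:
  1. flag swaps that involve a token on a published blacklist, producing
     notice records (the decentralized notice-and-takedown analog);
  2. trace where a flagged trader's proceeds went afterwards, which the open
     ledger permits and a fiat system does not.
"""
from collections import deque

# Hypothetical government-published blacklist of unregistered securities.
BLACKLIST = {"0xTOKENBAD01"}

# Constructed swap events in the shape a DEX protocol might log on-chain.
SWAPS = [
    {"tx": "0xaa01", "trader": "0xALICE", "token_in": "0xUSDC",
     "token_out": "0xTOKENBAD01", "amount_out": 500},
    {"tx": "0xaa02", "trader": "0xBOB", "token_in": "0xUSDC",
     "token_out": "0xTOKENOK02", "amount_out": 10},
    {"tx": "0xaa03", "trader": "0xCAROL", "token_in": "0xTOKENBAD01",
     "token_out": "0xUSDC", "amount_out": 300},
]

# Constructed token transfer log: (from, to, token, amount).
TRANSFERS = [
    ("0xALICE", "0xHOP1", "0xUSDC", 400),
    ("0xHOP1", "0xDAVE", "0xUSDC", 390),
    ("0xDAVE", "0xCEX_DEPOSIT", "0xUSDC", 390),
    ("0xBOB", "0xERIN", "0xUSDC", 5),
]


def flag_blacklisted_swaps(swaps, blacklist):
    """Return one notice per swap whose input or output token is blacklisted."""
    notices = []
    for swap in swaps:
        hits = {swap["token_in"], swap["token_out"]} & blacklist
        if hits:
            notices.append({
                "tx": swap["tx"],
                "trader": swap["trader"],
                "token": sorted(hits)[0],   # deterministic choice if several hit
                "reason": "blacklisted token",
            })
    return notices


def trace_downstream(transfers, origin, max_hops=5):
    """Breadth-first walk over transfer edges starting at `origin`.

    Returns {address: hop_count}; bounding hops keeps a real ledger walk
    from exploding, since popular contracts have enormous fan-out.
    """
    adjacency = {}
    for src, dst, _token, _amount in transfers:
        adjacency.setdefault(src, []).append(dst)
    reached = {origin: 0}
    queue = deque([origin])
    while queue:
        current = queue.popleft()
        if reached[current] >= max_hops:
            continue
        for nxt in adjacency.get(current, []):
            if nxt not in reached:
                reached[nxt] = reached[current] + 1
                queue.append(nxt)
    return reached


def build_report(swaps, transfers, blacklist, max_hops=5):
    """Combine both steps: for each notice, attach the trader's downstream trail."""
    report = []
    for notice in flag_blacklisted_swaps(swaps, blacklist):
        trail = trace_downstream(transfers, notice["trader"], max_hops)
        notice = dict(notice)
        notice["downstream"] = sorted(a for a, h in trail.items() if h > 0)
        report.append(notice)
    return report


if __name__ == "__main__":
    for entry in build_report(SWAPS, TRANSFERS, BLACKLIST):
        print(entry)
```

In practice the swap and transfer lists would be read from a node's event logs rather than constructed, and the hop bound would be paired with amount thresholds so that dust transfers do not pull unrelated addresses into a trail.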