
Everybody needs Compliance

Recent trends in the financial-regulation compliance of blockchain-based assets such as cryptocurrencies raise questions about the balance between privacy and compliance. Traditional financial services rely on trusted intermediaries to protect customer privacy; decentralized finance has no such intermediaries. Cryptocurrency markets also operate on transparent blockchains, which raises its own privacy and cybersecurity concerns. To address these challenges, this post proposes leveraging advances in cryptography and blockchain technology to build on-chain compliance solutions that protect customer privacy while still enabling regulators to combat illicit financial activity. The aim is to strike a balance between privacy and compliance in the crypto ecosystem and to show why on-chain compliance matters for digital asset privacy.

Why Compliance now?

In October 2022, a bankruptcy filing by Celsius, a digital asset lending platform, revealed the names and transaction history of nearly half a million depositors, highlighting the privacy risks of blockchain transparency. To mitigate this risk, digital asset holders turn to additional privacy-enhancing technologies. However, these technologies can also frustrate government investigations into malicious activity, as demonstrated by the US Treasury's sanctioning of the virtual currency mixer Tornado Cash. The clash between privacy and compliance can be overcome with technological advances that use the blockchain itself to enforce compliance while sustaining financial confidentiality and consumer privacy.

Current Regulatory Landscape

The current regulatory approach to crypto compliance replicates traditional anti-money laundering regulation. In the US it stems from the Bank Secrecy Act (BSA), which requires financial intermediaries to collect customer information and report suspicious activity. This approach may not fully address illicit finance in decentralized environments such as Web3, and a new approach may be needed.

Current financial regulations target financial intermediaries, the entities that perform critical functions on behalf of customers. The Financial Action Task Force (FATF) updated its Virtual Asset Guidance to bring Virtual Asset Service Providers (VASPs) under AML/CFT regulation, and the guidance also aims to bring DeFi arrangements and their developers under regulatory obligations. In effect, the FATF approach expands the definition of intermediary entities so that regulatory responsibilities can be imposed in a decentralized world.

The FATF published its revised Virtual Asset Guidance in October 2021, following the original guidance from June 2019. The revised guidance applies AML/CFT standards to VASPs and DeFi protocols: it defines VASPs, sets out their anti-money laundering and counter-terrorist financing obligations, recommends that DeFi protocols conduct ML/TF risk assessments, and suggests involving regulated VASPs in activities related to DeFi arrangements.

Regulating Crypto Efforts

Regulating the crypto space is a global effort, but many jurisdictions are still defining their approach. As of July 2021, of the 128 jurisdictions that responded to the FATF, only 58 reported having the legislation necessary to implement Recommendation 15 and its Interpretive Note (R.15/INR.15), and 35 reported that their regime was operational. Only a few jurisdictions had conducted examinations, and even fewer had imposed enforcement actions. 32 jurisdictions reported that they had not yet decided what approach to take for VASPs, had no AML/CFT regime in place, and had not begun a legislative or regulatory process. Similarly, of the 52 jurisdictions that reported having established regulatory regimes permitting VASPs, 31 had established only registration regimes and just 17 licensing regimes.

Regarding the definition of intermediaries, some jurisdictions have followed the 2021 FATF Guidance, while others have sought to interpret, extend, or narrow the scope of the definition. For example, a 2022 discussion paper published by the Financial Services Regulatory Authority of Abu Dhabi Global Market proposes defining "DeFi controllers" as those who can "update the software underlying the protocol" and requiring such controllers to be licensed, so that they can be held to regulatory obligations equivalent to those of traditional financial intermediaries.

In the EU, DeFi is generally out of scope under MiCA, but the definition of "Crypto Asset Service Provider" includes the "operation of a trading platform" and "reception and transmission of orders" for crypto-assets. This raises questions about how DeFi will be interpreted and how far the designer or developer of a protocol or decentralized operation will be brought within the reach of national authorities.

In the UK, registration requirements for VASP-related activity are set out in Regulation 14A of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). In simple terms, the regulation covers businesses that exchange cryptocurrencies for traditional money and vice versa, businesses that provide custodian wallet services, and businesses operating machines that automatically exchange cryptocurrencies for money or money for cryptocurrencies. The trend is clearly to broaden the definition of regulated entities in the crypto industry.

Global Trend: "Know Your Transaction"

Regulators and policymakers have expressed concern about the increased risk of illegal financial activity associated with unhosted wallets and DeFi protocols. In decentralized finance, people can hold their assets in "unhosted" (self-hosted) wallets without a third party holding the funds. The owner has full control over the assets, much as with physical cash.

Many countries are working on ways to regulate transactions involving unhosted wallets. For example, the United States Treasury proposed a rule in December 2020 that would require banks and money service businesses to collect identifying information for transactions involving unhosted wallets.

Another concern is the application of the "Travel Rule" to the crypto industry. The Travel Rule requires financial intermediaries to pass along information identifying the originator and beneficiary of every payment transaction, even when the destination address is an unhosted wallet.

Regulators in Europe are also considering bringing unhosted wallets within the scope of the Travel Rule, which would require crypto-asset service providers to collect information on unhosted wallets and apply a risk-based approach to decide on further measures.

Bringing unhosted wallets under regulatory requirements raises the practical problem of accurately validating who owns a wallet, along with privacy and cybersecurity concerns.

In response to these concerns, the UK proposed that crypto-asset businesses be expected to collect beneficiary and originator information only for transactions identified as posing an elevated risk of illicit finance, with the risk factors set out in legislation.

Web3: Lucid Dream of Decentralization

Forcing an intermediary-based approach onto the decentralized crypto ecosystem, or Web3, has some fundamental flaws. The first is that the approach assumes reliable entities exist that can collect and report information to law enforcement and safeguard it from cyber attacks. In decentralized settings, many of the entities that would be designated as intermediaries may not be trustworthy and may lack the ability to protect sensitive personal and commercial information. Requiring record-keeping from such parties increases the risk of data theft and of harm to law-abiding citizens.

When blockchain-based assets are used for payments, for example via stablecoins, current crypto regulation could create significant cybersecurity vulnerabilities. Expanding the definition of intermediaries could mean that merchants must collect personal information from every customer who pays from an unhosted wallet, which puts customers' privacy and security at risk.

The search for intermediaries and the imposition of anti-money laundering (AML) obligations on small entities in the decentralized ecosystem may also conflict with the Regulatory Flexibility Act. Small entities may not have the capability to collect and store highly sensitive information, and the cost of compliance could be burdensome.

The cost of compliance (and of non-compliance) is well documented in the financial sector: firms reportedly spend about 4% of their revenue complying with regulations (Duff & Phelps 2018), and banks paid $320bn (just under 1% of revenue) in fines from 2007 to 2016 (BCG 2017). Economy-wide estimates are harder to compile, but the United States Council of Economic Advisers has estimated the direct and indirect costs of regulation at roughly 12% of US GDP in 2012, while estimates of the cost of the stock of regulation in the United Kingdom have historically exceeded 10% of GDP.

Furthermore, the potential for consumer harm is significant if a data breach or misuse exposes the physical address of a self-hosted wallet's owner and connects it to the balance in that wallet. Even minor leaks cause disproportionate privacy harm, because a small amount of wallet-identifying data can usually be combined with public ledger data to recover a user's entire transaction history.

Achilles heel of DeFi

The development of blockchain technology has led to innovations aimed at improving efficiency and scalability. Some of these innovations enhance privacy at the expense of the blockchain's transparency, which makes blockchain analytics less effective. As the crypto ecosystem moves toward decentralization, complex smart contracts are increasingly used to support decentralized finance, and they often mix funds. Enforcement actions against decentralized protocols such as Tornado Cash present methodological difficulties. The US Department of the Treasury published an assessment in April 2023 emphasizing that DeFi services that do not comply with existing AML/CFT regulations pose significant illicit finance risks.

Right to be Private

Privacy is non-negotiable. The right to privacy is essential for protecting individual freedoms and human relationships. In the US, several state laws protect privacy rights, such as the California Consumer Privacy Act, the Virginia Consumer Data Protection Act, and the Colorado Privacy Act, which provides similar rights. Federally, the Right to Financial Privacy Act of 1978 safeguards personal financial records from disclosure to government agencies without the individual's consent.

In the EU, the General Data Protection Regulation (GDPR) grants individuals the right to object to the processing of their personal data and, in defined circumstances, the right to have that processing stopped.

Balancing privacy rights with law enforcement needs is crucial, as privacy can conflict with the necessity for law enforcement to prevent crimes and ensure national security. However, it's essential to differentiate between legitimate privacy needs and those that hinder law enforcement efforts.

In traditional finance, privacy rights are balanced against law enforcement needs through financial intermediaries. In decentralized finance and crypto markets, the lack of effective intermediaries means that law enforcement relies instead on blockchain traceability and transparency, which leaves little room for privacy or financial confidentiality in this space.

It is important to note that privacy tools such as Tornado Cash can serve legitimate privacy needs, such as protecting personal security during transactions or concealing the asset balance of a wallet. Abandoning privacy altogether because of law enforcement constraints would undermine legal foundations. Emerging technologies for on-chain compliance could become a critical tool for future financial regulators, enabling decentralized, privacy-preserving enforcement of compliance without intermediaries and without reliance on blockchain analytics.

Why we need On-chain Compliance

Blockchain technology can be used to enforce compliance and ensure privacy at the same time. It allows the creation of compliant versions of blockchains, decentralized protocols, and virtual assets that enforce jurisdictional policies while preserving economic value and technological capability. Using advanced cryptographic techniques such as zero-knowledge proofs and verifiable encryption, compliance policies can be programmed to enforce rules on digital transactions, giving privacy-preserving enforcement comparable to traditional finance. Each transaction is then checked against the specified policies and carries the associated identity credentials, regardless of whether it was conducted from a custodial or a self-hosted wallet.

Financial Confidentiality and Privacy

Cryptocurrency users' financial privacy and security can be maintained while ensuring on-chain compliance. Identity information recorded on the ledger can be cryptographically protected so that it is not publicly visible; sensitive personal information would be visible only to authorized parties, according to predetermined policies. On-chain compliance does not rely on centralized storage or on privileged access to a database.

The policy could specify which parties within a jurisdiction hold special privileges, such as visibility of information or the authority to issue alert lists and sanction lists, and the conditions under which those privileges may be exercised. It could also define constraints and reporting requirements on fund movements across jurisdictional policies. Confidential identifying information is never exposed to third parties except as the policy dictates: as in traditional finance, visibility is available only to those authorized under law and policy. On-chain compliance opens windows of selective visibility while defaulting to strong privacy protection, so data, and deductions drawn from it, are revealed only to authorized parties. The integrity of the data and of mandated actions such as reports is cryptographically ensured, without reliance on centralized, high-risk repositories of sensitive information. Rather than maintaining such a repository, on-chain compliance lets regulators see, and focus on, only the information they need.

Make the DeFi great again

Instead of applying traditional financial rules to a decentralized financial system, on-chain compliance uses blockchain technology to enforce stronger rules that work with Web3 infrastructure. DeFi illustrates the need for this approach. DeFi differs from traditional financial systems in several ways: assets are usually held directly by users in "unhosted" wallets or in smart-contract-based escrow rather than by a centralized service provider; transactions are executed by software (smart contracts) rather than by financial intermediaries; and protocols are governed by open-source code without a centralized service provider.

In the absence of a traditional intermediary, on-chain compliance could regulate and enforce compliance in DeFi through smart contracts. It can work with unhosted wallets without relying on a third party to control the funds. Once unhosted users are identified and verified, on-chain compliance can monitor transactions and generate reports automatically, with no intermediary involved. Even complex compliance reports such as Suspicious Activity Reports (SARs) can be programmed into an on-chain policy.

The U.S. Treasury's assessment of decentralized finance recommends integrating cryptographic Zero-Knowledge proofs into smart contract code to enhance compliance mechanisms. The report also suggests that the U.S. government should engage with developers to promote innovation that addresses the illicit finance risks of DeFi services. Policymakers and regulators are urged to consider necessary changes in regulations to support these developments.

In traditional finance, transaction details are visible only to the counterparties, their intermediaries, and law enforcement, and are private from the general public. Intermediaries are responsible for protecting the security and privacy of their customers' financial data and for enforcing compliance. On today's blockchains, transactions are visible in pseudonymous form to the general public, and only partially to law enforcement, depending on the transaction source. On-chain compliance brings crypto to par with traditional finance by offering windows of visibility to law enforcement and counterparties while enforcing privacy and financial confidentiality against everyone else.

The idea of modernising anti-money laundering (AML) rules using blockchain technology is gaining momentum. On-chain compliance could streamline AML processes by encoding them in the consensus rules of a blockchain. Instead of struggling to align KYC practices or exposing the financial system to a centralized surveillance system, on-chain crypto compliance lets financial institutions rely on attestations from other institutions for risk management without sharing sensitive user information. Sanctions could be enforced on-chain in real time, blocking non-compliant transactions before they settle. Off-chain reports could be generated automatically, saving time and giving law enforcement better tools to prevent financial crime. This would reduce the burden of duplicate KYC checks on financial institutions, improve the customer experience, and set the stage for compatibility with stablecoin and CBDC payments. Such a decentralized financial utility would modernize AML rules and provide a resilient, secure system that minimizes the transfer of personal information.
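To make the mechanism in the preceding sections concrete (cryptographically protected identity on the ledger, attestations from other institutions, selective visibility for a sanctioning authority, and real-time on-chain blocking), here is an added illustration in Python. It is not Own Protocol's code nor the code of any project cited on this page, and it makes one deliberate simplification: where a deployed system would use a zero-knowledge proof so that a transaction reveals nothing but "I hold a valid attestation", this example reveals a salted commitment and a Merkle audit path, so the commitment is linkable across transactions. Everything else is standard: the attester keeps the identity and salt off-chain and publishes only a Merkle root; the on-chain policy accepts a transfer only if the commitment is in a trusted attester's tree and not on the sanctions list; and the attester can open a single commitment to an authorized party without exposing anyone else. All names, identities and roots below are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Domain separation so an interior node can never be replayed as a leaf
# (the classic Merkle second-preimage issue).
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def commit_identity(identity: bytes, salt: bytes) -> bytes:
    """Salted commitment to a verified identity record. The attester keeps
    (identity, salt) off-chain; only the commitment ever reaches the ledger.
    A 32-byte random salt makes it hiding, the hash makes it binding."""
    return sha256(LEAF_PREFIX + salt + identity)


def open_commitment(identity: bytes, salt: bytes, commitment: bytes) -> bool:
    """Selective disclosure: an authorised party given (identity, salt) checks
    it is the pre-image of the on-chain commitment. Constant-time compare."""
    return secrets.compare_digest(commit_identity(identity, salt), commitment)


def _node(left: bytes, right: bytes) -> bytes:
    return sha256(NODE_PREFIX + left + right)


def merkle_root_and_proofs(leaves: list[bytes]):
    """Attester side: root to publish plus, per leaf, an audit path of
    (sibling_hash, sibling_is_left). Odd levels duplicate their last node."""
    if not leaves:
        raise ValueError("attestation set is empty")
    level, positions = list(leaves), list(range(len(leaves)))
    paths: list[list[tuple[bytes, bool]]] = [[] for _ in leaves]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        for i, pos in enumerate(positions):
            paths[i].append((level[pos ^ 1], pos % 2 == 1))
            positions[i] = pos // 2
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], paths


def verify_membership(leaf: bytes, path: list[tuple[bytes, bool]], root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_left in path:
        h = _node(sibling, h) if sibling_is_left else _node(h, sibling)
    return h == root


@dataclass(frozen=True)
class TransferProof:
    """Attached to a transfer from a self-hosted wallet (hypothetical format)."""
    commitment: bytes
    path: list
    kyc_root: bytes


def check_transfer(proof: TransferProof, trusted_roots: set, sanctioned: set) -> tuple[bool, str]:
    """The on-chain policy, evaluated before funds move."""
    if proof.kyc_root not in trusted_roots:
        return False, "attester not recognised by policy"
    if not verify_membership(proof.commitment, proof.path, proof.kyc_root):
        return False, "no valid attestation for this commitment"
    if proof.commitment in sanctioned:
        return False, "commitment is on the sanctions list"
    return True, "compliant"


def demo() -> dict:
    # Constructed sample customers, not real data.
    identities = [b"passport:AA1234567;A", b"passport:BB7654321;B", b"idcard:CC0000001;C"]
    salts = [secrets.token_bytes(32) for _ in identities]
    leaves = [commit_identity(i, s) for i, s in zip(identities, salts)]
    root, paths = merkle_root_and_proofs(leaves)
    trusted_roots, sanctioned = {root}, set()  # both fixed by the jurisdiction's policy
    out = {"attested": check_transfer(TransferProof(leaves[0], paths[0], root), trusted_roots, sanctioned)}
    # Attester opens only B's commitment to the sanctioning authority, which
    # verifies the opening and lists the commitment; A and C stay hidden.
    assert open_commitment(identities[1], salts[1], leaves[1])
    sanctioned.add(leaves[1])
    out["sanctioned"] = check_transfer(TransferProof(leaves[1], paths[1], root), trusted_roots, sanctioned)
    # Unattested wallet replaying A's audit path with its own commitment.
    stranger = commit_identity(b"unknown", secrets.token_bytes(32))
    out["unattested"] = check_transfer(TransferProof(stranger, paths[0], root), trusted_roots, sanctioned)
    # Valid path, but rooted in an attester the policy does not trust.
    out["untrusted_root"] = check_transfer(TransferProof(leaves[2], paths[2], sha256(b"rogue")), trusted_roots, sanctioned)
    return out


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15s} {'ALLOW' if ok else 'BLOCK'}  {reason}")
```

Two points a practitioner should take from this. First, the policy never sees an identity: the only privileged step is `open_commitment`, and it discloses exactly one record to exactly the party the policy names. Second, the trust boundary is the set of attester roots the contract accepts; an attester that publishes a root covering unverified customers defeats the check, so root updates need the same governance as a sanctions-list update. Replacing the revealed commitment with a zero-knowledge membership proof removes the cross-transaction linkability but leaves this trust structure unchanged.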

When it comes to crypto compliance, it is worth asking whether rules or standards are the more effective form of financial regulation in Web3 environments. Rules are forward-looking norms that fix the expected behavior before it occurs, so individuals can plan their actions accordingly. Standards are applied after the fact and require interpretation and case-by-case adaptation by regulators. In Web3, certainty, uniformity, and stability are crucial, while flexibility and open-endedness are less valuable.

In Web3, open-source technology lets users and developers understand the framework before getting involved. Rules concentrate discretion in the rule maker, freeing users and developers from the costs and uncertainties of interpreting standards. This is particularly valuable in Web3, where uncertainty can hinder innovation and progress.

Furthermore, emerging Web3 technologies allow blockchains to enforce policies in advance, setting normative boundaries on their use. This enhances predictability and legal certainty, aligns with the needs and ethos of Web3, and promotes the growth of this innovative sector of the economy.

Conclusion

The conflict between privacy and compliance familiar from traditional financial services will intensify as cryptocurrency markets grow and are more widely adopted. Today's regulatory methods, which rely on financial intermediaries and on blockchain analysis of an immutable, transparent ledger, will run into limits in this evolving ecosystem. Imposing that model on decentralized, peer-to-peer transactions will burden innocent behavior and hinder innovation. In this post we highlight on-chain compliance as an alternative that uses cryptography and programmable policies in legal smart contracts to go beyond the simple choice between compliance and privacy.

If you've read this far, you're clearly someone who values both privacy and compliance. But don't stop here: take action! We're building Own Protocol, an on-chain compliance protocol for Digital Asset Privacy that uses zero-knowledge proofs. It is designed to empower users while ensuring compliance across both DeFi platforms and traditional finance. Join us in shaping a future of finance where privacy and compliance coexist.

Follow us on X (@theownprotocol) and Own Protocol on LinkedIn, and stay tuned for more updates!

References:

1. The Case for On-Chain Privacy and Compliance. https://stanford-jblp.pubpub.org/pub/onchain-privacy-compliance/release/1
2. Privacy-Protecting Regulatory Solutions Using Zero-Knowledge Proofs (full paper). https://a16zcrypto.com/posts/article/privacy-protecting-regulatory-solutions-using-zero-knowledge-proofs-full-paper/
3. The Global RegTech Industry Benchmark Report. https://www.jbs.cam.ac.uk/faculty-research/centres/alternative-finance/publications/the-global-regtech-industry-benchmark-report/
4. SoK: Programmable Privacy in Distributed Systems. https://eprint.iacr.org/2024/982