Those who know me well would describe me as a crypto optimist/realist. TY to TechCrunch for publishing my reflections on #crypto in 2023 & the challenges we need to take on in 2024 to bring the industry to its full, incredible potential. techcrunch.com/2024/01/04/cry…

KYC is going to need to be entirely cryptographic going forward. Bullish on blockchains

What crypto (besides ETH) will get an ETF next?

1/ Today, Michael Mosier Katja G & I are sharing a paper that begins a conversation around, & proposes a conceptual framework for, how to answer the "illicit finance" policy question as it relates to DeFi. A brief thread below, with links to the full paper + a summary document.

2/ Full paper here: papers.ssrn.com/sol3/papers.cf… Summary doc (2 pages!) here: uploads-ssl.webflow.com/637359c81e22b7…

3/ The paper sets the stage with a brief overview of the U.S. financial integrity laws--AML/CFT + sanctions--and the ways those laws are implemented by intermediaries, incl a special class of intermediaries known as "financial institutions" ("FIs") under the BSA. (Sec I.)

4/ We also explain what DeFi really is & is not, as well as the sources of illicit finance risk in DeFi which are very different than in traditional finance--cyber risk, system management risk & usage risk. (Sec II.) h/t Jarrod Watts for the DeFi graphic (incl in the paper)

5/ Section III provides a 3-part framework on how to think about combating illicit finance in DeFi. The goal is to keep permissionless systems permissionless while recognizing appropriate touchpoints for financial integrity set against the realities of the DeFi Transaction Flow.

6/ First, the framework sets out a definition of “independent control,” grounded in the 2019 FinCEN Guidance, in order to identify smart-contract based financial protocols w centralized intermediaries that may otherwise call themselves "DeFi."

7/ Tech systems w ppl who have "independent control" over them are "on-chain CeFi" as noted in an article by Schuler, Ann Sofie Cloots & Schar (link 👇). They likely regulation incl for illicit finance, but this requires examining "facts & circumstances". papers.ssrn.com/sol3/papers.cf…

8/ System Control Persons (those who have "independent control") are not necessarily financial institutions, and the definition of SCP is not intended to capture governance token holders, DAOs or third party, exogenous touchpoints like oracles.

9/ Second, we propose classifying genuine DeFi protocols--neutral, decentralized software--as “critical infrastructure,” subject to oversight & security coordination by the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection (“OCCIP”).

9/ The "critical infrastructure" framework is coordinated by CISA Cyber, which oversees network tech & physical architecture "critical" to U.S. national & economic security in 16 sectors, incl in financial services. CISA & its coordinating arms (incl OCCIP) are not regulators.

10/ Genuine DeFi Systems are technological infrastructure underpinning a new approach to conducting financial transactions & given the way in which they function, OCCIP could make meaningful contributions to the safe operation of genuine DeFi Systems.

11/ OCCIP doesn't have reg authority & does not oversee financial institutions, but works w industry bodies in the fin'l services sector “to enhance the security & resilience of financial services sector critical infrastructure & reduce operational risk” & share cyber info.

12/ Much of the same type of work that OCCIP does is being built in the DeFi sector--notably, for cyber-security frameworks and an ISAC (cryptoisac.org)--but the types of industry and regulatory coordination facilitated by OCCIP will further the robustness of this work.

13/ Finally, we propose that new laws could require certain biz that are (a) necessary to the transmittal of comms re DeFi tx's, (b) transmit a material portion of such comms & (c) offer this as a service to take on additional illicit finance risk management practices.

14/ We term this new category "critical communications transmitters." CCTs would not be FIs subject to the BSA; they do sit at a point in the DeFi Transaction Flow to potentially aid in meeting fin'l integrity objectives. RPC-node-as-a-service is one example of a CCT.

15/ Please read the paper, reach out, challenge the ideas and pose new ones. Constructive dialogue is the best way to move the industry forward, and we look forward to developing these concepts further w industry & government collaboration.

Our attempt to restart the convo on DeFi & reg/risk in substantive context. Recognizing DeFi as fundamentally cyber critical infrastructure underpinning financial elements + a natural alignment around accessible & resilient networks, without treating every bytecode as a bank.