In 2019, the Financial Action Task Force (FATF) published FATF Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (the FATF Guidance) updating a set of standards in relation to cryptocurrency (virtual assets) and virtual asset service providers (VASPs) to address money laundering and terrorist financing and further clarify how national authorities should implement these standards.
The FATF Guidance deals mainly with VASPs, a category which, among others, includes crypto exchanges. In the FATF Guidance, crypto exchanges are conceived as legal entities or individuals who, as a business, conduct crypto-to-crypto and crypto-to-fiat exchange for or on behalf of another person. This definition covers centralized custodial crypto exchanges; however, it leaves some room for ambiguity in relation to decentralized exchanges (DEXs), which by design are not operated by any responsible person.
Before considering the FATF Guidance’s applicability to DEXs, let’s establish which principles crypto exchanges are expected to follow. According to the FATF Guidance, national authorities have to impose Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) requirements on crypto exchanges, applying a risk-based approach to their activities (e.g., taking into account their size and nature). It should be noted that the FATF Guidance is a set of standards that forms the basis for coordinated international actions and has no force of law. While applying them, countries may derogate from or alter these standards based on the specificities of their legal systems. For instance, crypto-to-crypto exchanges covered by the FATF Guidance currently do not fall under the provisions of the EU’s Fifth Anti-Money Laundering Directive (‘the 5AMLD’), which regulates only crypto-to-fiat exchanges.
General AML/CFT compliance rules for crypto exchanges
Generally, key aspects that should be ensured for AML/CFT purposes from an international perspective are:
1. Crypto exchanges should be licensed or registered by designated authorities in the jurisdictions where they are created and/or operate and/or where they offer services to their customers (unless they are already licensed as financial institutions which are in compliance with the FATF standards and are permitted to operate with cryptocurrencies).
2. Crypto exchanges should effectively implement the relevant FATF Recommendations and have them in place before registration. All 40 FATF recommendations apply to crypto exchanges (some are general, others were revised to make them specific to crypto exchanges and other VASPs). Thus, crypto exchanges should develop and apply end-to-end AML/CFT control procedures which include preventive measures such as checking potential customers before they are onboarded (Customer Due Diligence), record-keeping, suspicious transaction reporting, designation of a compliance officer, training of staff, and, if necessary, freezing or prohibiting suspicious transactions.
Particular attention needs to be paid to the so-called ‘Travel Rule’. Under this Rule, crypto exchanges and other VASPs are required to gather, hold and exchange amongst themselves information about an originator (e.g., customer’s name, address, wallet address, national identity number) and a beneficiary (customer’s name and wallet address) when conducting a transaction of USD/EUR 1,000 or higher. If required, exchanges should also provide such information to the competent authorities. The FATF Guidance specifies that countries may adopt their own de minimis threshold. For instance, in the USA under the Bank Secrecy Act, the threshold on reporting (including cryptocurrency transactions) is $3,000; however, a proposal for lowering the threshold to $250 for transfers that go outside the USA is currently under consideration. In the EU, the 5AMLD does not regulate integrations between crypto exchanges (it provides only for record-keeping and data submission to financial intelligence units upon request). Meanwhile, some EU countries, like Switzerland, brought their AML regulations in line with the FATF’s Travel Rule, setting a transaction threshold of $1,000.
It is worth noting that operations with privacy coins fall under the same AML procedures as with any other cryptocurrency. According to the commentary to Cointelegraph, given by Reuben Yap, chief operations officer at Zcoin, a coin’s privacy features do not affect an exchange’s obligation to comply with the Travel Rule “since a VASP can always give information of its transactions with other VASPs since it already has the customer’s identity and KYC.”
Nevertheless, despite the progress in introducing the Travel Rule by some jurisdictions (15 countries as of June 2020), universal implementation of this rule might be challenging. For instance, VASPs may experience difficulties identifying their counterparties, especially while interacting with unregistered DEXs or unhosted wallets. As a possible solution to this issue, the FATF suggests the creation of a ‘global list of VASPs’ maintained in a centralized (a central database) or decentralized manner (smart contracts connect to each jurisdiction’s list).
3. Crypto exchanges are subject to supervision or monitoring for AML/CFT compliance conducted by national authorities. Depending on the jurisdiction, these measures may include offsite and onsite examinations, disciplinary and financial sanctions (among other things suspension or cancellation of an exchange’s license), freezing, seizure, and confiscation of the proceeds of crime associated with crypto exchanges’ activities.
Difficulties while applying the AML/CFT rules to DEXs
Returning to the issue of imposing AML/CFT requirements on DEXs, we will now identify possible hurdles that regulators can encounter in this regard:
- There may be no obvious jurisdiction in which a DEX is based because its infrastructure (servers) is spread across different countries with no central operating system. This can become an obstacle for registration and identification of appropriate supervisors for such an exchange.
- As no central authority or administrator can be identified in a DEX, there could be no one to regulate. No responsible person is in charge of verifying its users by asking them to provide KYC documents, or of extracting the users’ information from databases upon an authority’s request.
- Another important aspect is that a DEX is non-custodial software and does not hold or control users’ funds (unless it is done by smart contracts). Therefore, without access to the funds, it cannot freeze or refuse to accept them, or otherwise interfere in the p2p trading process.
Possible Interpretation of the FATF Guidance
According to the FATF Guidance, crypto exchanges can “exist in various forms and business models”. When identifying whether a crypto exchange falls under the category of a VASP and consequently under the AML/CFT regulations, the following can be taken into consideration:
- the financial activities that an exchange facilitates and nature of its functionality;
- whether financial activities are facilitated actively as a business and on behalf of another person; and/or
- whether an exchange has a certain degree of custody or control of the virtual assets of customers.
The FATF Guidance raises the issue of ‘peer-to-peer trading platforms’. It specifies that “Depending on a jurisdiction’s national legal framework, if a VA [virtual asset] trading platform only provides a forum where buyers and sellers of VAs can post their bids and offers (with or without automatic interaction of orders), and the parties themselves trade at an outside venue (either through individual wallets or other wallets not hosted by the trading platform…), then the platform may not constitute a VASP… However, where the platform facilitates the exchange, transfer, or other financial activity involving VAs…, including by purchasing VAs from a seller when transactions or bids and offers are matched on the trading platform and selling the VAs to a buyer, then the platform is a VASP conducting exchange and/or transfer activity as a business on behalf of its customers.”
Based on this understanding, when a DEX provides only communication services to support the exchange process (like a meeting place), it can be released from KYC reporting obligations. For example, Decred DEX presents itself as a ‘no KYC’ exchange. According to its documentation: “trades are performed directly between users through on-chain contracts with no actual reliance on DEX, though swap details must be reported both as a courtesy and to prove compliance with trading rules.” Market orders are routed from client-to-client through users’ full nodes (e.g., dcrd and btcd). The Decred DEX does not have any intermediary token, nor does it collect transaction fees (except a one-time registration fee).
At the same time, an exchange can be deemed a VASP if it acts as an intermediary between customers by buying assets from one customer and selling them to the other. The question remains whether an exchange can be considered an intermediary facilitating the trading process when it allows trade on its platform only with wrapped tokens offered by the exchange. In the latter case, the wrapped tokens represent the customers’ crypto assets, while the real ones are stored on the exchange’s address. Besides, even if a DEX does not in any way control users’ funds, for AML purposes it is also essential to define whether an exchange is an actual crypto-trading business set up to facilitate trade for its users.
What DEXs can be referred to as a crypto-trading business?
Behind a DEX there is a team (founders, developers, etc.) that creates and maintains a trading platform and is interested in its project’s success. Supposedly, the possibility of identifying team members as responsible actors for AML purposes may depend on the team’s ability to influence the operation of an exchange (the degree of a DEX’s decentralization) and whether their activities are business-oriented. This can take the form of:
- access to a crypto exchange’s protocol by an individual or a small group who alone decides on the project’s development without seeking the community’s opinion, despite the declared decentralized nature of the exchange;
- accumulation of numerous tokens, usually through pre-mine, native to an exchange’s blockchain (which are created to enable cross-asset settlement and to be used for payment of transaction fees); or concentration of most masternodes in the hands of a few people.
Concerning this matter, it is interesting to note the position of the US Financial Crimes Enforcement Network (FinCEN), which requires crypto exchanges to be registered as money transmitters since they transact with convertible virtual currencies. According to FinCEN’s Guidance ‘Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,’ its regulations do not apply to a developer of a DApp (which does not have an identifiable administrator) in case of “the mere act of creating the application.” However, once the DApp is deployed, the developer can be qualified as a money transmitter if he/she uses the DApp to participate in money transmission. For example, as stated in section 4.4 of the said Guidance, if a DApp accepts and transmits value, including fees paid for the benefit of the operator in order to run the software, regardless of whether it operates for profit, such a DApp, its owners or operators may be subject to the money transmitter regulations and, therefore, be obliged to ensure AML compliance.
That being said, according to some US authorities, the fact that smart contract (code) developers merely created a DApp and that they are not in control of users’ actions with regard to the application (including the transfer of illicit funds) should not exempt the developers from the responsibility for AML compliance. In 2018, Commissioner Brian Quintenz of the Commodity Futures Trading Commission (CFTC) expressed a view that these developers may be held accountable for illegal activity if they “could reasonably foresee, at the time they created the code, that it would likely be used by US persons in a manner violative of CFTC regulations.”
In this regard, Adam Cochran, a partner in Cinneamhain Ventures, made a good point, saying that “The only thing that matters is: Do you make it easier for criminals in the US to exchange monetary instruments without applying the US standards of KYC/AML?”
The FATF Guidance provides an approach similar to the FinCEN’s rules on DApps: “Generally, a DApp user must pay a fee to the DApp, which is commonly paid in virtual assets, for the ultimate benefit of the owner/operator in order to run the software. When DApps facilitate or conduct the exchange or transfer of value (whether in virtual assets or traditional fiat currency), the DApp, its owner/operator(s), or both may fall under the definition of a VASP.” 
With respect to the paragraph quoted above, the following should be noted.
Firstly, many enablers used by DEXs can significantly simplify crypto swap procedures; but does this mean that they come under the category of exchange facilitation? For instance, Komodo’s DEX facilitates exchange by providing its users with access to the servers which store cryptocurrencies’ ledgers. Without it, in order to trade crypto assets, users have to launch on their computers full nodes/wallets for the coins they want to swap, as well as download and store the entire blockchain’s history (the latter needs to be done to use the Decred DEX). This requires much computer memory and user time to update blockchain data.
Secondly, an entity or an individual that makes a profit out of the exchange operation (e.g., transaction fees) may be seen as in charge of meeting AML requirements. Transaction fees usually go to a DEX’s masternodes, which run the DEX’s software by matching orders and/or broadcasting settled transactions in the network. However, it is unclear whether the ‘operators’ in the quoted paragraph refer to masternode operators, the number of which can reach thousands in some blockchains. While a true DEX runs on the organized efforts of all masternode operators, these operators on their own do not seem able to meet the DEX’s regulatory obligations, as all decisions related to the exchange are usually taken by a majority of their votes. Besides, a masternode operator can sell rewards received from transaction fees and, therefore, refrain from DEX management.
In many blockchain projects, governance is handed over to holders of tokens native to their protocols. By voting, the token holders can launch initiatives and implement proposals of the community. For example, this can be the designation of an entity that would deal with KYC/AML issues on behalf of a DEX. Nevertheless, token holders are presently not legally bound to vote or otherwise stay up to date with a DEX’s activities. Notably, Uniswap, which currently runs no KYC/AML procedures, covers all possible scenarios by stating in its blog that “UNI holders are responsible for ensuring that governance decisions are made in compliance with applicable laws and regulations.”
Many questions and much speculation remain concerning the terms contained in the FATF Guidance (such as ‘operators,’ ‘to facilitate the exchange,’ ‘transfer of value,’ etc.) and the possibility of applying them to DEXs’ activities. DEXs themselves and the related legal framework are still in their infancy. In the long run, it can be anticipated that countries will determine KYC/AML rules for the crypto industry (and perhaps particularly for DEXs) operating under their jurisdictions. However, due to some uncertainty in the legal environment, in order to avoid risks, some DEXs have already imposed different levels of KYC procedures.
DEXs imposed KYC to play it safe
In light of the regulators’ approach that DEXs can be subject to the existing laws applicable to CEXs and fines for non-compliance, some DEXs responded by implementing KYC/AML procedures to comply with these requirements, a movement described in the media as ‘anticipatory compliance.’
For example, in 2018, IDEX, a non-custodial crypto exchange with an off-chain order book, introduced KYC policies, explaining in its blog that: “Decentralization exists on a spectrum, and unless your system or application lacks any centralized parts it can be subject to regulation.”
Earlier that year, the crypto swap platform Shapeshift also adopted the KYC model. By way of comment, its founder Erik Voorhees said that KYC was not imposed “as a result of any enforcement action, but rather as a proactive step to de-risk the company amid uncertain and changing global regulations.”
Another example is Komodo’s AtomicDEX. AtomicDEX was initially launched as permissionless; however, in 2020, Komodo’s team announced the forthcoming integration of KYC/AML compliance into the platform. The decision was based on changes in compliance laws and regulations in the EU and the USA, as well as recent legal actions against the developers associated with some crypto exchanges (e.g., BitMEX case). At the same time, the source code of AtomicDEX is open source software (OSS) and is designed to be publicly accessible, so anyone can see, modify, distribute and use it as they see fit.
To sum up, there is currently no uniform or widely accepted approach to the application of AML/CFT regulations to DEXs, or to whether a DEX can be fully exempted from these regulations. This situation is further complicated by the absence of a clear definition of what properties a true DEX should have. Indeed, it is arguable whether, despite the name, a DEX really exists and whether it is possible to eliminate all centralized elements from a platform’s operations (including to ensure fee-free transactions). In fact, most non-custodial crypto exchanges represent themselves as decentralized, while exercising control over the trading process and the listing of crypto assets on their platforms. Many of these DEXs observe AML/CFT regulations and already have KYC standards in place similar to centralized exchanges. Others did not introduce KYC procedures, as doing so could cast doubt on their decentralized nature and ward off many users, reducing liquidity, which in many order-book DEXs is poor even without it.
In view of the development of financial crime prevention regulations for the crypto industry taking place worldwide and the growing number of penalties imposed in some jurisdictions for failures to comply with these regulations (including in relation to DEXs such as Etherdelta), it can be concluded that in the not-too-distant future DEXs of any type may be subject to KYC procedures in one way or another. This is particularly so as some automated solutions, known as oracles, executed by smart contracts and tailored to enable DEXs to comply with aspects of the AML/CFT requirements, have already appeared on the market. For example, the AMLT Oracle developed by Coinfirm is designed to provide a DEX platform with an AML risk score for a transaction or wallet. This model also implies addressing the issues by “a centralized repository of checked addresses with connected KYC information” and freezing illicit funds, preparing suspicious activity reports, and submitting relevant information to the regulators. It remains to be seen whether such solutions prove effective in practice.