In the past years, the crypto-asset ecosystem has seen an increase in products, services and business models, as well as the increased use of automation to perform a number of services. Decentralized Finance (“DeFi”), which is the term commonly used to describe the provision of financial services via software build on the blockchain or another distributed ledger (decentralized application or “DApp”), is among the key players leading this evolution, challenging the core characteristics of traditional finance as we know them.
This evolution has also given rise to concerns of money laundering, terrorist financing, fraud and market manipulation risks stemming from the decentralized nature of the transactions, the anonymity governing most of them and the operation of this sector taking place outside of a traditional regulated financial system.
To address the money laundering/terrorist financing risks on a European level, the European anti-money laundering/terrorist financing (“AML/CFT”) regulatory framework has expanded, and crypto-assets activities are already covered under the 5th AML Directive (the “AMLD5”), while a new EU AML/CFT package has already been proposed.
On a national level, the amended AML/CFT Law was published in the Official Gazette of the Republic on 23 February 2021. The Cyprus Securities and Exchange Commission (“CySEC”) is the supervisory authority responsible for overseeing the activities of service providers and their compliance with AML/CFT laws.
The applicability of the AML/CFT legal regime relies upon the identification of an obliged entity; in this context, the entity engaging in crypto-asset activity and/or providing crypto-asset services in accordance with the definition of Crypto-Asset Service Providers (“CASPs”) provided in the law, who will be the entity obliged to comply with the obligations imposed by the AML/CFT laws. The CASP definition will not be reproduced in the present article.
Depending on the activity carried out or services provided, a DeFi arrangement may qualify as a CASP, and consequently fall within the sphere of compliance with the AML/CFT law. In such case, determining the obliged entity can be a complicated task, due to the decentralized model on which these arrangements are based upon, and the use of automation on which they frequently rely to operate.
To aid in the interpretation and application of the AML/CFT framework on crypto-assets and CASPs, the Financial Action Task Force (“FATF”) has issued an updated guidance in October 2021 (the “FATF Guidelines”) and CySEC has encouraged interested parties to consult these when assessing the applicability of the AML/CFT obligations to their business model. It is noted that the terms ‘virtual asset’ and ‘virtual asset service provider’ are used in the FATF Guidelines; for present purposes the terms crypto-asset and CASP, respectively, are being used instead.
The FATF guidelines provide some general indicators which can be considered when assessing whether a provider is the person obliged to comply with AML/CFT obligations. These indicators include, but are not limited to, the following:
With regard to DeFi arrangements specifically, the FATF Guidelines recognize that a DeFi application, that is, the underlying software, is not a CASP in accordance with FATF standards, as these do not apply to software or technology. Despite this, it is possible for persons such as creators, owners and operators of such applications to qualify as a CASP, if they are found to be providing or actively facilitating CASP services. Their classification or not as the obliged entity for AML/CFT law purposes will be based on whether they maintain control or sufficient influence over the arrangement.
Owners or operators are often distinguished by their relationship to the activities undertaken by the arrangement. Control or sufficient influence may be exercised in a number of ways, for example, setting parameters, holding an administrative key, retaining access to the platform or collecting fees or realizing profit.
It is emphasized that a person may be found to be exercising sufficient control or influence over a DeFi arrangement even in instances where other parties are involved in the provision of the service, or where part of the process is automated.
The FATF Guidelines make it clear that the use of an automated process such as a smart contract to carry out the services does not relieve the parties of responsibility to comply with their AML/CFT obligations, as the determination of the applicability of the law needs to take into account the lifecycle of the product or service.
In practice, this means that, launching a product that will be providing CASP services, even if the services will proceed to function automatically in the future, does not relieve the provider of its obligations. This is especially the case where the provider will continue to maintain some sort of control or influence on the arrangement, in accordance with the indications listed above.
By extension, this provision applies to DeFi arrangements as well, since there may be control or sufficient influence exercised over assets or aspects of the operations of the application, as well as an ongoing relationship with contracting parties, exercised through smart contracts.
To illustrate the above, let us look at a simplified example of a DeFi arrangement that facilitates transfers of crypto assets from one person to another, a service that falls under the CASP definition. This can be in the form of providing payment services in crypto assets to other providers. The arrangement will function on a DApp that someone has developed. As it has already been stated, the mere fact that someone is a developer or owner of a DApp used to offer CASP services does not automatically result in them falling within the CASP definition.
The transfer of crypto assets in this example may take place automatically. In the event that the transfer takes place as part of the provision of payment services offered to another provider, there may be in place a smart contract between the provider and a third-party, which triggers the transfer of crypto assets in specific occasions (eg. a standing order has been set up to facilitate monthly payments from the third party to the provider for services offered, such as a monthly subscription).
In this scenario, the developer or owner appear to have no involvement in the provision of the service, as the DeFi arrangement is backed by decentralized software, and the transfers are automatically executed. So how can control or sufficient influence be established in this case? By referring back to the indicators outlined in the FATF Guidelines, it is possible that the owner/developer retains control of the arrangement by, for example, maintaining a central server through which keys are obtained to gain access to the DApp, and access is conditional on their approval. Other examples could include events where the owner/developer maintains a contractual relationship with the providers to which the service is offered, and collects fees for the provision of this service, or events where the owner/developer has the power to determine and alter the DeFi arrangements terms of operation, characteristics or parameters.
It is emphasized that the above indicators and examples are merely illustrative, and each individual business model is to be assessed on a case-by-case basis in order to evaluate the applicability of legal requirements.
The content of this article is valid as at the date of its first publication. It is intended to provide a general guide to the subject matter and does not constitute legal advice. We recommend that you seek professional advice on your specific matter before acting on any information provided. For further information or advice, please contact Christiana Constantinides, Associate, Limassol office, telephone number 25363685 or email Christiana.Constantinides@kyprianou.com.