
Is the lack of KYC in DeFi a feature or a bug? Pt. I


Over the past two years, Decentralized Finance (or DeFi) has grown from an Ethereum-based experiment with less than $1B in liquidity into a full-blown ecosystem supporting $200B+ of value across dozens of blockchains. During this time, market participants have traded, lent, borrowed, staked, and farmed thousands of different tokens freely, with no KYC, AML, or even CIP information required to engage in financial activities ranging from basic swaps to complex, multi-step transactions. What could go wrong?

[Figure. Source: DefiLlama]

Meanwhile, institutional investors have begun to show real interest in the space. This has led to efforts toward Permissioned DeFi—a world of decentralized financial services (much like the existing one) but with a layer of KYC, AML and other compliance measures on top. This could allow institutions to enter DeFi securely and with reduced compliance risk. It could also open the DeFi floodgates by granting regulated institutions the ability to legally offer DeFi products to end-users—potentially injecting a trillion dollars into DeFi in the process.

Does the future of DeFi depend on KYC? No one’s really in a position to answer that yet. However, we are here to ask (and potentially answer): would KYC requirements lead to a safer, more compliant DeFi? Or is the conspicuous lack of KYC in this space actually part of the magic? Note: this is part one of a two-part series.

Why do we need KYC in the first place?

It’s a fair question! The first thing to note is that by law, financial institutions operating in the U.S. must follow KYC and AML guidelines. Those found to be out of compliance face fines potentially amounting to hundreds of millions of dollars. Regulators aren’t shy about imposing these fines, either—so from a risk standpoint, staying in compliance is a no-brainer for regulated FIs.

It's also important to note: KYC and AML regulations exist for a reason. In the wake of 9/11, it was decided that existing KYC regulations (first passed in the ‘90s) should be bolstered to improve their effectiveness against terrorism financing. Title III of the Patriot Act was designed for this purpose, and in effect demands that institutions keep a closer eye on the individuals, organizations, and accounts they do business with.

Do these regulations actually work? The answer to this depends on a number of factors. But assuming the rules function as intended, it stands to reason that stricter requirements do disrupt bad actors’ efforts to launder money and fund crime. Conversely, absent KYC and AML regulations, anyone—terrorists and criminals included—enjoys a free hand to open accounts and move money as they wish.

How has DeFi gotten this far without KYC?

Thus far, the brief wondrous life of DeFi has unfolded with little regard for the kinds of KYC and AML requirements that apply to regulated financial institutions. But essentially, DeFi consists of the same financial activities that take place in the traditional finance world. According to the Ethereum Foundation, DeFi allows users to:

  • Transfer money
  • Borrow money
  • Lend money
  • Save funds and earn interest
  • Trade
  • Purchase insurance
  • And more.

Sound familiar?

Although these activities mirror much of the action in traditional finance, DeFi is built to be self-directed. Instead of giving their funds to a depository institution (like a bank), users possess a “seed phrase” (like a password), which they use, in combination with a wallet (like an interface), to interact with the blockchain where their account balance is actually recorded. When a user engages with a DeFi protocol, there’s no institution acting on their behalf—the funds simply move from one place on the blockchain to another according to the user’s instructions.

In other words, the intermediary party (who would traditionally be responsible for KYCing users) is, by design, disintermediated.

DeFi isn’t a total black box, however. Blockchains are immutable ledgers, meaning that every transaction, once executed, is recorded for all to see and cannot be changed. So if an individual’s wallet address is known, anyone can see past transactions and monitor ongoing activity.

In theory, this built-in transparency should act as a check on fraud. If every account and every transaction is visible, clear as day, doesn’t that mean we can see who the bad actors are? Not quite. Remember: it’s a pseudonymous system without KYC, so while we can look up individual wallets along with all their past activity, there’s no identity attached. Attaching a real identity to a crypto wallet can require some combination of luck, carelessness, and someone being motivated to go digging:

[Figure. Source: @zachxbt]

So: without a formal KYC process, activity on the blockchain is traceable, but in most cases not attributable to any person or group. A KYC mechanism could attach real identities to wallets, thereby deterring fraud and making it easier to punish bad actors. But this raises further questions: who should do the punishing? And exactly which laws should apply against which infractions? As of now, DeFi and the on-chain world more broadly don’t offer clear answers. But a new paradigm could be on deck—equipped with permissions and mainstream potential.

This new paradigm, known as Permissioned DeFi, is the subject of part two in this series.
