Is the lack of KYC in DeFi a feature or a bug? Pt. II

In part one, we explored how DeFi has evolved into a major sector of crypto without running KYC or AML checks on users. Part two will look at “Permissioned DeFi”—a collective effort to bring DeFi in line with financial industry-standard identity verification practices.

Enter permissioned DeFi.

If the activities of DeFi (lending, borrowing, trading, etc.) mirror traditional financial services, then the market opportunities might also mirror what we see in TradFi. If we wanted to map the opportunities presented by Permissioned DeFi onto a familiar model, it might look like this:

  • B2B—Institutions using DeFi protocols

  • B2C—End-users using DeFi protocols

  • B2B2C—Institutions offering protocol-enabled services to end-users

Here’s how permissioned DeFi could unlock growth along each of these axes.

B2B—Institutions using DeFi protocols

If regulators haven’t joined the DeFi party yet, you won’t see compliance-minded institutional investors there either. At least not without a designated driver.

Enter Aave. The DeFi protocol launched what they call “the first permissioned decentralized liquidity protocol”—called Aave Arc—in January 2022. It’s a new pool, separate from Aave’s other products, that focuses on Bitcoin, Ethereum, the stablecoin USDC, and the Aave token. Currently, the protocol partners with digital asset specialists Fireblocks (although other partners are under consideration) to perform due diligence on institutions. Once an institution is whitelisted by Fireblocks, they’re authorized to use the Aave Arc liquidity pools.

By some measures, Aave hosts the most value of any DeFi protocol, potentially making them a natural first partner for institutions. But a single protocol with a single whitelisting partner isn’t necessarily in the spirit of DeFi. Aave Arc is a parallel, permissioned system for institutions, which is by design segregated from the rest of DeFi. Permissioning the broader existing DeFi landscape would require actually running checks on end users. So the real question might be: who should run those checks? And how would they be compensated for the effort?

B2C—Users using DeFi protocols

As it stands, DeFi isn’t short on volume. Remember how hot NFTs were last year? The NFT market saw total sales of $17.6 billion in 2021. By comparison, DEXs—the DeFi equivalent of exchanges—saw over $1 trillion in trading volume in the same year.

To 10x that $1T with haste (which would place global DeFi at roughly 25% of U.S. stock market volume), DeFi will need to maintain a positive footing with regulators. The SEC has taken action against crypto in the last year—fining crypto lending firm BlockFi for $100M, for example—and Uniswap, one of the biggest DeFi protocols, is allegedly facing an SEC probe. SEC Commissioner Caroline Crenshaw wrote in 2021:

“DeFi participants’ current “buyer beware” approach is not an adequate foundation on which to build reimagined financial markets. Without a common set of conduct expectations, and a functional system to enforce those principles, markets tend toward corruption, marked by fraud, self-dealing, cartel-like activity, and information asymmetries.”

- Caroline Crenshaw, Commissioner, SEC

A viable defense could be for DeFi protocols to add a KYC, AML, and identity layer to their existing products. But there are other mechanics at play. If Uniswap, for instance, added an identity layer, it’s likely that a significant portion of their user base would migrate to a competitor. And competition is fierce. In fact, Uniswap sought a business source license to keep copycats from forking its new V3 product, which marked a departure from most of DeFi (which is largely open-source).

Copyright controls are now on the table. So why not identity controls? It’s already happening in some places—Yuga Labs (of Bored Ape fame) required a KYC check for its latest NFT project. If regulatory scrutiny mounts, we could see the emergence of a KYC-compliant DeFi market for users in less crypto-friendly jurisdictions. Protocols want to keep growing, but don’t want to be caught offside in the event of a crackdown.

B2B2C—Institutions offering protocol-enabled services to users

What if there was a way to take advantage of institutional competency in KYC, AML and compliance while granting end users access to all of DeFi?

If individual protocols don't want to perform KYC checks on users, an identity layer could be introduced at the point of wallet creation. “Wallet” in this case refers to self-custody services like MetaMask or Coinbase Wallet, which let users interact with the blockchain while keeping total control of their assets. Currently, wallet activity is transparent, but individual wallets are pseudonymous. In other words, anyone can see what a given wallet is doing, but no one can see who owns that wallet.

Curiously, Coinbase requires KYC for its brokerage product but not for Coinbase Wallet (which we tested by spinning up a fresh one). A feature exists allowing users to link their brokerage account to their wallet, which presumably attaches the user’s brokerage credentials to the wallet they’re using. So a user who’s gone through this process is in effect using Permissioned DeFi.

Alternatively, institutions could follow the “CeFi” model pioneered by the likes of Celsius, BlockFi, and These firms offer an easy-to-use frontend where users can deposit and earn interest on cryptocurrency. On the backend, the firms use those deposits to issue complex DeFi loans, which generate yield. For instance, a 10% yield (which is commonplace in DeFi) allows a firm to offer 6% interest to depositors with a ~4% margin. This is called net interest margin or NIM, and it’s how commercial banks make money.

In a nutshell: CeFi = Banks of DeFi.

And like banks, CeFi platforms require users to pass KYC and AML checks.

But if NIM is what commercial banks do best, why aren’t they jumping into CeFi? Simply put, regulators have been hawkish. In response to the SEC’s action against BlockFi in February 2022, CeFi providers were forced to halt onboarding new U.S.-based customers, and as of today, we have yet to see a regulated crypto yield product make it to market. It’ll take time for the regulatory dust to settle around these products, and until then, institutions have no way to assess the risk of offering them to users.

KYC and other identity controls could reshape DeFi as we know it by allowing regulated entities to participate, both directly and as intermediaries. If that’s what the space needs, then an identity layer may be the right solution.
