Regulations for Decentralised Finance (DeFi)

Does AML/KYC apply to DeFi projects?


  • Under the FATF's March 2021 draft of updated guidance, non-custodial software wallets, multi-sig services, and software-based decentralized exchanges are considered VASPs (and therefore subject to AML/CFT requirements), based on the draft's definition: "engage as a business in facilitating or conducting the activities".

    Owner/operator test to determine if business is a VASP

    In the update released in Oct 2021, FATF introduced the owner/operator test and removed the term ‘facilitate’ for determining whether an entity/individual involved in a DeFi arrangement is a VASP. The FATF has stated that “creators, owners, and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services”.

    Examples (non-exhaustive) include exercising sufficient influence over the assets or service protocol and the existence of a business relationship between the owner/operator and the consumer (regardless of whether it is exercised through a smart contract or voting protocols). Additionally, the FATF suggests that countries take other factors into account to identify the owner/operator of a DeFi arrangement, such as whether any party can set or change parameters and whether any entity or individual is profiting from the service being offered.

    DeFi applications (dApps) are not VASPs as the FATF standards do not apply to the underlying technology. Therefore, software developers creating or selling dApps on VA platforms will not be considered VASPs, unless they specifically use the dApp/platforms to engage in VASP functions, as a business on behalf of others.

    Further, the FATF guidance has clarified that individual governance token holders do not fall under the definition of a VASP; the AML/CFT obligations lie with entities exercising control or sufficient influence over the DeFi platform. However, if individual token owners satisfy the owner/operator test, they may be considered VASPs.

    The FATF has stated that even if a DeFi project has no owners or operators, countries may require that a regulated VASP be involved in the DeFi project’s related activities.

    According to King & Spalding (November 23, 2021):

    Despite the challenges in regulating cryptocurrency and DeFi, regulators are nonetheless quickly implementing rules. ... the United Kingdom’s Cryptoasset Task Force has issued guidance requiring that all digital asset businesses must comply with all existing AML regulations. The UK is also requiring that all entities engaged in “digital asset activity” register with the Financial Conduct Authority by March 31, 2022.

    In Singapore, crypto businesses are regulated based on their activity. The Payment Services Act (PSA) covers crypto exchanges.

    P2P transactions considered high risk

    Peer-to-peer (P2P) transactions, though not explicitly subjected to AML/CFT controls under the FATF standards, are also of concern as the FATF has restated that self-hosted wallets present higher AML/CFT risks.

    The travel rule applies even if there is no originator or beneficiary institution. The beneficiary VASP must still collect the required information with respect to its customer, and jurisdictions should consider requiring VASPs to treat such VA transfers as higher-risk transactions that require enhanced scrutiny.


    Co-written by Merkle Science & FinReg