Today’s “Gensler for a Day” is Michael Shaulov, CEO of decentralized finance (DeFi) infrastructure and custody firm Fireblocks. Fireblocks occupies an extremely interesting position in the DeFi ecosystem: Late last month, it was proposed as the first “whitelister” for Aave Arc, a version of the Aave DeFi protocol aimed at serving institutions. That means higher regulatory compliance, including permissioned access to reduce or eliminate users’ risk of entanglement with money laundering or other malfeasance.
This interview is part of CoinDesk’s Policy Week, a forum for discussing how regulators are reckoning with crypto (and vice versa).
As a DeFi professional who’s very focused on compliance, what’s your wish list for DeFi regulation?
I would like to see basically four important areas addressed. The first one is around the legitimacy of [each] protocol and what it does. All the disclosures [should be] provided for users, in a way that they can understand. Right now, you have to go read the white paper, which can be very very technical. I think there’s a middle ground.
Second is the risk controls of the protocols. How much auditing is being done, what are the amounts that can be deposited based on different audit levels. Not to restrict people from developing and launching things – if someone has a clever idea, they can launch something without spending a lot on the audit. But there need to be some limits on the risk.
The third aspect is really around anti-money laundering (AML). I think it is very important, because we don’t want to see this thing leveraged by bad actors to do things that are objectively bad for humanity. The solution for that is a kind of “soft KYC [know-your-customer]” rule. Let’s say you have KYC with Binance and they give me a token that says I was KYC’d, you’re in this jurisdiction and you’re a high net worth individual. And then if I want to work with Aave, for example, they can query that token. They don’t know it’s Michael Shaulov, but they can get an attestation that I was certified, and they can certify some parameters about my identity.
Then the fourth element is around custody, the whole interaction with the protocol that I think right now is very limiting. Right now there isn’t a definition for institutional investors as to how you’re supposed to interact with it. I think there need to be technical regulations that establish the rails and protection.
Let’s go deeper on KYC/AML issues. One major feature of DeFi for some users is anonymity and privacy. Can we preserve individual user anonymity in any way as we move towards more regulated DeFi?
There are basically two approaches. One is [what you see with] Aave Arc, which is where there is KYC on all participants. I think this is an overcorrection [that’s useful] for the time being.
I think what will happen over time is some form of soft KYC, where there is a token, or some sort of identification that the wallet has been screened. It [might] provide some sort of KYC score for that particular wallet. There will be some sort of rules in the DeFi protocols that represent regulatory constraints on what you can do with certain tokens.
An example might be with banks right now. If you do a transaction under [a certain threshold], nobody is going to be looking at that. There might be something similar that allows anonymity at very small amounts, but you would have to obtain a higher and higher level of scoring that would be provided by different KYC providers. And based on that you can do certain things.
I think it is important to maintain an open infrastructure. What’s happening right now from a KYC perspective in CeFi [centralized exchanges and services] is, if you open an account with Binance you have to provide them details, then do the same thing with Coinbase or Gemini.
It’s not just annoying from a user perspective, it increases [security] risks … Most of the data breaches in the crypto space are actually KYC and user information that’s stolen. There is [also] a relationship between KYC and new data regulations. Right now the KYC regulations around crypto are completely conflicting with [Europe’s] General Data Protection Regulation (GDPR).
While some will actively choose to be regulated, do you think other DeFi systems will choose to continue operating in an unregulated way?
I think it will eventually be hard. Right now, the problem is that there isn’t any applicable regulation. You don’t have some reasonable middle ground that was purpose built for the technology, for the use case. Right now, either you take regulation from the 1940s and try to interpret it for 2021, or you basically are saying it’s irrelevant, so there’s no regulation.
My view is that at the end of the day the regulators work on behalf of the people. If DeFi [becomes] a very important aspect of our day-to-day lives from a financial standpoint, the regulators will have to make an applicable framework that is reasonable and relevant. And by that I mean the service providers, DeFi protocols, will have to comply, but they won’t have to break the bank for five years to earn a license.
Clearly a lot of the rhetoric around DeFi has to do with democratizing and decentralizing governance. In the real world, though, there are pretty obviously small groups of individuals running most protocols. Where do we go from here in terms of who’s really in charge?
We’re currently going through a governance proposal with Aave Arc, and it’s a very interesting experience. I think that in many ways that will be the way to go – decentralized governance. I think there will be some regulation on that, because how do you actually [set standards], make sure the minority isn’t being abused?
Right now a lot of control lies with VCs [venture capital firms], and you can have some risk of manipulation. For example, if they go to the market and buy all the governance tokens to pass a resolution, that’s manipulation, and it should be illegal, in the same way they currently have rules against market manipulation in traditional markets.
But the advantage of decentralized governance is that it actually crowdsources the efforts of the regulators or enforcement. If there’s a regulation, people will start asking, “Why are [we] offering to do XYZ if it’s not in compliance with regulation?” They’re basically outsourcing the vetting process.
Centralized exchanges have used geofencing to comply with regulation, but that’s been shown to be very flawed. What role will geography have in DeFi regulation?
They’ll need to approach it the same way they approach the internet, because it’s effectively the same thing. Whether [traffic is] going to Web 3 or Facebook, you don’t know.
At the extreme side is China – with the Great Firewall, they can decide what to block and what not to block. I don’t think any of that is aligned with Western values. I don’t think that will be perceived as a reasonable practice in any Western jurisdiction. And it would require an investment in technology similar to the Great Firewall.
This is a really big challenge for regulators. Because it’s not only that money transmission laws are very local, it’s that they’re used by nations to enforce sanctions. Those regulations are built to be used as a political weapon. Once you lose that capability, it becomes a challenge, that’s pretty clear.
Who’s supposed to dictate for the majority of the Western world how the regulation looks? Is that some kind of multinational body, and then it boils down to specific laws in each country? It’s possible. It might not be different from some of the international laws you see around child pornography, where you have an international body that’s restricting that globally on the internet, and every country adopting some form of that.