Cryptocurrency brought us peer-to-peer payments that continue to elevate participation in the global economy for millions of people without access to traditional banking services. The rise of decentralized finance (DeFi) promises to further expand access to financial services, including savings, lending, derivatives, asset management and insurance products.
This innovation, which empowers financial inclusion, should be allowed to flourish in a regulated environment where individuals and institutions are protected and suspicious activity is identified and reported. But how do you regulate these decentralized products without completely removing the core attributes of financial inclusion and decentralization?
Know Your Customer (KYC) procedures are a critical function to assess risk and a legal requirement to comply with Anti-Money Laundering (AML) laws that vary by jurisdiction. Most of these AML laws are instituted for good reasons: to deter criminals by making it harder for them to launder money obtained through illegal activities (e.g., human or drug trafficking, terrorism, etc.). AML regulations require financial institutions to know the true identity of their customers, monitor transactions and report on suspicious financial activity.
Why regulators see DeFi as a major problem
Given that decentralized applications (DApps) have no central, controlling entity, there is little clarity around who is responsible for ensuring DApps, including DeFi applications, adhere to existing laws and regulatory requirements. Let’s say a ransomware attacker uses a decentralized exchange (DEX) to launder their stolen funds. Who is responsible for reporting their transactions? Who goes to jail or pays the fine for a failure to report? The members of the decentralized autonomous organization (DAO) who govern the DApp? The developers who wrote the code?
Though these questions remain mostly unanswered, the global anti-money-laundering watchdog, the Financial Action Task Force (FATF), recently proposed guidelines making it clear that “The owner/operator(s) of the DApp likely fall under the definition of a VASP [virtual asset service provider] […] even if other parties play a role in the service or portions of the process are automated. […] The decentralization of any individual element of operations does not eliminate VASP coverage if the elements of any part of the VASP definition remain in place.”
This suggests that DApps (DEXs and other DeFi applications) will be responsible for complying with country-specific laws enforcing FATF, AML, and Counter-Terrorism Financing (CTF) standards.
The Bitcoin Mercantile Exchange (BitMEX) serves as an example: Though BitMEX is a centralized exchange, the enforcement actions taken against the platform’s founders by the Commodity Futures Trading Commission (CFTC) and the U.S. Department of Justice (DOJ) have implications for DeFi. The CFTC charged the operators with violating AML laws while the DOJ charged the founders with violating the Bank Secrecy Act (BSA). As a result, DeFi platforms offering financial products to United States residents would be required to register for appropriate operating licenses, with a failure to do so leading to potential enforcement action against identifiable founders/creators or operators.
Regulation vs. privacy: Are they really at odds?
Remember that regulations are currently aimed at businesses rather than individuals. So, your peer-to-peer transactions are not of great concern to regulators, unless you’ve laundered millions of dollars in cryptocurrencies and are funneling them through a crypto platform’s payment network. At that point, the exchange would be required to identify the transaction as suspicious and alert the regulatory body in their jurisdiction.
At this elevated phase of the investigation, if law enforcement requests certain personally identifiable information (PII) correlated with the transaction, the exchange is required to provide it. This is why centralized exchanges need users to complete KYC — so that they have this PII if it is requested. But, the vast majority of DEXs do not have fully compliant processes. Do DEXs need to dismantle the freedoms of our decentralized revolution to meet evolving compliance standards?
Putting users in control
By leveraging those selfsame values of user control and privacy that drew millions of people to crypto in the first place, we can empower users with the ability to selectively share PII when required and offer DApps a built-in identity layer that will help them achieve compliance goals. Though compliance is certainly more complicated in a decentralized environment, the effective use of digital identity to enable permissioned access to DApps is how we ensure the long-term viability of the greater crypto economy and financial inclusion for millions.
The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Christopher Harding is the chief compliance officer of Civic. After spending a decade with leading accounting firm KPMG in various risk management roles worldwide, he joined digital banking firm Lending Club where he developed, formalized and implemented new risk governance structures and risk management processes.