Sanctions Tornado

What is certain? Death, taxes… and, IMO, regulatory efforts against crypto projects will not slow down. Although there is more uncertainty than certainty when it comes to what it means for DeFi and other crypto projects to show good faith adherence to applicable laws, two facts certain to me are 1) taxes and anti-fraud are important bellwether issues and 2) we are moving towards global alignment of expectations and enforcement.

If a project can develop and commit to a strategy that focuses on the knowns instead of the unknowns, they can avoid predictable surprises and mitigate risk and disruption.

What is known? If a project is fully and legally decentralized, they are operating with less regulatory risk. On the other hand, if a project aspires to become decentralized, they are in a risky posture. What I believe is also known, or certain, is that regulators will achieve their stated objectives indirectly if direct actions are not available or practical. For example, if regulators cannot rely on clear authority through laws, rules and regulations, as they have done in traditional finance, they will advocate standards through enforcement cases and informal guidance. This may be an unfair approach; however, there is precedent for this signaling strategy and it is not wholly unexpected after recent indications through speeches, proposed rules, investigations, and enforcement cases, particularly after Celsius and recent hacks that have been designated as national security and economic resiliency risks.

Rather than only lament about the need for a change or wait for regulatory authority to be certain, projects should also adopt smart risk-based controls to meet current expectations. Now is the time to consider which vendors can help you and how a project can collaborate and build its own risk program, so it can limit reliance on vendors and sharing information.  It is important to call attention to overreaching and inappropriate regulation by enforcement, but it is also important to plan for the new normal until there is formal legal certainty.

So what does this specifically mean for projects trying to manage risks? 

In addition to inventorying the knowns that are relevant for your project, I’d offer that you need:

  • To be agile, and to expect that developments will continue.
  • To expect that the pressure will increase, not go away.
  • To educate yourself and secure advisers who can help you build your own risk-based controls, such as sanctions screening, that you’re comfortable with.

The Tornado Cash matter is not a total surprise for a number of reasons. In addition to regulation by enforcement, regulators target pressure points, such as mixers, in order to be efficient. Regardless of fairness or authority, in this case, they are sending a clear message that any entity that is facilitating fraud is fair game.

“While most virtual currency activity is licit, it can be used for illicit activity…” — OFAC press release

They do not consider this action as simply banning and sanctioning open source code on the internet.

“Despite public assurances otherwise, Tornado Cash has repeatedly failed to impose effective controls designed to stop it from laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks” — OFAC Notorious press release

Industry pushback on scope, approach and authority should not be the only focus. Projects should also focus on fixing any unintended consequences of the recent addition to the sanctions list. Use of sanctions vendors should be audited and adjusted to adhere to requirements and to eliminate false red flags, such as blocking a wallet that was the victim of dusting (unsolicited transfers of small amounts sent from a listed address to wallets that never interacted with it).


How can projects adjust?

Consider these 4 takeaways:

  1. Vendor help is only step 1: A vendor only provides info. Projects make the decisions about use of the tool. Projects should review and check vendor rules. Vendors make mistakes or use standards that don’t fit every project. Users should manage the vendors.
  2. Investigate, instead of block, where possible: Projects can shift from blocking every wallet that hits a list to investigating hits and blocking only wallets whose activity is actually prohibited.
  3. Calibrate the approach. Be risk-based: Projects can apply de minimis thresholds, when appropriate, before blocking, and plan to recalibrate the tools as lists and expectations change.
  4. Create an escalation and appeal process that quickly addresses false positives: When there is a new addition to a list or a new requirement, there will be implementation issues. If a beta or pilot isn’t possible – be prepared to address feedback.
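The four takeaways above describe a decision procedure, so here is what it looks like as screening logic. This is an added example, not code from the post or from any sanctions vendor: the addresses, the de minimis threshold, the three decision categories (allow / investigate / block) and the case record are all assumptions chosen to illustrate the approach. The key distinction it encodes is that a wallet which merely received dust from a listed address is flagged for review, while a wallet that sent funds to a listed address, or is itself listed, is blocked.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample sanctions list: placeholder addresses, not real OFAC entries.
SANCTIONED_ADDRESSES = frozenset({"0xSANCTIONED_A", "0xSANCTIONED_B"})

# Hypothetical de minimis threshold (in the native asset). Unsolicited inbound
# exposure at or below this is treated as probable dusting, not blocked activity.
# A real program sets this per asset and documents the rationale.
DE_MINIMIS = Decimal("0.01")


@dataclass(frozen=True)
class Tx:
    sender: str
    receiver: str
    amount: Decimal


@dataclass
class Case:
    """Escalation record for every decision that is not a clean 'allow'."""
    wallet: str
    decision: str          # "block" or "investigate"
    reason: str
    exposure: Decimal      # amount moved to/from listed addresses
    status: str = "open"   # "open" -> "cleared" or "confirmed" after review


def screen_wallet(wallet: str, history: list[Tx],
                  sanctioned: frozenset[str] = SANCTIONED_ADDRESSES,
                  de_minimis: Decimal = DE_MINIMIS) -> tuple[str, str, Decimal]:
    """Risk-based screening: returns (decision, reason, sanctioned exposure)."""
    # 1. The wallet itself is a listed address: nothing to investigate.
    if wallet in sanctioned:
        return "block", "wallet is a listed address", Decimal(0)

    # 2. Outbound transfers to a listed address are the wallet's own conduct.
    outbound = [tx for tx in history if tx.sender == wallet and tx.receiver in sanctioned]
    if outbound:
        sent = sum((tx.amount for tx in outbound), Decimal(0))
        return "block", f"sent funds to listed address {outbound[0].receiver}", sent

    # 3. Inbound transfers from a listed address were not initiated by this wallet.
    inbound = [tx for tx in history if tx.receiver == wallet and tx.sender in sanctioned]
    received = sum((tx.amount for tx in inbound), Decimal(0))
    if not inbound:
        return "allow", "no direct exposure to listed addresses", received

    # 3a. At or below de minimis: consistent with dusting. Flag it, do not block.
    if received <= de_minimis:
        return "investigate", "inbound dust from listed address; likely dusting victim", received

    # 3b. Material inbound exposure still gets a human look before any block.
    return "investigate", "material inbound exposure from listed address; manual review", received


def screen_batch(wallets: dict[str, list[Tx]]) -> list[Case]:
    """Screen many wallets and open a case for every non-allow decision."""
    cases = []
    for wallet, history in wallets.items():
        decision, reason, exposure = screen_wallet(wallet, history)
        if decision != "allow":
            cases.append(Case(wallet, decision, reason, exposure))
    return cases


def resolve_case(case: Case, confirmed_blocked_activity: bool) -> Case:
    """Record the outcome of escalation/appeal so each decision is auditable."""
    case.status = "confirmed" if confirmed_blocked_activity else "cleared"
    return case


# Constructed sample histories (not real on-chain data).
SAMPLE = {
    "0xVICTIM": [Tx("0xSANCTIONED_A", "0xVICTIM", Decimal("0.001"))],  # dusted
    "0xSENDER": [Tx("0xSENDER", "0xSANCTIONED_B", Decimal("2"))],      # paid a listed address
    "0xCLEAN":  [Tx("0xCLEAN", "0xOTHER", Decimal("5"))],
    "0xBIGIN":  [Tx("0xSANCTIONED_A", "0xBIGIN", Decimal("3"))],       # material inbound
    "0xSANCTIONED_A": [],
}

if __name__ == "__main__":
    for c in screen_batch(SAMPLE):
        print(f"{c.wallet:16} {c.decision:12} {str(c.exposure):>8} {c.reason}")
```

Run as-is, it prints one case per flagged wallet: the dusted wallet and the wallet with large inbound exposure land in "investigate", while the wallet that paid a listed address and the listed address itself are blocked; the clean wallet produces no case. The `Case.status` field is where the escalation and appeal outcome is recorded, which is the audit trail a project needs when it later has to explain why a vendor hit was cleared rather than acted on.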

To recap – the topic is complicated and elicits strong opinions and discourse. IMO projects should prioritize three next steps:

  • Decentralize further
  • Implement — Implement a governance, risk and compliance (GRC) program. Don’t wait for more certainty about explicit laws.
  • Commit to ‘Need to Know’ — Protect privacy of users, but don’t fight the current expectations to address sanctions and anti-fraud. There is a big gap between web2 data collection with use of data to grow a business and DeFi data collection of only data that is needed to reasonably protect contributors and follow applicable sanction laws. Limited collection and use still protects users’ privacy. We will need to smartly tackle how to address the practical implications of the conflict between protection of privacy and protection from fraud.