CEP Magazine - March 2023. Compliance in decentralized finance

Society of Corporate Compliance and Ethics (SCCE)

[co-authors: Sam Tyfield and PJ Di Giammarino*]


There has been a lot of discussion recently—across the globe—about how (or if) to regulate the decentralized finance (DeFi) industry. The term DeFi encompasses a broad range of activities and services, including, but not limited to:

  • Minting and trading nonfungible tokens (NFTs) and other types of tokens, including derivative instruments with tokens as their underlying asset;

  • Offering exchange-type facilities for NFTs and other tokens;

  • New types of business structures offering more traditional products and services, such as decentralized autonomous organizations (DAOs); and

  • Anti-money laundering and anti-fraud measures.

Some jurisdictions have made strides in the area. The European Union (EU) is close to launching its Markets in Cryptoassets Directive (MICA)—the DeFi equivalent of the securities and derivatives rules known as MiFID.[1] The United Kingdom (UK) has its regime for “cryptoasset businesses,” which is based on the money-laundering rules and shortly will have a MICA-equivalent.[2] And there have been regulatory advancements pursuant to which it is easier (but not simple) to categorize a token and determine whether it falls within a regulatory perimeter.[3]

DeFi has produced a large range of product and service providers with business models that bear more than a striking resemblance to those seen in traditional finance (TradFi). Some of these businesses have become household names—more infamous than famous—such as Voyager, Celsius, 3 Arrows Capital, and FTX. This article focuses on FTX and its charismatic founder, Sam Bankman-Fried.

The breakdown of FTX

As readers may know, FTX comprised three businesses:

  • The American (regulated) derivatives exchange.

  • The non-United States (US) exchange.

  • Alameda Research, its principal trading arm.

This article uses the term “exchange” loosely. An exchange was how FTX characterized itself, but it is important to remember that FTX was a broker–dealer operating a crossing network—not strictly an exchange. In the UK and the EU, it would be known as a “market operator,” and rules would apply to separate its activities qua “exchange” from its activities qua “broker–dealer.” In the US, one would think of it as an alternative trading system or crossing network.

While the full story has yet to emerge, the theory appears to be that FTX appropriated its customers’ deposits for its own proprietary trading activity (through Alameda Research), allowed Alameda Research to see its customers’ orders (thereby facilitating front-running), and permitted Alameda to accumulate enormous and unsustainable losses.[4] When FTX’s customers attempted to withdraw their cash, FTX was unable to source sufficient funds to permit them to do so and (on the advice of external counsel) sought bankruptcy protection. There are many more salacious details and perhaps quite a lot more to discover. However, the story, in a nutshell, is one that has been seen many times previously and one we may see again in TradFi.

Bankman-Fried was active on social and traditional media (at least prior to his extradition); his defense (for want of a better word) was that the systems and controls which would have permitted him to avoid this outcome were not in place; they were young, idealistic, foolish, etc., and had he not been bamboozled into seeking bankruptcy protection, he could have fixed it all himself in short order. It remains to be seen whether that defense survives the testimony of those who have entered into plea deals already.

Even if the defense is correct, our assertion is that this is not exculpatory or, indeed, in any way acceptable.

What’s in an audit?

Let’s take, for example, the widely held belief within DeFi that it is not possible or practicable to “audit” these businesses. In 2022—until the incumbent and preferred accounting firm withdrew from the market—much was made of “proofs of funds/reserves.” These are supposedly balance sheet-type snapshots of funds and assets. The details of the failings and inadequacies of these “proofs of funds/reserves” merit their own article. For present purposes, it suffices to say that it is possible to ensure a healthy-looking balance sheet at any time using funds that are not on the balance sheet for TradFi accounting purposes and that what constitutes “funds” often includes tokens issued by the firm itself to which a value is given by. . . we won’t quite say “plucking a number out of the air,” but hopefully the reader catches our drift.

What is there to prevent a DeFi firm from being audited? Similarly, what is there to prevent a DeFi firm from implementing systems and controls or policies and procedures familiar to those in TradFi?

One argument is the huge divergence between rules in various jurisdictions; which jurisdiction should one pick with which to be compliant? The short answer to that is “Yes, but TradFi rules diverge and TradFi manages its compliance.”

There has been a lot of discussion about the DeFi industry becoming self-regulating because “TradFi rules do not fit the DeFi business model.” Self-regulation is something that various constituents of TradFi have attempted in the past and, without fail, it has led to formal regulation and benchmarking. There are two good examples: the algorithmic trading industry attempted that in the US, and we ended with early versions of Regulation Automated Trading (RegAT),[5] which required lodging trading code with the regulator; and the algorithmic trading industry in the EU argued that it was providing liquidity to the markets, which led to MiFID imposing liquidity obligations on it.[6]

In any case, why seek self-regulation while at the same time telling regulators and politicians that “if only you had regulated us, this never would have happened”?

The prudent path is not always correct

For the compliance community—in TradFi or DeFi—we propose that the rule of thumb should be “if I were to do/not do this in securities, derivatives, or foreign exchange, would I be able to sleep at night, and would I be concerned that an offense had been committed?”

Of course, it is more complicated than that: cryptoassets are not (easily) segregated in the same way TradFi assets may be segregated between “customer” and “proprietary” accounts (the adage “not your keys, not your crypto” applies)[7]; and in order to comply with TradFi rules by analogy or extension, as compliance professionals, it may be the case that you find yourselves saying “no” more often than is necessary because the most prudent path is not necessarily the correct one.[8]

Nonetheless, if the compliance industry takes a robust and prudent position, there is nothing in TradFi that cannot give a steer on how to act or not act in DeFi. Returning to our balance sheet example above: even if no funds held on deposit technically are “customer funds” anymore, as the firm has the keys, it is simple enough to say to oneself, “My customers’ free-and-clear account balances state holdings of 45,000 Bitcoin (BTC) and 9,000 Ether (ETH); therefore, at all times I should ensure I have 45,000 BTC and 9,000 ETH in a wallet somewhere which is not at risk.”

One point of interest in 2022 was how long it took for management of DeFi firms—which were in financial difficulties—to lose control of the firms to independent insolvency practitioners. FTX is actually the exception. In various discussions with insolvency practitioners involved in DeFi projects, the consensus seems to be that this is because regulators, insolvency practitioners, and management were cautious in forcing bankruptcy or insolvency proceedings on firms in the belief that (for some reason) DeFi firms were different to TradFi firms. And who knows? Perhaps it is the case that had existing management been exorcised from some of the insolvent firms earlier, creditor losses may not have been as significant. The speed with which FTX was taken into bankruptcy protection can be a sign that creditors, management, regulators, and advisers will act with ever-greater alacrity to prevent industry and market contagion.

Even DAOs may have been dragged kicking and screaming into the TradFi regulatory perimeter by a judge in the US ruling that a DAO was an unincorporated partnership where all members had unlimited liability.

Compliance professionals are at risk

Interestingly, an article on TABBForum by Martin Walker discusses how FTX and similar businesses talk about having “assets under management.”[9] Let us be clear (and we’re unable to fathom how FTX and Bankman-Fried could not have been clear all along): a broker–dealer does not have assets under management and an exchange certainly should never proceed under the fallacy that it does. Walker’s article is forthright (“Big Crypto is run by people who are recklessly incompetent and/or criminal”): we fear to tread that line of thought. However, we will still use it to emphasize the point that, in DeFi, compliance professionals are as at risk—reputationally as well as regulatorily—as those in senior management for whose acts and omissions nominally they are accountable.

The trick (if one calls it that) may well be that compliance professionals have to make the same leap in skills that those in TradFi had to make in 2013–2014. Back in the day, Sam Tyfield gave a seminar at a conference entitled “Compliance 2.0,” where he advocated that compliance teams at algorithmic trading firms have at least one quantitative scientist, one infrastructure developer, and one software developer. It was not common then, but it is much more common now. It is more common because compliance teams need to understand the business for which they are responsible to fulfill their imperative.

What does a DeFi firm need from its compliance team? Perhaps a team with the same skills, but one must remember that even in TradFi, there is the additional issue of where in the business hierarchy this line of defense sits. If they are too close to the front office, they risk “going native,” but if they are too far into the middle or back office, they risk being isolated from, or unfamiliar with, what the front office does.

Applying the same logic, should a compliance team have a good mix of cryptocurrency holders/DeFi advocates and cynical spreaders of fear, uncertainty, and doubt? It will depend on the firm and its business, just as it does in TradFi.

Readers, as compliance professionals, understand how to get the best from the systems and controls (and personnel) you have. It may be a different set of criteria to apply to building a successful DeFi compliance team, but the same basic principles apply.

Takeaways

  • Traditional finance (TradFi) solutions and rules apply to decentralized finance (DeFi)—if participants/players want them to do so before regulators insist—including formal audits.

  • There is nothing intrinsically novel about DeFi other than market participants’ seeming belief that there is.

  • DeFi firms may require compliance teams to learn more skills, but compliance teams have been doing this in TradFi since its inception.

  • Regulators will become faster and more aggressive in applying TradFi rules, and compliance professionals will be at the sharp end of that enforcement.

  • FTX itself is not unusual. It likely was a scam operated by scammers, and those scammers were not half as bright as they thought they were.

*Sam Tyfield, Partner at Shoosmiths in London, England, UK and PJ Di Giammarino, Independent financial services regulatory technology authority based in London, England, UK.


1 European Council, “Digital finance: agreement reached on European crypto-assets regulation (MiCA),” news release, June 30, 2022, https://www.consilium.europa.eu/en/press/press-releases/2022/06/30/digital-finance-agreement-reached-on-european-crypto-assets-regulation-mica/.

2 Financial Conduct Authority, “Cryptoassets: our work,” updated December 8, 2022, https://www.fca.org.uk/firms/cryptoassets.

3 United Kingdom Home Office, Her Majesty’s Treasury, Department for Business, Energy & Industrial Strategy, Serious Fraud Office, and Ministry of Justice, “How are cryptoassets regulated in the UK?” policy paper, updated November 8, 2022, https://www.gov.uk/government/publications/economic-crime-and-corporate-transparency-bill-2022-factsheets/fact-sheet-cryptoassets-technical#how-are-cryptoassets-regulated-in-the-uk; United States Commodity Futures Trading Commission, “Statement of Commissioner Dawn D. Stump on the CFTC’s Regulatory Authority Applicable to Digital Assets,” August 23, 2021, https://www.cftc.gov/PressRoom/SpeechesTestimony/stumpstatement082321.

4 Joe Miller, “Bankman-Fried associate admits to misuse of FTX customer funds,” Financial Times, December 23, 2022, https://www.ft.com/content/cc3c3402-785d-4441-9edf-743bb0596ea6.

5 Thomas Laser, “Regulation Automated Trading: CFTC Source Code Turnover Provision is Unnecessary and Dangerous to U.S. Markets,” John Marshall Global Markets Law Journal 4, No. 1 (Fall 2016), https://repository.law.uic.edu/cgi/viewcontent.cgi?article=1019&context=globalmarkets.

6 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (see in particular Article 17), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014L0065&from=EN.

7 On January 4, 2023, a federal bankruptcy judge ruled that customers of (the bankrupt) Celsius Network LLC’s interest-bearing "Earn" product had turned over control of their assets to the bankrupt crypto lender, meaning they are part of the company's bankruptcy estate, while customers that had deposited cryptocurrency in non-interest-bearing accounts did not form part of the bankruptcy estate. See: Memorandum opinion and order regarding ownership of earn account assets, In re: Celsius Network LLC, et al., Debtors, United States Bankruptcy Court, Case No. 22-10964 (S.D. N.Y. 2023), https://cases.stretto.com/public/x191/11749/PLEADINGS/1174901042380000000067.pdf.

8 The Celsius judgment was as unambiguous as it was due to the terms and conditions of the Earn Accounts containing the following: “ALL DIGITAL ASSETS TRANSFERRED TO CELSIUS AS PART OF THE SERVICES ARE OWNED AND HELD BY CELSIUS FOR ITS OWN ACCOUNT.” The takeaway here is that clear terms and conditions are difficult to deny in most conceivable circumstances, and that compliance should have a hand in them.

9 Martin Walker, “Return to Nothingness – Big Crypto’s Struggles with Basic Accounting and Economics,” TABBForum, December 27, 2022.
