AI For Compliance: What DeFi Can Learn From Banks

There’s much grumbling in the web3 world about what would happen if regulation comes to the sector. But regulation of decentralized finance, or DeFi for short, isn’t a matter of if, but when.

DeFi aims to enable lower-cost, more accessible financial transactions without the identity requirements of traditional financial institutions. By using smart-contract technology, DeFi avoids creating the centralized repositories that make bank depositors’ assets a target for identity theft and other attacks.

The good news is that DeFi organizations are in many ways better set up to cope with regulatory compliance than traditional finance organizations are. That’s because web3 developers have been using AI from the beginning and embrace its power to bring efficiency, lower costs, and better fraud detection.  

That’s the ideal, anyway. In reality, DeFi has faced many security challenges and has been targeted for massive theft, a fact that has drawn increased attention from regulators and led to calls for more oversight. Nearly a half-billion in crypto was stolen from DeFi platforms in the first half of 2023 alone, a PeckShield analysis found.

DeFi also presents unique vulnerabilities for theft, including smart-contract flaws and attackers who use DeFi’s anonymity to execute exploits and then vanish. So DeFi organizations will also face compliance challenges that aren’t present in traditional finance.

DeFi regulation on the horizon

To this point, DeFi organizations have gone relatively unregulated compared to traditional banks. Several U.S. agencies are scrutinizing DeFi with an eye towards regulation:

  • SEC: determining which tokens are securities
  • Commodity Futures Trading Commission (CFTC): for derivatives and other commodified forms of crypto trading
  • Financial Crimes Enforcement Network (FinCEN): oversees money service businesses. If DeFi platforms are defined as such, they must comply with the Bank Secrecy Act’s anti-money laundering (AML) and know your customer (KYC) rules.

The decentralized nature of DeFi has made it difficult for regulatory agencies to determine what jurisdiction a particular platform falls under and which country’s regulatory agencies should oversee it. But they’re working on defining who should oversee what.

Some regulators have long held the view that DeFi’s decentralization is illusory and that such organizations should be regulated much like banks. In September ’23, the International Organization of Securities Commissions (IOSCO) issued a report recommending that regulators determine where DeFi project organizers are based so that the appropriate country can monitor compliance with its financial laws and rules. Despite the anonymity of some DeFi project founders, many supposed DeFi projects are in fact fairly centralized.

If a project is truly decentralized, it may find itself regulated by IOSCO. As long as large amounts of crypto continue to be stolen from DeFi projects, regulators are likely to seek a way to better protect consumers.

The bottom line: Growing calls for oversight presage a future where regulatory compliance will become a key function for DeFi organizations. 

How can DeFi organizations adapt and thrive in the coming, more-regulated environment? AI can play a key role in their compliance efforts. 

DeFi projects don’t have to figure out the best use cases for AI in compliance, either. Studying how traditional banks are implementing AI for compliance provides a road map DeFi can follow. There are also unique challenges to achieving compliance in DeFi, and we’ll discuss those below as well.

The compliance challenges of TradFi

Banks, credit unions, and other traditional financial institutions are among the most regulated types of businesses. Agencies that oversee them in the U.S. include the Office of the Comptroller of the Currency (OCC), Federal Reserve Board, and the Federal Deposit Insurance Corporation (FDIC). Other countries have their own regulatory agencies. More than 30 different laws and federal acts govern banking operations in the U.S.

The cost of compliance keeps going up. Nearly $57 billion was spent on compliance by institutions just in Canada and the U.S. in 2022, which represented a 13.6% increase over the previous year. Despite this, some $800 billion in laundered money makes its way through these upstanding institutions annually.

Regulations seeking to reduce money laundering and other financial fraud cover a broad spectrum, but key areas include Know Your Customer (KYC) and Anti-Money Laundering (AML) provisions. Under KYC rules, banks must verify customers’ identities. AML provisions require institutions to monitor transactions to detect fraud and theft. The specifics of exactly how they must fulfill these imperatives are ever-evolving as new regulations come into use.

The rate of change in financial regulation has accelerated since the 2008 financial crisis, and banks have been scrambling to catch up ever since. For instance, Citibank was assessed a $400 million fine in 2020 by the OCC for operational failures including compliance risk management. The hefty fine for weak controls came even though 15 percent of Citibank’s workforce, or roughly 30,000 employees, are classified as “risk, regulatory and compliance staff.”

Why is it so hard for banks to stay in compliance with banking laws? One big reason is TradFi leaders’ attitude toward tech. Let’s say they’re not exactly ‘tech-forward’ in how they allocate resources, tending to put off or deprioritize tech spending.

Historically, compliance professionals have treated technological innovation with skepticism. Rather than deploying new tech to streamline compliance, execs in this space tend to simply hire more compliance staff and continue doing compliance in the same human-focused, labor-intensive way. 

Another obstacle lies in how banks store data. “Most bank data is either fragmented, locked in silos or source systems, or is in a highly aggregated form, making it difficult to use for AI,” a report from IT Business Edge noted.  

In other words, banks often lack the underlying tech to implement the advanced AI tools that have emerged in the past year. Most are struggling even to use forms of AI that are older and more basic than the LLM-based tools we’ve seen emerge this year. For instance, just 25 percent of TradFi institutions have implemented basic machine learning in their fraud-detection operations, a McKinsey & Company study found.

“Uptake is low,” IT Business Edge’s Kimara Kimachia noted.

Even if bank leaders want to implement AI, many banks are stuck using older, legacy tech systems that can’t easily integrate newer solutions such as advanced AI. They would first have to win approval for updates to underlying systems or install entirely new basic tech to enable AI.

There’s terrific upside potential if they did: The McKinsey study estimated that AI could deliver $1 trillion in value annually to the sector, with roughly one-third of the gains in compliance. Yet the industry struggles to roll out AI solutions.

How could AI help traditional financial institutions save money while also increasing the effectiveness of their compliance practices? Here’s a quick rundown of the top opportunities for AI-based compliance improvement:

Credit checks/customer identification

Financial services often need to assess the veracity of a customer’s credentials, particularly as they consider what to charge them in credit-card or loan interest. It’s a very labor-intensive process that AI could accelerate, verifying customer IDs against both internal and external sources at a much faster rate.

Monitor for regulatory updates

Natural language models such as ChatGPT can scan approved sources and provide updates for senior managers to review, rather than staff hand-gathering governance information. Changes may require new forms or reporting methods which AI could also track.

Reduce false positives

Human-led scans for possible fraud tend to produce a high number of false positives that must each then be investigated. By contrast, an AI model could learn to scan for multiple qualifying factors, enabling it to reduce the number of false positives and reduce investigative needs. 

Eliminate human error

People make mistakes. They commit typos or forget to write things down. Employing AI and machine learning to scan for patterns of fraud could reduce human error and the attendant costs and time delays.

Write suspicious activity reports (SARs)

Every time fraud is suspected, an SAR must be written by investigators and filed with regulators. Backlogs of outstanding SARs are a prime target for regulatory fines. Today, most banks’ investigators write SARs at the rate of a few per day, the EY report noted.

Meanwhile, AI has already proved able to fill out many report types. If AI creates initial report drafts, investigators could review and file hundreds of forms in a day. This would reduce backlogs and resulting fines.

Monitor transactions

With its ability to scan data far faster than humans and to analyze multiple factors at once, AI could make transaction monitoring both more effective and efficient. By cross-referencing data from external sources, AI could detect less-obvious patterns to uncover nefarious activity that might escape human investigators’ notice, while also confirming false positives and removing them from scrutiny. 

Pattern recognition and anomaly detection

The large volumes of data AI tools can parse enable them to detect patterns quickly and spot anomalies that may be indicators of fraud or money-laundering activity.


Modeling future outcomes is a science with AI. Rather than relying on gut feelings, AI can analyze historical trends or combine internal and external data to predict future developments. 

Applying an algorithm can help assess if a control failure is likely to occur again, and if so what the loss or reputational damage might be. AI analysis might also be able to predict whether an upcoming audit will find major issues or few problems, based on historical data.

Stopping DeFi theft with AI

Now that you understand AI’s potential to transform traditional finance, and the obstacles that are making it a slow rollout, let’s look at how DeFi organizations might deploy AI tools to help prevent theft. It’s a move that could improve the sector’s reputation, help drive mass adoption, and prepare the industry for likely coming regulations.

New tech is already baked into DeFi

While many banks are creaking along on legacy tech, DeFi is built on new tech. Some DeFi organizations already use machine learning and AI in their current operations. This means implementing AI for theft prevention should be much easier in DeFi than it is for traditional finance.

All the AI-enhanced anti-money laundering activities listed above as bringing speed, efficiency and cost savings to banks can be employed in DeFi. Better monitoring for fraud can only be good for the community, and AI makes the process easier and more executable for decentralized organizations. 

With a road map from traditional finance for where AI tools can make compliance activities faster, cheaper, and more accurate, DeFi organizations can set priorities to implement AI to help fight theft and money laundering. Smart organizations will start looking at AI implementation steps now, before regulators force them to.

Can there be KYC in DeFi?

While using AI to aid the AML side of traditional finance rules is fairly straightforward for DeFi organizations, the Know Your Customer (KYC) side is more challenging. 

One of DeFi’s founding principles is the ability to trade without disclosing your identity. You have a wallet address on the blockchain that doesn’t reveal your identity. This has been a key tenet of DeFi.

Some observers believe KYC and DeFi can be integrated without sacrificing a project’s decentralized structure. One possible solution is to employ a trusted third-party verifier or decentralized identity solution to check wallet owners’ identities and keep that information secret, whitelisting verified wallets to build trust. Researchers have also looked to zero-knowledge proof technology to provide anonymity-preserving solutions.

No doubt a focus on KYC won’t please everyone. But if KYC can be achieved in DeFi in a way that verifies identity while still preserving anonymity for users, it could be a game-changer that brings many more users to the space.

Why DeFi should regulate itself

What if, instead of waiting for regulations to come down from a particular country or the international financial community, DeFi projects implemented AI tools to fight theft now? The sector has a playbook to work with from the traditional finance sector. 

While banks struggle to update their tech, DeFi could leap ahead in implementing AI-enabled crime-fighting. Reducing theft would build consumer confidence and help grow the sector.

Then, whenever regulations come into play, compliance would be a less acute issue. DeFi efforts would already have strong anti-fraud controls in place, made efficient and affordable by AI.
