After the spectacular crash of Sam Bankman-Fried’s FTX and its associated organizations, financial regulators worldwide have to keep their attention on two places at once. As one eye stays firmly on precluding terrorism funding, the other is glued on the fallout among FTX retail investors and its knock-on effects throughout the greater financial landscape.

There will certainly be moments of crossed eyes as litigators introduce new and evolving legal frameworks, and even more when fintech companies have to comply. Regardless of whether it’s still a speck on the horizon or looming large, this legislation is inevitable, but what shape will it take?

Rising temperatures

Long before US$8 billion in FTX deposits seemingly disappeared, some regions had legislators drawing up plans to turn up the heat on retail crypto operators. Indeed, one of the major regions whose legislation won’t be affected by the Alameda Research/FTX fallout is the European Union, where the Market in Crypto-Assets (MiCA) regulation, designed to protect consumers in such an incident, was already written and signed. It’s not yet implemented, though. More on MiCA later. 

Of course, major exchanges like Binance US and Coinbase were already under intense scrutiny to adhere to know-your-customer (KYC) and anti-money laundering (AML) regulations, so they were used to a little heat. Compliance teams were accustomed to legal language that understands both the need for a low-friction user experience, as well as the challenges involved with some aspects of AML enforcement. That language has lured some companies towards the laxer side of due diligence. As Coinbase was recently fined US$100 million by New York regulators for AML noncompliance, at least when MiCA-like regulations come down, that company will probably be better prepared — half of that US$100 million should be invested in bolstering internal compliance routines.

For decentralized finance (DeFi) companies that aren’t being forced into fixing the leaks in their ship, an obvious challenge is being presented: protect your customers or get used to more inclement legal weather, even if you’re still getting used to the AML climate.

Initial drizzle

As of the end of a turbulent 2022, the regulatory frameworks of most major markets were still coalescing. Like a bit of rain that promises high winds and torrential downpours, we can look to these to get an idea of what might come later this year. 

A few regions, like Singapore, had already implemented moderate control mechanisms, largely concerned with adhering to Financial Action Task Force’s AML guidelines, and avoiding sanctions. Meanwhile, India ratified a 30% tax on all virtual asset gains in April of 2022.

However, for retail customer protection against predation, fraud and embezzlement, almost nothing is currently being enforced with crypto-specific language.   

MiCA will be one of the first major implementations and was initially proposed in November 2020 in the European Union Parliament, to provide legal confidence in a notoriously volatile space. Though it was signed into law in October 2022, it likely will not require businesses to be fully compliant until mid-2024.

At a glance, MiCA will:

  • Establish one definition for a “crypto-asset” in the European Union.
  • Define what blockchain verticals fall outside this jurisdiction — such as insurance and pension providers.
  • Create four categories for assets to fall under: asset reference tokens, e-money tokens, utility tokens and everything else.
  • Establish enforceable mandates for how stablecoins and non-stablecoins are brought to markets and then the public, including disclosure laws modeled on the E.U. Prospectus Regulation.
  • Regulate how crypto-asset services are authorized to carry out business as usual, modeled on MiFiD (Markets in Financial Instruments Directive).

Similarly, the aforementioned Singaporean regulation was being careful about which digital payment token service providers (DPTSPs) they could trust with licenses to operate in the country. Only recently, the Monetary Authority of Singapore made proposals to enforce customer safety and anti-corruption protocols among the licensees.

The proposed Singaporean regimes include particulars that are more suitable for their size and culture, but establish good benchmarks for other regions to potentially follow:

  • DPTSPs should conduct risk awareness assessments for customers.
  • DPTSPs should not offer incentives to retail investors (like an online casino might).
  • Retail customers should be prevented from borrowing money to invest in DeFi assets.
  • DPTSPs should guarantee that investor funds are kept separate from company funds.
  • Self-detection and reporting of any internal conflicts of interest.
  • Transparency for crypto firms when it comes to how they invest in new assets.
  • Adequate customer service infrastructure.
  • Mandated emergency backups for vital operating systems.

As other regions scramble to sew consumer safety into their security blankets, it seems likely that these will serve as the models for many. 

Ominous clouds and risk of lightning

As the steps of 300 new hires can be heard stomping through the criminal division of the U.S. Internal Revenue Service, one wonders if their boots are weatherproofed against the coming storms. Alongside the apparently “hundreds” of cases being built by the IRS against crypto tax evaders, precedent-setting legal cases are waiting to drop the gavel on the crypto space. Depending on how they settle, many in the industry consider them to be pivotal when it comes to forming the shape of DeFi’s future. 

Until now, investing in decentralized currencies of any kind was an investment into an environment of less scrutiny, by definition. A privacy mindset — namely keeping “off the grid” — is par for the course when it comes to much of the DeFi community. As FTX asset holders know, though, this privacy comes at the cost of your deposits being unsecured.

While writing for Forkast, Michael Shing notes that this creates a knife’s-edge situation in terms of culpability. When nearly all your customers are connecting pseudonymously, but some of them are criminals, where does the legal punishment go? In the current legal framework, there’s nowhere to pass the buck but up, to the exchange operators and owners.

A hail of precedents

Currently roiling are three legal cases where this friction has resulted in electrical buildup, and then lightning strikes: FTX, Coinbase and Ripple.

In the cases where the lack of compliance controls allows operators to obfuscate their own dealings, which is likely the case in Sam Bankman-Fried’s FTX and Alameda Research, regulation to create a safe and more accountable space for everyday business dealings makes sense. SBF has made that obvious. 

In terms of how the customer will be affected by this, New York legislators have stated that Coinbase did only the bare minimum in terms of making their customers adhere to KYC mandates — a bare minimum that they determined was actually below acceptable. While some companies that are required to be KYC compliant use alternative data sourcing, such as social media credit scoring, with minimal friction for trustworthy users, Coinbase opted to only have the most low-friction onboarding processes in place, rather than the improved security of step-up or dynamic friction at registration. This US$100 million mistake will surely force Coinbase to reassess its risk appetite and onboarding processes, and probably pull some of the mainstream crypto market with it. Expect to see whatever customer due diligence (CDD) practices Coinbase implements now to be echoed around the world. 

Finally, many crypto experts are pinning the impending ruling of the U.S. Securities and Exchange Commission v. Ripple (XRP) lawsuit to the future of the entire crypto landscape. That case will decide if crypto assets are currencies or securities, with the latter falling inside a legal framework with much more regulation already on the books.

A perfect storm of legal complications

The coming calendar year may be the most tumultuous yet in terms of coming storms and how crypto businesses will keep themselves dry — and solvent. 

Legislators have a churning, boiling ocean to navigate, and their ships have been looking less-than-seaworthy of late, with many of their sailors not quite sure where they’re going or even what the water is, exactly. After all, these kinds of virtual financial products are complicated to understand, and the context around them includes:

  • The greed of SBF that (allegedly) tanked the greater DeFi ecosystem.
  • A sanctioned, aggressive Russia has invested heavily in crypto after the ruble tumbled in wartime, and has announced plans for a nationalized crypto exchange.
  • Businesses are increasingly pushed towards jurisdictions with lower, or at least solidified, scrutiny, making some nations lose out in taxes and economic boosts.
  • Many world governments planning to release their own central bank digital currencies (CBDCs).

Knowing this context makes some hesitancy on the part of the SEC and other ruling bodies understandable. Before hard lines can be drawn to shape the future of the crypto space, balances must be checked and calculations must be finalized. For crypto operators, however, it remains to be seen whether regulators will allow them to keep their heads above water with lighter regulations, or else sink everyone and worry about enforcement when they’ve all sunk to the bottom.

Conclusion

Creating a block of legislation that sets a perimeter around such a choppy ocean seems a monumental task. Bodies of governance are still discovering where they need to put their foot down, and how hard.

As the conversation rages around crypto regulation, and the most lascivious instances of crypto culture are put on media display, it is hard to say what side of the argument is making headway. Though it seems obvious that high customer-due-diligence scrutiny will lead to downturns in profit margins for exchanges, human greed is getting a lot more press these days, as are the calls for regulatory safety.

As financial legislators worldwide balance economic prosperity with not financing war and protecting their citizens, it seems likely that whatever conclusion they come to will require a step up in terms of due diligence. DeFi traders would be smart to either bring themselves into compliance or try to lobby for regulatory moderation. Otherwise, they may find themselves feeling rudderless in a sea of legal battles and sails slack, with oarsmen deciding to abandon ship and get other programming jobs.