The U.S. Treasury recently came out with its 2023 DeFi Illicit Finance Risk Assessment, which outlined the need for the decentralized finance industry to comply with anti-money laundering (AML) requirements. This is to prevent bad actors, such as cybercriminals, ransomware attackers, scammers and agents of sanctioned governments, from laundering funds through decentralized finance. First, it’s worth noting that far more illicit finance occurs in traditional financial systems compared to DeFi, but with the help of zero-knowledge (ZK) technology, it’s also very feasible for DeFi applications to comply with AML laws while retaining user data privacy.
Crimes smear the whole industry
The implosion of centralized finance lending platforms like Celsius in 2022 followed by the FTX disaster did not do crypto any favors in terms of its public perception. In the United States, the Biden administration seems intent on quashing any and all crypto innovation through what has been termed Operation Chokepoint 2.0. Harsh regulations like this have proven difficult to enforce and can do more harm than good — driving talent, money and tech innovation outside of the U.S.
While crypto’s reputation as a playground for criminals and scammers is very much a misrepresentation, with illicit transactions accounting for just 1% of all crypto activity last year, it doesn’t mean we shouldn’t be concerned about crypto crimes. In 2022, illicit transaction volume hit an all-time high of US$20.1 billion — no small number — with 44% of these illicit transactions originating from sanctions evasion. Despite this, most mainstream blockchains are inherently more transparent than most existing financial networks today, actually making it more difficult to hide illegal activity. As shown by the below chart from Chainalysis, sanctions, scams and stolen funds accounted for the top three crypto crimes in terms of value.
This was due, in large part, to the Office of Foreign Assets Control (OFAC) making decisions that were difficult to enforce, such as the blacklisting of cryptocurrency mixer Tornado Cash and the Russia-based exchange Garantex.
Where regulations and crypto meet
It’s important for the crypto community to be reminded that the purpose of regulations is to protect people and businesses against scams and create strong enforcement deterrents against crimes like the financing of terrorism. The challenge is that regulators are accustomed to a certain modus operandi in the realm of traditional finance, which relies on systems that sometimes conflict with the core values of crypto and its underlying thesis that people — not government or banks — should own and control their own data and value.
In the United States, the Bank Secrecy Act (BSA), created by the Office of the Comptroller of the Currency (OCC), is meant to prevent money laundering by requiring banks and other registered money service businesses to share details about the transactors when the value being transferred exceeds US$10,000 cumulatively for a given day.
At the global level, the international money laundering watchdog, the Financial Action Task Force (FATF), instituted guidelines suggesting that for digital asset businesses, any amount exceeding US$3,000 needs to be reported to the appropriate regulatory agency. There is, of course, a whole other discussion to be had about whether the lower threshold for cryptocurrency transactions is fair or biased, but regardless, these guidelines do exist and are increasingly being implemented and upheld by various jurisdictions around the globe. In the U.S., the BSA took it a step further and proposed lowering the threshold from US$3,000 to US$250 for international transfers, but this has yet to be implemented.
Advent of ZK for compliance
Whether the minimum threshold for businesses and decentralized apps to share transactor data is US$10,000 or US$250, there is a way to meet regulatory requirements while also staying true to the ethos of crypto: zero-knowledge (ZK) technology.
Zero knowledge is a mathematical concept that can be encoded to enable an entity to demonstrate the validity of information to another party without revealing the information itself. For example, with the help of ZK, users can prove they are not on international sanctions lists without sharing their personal details like their legal name, address or passport. This can also be applied to proving a user is know-your-customer (KYC) or AML compliant. In this way, ZK is a key element in enabling institutional adoption of crypto and blockchain technology, given the need for traditional finance players to demonstrate compliance with regulatory standards.
This use case for zero knowledge is already gaining attention. In February, the European Union’s Research and Energy Committee announced it would be incorporating ZK into its framework for digital identity. According to its press release, “It would also give users full control of their data and let them decide what information to share and with whom.” Identity is an essential spoke within the traditional financial system, as a verified ID, whether for an individual or business, is what gives permission to open a bank account, take out a loan or make investments.
DeFi is much more accessible, with fewer baseline requirements to invest or benefit from interest-generating opportunities, but at certain transaction amounts, per the FATF standards, regulatory requirements kick in. This is where ZK can make a big difference: It allows decentralized apps to be compliant while remaining true to crypto ideals and without collecting personal information about their users. Instead, users can simply provide a zero-knowledge proof (ZKP) demonstrating that they are eligible to use the platform (i.e., have passed KYC/AML, or are not on sanctions lists) without making themselves vulnerable to scams and hacks through the sharing of personally identifiable information.
Vitalik Buterin himself posted in October 2022 on Twitter, “ZKPs offer lots of new opportunities to satisfy reg policy goals and preserve privacy at the same time, and we should take advantage of this!”
We have the tools. Now regulators and innovators need to communicate about implementations that satisfy each party’s objectives, which are not as far apart as they seem. Regulators and crypto insiders want the crypto industry to be a safe place for users and businesses. ZK can be leveraged to make this shared goal a reality.