Persons with "sufficient influence or control" over a DeFi application potentially should be responsible for the anti-money laundering ("AML") and controlling the financing of terrorism ("CFT") obligations of a virtual asset service provider ("VASP"; e.g., in the United States, a money service business or a state money transmitter), said the Financial Action Task Force in a report issued on October 28, 2021.

According to the FATF, while a DeFi application is not itself a VASP, "creators, owners and operators, or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services." This is the case even where "...other parties play a role in the service or portions of the process are automated."

The FATF noted in its report that "[i]t seems quite common for DeFi arrangements to call themselves decentralized when they actually include a person with control or sufficient influence, and jurisdictions should apply the VASP definition without respect to self-description."

Importantly, continued the FATF, where persons can purchase governance tokens of a VASP, the VASP, not the persons purchasing the governance tokens, should have the AML/CFT obligations of the VASP, unless the holder exercises control or sufficient influence.

In its report, the FATF generally discusses what a VASP is, what the AML/CFT obligations of VASPs are, and how VASPs should be supervised by national regulators. Among other matters, the FATF suggests that:

  • the "travel rule" (e.g., the obligation of initiating and receiving financial institutions to obtain, transmit and/or retain certain information regarding the originator and beneficiary of funds transfers) should apply to all transactions involving virtual assets sent by a VASP to another VASP or financial institution, and also to non-regulated persons (although less information should be required of the transmitting VASP in such transfers);
  • self-regulatory organizations ("SROs") should not be responsible for the supervision of VASPs. SROs should solely assist national regulators in facilitating contact, information-sharing and outreach to their VASP members, says the FATF. (Curiously, however, the FATF acknowledges in its report the role of the Japan Virtual Currency Exchange Association in monitoring AML/CFT compliance and implementing a travel rule by its members.); and
  • national regulators should not mandate the universal termination or restriction of relationships with a particular sector (e.g., require financial institutions to terminate relationships with all VASPs "regardless of the different risk among them"). Instead, each VASP should be assessed based on its own risk.

The FATF is an independent inter-governmental body that develops and promotes policies to protect the global financial systems from money laundering, terrorist financing and the financing of weapons of mass destruction. The FATF does not draft laws or regulations in any jurisdiction.

Although many proponents of DeFi applications argue against the application of traditional regulatory requirements to this sector, it appears that the FATF does not necessarily share this sentiment.