On October 23, 2023, CoinDesk gathered a group of industry leaders for an intensive private roundtable on how crypto can address fraud. The 30 participants, seated at four tables, represented a range of perspectives from different disciplines, from lawyers with TradFi backgrounds to academic cryptographers to entrepreneurs. At each table, a member of the law firm Perkins Coie facilitated the discussion. Delphi attended to listen to the conversation.
To level-set, fraud is a crime of deception and under federal law (18 U.S.C. § 1001), it is defined as when a person “knowingly and willfully—
(1) falsifies, conceals, or covers up by any trick, scheme, or device a material fact;
(2) makes any materially false, fictitious, or fraudulent statement or representation; or
(3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry.”
Prefacing this summary, while the conversation sometimes drifted from fraud to crime and evil acts more broadly, we will try to limit the scope for our purposes to actual fraud (and not hacks and other harmful acts that might draw DeFi more fully into the conversation). To frame the issue better, fraud tends to manifest itself in (i) centralized actors in custodial positions of trust committing fraud and bad acts (think FTX lying and stealing customer money; alleged wrongdoing at Celsius, etc.); (ii) scam coins/rug pulls and pump and dumps; and (iii) industry-agnostic, run-of-the-mill scammers – the type of people going after your grandma, and the intended focus of the discussion.
As is true of most policy debates in crypto, while there were several discernable themes, the areas of actionable consensus were few. Having been deeply involved in fighting for sensible policy, we view these conversations (not to be overly dramatic) as a battle for the soul of this space. We can either double down on trustless solutions that leverage the technology and reflect crypto’s ethos or respond to pressure on various issues by building out the social layer and reintroducing intermediation. If we choose the latter, we will find it is a slippery slope — proving true regulatory calls that “there is nothing new here” would mandate the creation of new regulatory envelopes.
Below, we summarize the themes from the debate and add some of our own commentary.
Q1 – Should the Industry Address Fraud?
A point of consensus was the basic agreement that the “industry” should address fraud, but there was general disagreement on “how far the industry should go” and whom the burden should be placed on (with some referencing that this was a CEX issue).
This feels like a good time to remind the audience that the “industry” is not monolithic. As a result, never is it more apparent than in policy debates – where competing interests are jockeying for acceptable/desirable regulatory outcomes for themselves – that what may be good or sensible for one special-interest goose might be poison for the gander. In crypto, a range of centralized actors and tech exists within a space built around decentralized tech. Policy involves trade-offs that might be easy for some and catastrophic for others. Similarly, the solutions each group might want or need to implement should differ if we hope to keep these camps separate.
The conversation covered the role of government in addressing fraud and the responsibility of centralized actors. Another timely reminder here is that the underlying regulatory environment matters — namely, it creates incentive schemes. Separately, the government has a core role in punishing and deterring fraud at the prosecutorial and enforcement level.
Centralized Actors. Among centralized actors, the policy conversation as it relates to the role of government should be a key focus. Government should create policy frameworks that, at a minimum, effectively punish bad actors. We would also expect incentives for compliance (including a viable path to comply), but we currently live in a world of regulation by enforcement. Absent a compliant pathway, we would expect enforcement to focus on bad acts such as fraud. This is not the case. In fact, many “good” actors are pursued proactively and just as vigorously as fraudsters and criminals. Hence, any demand that “industry” be expected to unilaterally solve fraud and bad acts against a backdrop of policymaker-imposed misaligned incentives is a bit unhinged. How can we, on a societal level, rationally expect effective self-policing by good actors when they don’t even have regulatory certainty for themselves? Delegating the responsibility for addressing these bad actors, and doing so in a policy vacuum where the rule of law has been degraded, is doomed to fail.
For centralized actors, there was a lot of conversation about whether CEXs should do more to protect users against fraud. This brings up a couple of themes. In doing “more,” we would caution CEXs to take tech-based approaches versus social layer approaches — meaning when looking at “doing more,” the discussion regarding ad hoc remedies such as freezing accounts and/or unilaterally blocking transactions is a dangerous proposition. It brings to mind the deep disagreements around rough social consensus being a remedy based on mob rule — or, in this case, market-based discretion of service provider(s) acting in unpredictable ways under broad powers they have entrusted to themselves in their terms of service, which are “take it or leave it” style contracts of adhesion. The answer to this problem is undoubtedly not for CEXs to, vigilante-style, become crime fighters. In terms of addressing fraud (not AML/KYC style violations) but “crime” and, more generally, harm to users inflicted by third parties, we can focus on many immediately actionable steps, including:
- In terms of policing users and account activity, follow best practices in what is required of financial institutions regarding suspicious activity. CEXes are already doing a lot of work and have staffed a lot of compliance personnel to cooperate with law enforcement and narc on users. We aren’t convinced additional efforts are necessary or could be considered beneficial to users on this front.
- Invest in technological solutions to detecting user attacks and checks and balances on the accounts (access; high-volume transactions) – make these opt-in.
- Improve customer service – from onboarding to user education to responsiveness in emergencies; this is a known weakness.
- Improve UI/UX for users – the people using centralized custodians are more likely to need hand-holding, and a primary role custodians should be playing is making the experience seamless, intuitive, and convenient for users.
Examples of helpful improvements that are top-of-mind are:
- Having a focus on stopping preventable errors like including a warning message if a user is in danger of:
  - Sending to an address associated with a known fraud ring;
  - Losing unsupported tokens (for example, an ERC-20 token not listed by the exchange) by sending them to or from an address on the platform;
  - Sending transactions outside of CEX-associated wallets to encourage more vigilance in checking the address;
- Setting up more self-help remedies among CEXes, such as coordinating with each other to freeze stolen or missent funds, and having customer service play an actionable role in recovering misdirected transactions.
Of the types of fraud, addressing the vanilla old-people-scams type is low-hanging fruit. It isn’t specific to the space, but these bad actors prey on tech illiteracy, and addressing this type of fraud is key to widespread adoption.
There is another type of fraud (FTX, etc.) to address, and it can be done by providing a path to oversight in the U.S. versus pushing things offshore. To be clear, fraud of all sorts is already illegal in the U.S. and punishable — it is the detection piece where government and self-policing need to be leveraged. If the U.S. were to create a workable regulatory framework for CEXes and custodians, bad actors would stay offshore and the U.S. could focus on policing CEXes that interact with U.S. users. In terms of additional practical steps to detect fraud that the “industry” can leverage for centralized and regulated actors — let us remind you of another excellent use case for blockchain. The tech is quite literally designed in a manner that can be leveraged to detect accounting fraud and improve internal controls through triple-entry accounting. Instead of fighting against the tech, there are indeed golden opportunities to lean into it to improve things.
Several promising steps forward are happening in the exchange landscape, and they dovetail nicely with the event’s discussion. Today, several teams – Backpack and Cube – are building centralized exchanges that leverage centralized and decentralized aspects instead of implementing trustful solutions. While the technical details of such an approach are beyond the scope of this paper, it’s important to note that these exchanges are actually using (gasp!) blockchains – for the decentralized part of the exchange – to provide better security and transparency to users while still retaining the user-friendly UI/UX that makes centralized exchanges so popular.
The learning curve must be solved for more adoption, but we shouldn’t be in a “no-old-person left behind” race to the bottom toward reintermediation. Solving UI/UX issues goes a long way to “save everyone from themselves” because tech is complex. Still, regarding intermediation, we must strike the appropriate balance to preserve self-custody (and people can choose to opt in to custodial relationships). But where the intermediation crowd can amass more power and effectively kill the core value prop of the tech (let’s save this rant for another day), we should be sensitive to this balance.
Decentralized Actors. Many of the legal and compliance professionals at the discussion, particularly those with TradFi pedigrees, seemed unfamiliar with existing on-chain remedies and lacked a nuanced understanding of how tech works and the realm of potential technical solutions. Few seemed to understand what it’s like to transact on-chain — bringing back a conversation around the learning curve. There continues to be, within the “industry,” a dire need to step outside of functional knowledge silos — we need increased dialogue and interaction between policy personnel, lawyers, and the more technical actors in the space, such as developers, cryptographers, and mechanism designers. We have hope for this (as it is Delphi’s mission in our research to increase understanding and adoption) and it was nice to hear participants mention zero-knowledge proofs and Vitalik’s recent research around privacy pools in the conversation.
We believe there needs to be more of a focus on and understanding of crypto-native remedies as well as tech-based solutions (aside from surveillance solutions, that is; we think we have a sizable amount of effort directed there as it stands) for the broader decentralized space to adopt as best practices to prevent and/or address harm. We see these efforts taking shape – for instance, with automated whitehats that scan a platform for vulnerabilities. However, more effort should be concentrated here beyond the scope of this discussion on fraud. In any scenario, this entails our policy proponents working together with technologists, using DeFi protocols (unlike SEC staff) and doing a deep dive on the tech to inform these solutions.
Q2 – Should there be more standards in crypto?
Again, there was generally a consensus of “yes” there should be standards, but beyond that, there is not a lot of consensus on what those standards look like:
- Which actors should bear the burden of adopting such standards?
- Do we mean “standards” as in regulations/bright-line requirements or best practices?
- Are they government-imposed or self-imposed through self-regulatory organizations (SROs)?
- If government-imposed, should there be international standards or jurisdiction-by-jurisdiction ones?
Global vs. Jurisdiction-by-Jurisdiction. Much of the conversation here was based on how regulation might develop and at what level consensus might be reached. Many participants considered global consensus impossible, while some even found granular efforts like New York’s famously onerous BitLicense to be a positive theme.
We share the belief that global standards are unlikely to develop soon but caution against cheering on the rise of micro-regulatory regimes because of the power vacuum created by a lack of coordinated strategy at the federal or international level. We see the rise of these micro regimes as especially troubling for permissionless technology – to the extent that they could pose an existential threat via death by a thousand cuts (add this to the running list).
Role of Government vs. Self-Help. The path forward here is undecided. Governments could have an enabling role if we reach a consensus on the features of the technology that are worthy of preserving and enshrining in any developed regulatory regime. Otherwise, if current trends prove lasting, government-imposed standards will be predicated on reintermediation. We can see this with the proposed SEC rules around qualified custodians — where, as a matter of law, RIA cryptoassets will need to be stored at banks and lockups enforced through wet ink escrow arrangements, whether or not the assets are actually safer as a result.
One thing, however, is clear — proactively kowtowing to regulators based on existing law is a path to destroying the value proposition of the space. At the same time, if we fail to address pain points like fraud, the government will do it for us. And we are not going to like what they come up with – so it is in the industry’s best interest to proactively address legitimate concerns around user safety — ideally in a tech-native way, but otherwise in the most surgical way possible that does the least amount of collateral damage. As we continue to see, regulators (absent a new policy framework) will apply existing law to our collective detriment and on the legislative side, more education is needed. Ultimately, the US government is only positioned to be able to pass policy reactively — meaning, after a catastrophe — and it will be a harmful knee-jerk reaction that is draconian and rushed rather than thought through. The goal of these efforts is to address political narratives (“tough on crime”) rather than addressing legitimate risks and push ahead for political points/motives (see Sen. Elizabeth Warren on terrorism funding).
Q3 – How to align incentives so crypto companies prioritize security?
The conversation focused on profit motive being the (only) driver for incentives and creating perverse incentives for the space. One example is surveillance firms’ data not being a public good because they are centralized businesses and can monetize proprietary data rather than share it. At the same time, free-riding on the efforts of others is pervasive – including with respect to public goods and infrastructure, as is the impulse to eschew best practices for faster, cheaper, more centralized solutions.
Many times, centralized trustful solutions are implemented to appease regulators. We think these are instances where the crypto space strays far from the path. We do a disservice to this space by bowing to pressure to implement trustful solutions and relying on traditional marketplace vendors.
We will remind the audience of some core tenets of this space — outside of the centralized for-profit businesses in the space, a key value proposition of blockchain is that it has inherent security qualities — security is a public good. The more we leverage the tech and rely on trustless solutions to issues, the safer we will be. We look at the regulatory conversations around DeFi, and if the structure behind the curtain is four guys sitting on a multisig and pulling all the strings, we should all pack it in.
So, while it is tempting to lean into the “social layer” (which in crypto is a much-discussed yet under-appreciated topic), we would suggest that we can find common ground in addressing issues like fraud by keeping true to our ethos and continuing to embrace trustless, tech-based improvements. This path aligns incentives across market actors – it is accretive to centralized actors and improves user experience by limiting surface area for harm. Solving for “grandma” is probably one of the most impactful steps on the policy front we can take, and it doesn’t force market actors to choose between profit motive and public goods motives — it is self-interested to remove barriers to user adoption and to generally make users safer. We can save larger, more coordinated efforts like SROs for when a more coherent policy envelope exists and these are actually viable ideas. In the interim, we, as the crypto policy community, can embrace good practices, promote them in the public square, and call out poorer practices that make users unsafe to improve accountability.
Special thanks to Marc Hochstein for his valuable feedback on this report and for hosting the CoinDesk roundtable event.