Unchained - 2 Lawyers on How the U.S. Can Finally Regulate DeFi - Ep. 604
Episode Date: February 6, 2024Listen to the episode on Apple Podcasts, Spotify, Fountain, Overcast, Podcast Addict, Pocket Casts, Pandora, Google Podcasts, Amazon Music, or on your favorite podcast platform. Trying to regulate De...Fi is a huge challenge because in a truly decentralized system, there should be no centralized actors to make and enforce rules for. This could make combating illicit finance challenging since traditionally, regulation has been targeted at centralized intermediaries. Yet Rebecca Rettig, Chief Legal and Policy Officer at Polygon Labs; Michael Mosier, the co-founder of boutique law firm Arktouros; and Katja Gilman, senior lead for public policy at Polygon Labs, published a paper last week that proposes to do just that. Rebecca and Michael join Unchained to discuss what prompted them to write the paper, what the difference is between "onchain CeFi" and "genuine DeFi," how targeting high-risk wallets can be one part of the solution, how critical communications transmitters (CCTs) are another piece of the puzzle, and what next steps they are pursuing. Show highlights: The motivations behind their paper and Michael and Rebecca’s legal backgrounds Why Michael views the Bank Secrecy Act as outdated in the context of DeFi How critical KYC and AML compliance is for the integrity of DeFi What Rebecca identifies as the principal risks in the DeFi sector Why their proposal targets the protocol layer for effective DeFi regulation How "onchain CeFi" differs fundamentally from "genuine DeFi" Whether a decentralized protocol can be effectively regulated when controlled by a DAO How if DeFi were to be classified as critical infrastructure by the Cyber and Information Security Agency (CISA), it would impact the sector Whether the critical components of blockchain networks, such as RPCs, can be regulated effectively How categorizing wallets based on risk can be one part of the solution to fighting illicit finance Why Rebecca considers Tornado Cash a prime example of “genuine DeFi” What steps Rebecca and Michael plan to take next following the publication of their paper Thank you to our sponsors! Popcorn Network Polkadot Guest: Rebecca Rettig, Chief Legal and Policy Officer at Polygon Labs Previous appearances on Unchained: Just a Coincidence? Coinbase and Polygon Lawyers See Bad Omens in SEC Crackdown Kik’s Surprising Move in Its Lawsuit With the SEC Michael Mosier, cofounder of Arktouros PLLC Links Previous coverage of Unchained on the topic: Could the Bank Secrecy Act Harm Crypto? Coin Center Thinks So Full paper: Genuine DeFi as Critical Infrastructure: A Conceptual Framework for Combating Illicit Finance Activity in Decentralized Finance Rebecca’s thread Coin Center: Broad, Ambiguous, or Delegated: Constitutional Infirmities of the Bank Secrecy Act Tornado Cash Unchained: Given the Sanctions on Tornado Cash, Is Ethereum Censorship Resistant? Illicit funds in crypto: Unchained: How Much Money Are Terrorists Actually Raising in Crypto? Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
And one of the hallmarks are critical pieces for us in doing this analysis was that we both
believe, I think, that the base layer needs to remain critically neutral and permissionless.
And so this was really thinking about where you would actually have a very effective regime
for financial integrity or combating illicit finance.
And if, you know, 80% of transactions go through these RPC nodes as a service, then you
actually have a really interesting gateway or, you know, place to look at whether anything could be
done without really turning them into a financial institution that would have to comply with the
BSA.
Hi, everyone. Welcome to Unchained. You're no-hyped resource for all things crypto. I'm your host,
Laura Shin, author of The Cryptopians. I started covering crypto eight years ago, and as a senior
editor of Forbes was the first Metriam Reader reporter to cover cryptocurrency full-time. This is
the February 6th, 2024 episode of Unchanged.
Pocodot is a leading layer zero blockchain with over 2,000 developers, and the Pocodot 2.0 upgrade
will be a massive accelerator for the ecosystem, making it faster, more secure, and adaptable.
Perfect for GameFi and DFI to build, grow, and scale.
Join the community at Pocodot.network slash ecosystem slash community.
Streamline your DFI with VaultCraft, the ultimate on-chain toolkit for deploying.
Following custom automated DFI products on any EVM chain.
Join Valkraft's referral program, unite with the community, and supercharge your crypto.
Details on Valkraft.io.
Bet mode activated.
The scorebed app here with trusted stats and real-time sports news.
Yeah, hey, who should I take in the Boston game?
Well, statistically speaking.
Nah, no more statistically speaking.
I want hot takes.
I want knee-jerk reactions.
That's not really what I do.
Is that because you don't have any knees?
Or...
The score bet.
Trusted sports content, seamless sports betting.
Download today.
19 plus, Ontario only.
If you have questions or concerns about your gambling or the gambling of someone close to you,
please go to conicsonterio.ca.
With Amex Platinum, you have access to over 1,400 airport lounges worldwide.
So your experience before takeoff is a taste of what's to come.
That's the powerful backing of Amex.
Conditions apply.
Today's topic is the regulation of,
of Defi and a new proposal to do it.
Here to discuss a Rebecca Reddick,
chief legal and policy officer at Polygon Labs,
and Michael Mozier, co-founder of Arc Turos.
Welcome, Rebecca and Michael.
Thanks, Laura.
So you two recently published this paper
with Katia Gilman on how to combat
illicit finance in Defi,
or generally just how to catch bad actors in Defi.
And obviously, this has been a huge topic in crypto for years now,
and it's popped up repeatedly.
I feel like the FATF rule was kind of one of the initial ones.
I don't even remember what year that was.
There was the infrastructure bill, the tornado cash sanctions, obviously recently,
the Hamas crypto terrorist financing issue.
And all of this to my mind, and you know, you can reframe it if I'm incorrect here,
but it centers on this dilemma that regulators have historically targeted regulations
at intermediaries.
And then blockchain technology obviously has this potential to create systems that don't even use
intermediaries.
So can you just talk a little bit more about the problem that you were trying to solve with this paper or, you know, what the inspiration was for this paper?
I think it was twofold. And I think you put it really well, Laura, which was that this issue has plagued regulators for a very long time, including dating back, you know, a number of years with BATIF, other global regulators and also in the United States more recently.
and as Michael can probably speak to a little bit more in depth as well, the current financial
integrity regime in the United States is, and elsewhere around the world, is really geared towards
intermediaries and those who have the tools to stop bad actors. And those same tools as the
Financial Stability Board and the International Monetary Fund have recognized in a paper they
put out together don't work in the same way in these peer-to-peer intermediary-less systems.
So I think that, of course, was one of the impetus is for doing it.
But I think given the rise of concern about AML or illicit finance and crypto more generally
and also seeing a number of proposals come out at the end of last year about how to propose bills,
and then the deputy treasury secretary also put out some proposed options.
I think Michael and I felt that it was really time to think deeply about these issues,
both from a legal and a tech perspective and try to come out with something that we thought would be
really effective and also very realistic when put against the law and the tech.
So talk also a little bit about your backgrounds and how they inform this paper.
So I've been a lawyer in this space for quite a long time. I started out as a traditional
litigator and regulatory enforcement lawyer doing both financial services and then also some early
tech cases. I worked on one of the very early peer-to-peer file sharing cases in the music industry.
So I've been thinking about how laws apply to novel systems for quite a while. And then I left
sort of my big law firm many years ago and started taking on crypto clients and really
dedicated a lot of my time to advising software developers about how to think about ways, not
necessarily to comply with law, because we, you know, I think we've all talked a lot that many of these
laws don't necessarily apply wholesale or you can't map them one to one, but how to think about
meeting policy goals given the technology and some of the differences. And so I've been in
a house for a long time, but because I spent a long time learning about the tech, I just organically
started talking to regulators probably a number of years ago about this and trying to sort of
educate about defy how it works and thinking about the laws as well. So I really am digging in on the
tech side to think about where and how the laws may apply. I'm sort of the law librarian,
not quite as tech savvy here, but spent a lot of time in public service around a lot of these
issues on the policy side. So I was at the Department of Justice. It was a federal prosecutor
in the money laundering section where I was a deputy chief there. Part of that work was
standing up an early kleptocracy unit that looked at that foreign kleptocrats that were
stealing from their own people and how to get it back to them. And then was at OFAC, which is the
Office of Foreign Assets Control at Treasury, which administers sanctions programs and was in charge
of policy there, including exemptions that we would set up to sort of limit collateral impact
from sanctions programs, such as general licenses to allow VPNs to be used provided for people in
Iran who were trying to do pro-democracy work and humanitarian aid to get into Iran and Syria and
other places like that, as well as on the enforcement and compliance side where I was the head of
that. And then was at FinCEN, which is the Financial Crimes Enforcement Network, that's the
financial intelligence unit for the U.S., also part of Treasury. And it's also the administrator
of the Bank Secrecy Act across the federal government. And when I was there, I was part of
developing the 2019 guidance on sort of cryptocurrency. And also thinking through as part of that,
what are the things that we want to proactively say we're not covering as financial institutions?
So have spent time in all of this thinking through what are the things we want to cover,
but also what is it important to say both at OFAC and FinCEN.
This is not something we mean to collaterally impact.
We actually want to make sure that we're promoting and also people in these authoritarian regimes
that need equipment for resilience.
And so when I left FinCEN have worked in the configurable asset privacy space
with a project called Dispressive Systems, but then
co-founded a small legal boutique called Octoros with other former public servants working in this
space, also helping whistleblowers and humanitarian aid workers, as well as became a partner
at Ex-ante, which is an early stage fund that's focused entirely on agentic tech that's
advancing democratic and personal values very much in this space as well.
Oh, interesting. Yeah. So if you were part of FinCEN at the time that FinCEN issue,
with that 2019 guidance. So then now you're kind of on the other side and like seeing how all this
plays out. So why don't we just actually now talk about some of these existing regulations
that are coming to bear at the moment in Defi? So one of the ones in your paper that you both
mentioned is the Bank Secrecy Act. And then what you call it's progeny. So, you know,
for listeners, like what's kind of the background regarding that that you think would be
important for them to understand in terms of how it applies to Defi?
Well, I think the biggest thing that people should keep in mind with the Bank Secrecy Act going back to the 70s when it started was it was really fundamentally about addressing the fact that in the traditional finance sector, there's a lot of siloed information that's purely within a bank.
Nobody else can see it.
And at the time, there was a lot of organized crime and people would take their money, send it to Switzerland, avoid taxes.
Actually, a lot of it rose out of money laundering, but money laundering related to.
the tax evasion for organized crime.
And so the FBI might go to a bank and say, what's going on?
Some of this money looks like it either came or went from Switzerland.
And the bank would say, I don't know.
I don't have any information.
And so part of this was like, well, actually, you need to understand your customers better.
And I'm compressing decades of Delam in here.
But you need to understand your customers better.
You need to understand where their money's going when it leaves.
And you need to keep these records so that they're accessible.
And that's, it really started with record keeping requirements so that when law enforcement
had an investigation and needed to go to the bank, they knew that you would have the information
they needed. Over time, it developed into record keeping and reporting so that people were
sort of proactively sending suspicious activity reports or SARS to what became FinCEN
in the Financial Intelligence Unit when they determined that there was suspicious activity going on.
And that as well was sort of overcoming the fact that, okay, first they weren't recording it, then they weren't keeping it, then they also weren't making it accessible because it's so siloed.
So all of that are sort of in ways not quite applicable to the decentralized finance world where you have these public ledgers.
Everybody out there can see what's happening in some level to see these flows.
And so part of that is there isn't the need for the sort of accessibility because the data.
is accessible, but there's also not all these intermediaries that are in the middle of it that
you can go to for these records. And so how do we sort of manage that sort of risk in a space
that's largely in the way that we're addressing it infrastructure? I think the other thing to
add onto it, Michael, was saying, is that the Bank Secrecy Act only applies to a finite set
of what are known as financial institutions. They're a special set of intermediaries that we think
of in the TradFi world. So banks and broker dealers and casinos and all sorts of those types of
entities that really have the ability to control value or otherwise, you know, take in or have
custody of user funds, although it's not only based on custody. And so it's the type of institutions
that can take on these very high level, very costly types of requirements that come under the BSA.
I think the other part that we call out in the paper is that the BSA does not have a concept of know your customer or KYC.
And we're all really focused on that when we talk about AML at the crypto world and where's the KYC going to be and our front end's going to KYC and those kinds of things.
And I think we wanted to make clear that that is one way that financial institutions implement the requirements under the BSA.
but it is not sort of part and parcel of doing any money laundering and sanctions in the United States.
And so you outline also some of the main risks in DFI that you think need to be accounted for.
So why don't we just discuss those and then we can dive into like the meat of the proposal?
The reason that we wanted to dive into what where the risks are is because the risks of illicit finance in the DFI world are very different where from where the risks come.
from in the TradFi world. So as Michael's saying earlier, there's a siloing of information
and sort of these honeypots of data. And then there's also subjective judgment that goes into
setting up these financial institutions and systems. And so that's where a lot of the bad acts
can happen and take place. But that's very different in the defy world. We lay out three primary
vectors of illicit finance risk. One is cyber risk, right? Where either the code has been programmed
improperly or not audited correctly, and one where there's a loophole that was not expected,
the protocols otherwise functioning as intended, but some bad actor figured out a way to hack or exploit
the protocol. The second type is what we call system management risk. It's where you say something's
decentralized, but everyone's holding all of the admin keys or something like that. It happens a lot
in Web 2, the system management risk. It's for things like where you're able to,
exploit one person who has control over the system or some facet of the system to otherwise
engage in illicit financial activity, things like social engineering and the like. Again,
happens a lot in the Web 2 world. And the last part is what we call usage risk. And it's more
what I think regulators really identify as using different types of Defi protocols to engage in
the same type of structuring, layering, and some integration activity that they see in tradembourg.
So breaking up your transactions from, you know, a hacker and exploit into lots of different wallets and moving them around.
So it's very hard to trace the money.
We're using privacy preserving technology to make it harder to trace where the illicit funds go and things like that.
So those are the three primary sources of risk, but very different than where you see them in that triadfai institutions or the Tradfi world.
So now let's talk about the meat of your proposal, which begins with the term you introduce called independent control.
What is that?
And how do you determine whether a blockchain system has?
has that. This proposal really isn't about blockchain systems or front ends. It's really just about
looking at the protocol layer and defy in particular. So it's not really meant to hit anything else.
But the independent control concept comes a little bit because I think we've heard from regulators
and even from people in industry like, well, you say it's decentralized, but it's not really.
We've seen even enforcement actions calling, you know, decentralized and name only. And so I really
think that Michael and I wanted to get at something where we could say, okay, well, is, what's the
litmus test for where we may be able to think about regulation? And as part of our larger
literature review of what else is out there on DFI, including things that were put out by regulators,
there's this great academic article by Katrin Schuller and Anne Sophie Clutes and Fabian Schar,
all of whom are academics and have worked in a space for a long time, where they talk, it's called
on defy and on chain C-Pi.
And so they really find this way to distinguish between, you know,
decentralized protocol systems that may have a control person.
They don't use that term, but some form of control.
And they call this on-chain C-Fi.
So blockchain-based systems that look a little bit like C-Pi.
And then they say they call it genuine D-Fi, which is like neutral infrastructure.
And so we wanted to find a way to really work with those distinctions
because it's a really well-done paper.
And so in order to think about what is on chain C-Pi,
we looked at independent control
about where the value really gets controlled
and ways that you can control people's value in the system.
And that really comes from the 2019 FinCEN guidance
and a lot of what's behind that as well,
which I think Michael can speak to a little bit.
Yeah, so I think part of what we want to do
is with a lot of this was tie back
that even though there's a feeling
at times in the regulatory space, like we need new laws.
We need, this is so new that we need something drastic or we need to massively expand
the way we've defined financial institution to capture far, far more activity than we did before
at the infrastructure level.
Part of this was looking back at the 2019 guidance from FinCEN and saying they've already
spoken to a lot of this, including on the control piece.
So we're not introducing this new concept that it's going to be strange to anybody,
is like creating some major carve out in any way.
In fact, we're largely adopting the way FinCent approached independent control,
which there was total independent control.
And a lot of the way that was presented in the 2019 guidance was we were specifically
trying to carve out from sort of the collateral impact and the reporting requirements
of the BSA, certain, including actually specifically security-related functions
and other operational functions
that really weren't about being a bank
or being control over someone's value
in the sense that you're an intermediary
that passes this value from here to there.
And so the example we gave there
was multi-signature wallets
where any given person in that
may have control in the sense that
if Laura refuses to sign,
use her key,
that can factor into the inability
to move as
in whatever form, but that doesn't mean that you are now suddenly a bank and a financial
institution just because you have some ability to have a measure of control. And so what we said
is you need total independent control in the sense that you can sort of deny that transaction
indefinitely from happening. And the other nuance that we wanted to work in here was the fact
that if you're sort of too orthodox in that, then theoretically AWS, which underpins a lot of
transactions happening ultimately in traditional finance and web two, web three, all of it.
When AWS goes down, they can stop value from moving, like across TradFi and across
defy, all kinds of places. But it doesn't mean that they have total independent control just
because they can stop it in some form. And so part of this was like, let's do this in a way
that creates that sort of, one, a very, it's basically the same test in many ways, but also
addresses the nuance here that we're going for. Yeah, I think the other piece of it is certain of the
legislative proposals that came out, tried to posit new ideas of control, things like, you know,
being able to control the software system as the way to determine whether an entity or a person
should be a financial institution subject to all of these BSA requirements. And I think we really
wanted to ground the idea of control back into what makes an entity a financial institution,
right, which is, as we said earlier, the ability to control a third party's value and why
you'd have to have certain obligations over it. And one thing I noticed was that you said that
even for these on-chain C-Fi systems, that you didn't think that BSA requirement should
automatically attach to people who have control of those systems.
So why not?
I mean, I think it goes to a little bit what Mike was saying before, which is you may be able to control it, but what you're doing may be super limited, right?
So very narrow multi-signature types of powers that are only used a certain time or combined only doing certain things.
You may definitionally fall under the independent control, but what you're doing day to day or the level of your activities may not rise to what financial institutions actually do.
The Schuller article that we rely on for this on-chain C-Fi versus neutral D-Fi distinction does say, you know, on-chain C-Fi is more likely to have regulation.
And I think from a broader sense, we agree with that.
But I don't think it necessarily makes you a financial institution out of the gate if you have control.
Yeah, because just to tag onto that, like, if you go back to the original siloing of information, that just isn't here.
Even on-chain C-Fi, there's an enormous amount of data that's very accessible to law enforcement.
And it's not hidden within a bank that you've got to go to that may or may not keep it.
And also, there are some of these control elements like the multi-sig that we talked about
where it may actually have quite a bit of control in the sense of it's a security override,
you know, when everything, it's like the full break on the train where the whole train stops.
It's like, okay, sure, that is a measure of what might feel like total independent control.
But it's not checking each transaction that's happening.
and in fact they may not have any ability to impact a specific, any one transaction.
It may be literally, we're stopping the chain and forking it, and that every validator
afterwards has to get on board with this new chain.
So we want to acknowledge that sort of nuance, one that one of the problems is missing
that Tradfai has, and the other is that there might be elements of control that feel quite
total, but are really not about value transfer.
And then how do you count for when Dow's have control of such a system or
when oracles are relied on, there's the infamous case of Uki-Dao where the CFTC tried to serve the
Uki-Dao members.
Yeah, the complaints.
So how would you account for that?
Yeah.
So I think that DAOs and oracles and governance tokens holdings and things like that have been
seen as these ability to control or these types of centralization and being really used against
DEPI in a way that I'm not sure actually, at least in the illicit finance or BSA context,
really makes sense. And so we do have a part where we really carve those out to say
independent control is not meant to capture these things because one of the elements in the
independent control test that we lay out is about immediately being able to affect value, right?
And unilaterally being able to do it. And I would say even large governance token holders
or DAO's themselves typically don't have the ability to have such a unilateral and immediate
impact. So there are usually something like a time lock in defy systems, right?
before any changes to the system take place. So even if there's a large governance token holder and
they have an outsized influence in voting, there's likely a 24 to 72 hour time lock before any
changes implemented, which means that I have the ability to move my value out of the system before
anything happens to me. And so I do think we have to take the mechanisms through which all of
these technological systems work into account. And so the language of the independent control test
is very intentional for words like unilateral, immediate, and things like that, because it takes into
account how much, as Michael's really saying, how much control there is over somebody else's
value or not. All right. So now let's move on to the second part of your proposal, where you
have something that you call genuine defy and you want to label it what you call critical infrastructure,
or I think actually that's an existing term. So, you know, explain how you're defining genuine defy
and critical infrastructure.
I think genuine defy is something that really works autonomously.
It doesn't have any sort of form of true independent control
in the way that we're thinking about it.
So I would say maybe even something with a very, very narrow emergency multi-sig,
but otherwise is moving and is, you know, as Michael said,
the security break of all else fails,
you know, would still be in a genuine defy type of definition.
I think that something like uniswap, certainly would be the protocol itself,
would be genuine defy, and really these autonomous systems that are moving forward totally at
user's direction. The critical infrastructure piece, and this is something that Michael is great
at talking about, there is a organization or an agency within the United States that was, I think,
created in the late 1990s maybe. Yeah, late 1990s called the cyber and imprifice.
information security agency or SISA. It sits right now under the Department of Homeland Security
and it oversees 16 sectors of what they call critical infrastructure. I'll let Michael take it
because he's really good at talking about what SISA does. And then how OSIP, which is sort of a
collaborator, but the Office of Cybersecurity and Critical Infrastructure Protection, which is in the
Treasury Department, really fits into this framework as well. Yeah. So as Rebecca was saying and setting up
unreasonable expectations really to explain.
But CISA, so within CISA, there are 16 critical infrastructure sectors.
And it's very widely, but it fits, you know, when you go through them.
There's like a chemical sector.
There's a commercial facility sector.
Communications is one, critical manufacturing, including supply chain.
Dams is its own sector.
And defense industrial base, emergency services.
like if the telephone, if the phone grid goes down, you still need to be able to call ambulances
and there's all sorts of redundancies and resilience based into that, including, by the way,
the way that they have standards for testing these and doing, you know, penetration testing of all
of these, including the energy sector is one.
I won't go through all of them, but one of those.
Transportation is my favorite when you talk about the trains running or not running.
Oh, yeah.
There's a food and agriculture and a train, a train.
a train sector, again, with transportation so that they're testing these things at all times
and making sure that there's communication networks that can transmit very quickly threats and risks.
You need to know that there's a rail issue suddenly so that they don't have backups and things
like that.
So one of the 16 sectors is called the financial services sector for a lot of these, actually,
critical infrastructure sectors, including the financial services, they have information sharing
and analysis centers. And those centers are really what they say, which is it's ways to
share information in extremely real time that's critical to the functioning of this critical
infrastructure. And so they call them ISACs for information sharing and analysis centers.
But the FSISAC for financial services has like 4,600 members of it.
Some are financial institutions and some are not at all financial institutions because it's really about the infrastructure.
And so in order to interface with the FSISAC, which itself is a private sector, it's an entirely private sector organization that's voluntary, the Office of Cybersecurity and Critical Infrastructure Protection at Treasury, because it's the financial services sector, that interfaces with them to provide these sort of alerts.
like there's a law enforcement alert that Lazarus Group is going to attack the backbone of Goldman Sachs.
Ossip would reach out often to the FSISAC to say, we have critical information, let's share this,
people come in, there's no regulatory authority, there's no coercion to this.
When the FSISAC calls, it's everybody's excited to come because they're sharing.
That's certainly interested.
Actually, they're excited to prevent a hack.
They're genuinely excited to come.
I've been in these meetings at Treasury,
and they're pretty happy to come in and be told before it attack happens.
And so they come in, there's information sharing,
there's no, you need to send us a report,
there's no come in and register, there's a pathway.
It's really just, we're here to help you,
and let's have this information exchange.
And that happens really rapidly because you have people connected.
And it might be the chief information security officer at Goldman Sachs or somewhere,
but it also might be somebody in the Comcast network.
It could be someone in the RPC node for traditional finance,
which goes back to the 70s.
So it could be anywhere in there that they're seeing a vulnerability.
So it's not about being defined as a financial institution,
and it's not about sort of a coercive authority or doing KYC on everybody.
And this works extremely well because you have everybody sort of working together.
Yeah, and there was actually a push a few years ago about whether Sessa was going to actually become
a regulator and since it's a pushback and there's congressional testimony on it to say we actually
wouldn't be able to be as effective if people were afraid of us having regulatory teeth.
And to Michael's point, I guess they were saying everyone's super excited to work with us because
we are so collaborative and helpful and we are going to make sure that all of these sectors
sort of keep running at the best of their ability. And so it's a much more collaborative
agency than you necessarily have, or at least certainly than this industry feels like about
how they've experienced times with regulators.
Yeah, and one thing I just add on that is that, so while there isn't a requirement to do reporting, a critical function of the information sharing aspect of the ISAC is that people are sharing threat indication information with each other all the time because that's really how you maintain the resilience and security.
And that's in a loop with OSIP at Treasury as well, who's both getting that threat information and sort of aggregating it across the information,
coming in to create new trends and typologies of threats to get it right back out. So they have
this in much the way that FinCEN in receiving SARS and suspicious activity reports, they aggregate
it from the financial institutions and then they put out alerts and trends and typologies so that
everybody has the information. Basically, the ISAC is doing that with OSIP where they're reporting
this information in. There's no you need to do this or there's a penalty. Like everyone's doing it
because there's alignment, and it's getting those alerts back out to everybody in very much
the same way that FinCEN would.
All right.
So in a moment, we're going to talk about how it would look for genuine defy to be part of
critical infrastructure.
But first, a quick word from the sponsors who make this show possible.
Pocod is the largest layer zero blockchain with over 2,000 developers.
And the anticipated Pocodot 2.0 upgrade will be a massive accelerator for the ecosystem.
Upgrading the infrastructure with eight times higher transaction throughput and twice as
fast block times, perfectly tailored core time for the needs of every protocol, trustless bridges
internally and into Ethereum, Cosmos, Near, and Binance Smart Chain, revised tokenomics, and the
implementation of a token burn to reduce inflation.
Perfect for GameFi and DeFi to build, grow, and scale with one of the most active
crypto communities in the space.
Pocodot recently announced a partnership with mythical games, bringing top games like
NFT rivals with over 650,000 players, and 43 million transactions, to pay.
the way for GameFi and the PogoDOT ecosystem.
Get your Web3 ideas to market fast with economics that work for you.
Think big, build bigger with Pocateod.
Join the community at Pocodot.network slash ecosystem slash community.
Defy just got way easier with VaultCraft,
a blockchain infrastructure for building, deploying,
and monetizing non-custodial yield strategies in a few clicks.
Forget spending months of R&D, capital, and human resources
when you can now instantly launch your crypto fund with VaultCraft on any EVM chain.
From wallets and institutional service providers to Anon DefiDGens,
Volcraft supercharges your crypto assets by enabling instant cross-chain yield strategies
that you can deploy in one minute.
Now anyone can supercharge their crypto portfolios with custom tailored defy strategies.
Join VaultCraft's referral program, unite with the community, and supercharge your crypto.
Details on vaulkraft.io.
Local news is in decline across Canada,
and this is bad news for all of us.
With less local news, noise, rumors, and misinformation fill the void,
and it gets harder to separate truth from fiction.
That's why CBC News is putting more journalists in more places across Canada,
reporting on the ground from where you live,
telling the stories that matter to all of us,
because local news is big news.
Choose news, not noise.
CBC News.
At Medcan, we know that life's greatest moments are built on a foundation of good health,
from the big milestones to the quiet winds.
That's why our annual health assessment offers a physician-led, full-body checkup
that provides a clear picture of your health today,
and may uncover early signs of conditions like heart disease and cancer.
The healthier you means more moments to cherish.
Take control of your well-being and book an assessment today.
Medcan, live well for life.
Visit medcan.com slash moments to get started.
Back to my conversation with Rebecca and Michael.
So in your description, you know, I understand this is like much more collaborative.
It's like a very different kind of, you know, relationship that would exist.
But like I kind of can't picture.
So would there be any actors within these defy systems that would be regulated or like
who is it that the agencies would.
interact with. Yeah, that's a great question. Actually, one I've just got very recently, which is,
that's great. But if you're sawing us that nobody runs this, then who do we call? Right?
When something happens, and I think what, you know, when Michael was talking about, oh, well,
they'd call the C-SO of the big banks that they saw an incoming Lazarus threat, it's just not going to
look like that with critical infrastructure. I think there are a few things that they, that CISA plus
OSEP do, one of which the industry has been calling for in a very widespread way, which is
having cyber standards generally and best practices for cyber. I think there have been some
industry efforts to do that, but I'm not sure we've got it there. I think also cyber audits is
something that OSEP looks at, you know, for financial institutions, but also for the financial
services sector more generally. The information sharing is really important. So I think there's
actually, and we sort of allude to this at the end of the section, some of what Ossif does
has been bubbling up in the industry here and there. This would really turbocharge these
efforts. I think for something like incoming Lazarus threat to, you know, D-Fi Protocol X,
I mean, maybe they'd call the dev code, but then, you know, I think, and Michael can speak to this
maybe a little bit, but a lot of times when law enforcement calls, the answer is, well, there's
nobody here to do anything. Now, I don't think that's always going to be the answer when they're
incoming threat, not just because they're a system control persons or things like that, but really
because there's a lot the industry can do in many different ways that doesn't look like shutting down
a part of your system or doing something like that. I think that because the technology is emerging
and the way the industry works is emerging, there are going to be a lot of new ways that OSIP can work
with it. But I think there are things they could do literally out of the gate today that would be so
effective in defy, especially on preventing things on the cyber risk side. And, you know,
and on the system management risk side.
Okay, but I don't know if you fully answered the question of like who they would call.
So there would be these standards.
Sure, I think it depends.
I think you could call all the auditors in.
I think you could talk to Demco's more generally who are developing this.
I think having standards out there that Debcoes could abide by, right?
Like, I don't think you, I don't think O'SIP always has to call people in.
I think they can also push.
information out. And when you look a lot of what Sysa does, they put out a lot of information
as to these kinds of things that we're talking about, which is why when we really looked at it,
it's not just about calling people. And I know Michael's had that experience and maybe you do that,
right? Like, oh, well, Defi Protocol X is deployed on this L2. So we're going to call all the
dev codes for them and see what's going on. Maybe they can do nothing. Or maybe there is something they
can do, right? Maybe they host a front end that's centralized or something and you may not be
able to do anything. I'm just saying that I think they probably still call them codes, but the answer may
not, for something like genuine DIPI, maybe nothing can happen. But I just don't think that's even
the most important thing that they could do at the outset, more of which is, you know, making sure
that the way the industry operates is at a certain level of protection. And then who determines whether
any of these defyre protocols would rise to that level of being called critical infrastructure?
I mean, that's a great question. I think some of that, as we say in the paper,
still really needs to be examined because I don't think, you know, brand new defyce protocol
XYZ that has very little and total value locked may necessarily rise to that level, but I do
think that there are other longstanding very well regarded and well tested devisexed.
protocols that do underpin much of the industry that, you know, it seems unlikely that they've
necessarily qualified to date, but some of them could if there's really interest in bringing
defy, you know, within the arms of where we are today.
Yeah, and just, I mean, a lot of this really tracks with the 16 critical infrastructure sectors
and the ISACs that you would have for those. Like, even within the transportation sector,
there might be a local light rail that's probably not a member of the ISAC necessarily
or considered like the piece member of the critical infrastructure.
But rails themselves might and Amtrak is and other certain,
there's certain thresholds that you would reach that like, okay, now you're really
part of the critical infrastructure and you really might be part of the ISAC.
And so I think there's a pretty natural analog to this across the other critical infrastructure
sectors that would probably tie into the way the ISAC is populated in the way that like the
FSISAC is 4,600 members and some are different levels of technology versus actual financial
institutions. And not everybody that just has a thing that has something financial is going to be
a member of that. There's an element of threshold to that, even if it's, even if some of that is sort of
just amongst the members and deciding that and working with OSIP around that. And so I think I see, my
assumption in some level, as Rebecca and I were thinking through this, is there would be
certainly thresholds, as Rebecca described, and some of that would be pretty organic in that early
protocols that, that, you know, it might be open source contributors from all over, but it's
pretty clear that this is very early. They're just out of a test net or whatever versus like the uniswap
protocol where regardless of who it is, there's enough going on that somebody is in the community
in whatever form is likely to say,
I would love to be part of a crypto-isac
and get this information
and love to be there getting
an alert before Lazarus attacks
so that we can fix a bug or something like that.
All right.
So the last part of your paper
has a suggestion
that there be new laws for businesses
that are used to transmit communications about DFI
such that they are not subject to the bank
Secrecy Act. So talk a little bit about what you think that should look like. Sure. So we call
these critical communications transmitters or CCTs. One of the things that Michael and I went down
a little bit of a rabbit hole on when we were really looking at the history of the Bank
Secrecy Act is that telegraphs were included as financial institutions. And, you know, where
telegraphs have evolved or where technology has evolved, we certainly don't make any part of,
you know, the tech stack FIs.
right now, financial institutions. And we really don't, to the extent we can, regularly just
true software. And not that's in the financial services sector, but sort of more widely, I think that
is sort of a more long-term goal. But obviously, the ways that information about transaction
are communicating to blockchain have evolved in many ways, one of which is through these
businesses, which we call RPC node as a service, most people in the industry can call them that,
that I would say the majority of communications actually flow through to blockchain technology.
And one of the hallmarks are critical pieces for us in doing this analysis was that we both
believe, I think, that the base layer needs to remain critically neutral and permissionless.
And so this was really thinking about where you would actually have a very effective regime,
for financial integrity or combating illicit finance.
And if, you know, 80% of transactions go through these RPC nodes as a service, then you
actually have a really interesting gateway or, you know, place to look at whether anything could
be done without really turning them into a financial institution that would have to comply
with the BSA.
They also don't, RPC nodes in the service don't ever take custody.
They don't ever transmit value.
they just transmit communications because RPC stands for remote procedure call, as Michael alluded to,
is just a computer language that allows computer networks to talk to each other,
has been around since the 1970s.
And so this computer language now allows, you know, DFI protocols to speak to blockchains.
And so because so much goes through, you'd be able to do a couple of things.
And, you know, Michael's talked a lot about the transparency blockchains at this point.
and how much they can be used by law enforcement.
But the other way they can be used
is to really gather a lot of information
in a very quick way about wallets.
It doesn't necessarily tag, you know,
you, Laura, or me to a certain wallet,
but it certainly can tag wallets to hacks, other exploits.
And that's a lot of what the blockchain analytics companies
have done with a lot of the on-chain data
is to really look at where are these high-risk wallets.
And they have a number of different pieces of software
that look at that. And I can say, for my own experience, right, when wallets get both when I was in
private practice and even now, when there is an hacker and exploit, you can find out which
wallets are associated with that hacker exploit maybe, you know, very shortly after it. And you can
watch in the, you know, short immediacy after a hack, the initial wallet move it out to 14 or 15
wallet. Do you know the addresses and you can do the online tracing and then really look at where
are these illicit funds or bad actors, what wallets are they associated with? And so,
if they're using RPC notes, which most of them probably are, I haven't talked to them,
but you can run your own, but I'm not quite sure that most, a lot of people actually run their
own RPC nodes, just like not everybody runs their own validator node. Then this is where
you can catch sort of these wallets that have the illicit funds before they ever get to the
blockchain, right? So there are these two concepts in blockchain, liveliness and finality.
And this RPC node is part of the liveliness, right? I'm live bringing.
the transaction through and then the blockchain network is really about the finality.
And so by blocking off these transactions, these communications from high risk wallets,
you'd really be able to block a lot of the more illicit actors from being able to
finalize their transactions on a blockchain network.
And so is that like a concept that has been discussed a lot?
Like I'm not sure how people would feel about wallets being scored on risk and then potentially
blocked based on that. Is that something where, you know, you know what the temperature of the
community is on that? Well, first of all, it's already happening, right? There's a lot of,
there's programs already from the blockchain analytics companies that do this. And I think that some of
the larger players in the space who are already registered as money services business use some of
this technology already. What I do think, if you do need new laws, I think we'd have to figure out
probably through notice comment and rolemaking how you determine what you're saying about
what sort of the risk of the wallet. I don't think we could just go based on whatever, you know,
the blockchain analytics companies decide to date. Some of it may be RBC nodes would have to,
you know, figure out how to do the configurations. But I think you'd still probably need to have
some guidance out there on how to decide what constitutes a high risk wallet. But I think in writing
this, we're really contemplating things like proximity to a hack or tracing.
hacked funds have been traced to you.
Blockchain and alerts companies are doing all of that already anyway.
Yeah, and just to be clear, like, this is not proposing any sort of like social credit
scoring for wallets or something.
This is all very much in the critical infrastructure space.
So much of the sort of risk screening of interactions is happening already, including
in TradFi or in Web 2 at the cyber level.
So, like, AWS itself probably uses Cloudflare.
Like most websites use Cloudflare and other cybersecurity tools and proxy checks and other things that are looking for DDoS attempts and other cyber-related high-risk activity coming at them to sort of attack them.
Much like financial services front end of the Bank of America website is constantly having risk indicators sensing, you know, what's coming at, what bots are coming out of DDoS and things like that.
And so I think it's important to make sure that we're clear that this is very much in the cybersecurity and critical infrastructure world.
There's overlap in there with someone like Lazarus Group that has certain trends in typologies and in the way that they do attacks, some of which might be a classic cloud flare type cyber method that they would detect.
Others, it would come through proxy check because it's a high risk proxy.
And we're not talking about blocking VPNs.
I mean like actual, this is a proxy known as one that Lazarus uses, which bank frontends use,
AWS uses it probably Amazon for their e-commerce.
And I don't think there's a lot of resistance even in Web3 of saying we'd rather not
be D-DAS and take them down by Lazarus as you get farther out into the sort of like
sanctions lists and things like that or whatever.
That's where you need to have a conversation, you know, on the more political ones.
but we're really looking to reach alignment on the critical infrastructure pieces of this.
And like Rebecca said, set thresholds.
This is critical infrastructure.
It's critical infrastructure attacks.
This isn't turning anything into a financial institution by any means.
It's really, we're just trying to say in what a lot of websites themselves in Web 2 do,
this is critical infrastructure as well.
So it's not into the sort of political piece of it.
Yeah, I mean, because like immediately I was thinking,
even if the blockchain analytics providers are already doing this,
then it's a question of, you know, like, which governments are they doing it for?
Or, you know, who's determining what is considered like a risky wallet?
You know, like the situation in the Middle East right now is one of those ones where like
nobody wants to name a or should maybe phrase it the other way.
Like everybody thinks the other side is the bad guys, right?
Yeah.
But I think that's a really important point.
And that's partly what Rebecca mentioned the importance of base layer neutrality and how really central to this that is. And it's really important why we're talking at a cyber critical infrastructure level here that nobody wants to be dedos wherever jurisdiction you're in. That's not about the politics of sanctions in a certain jurisdiction. And so what we're proposing is we say a crawl, walk, run approach. Like there should be, we should be going for the natural alignment of DDoS type Lazarus type Lazarus.
attacks that are very cyber and critical infrastructure.
So there's a really starting at a global consensus-driven foundation.
And this comes up in cloud service providers in Web 2 all the time right now, where there
might be fragmentation of regulation of them across jurisdictions.
And it's a huge problem because it has to be a global internet.
And so what we're saying is in the same way that Web 2 needs to be a global internet, but
there are baseline cybersecurity around dedossing and attacks.
that's where this should start at a very much a crawl that everybody agrees with.
Like you said, Laura, like you can't have this fracturing across jurisdictions. And so keeping it
global, not jurisdictional. Yeah. And just to put another piece on that, I don't think high
risk wallet meat is anything political. I think of it very much like how we think about
illicit finance risk, even in Tradfai, right? Like, are you associated with illicit funds?
Now, maybe your point would be like, well, both sides think there were illicit funds or something like that.
But I think this is very much like, was there an exploit?
And is this wallet, you know, directly involved in this exploit?
Then, you know, it probably has a risk score or something like that.
I really don't think the political part comes into play.
But you're right.
I mean, I think those are things that have to still be worked out.
But as I said, I do think that's sort of that even if FinCEN is given this new authority, I think that there's still.
has to be noticed comment, rulemaking, and regs put out to really actually operationalize it.
That's the next paper Michael's going to write.
With Rebecca.
So let's talk a little bit about how this kind of proposal would apply to something like
a tornado cache.
Obviously, that was probably one of the biggest, you know, debates where this type of regulation,
or not this type, but the traditional regulation bumped up against the crypto world.
So walk us through, you know, what you think that would look like.
So let's talk about the Tornado Cash Protocol on its own in its current iteration.
So I think there were, you know, earlier iterations of the Tornator Cash protocol.
But as it exists today, it has no administrative key.
The Dow can't do anything to it.
Token holders can't make any changes to it.
And it is just a piece of autonomous software that it's going to run.
on Ethereum in perpetuity with little to no changes, you know, in terms of how it works.
That on its own is genuine defy.
Now, I think from what we've learned, there are systems that have been built up on top of or around
tornado cash.
And I think those would have to come under the analysis in the first part is, is there a system
control person?
And if so, what are they doing?
We know there was a system that related to the front end and relays and the torn token.
where they had to stakeweight the governance token in order to be the chosen relayer.
I don't think we've put, while we've put a lot of time into this paper,
I don't think we've put the time into really doing a full analysis of where the additional
part of that system for tornado cash may actually fall under the system control person.
But that's how I see the divide around what happens there, that the protocol itself is really
critical infrastructure.
Then you have to look at whether the system around it has a system control person.
otherwise as facts and circumstances that would make it into a money into a financial institution.
Yeah, I would just add on the Dow piece because we touched on this earlier.
I mean, part of the reason that we included this clarity around the Dow's of not being by default
any sort of controlling element is what you see in the tornado cash space with the Dowell there,
that there's a lot of nuance about a lot of limits on what they could possibly do.
and I think it's also important to tie that back, since you're talking about the tornado cash case,
without getting into the case itself, this is consonant with the way OFAC has approached
unincorporated associations for many, many, many years. It's not new to them. Like, certainly they
designate, you know, dirty banks abroad and things like that, and corporations that are laundering,
but they also have designations against Los Zetas, Sinolaa cartel, Russian organized crime that are not
corporations, but the test for that is not just, it's everybody's got a token or something like that.
You know, it's like you, it's a group of people under a head who are financially and actively,
proactively aligned in achieving a common mission, which is not maybe the token goes up.
I mean, it's like, hey, everybody, let's go out, create a trafficking line and potentially kill
anybody who might squeal on us.
These are extremely aligned, proactive groups that are
accomplishing a very definite mission together.
And having been at OFAC and in fact been part of writing packages for some of those,
it's a pretty substantial legal test to show that when there's not an otherwise clear
membership among people, that there's sufficient alignment of interest that you could
say this person is actually a member of Los Zetas.
it's not that like they were there in the town once and they paid they had to pay somebody off
so they've given money to Los Adas. It's like, no, you're actually a part of it.
But what about how North Korea, you know, laundered a significant amount of money through
tornado cash? Like how would this setup prevent that?
The CCTs would block off the wallets. So they'd never, the transaction to it from tornado cash could
never get executed. The way that you transfer from one wallet.
to another typically requires you to go through the CCTV as well. So this is like this is sort of
part of the effectiveness point, right? Like you can't even get your transaction through unless you're
hosting your RPC down. And I think, you know, people will say like, oh, well, isn't that a flaw in it?
But, you know, just like there are flaws in the way the system works and tried by now. And I think
Michael and I felt very strongly about making clear that both the BSA and the sanctions regime in the
United States is not zero tolerance because it can't be, right? Like it's just it doesn't work like that.
And we can't achieve that no matter how much we all aspire to. And so, you know, I think the CCTs are
the most effective way and almost to immediately start blocking off some of this more illicit activity.
And I, you know, I'd say, well, we don't know everything about the way Lazarus works in crypto.
And Michael may be able to speak to this more. We know a lot. We know what wallets they have.
We know wallet that they've never moved crypto from.
And I think that there's been a lot of work done to identify sort of their movements.
And so even at the outset of a hack, people look at the activity within the first hour, hour and a half and say whether they think it's Lazarus or not.
So this is where the CCTs would work because maybe if they hack some other protocol, then they try to move it to tornado.
They'd never be able to because the CCTs would be blocking it off.
Yeah, and I just add one other piece to that, because Laura, it's a good question in terms of prevention.
Like, I also think part of the prevention, if you have like a crypto ISAC that's having this sort of threat typology information sharing going on, and you have touch points for the, you know, whoever it is, it could be an open source contributor that that is good at fixing code.
If you have this OSIP and F and sort of crypto ISAC setup, then as Lazarus is preparing attacks and there's information.
they're preparing attacks and here's the new attack vector they're going and this is how they're doing it now
because they're constantly evolving and that's something that obviously the national security
system is looking at they would be sharing that with whoever can have any impact whether it's
the ccTs or whoever it is in the ecosystem to do whatever they can do or improving code somewhere
you know that sort of thing so you'd be preventing it in that sense and one other last point is just
you know because i think it's it's it's true like as you mentioned the amount of Lazarus funds that were
that were not prevented in part because maybe there wasn't a crypto iSAC i don't know but um i think
you know that led to the sanctions and and that will play out in the courts how it works but
if if hundreds of millions of dollars going through an entity was the justification to sanction it
no matter what the collateral impact i think it was like 880 million dollars
of Sinaloa and Norto de Valle cartel money went through HSBC.
And it was prosecuted.
It wasn't sanctioned.
And part of the reason it wasn't sanctioned, even though there were sanctions violations,
because both those cartels were sanctioned,
is because the collateral impact on innocent people would just be too much.
And I think that's the balance that is a substantial tension in the tornado cash designation,
in part because there were a lot of innocent people.
In fact, we know that at least 70% of the users were not identified with any illicit activity.
And so I think, however the case comes out, it's just important for us to note that we don't want to jump to this sort of sanctions tool with that kind of collateral impact in the same way that we don't do it with other financial infrastructure.
And just understand the critical communications transmitters, these CCTVs, are they like mostly front ends or no?
They're literally an RPC as a service.
So if you've heard of Infura or alchemy, things like that, they're literally this totally separate thing.
They're not, this, this proposal is really meant to sort of pivot off of this focus on KYCing front ends and turning validators into financial institutions.
I think both of which we think may not be the most effective way to achieve our policy goals for financial integrity in Defi and really think like, where are we going to do something that will be affected?
They're not front ends at all.
And I think there are two parts that, one of which is the substantial amount, right,
that a substantial amount of the communications go through.
The communications don't go through front ends.
They go through, you know, they start at your wallet.
And the front ends may allow you to communicate, but they don't, you don't, the front ends
don't do the communication, the RPC does do.
And so we were very, very intentional and surgical about the CCT definition because we
didn't want to overcapture different parts of the tech stack.
Yeah, and also just to underline, like, we're also not saying the CCTs are financial institutions
in any form.
This fits with the sort of the way we think about AWS now and Microsoft Cloud, Google Cloud,
there's all these services out there that are underpinning that are critical, because if they
go down, it impacts a lot of financial services, but they're not banks, they're not doing KYC
on every transaction that goes through AWS.
or Google Cloud, and they are already using Cloudflare and doing other sort of detection.
And by the way, they're also, they're absolutely sharing information, probably through the
FSISAC because they underpin so much financial infrastructure.
All right. So now that this paper is out, what's next?
You know, how do you get this made into something that applies in the real world?
Well, I think what's next is that, you know, Michael and I were really intentional about seeing this.
as the beginning of a conversation about how to combat elicit in finance in defy.
I don't think we think this is by any means the only proposal that can work.
And I think that we do want to see this as a really collaborative effort to move this forward,
both with industry and with regulators and policymakers in the U.S. for sure.
We've already, in the first three days, gotten great feedback and questions from both industry
and on the policy regulator's side of things
and are just excited to engage in a number of conversations
on both sides, both industry and regulators' policymakers,
and to think about what is next.
I do think we can say that there's a lot of interest
on the hill generally in thinking about AML
and what they can do with crypto.
And so I do think we're going to see more bills coming out,
whether anything incorporates this.
I think this is pretty novel,
and it's different than what's,
the conversation has been to date. So I do think there was going to be some time to socialize it and talk
about it. And Michael, since you, you know, have that background in FinCent and such, like, you know,
what do you feel are the best kind of ways to get this considered seriously? Yeah, thanks, Laura.
I think, I think it's really, like Rebecca said, it's having the conversations. Like, it's a,
it's admittedly a bit dense. But it's a, but part of it was to really create a resource.
a foundation for these conversations.
And so part of it is hopefully going into FinC, Treasury, OFAC, Department of Justice, wherever,
and having these conversations of here's why we said it this way or this is why we see it this way.
And here's why we think that there's actually at a core starting spot,
like a lot of natural alignment on creating accessible and resilient financial infrastructure
that doesn't have to be turning everything into a bank.
All right. Well, thank you so much for explaining your ideas. Where can people learn more about
each of you and your work? I'm on Twitter and LinkedIn. Michael.
I'm on Twitter and not LinkedIn.
And your firm website.
Oh, yeah, we've got websites for, website for Ex-antea and website for Arcturus for sure.
All right. Well, we will put all the links to that in the show notes.
Thank you both so much for coming on unchanged.
Thanks, Laura.
Thanks, Laura. Thanks so much for joining us.
today to learn more about Rebecca and Michael's recently released paper on regulating
defythe check out the show us for this episode. Unchained is produced by me, Laura Shin,
without from Nelson Wong, Matt Pilcherd, Juan Aranovich, Megan Gavis, Shashonk, and Margaret Curia.
Thanks for listening. Unchained is now a part of the Coin Desk Podcast Network. For the latest
in digital assets, check out markets daily five days a week with host Noelle Atchison.
Follow the Coin Desk Podcast Network for some of the best shows in crypto.
Thank you.