Author: Liu Honglin, Xu Yuewen
Last month, Lawyer Honglin attended the Web3 Summit in Bangkok. During the exhibition, I spoke with several entrepreneurs who focus on on-chain DeFi aggregation services, and found that more than one of them seriously misunderstood the relationship between "decentralization" and "legal compliance".
For example, many project teams that provide on-chain yield aggregator services believe that, because their projects run on completely decentralized smart contracts and do not "touch" user assets, there is no need to worry about compliance. Their idea of starting up is therefore simply to register a company in Singapore and get to work, with compliance costs close to zero.
Obviously, these friends have badly misunderstood compliance. I decided to spend the weekend at home writing an article about it, hoping to provide some practical compliance advice and risk prevention guidelines for friends who are planning to start a business in on-chain financial management.
Analysis of industry status and revenue model
The "machine gun pool", that is, the yield aggregator, is one of the classic applications in the DeFi ecosystem; its main job is to help users optimize the return on their assets. Put simply, a machine gun pool is like an automated "financial management robot": users deposit crypto assets into it, and the platform monitors the yields of various DeFi protocols (such as Aave, Compound and Curve) in real time and dynamically adjusts capital allocation as the market changes in order to maximize returns. The name "machine gun pool" is a vivid way of describing its profit-seeking behaviour, but in essence it is "yield aggregation"; it can also be understood as "asset data and a scheduler built in pursuit of maximum returns", a strategy pool that achieves optimal returns through intelligent scheduling.
Users deposit funds (such as BTC, ETH or USDT) into the aggregator platform, which uses them for liquidity mining in third-party DeFi projects. Based on the real-time yield data it monitors, the platform moves the funds to higher-yield DeFi projects, thereby helping investors obtain higher returns.
The machine gun pool platform itself earns revenue in the following ways:
First, there is the management fee: in return for the services it provides, the platform charges a percentage of user income (such as 1%-2%). For this, the platform monitors the relevant data, deploys smart contracts, and manages the funds deposited by users.
In addition, some platforms adopt a performance-sharing model: when a user's return exceeds a certain annualized rate, the platform charges an additional performance fee on the excess (usually 10%-20%).
Finally, there are platform incentives: the platform directs user capital inflows under cooperation agreements and receives incentives or commissions from its partners.
In theory, a machine gun pool runs entirely on on-chain smart contracts: users' funds are always controlled by the smart contract, and the project team has no control over users' crypto assets or private keys. However, if the contract design has flaws, hackers or the project team may be able to use contract permissions to steal user funds. In addition, some centralized "machine gun pool" services require users to deposit funds into a platform account, which gives the platform direct control over user funds; this puts fund security and transparency at risk and is fundamentally different from the decentralized, non-custodial model.
Common compliance misunderstandings among entrepreneurs
1. Technology decentralization ≠ financial security
Many entrepreneurs believe that as long as users' assets are controlled by smart contracts, the project team does not need to be responsible for the security of funds. In fact, the security of the smart contracts directly determines whether the project lives or dies. If a smart contract has vulnerabilities, hackers can steal user funds through reentrancy attacks, access-control flaws and the like, causing financial losses for which the project team cannot be completely exempted from responsibility. Technical security therefore remains crucial even for decentralized projects. The project team must ensure that its smart contracts undergo strict third-party security audits, fix vulnerabilities regularly, and keep the code open source to enhance community trust and transparency. Otherwise, even decentralized technology cannot guarantee the absolute security of user funds.
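The reentrancy flaw mentioned above, as an added example that is not part of the original article: a toy Python model of a pooled vault that pays out before updating its ledger, next to the checks-effects-interactions ordering that closes the gap. The class and function names are hypothetical and the amounts are constructed.

```python
# Added illustration: names are hypothetical, amounts are constructed.
class Vault:
    """Toy pooled vault; a payout invokes the recipient's hook (untrusted code)."""

    def __init__(self, effects_first):
        self.effects_first = effects_first  # True = checks-effects-interactions
        self.ledger = {}                    # account -> amount owed
        self.cash = 0                       # assets the vault actually holds

    def deposit(self, account, amount):
        self.ledger[account] = self.ledger.get(account, 0) + amount
        self.cash += amount

    def withdraw(self, account):
        amount = self.ledger.get(account, 0)
        if amount == 0 or self.cash < amount:   # check
            return
        if self.effects_first:
            self.ledger[account] = 0            # effect BEFORE the external call
        self.cash -= amount
        account.receive(self, amount)           # interaction: recipient code runs
        if not self.effects_first:
            self.ledger[account] = 0            # flawed order: effect AFTER the call

class Account:
    """Recipient whose hook calls withdraw() again `reenter` times."""

    def __init__(self, reenter=0):
        self.reenter = reenter
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if self.reenter > 0:
            self.reenter -= 1
            vault.withdraw(self)

def run(effects_first):
    """Return (paid to the re-entering account, vault cash, amount still owed)."""
    vault = Vault(effects_first)
    saver, caller = Account(), Account(reenter=2)
    vault.deposit(saver, 20)
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.cash, sum(vault.ledger.values())

if __name__ == "__main__":
    print("flawed order:", run(False), "| effects first:", run(True))
```

With the flawed ordering the vault ends up holding less than it still owes the other depositor; with the ledger updated first, the nested call finds a zero balance and pays nothing.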
2. Decentralization ≠ No KYC Required
Many machine gun pool project teams believe that as long as the platform does not hold user assets, it can sidestep anti-money laundering (AML) and know your customer (KYC) requirements. However, regulators worldwide are stepping up their scrutiny of DeFi, especially in the US and EU markets, where projects providing financial services can hardly avoid KYC requirements. Ignoring this may result in huge fines and prosecution.
3. Non-custody ≠ zero liability
"We never touch user funds" is a common explanation from machine gun pool project teams. However, even if the platform does not directly custody user funds, the project team may still face legal liability. If a smart contract has a vulnerability or is attacked and user funds are lost, the project team still has to bear a certain amount of responsibility. The project team must therefore clearly inform users of the risks in the platform interface and user agreement, including potential problems such as market fluctuations and smart contract vulnerabilities. It should also consider offering users additional safeguards, such as insurance or compensation mechanisms, which not only reduce users' losses but also strengthen the platform's reputation and trust.
4. Tax compliance: Don’t think you can stay in the “gray area” forever
Some entrepreneurs believe that because the crypto industry is in a "gray area", tax compliance is not a top priority. In fact, tax authorities in various countries have increased their supervision of the crypto industry, and more and more countries and regions require crypto projects to declare income and revenue. Whether or not a project has cross-border or anonymous transactions, tax compliance is an obligation that cannot be ignored. Failing to declare in time may lead to high fines, interest, or even criminal liability in the future. Entrepreneurs should therefore set up a dedicated tax compliance team to ensure that the platform's operating income, user income, and any cross-border capital flows are declared in a timely and lawful manner. Projects operating across borders should pay special attention to the differences between national tax laws, to avoid violations caused by a lack of understanding of local law.
Mankiw's Compliance Advice
The appeal of on-chain financial management projects lies in innovation and technology, but compliance and security are the cornerstones of a project's long-term development. Decentralization does not mean exemption from liability. Entrepreneurs should pay attention not only to the design of smart contracts, but also be fully prepared on KYC, AML, tax compliance and marketing. Technology may accelerate innovation, but only compliance can take a project further.
I hope this article can provide practical advice for friends who are interested in starting a blockchain financial management business.
1. Strengthening smart contract security: security is not a "one-time investment"
Smart contracts are the core of a machine gun pool project, and their security should be a continuous process rather than a one-time audit. The audit is the starting point; regular security monitoring, vulnerability fixes, and contract updates are just as crucial. This applies especially to core functions such as fund management and profit distribution, where the losses are huge once a contract vulnerability is exploited.
The project team therefore needs to establish a complete contract security system so that its smart contracts are continuously improved as the market changes and technology advances. Open-sourcing the code also lets the community take part in contract review, which improves transparency and strengthens community trust. In addition, if the platform's contract is attacked, the ability to respond and repair quickly is the key to maintaining user trust.
2. Compliance due diligence: Anti-money laundering is important
Don’t count on “decentralization” to avoid regulation. Before launching a project, ask a professional lawyer to conduct compliance due diligence, especially on AML and KYC requirements. Rather than dealing with regulatory investigations after the fact, it is better to plan for compliance early, which avoids not only high fines and legal disputes later but also other potential legal risks. Project teams should work with experienced legal advisors to ensure that they can operate legally under the laws and regulations of different countries and regions.
3. Tax compliance: After-tax income is the real income
Take tax compliance seriously! Ensure that project income and user returns are reported on time. Around the world, tax supervision of cryptocurrencies and DeFi projects has gradually become a focus, and tax authorities have begun to increase their scrutiny of the crypto industry. Ignoring tax compliance may result in huge fines, interest, or even criminal liability, and can affect the long-term development of the project. It is therefore imperative to file tax declarations for project and user income properly, to stay compliant and avoid unforeseen legal burdens on the project.
4. Be cautious in marketing: truthfulness and transparency are the key to long-term success
Advertisements should avoid exaggerating profits and must truthfully reflect the risks and returns of the platform. Short-term traffic is tempting, but long-term user trust is the foundation. Complying with regulations not only avoids regulatory risk but also improves the brand image.
In DeFi projects such as machine gun pools in particular, volatile returns and contract risk are unavoidable. The platform should truthfully present its key data, such as risks, returns and liquidity, and clearly inform users of the possible risks. Compliant marketing not only avoids regulatory penalties but also builds a stable brand image and lays the foundation for the platform's long-term development.