How DeFi platforms are using data from TRM Labs to respond to Tornado Cash sanctions
August 15, 2022
In the wake of the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) levying sanctions on decentralized Ethereum-based cryptocurrency mixing service Tornado Cash on August 8, 2022, DeFi entities have been working to understand how best to mitigate sanctions risk.
Here are some important details on how this process works:
- All U.S. persons and entities, wherever located, must comply with OFAC sanctions. This means that covered DeFi entities must abide by U.S. sanctions, or face significant penalties.
- Because penalties for non-compliance can be severe, many DeFi entities have implemented sanctions compliance programs. Each entity creates its own sanctions program and policies based on its own unique context and risk tolerance.
- Entities that choose to comply with U.S. sanctions law often leverage a third-party data provider, like TRM Labs, to get sanctions risk data on blockchain addresses. In the case of TRM, we do not engage in any blocking of specific addresses and provide our risk data to our customers for use in their compliance programs. Organizations using TRM configure their own settings and risk thresholds to determine which addresses to block or freeze.
- In the instance of Tornado Cash — which allows people to send funds to an address without any involvement by the owner of that wallet — policy decisions that have not caused problems previously (e.g., guidance to block addresses that have transacted with sanctioned addresses) are now causing issues due to “dusting attacks.”
- These circumstances have triggered an urgent need for many DeFi interfaces to review and re-configure their settings and for our team to work closely with our customers to provide additional options for them to better filter transaction data given these new circumstances. In the meantime, many users who have “unintentional” sanctions exposure have been locked out of platforms.
- Due to the unprecedented nature of these sanctions, industry leaders are engaging with public officials to convey the complexity of these issues specific to DeFi platforms, and to understand what legal requirements exist for the treatment of addresses that have inadvertently transacted with sanctioned addresses.
- TRM will continue to partner with industry to improve the effectiveness of sanctions compliance implementation. For instance, TRM introduced “time-bound attribution,” which avoids propagating sanctions risk to addresses that interacted with Tornado Cash prior to the designation.
- Should future guidance require any change in how TRM surfaces data about on-chain sanctions exposure and the industry collectively gains greater clarity on the scope and application of these OFAC sanctions, we will take necessary action to continue providing an accurate dataset that best supports the crypto industry’s ability to operate in compliance with applicable laws and regulations.
How sanctions apply to crypto
In the United States, OFAC administers and enforces economic sanctions against targeted foreign countries, geographic regions, entities, and individuals to further U.S. foreign policy and national security goals. As part of these efforts, OFAC maintains a Specially Designated Nationals (SDN) list that includes designated entities and individuals. Since 2018, OFAC has added 388 blockchain addresses to the SDN list, including 45 recently added addresses associated with Tornado Cash.
Generally, if OFAC places an individual or entity on the SDN list, it means that the person’s assets and/or property in the U.S. can be blocked and that all U.S. persons and/or U.S. entities are prohibited from transacting with the designated party.
The consequences for sanctions violations are severe. OFAC may impose civil penalties for sanctions violations generally based on a strict liability legal standard. This means that a U.S. person or business may be held civilly liable for sanctions violations even without having knowledge or reason to know it was engaging in such a violation. There is, however, a substantially higher standard when it comes to the criminal prosecution of a sanctions violation, in which the government must prove a violation beyond a reasonable doubt.
There are ongoing debates about where DeFi protocols and frontends fit into the regulatory landscape — which is currently shaped around regulated financial institutions — but even so, most legal experts agree that DeFi frontends with any U.S. nexus (broadly defined) must comply with U.S. sanctions laws. The penalties for non-compliance can be severe, so most crypto companies have implemented a sanctions compliance program. Each company creates its own sanctions program and sets its own risk tolerances based on factors like where it is based, the products and services it offers, and ultimately by whom it is regulated.
For crypto companies, this usually includes blocking cryptocurrency addresses that are explicitly listed on OFAC’s SDN list from using their services, as well as blocking IP addresses from sanctioned countries. Companies — both crypto and non-crypto — may choose to put in place additional measures to mitigate sanctions and other legal risk, such as performing KYC, doing diligence on source of funds (e.g., checking whether an address’ funds came from a sanctioned address or from a recent protocol hack), or screening IP addresses against sanctioned countries.
Tornado Cash introduces a new challenge for sanctions compliance
The Tornado Cash designation is the first time OFAC has sanctioned a set of smart contracts on the Ethereum blockchain. A smart contract is basically a software program that is uploaded to a blockchain and that usually anyone can interact with. Smart contracts can be programmed to be ‘immutable,’ which means that they cannot be taken down or updated.
Historically, when an individual person is added to the SDN list — whether in TradFi or crypto — anyone who sends funds to that person or receives funds from that person is typically in violation of sanctions law. This is because, in the vast majority of those cases, it is clear that an individual has intentionally transacted with a sanctioned person or entity.
What makes the Tornado Cash designation challenging from a compliance and enforcement perspective is that any person who deposits funds into Tornado Cash can trigger the Tornado Cash smart contracts to send funds to any other Ethereum address(es). Theoretically, someone could send funds to Tornado Cash and then specify that those funds be deposited into a totally unrelated cryptocurrency address belonging to a random, unsuspecting, or even unwilling person.
In the days following the designation, we saw actors take advantage of this capability — presumably as a protest against OFAC’s novel decision to sanction a smart contract — by sending funds, unsolicited, from Tornado Cash to cryptocurrency addresses associated with high-profile individuals and celebrities.
These so-called “dusting attacks” have surfaced a number of significant questions for crypto companies that are trying to stay in compliance with sanctions law, including:
- Are crypto entities expected to block addresses that have transacted with sanctioned addresses, like Tornado Cash? Even if those addresses are not sanctioned, are crypto companies at risk of sanctions exposure if they interact with addresses that have transacted with Tornado Cash?
- If yes, how should crypto companies treat addresses that have received funds unsolicited from a “dusting attack”? Are crypto companies expected to determine whether sanctions or related exposure is “real” or “unintentional”?
- Are the requirements for “DeFi frontends,” or websites that provide an interface for users to submit transactions to the blockchain, different from the requirements for regulated financial institutions or even hosted websites of web2 companies?
About DeFi frontends
A decentralized finance (“DeFi”) protocol typically refers to one or more smart contracts that together facilitate financial activity on blockchains. Smart contracts are persistent computer programs that run on blockchain networks. Smart contracts are different from traditional computer programs in that they can run on open-source networks and can be used by anyone. Smart contracts are also unique in that they can be installed on blockchains as permanent computer programs that cannot be modified.
Anyone can interact directly with DeFi protocols and other smart contracts on Ethereum with open-source software protocols and libraries like JSON-RPC and web3.js. However, most people use web applications and wallets built by third parties that streamline interacting with DeFi protocols. This is similar to email. While anybody could send an email with the SMTP protocol, most people use a third-party email client like Gmail or Yahoo Mail that wraps the SMTP protocol behind an easy-to-use interface. There may be multiple wallets and websites (“DeFi frontends”) that let people easily connect to a specific DeFi protocol, in the same way that there are multiple popular email clients built on the common SMTP protocol.
DeFi frontends (also known as DeFi interfaces) are often designed to run automatically, with minimal human intervention. They may be serverless, be hosted on peer-to-peer data networks like IPFS, and leverage open-source code.
DeFi frontends are increasingly implementing sanctions compliance
In line with the guidance provided by OFAC, many leading DeFi frontends have implemented sanctions screening to block blockchain addresses included on the SDN list from their websites.
While anyone can manually search OFAC’s website to see if a cryptocurrency address has been sanctioned, many businesses choose to use a third-party data provider that aggregates data from multiple sanctioning bodies (e.g., United States, United Kingdom, United Nations), pairs it with transaction data from public blockchains and delivers it via API. This is what allows platforms to process hundreds of thousands of transactions in a day without causing major delay or disruption to the user experience.
How DeFi frontends are using TRM Wallet Screening for sanctions compliance
TRM Wallet Screening allows organizations to query data about an on-chain address or transaction to detect sanctions or AML risk. When an organization requests data about an address from TRM, it sends only the blockchain address to TRM. No other identifiers are sent to TRM.
The optional data points the requesting organization can derive from TRM’s API include:
- whether an address appears on a sanctions list or is associated with an entity on the sanctions list (“ownership risk”)
- whether an address has transacted with a sanctioned address (“counterparty risk”)
- whether an address has received funds from or sent funds through multiple “hops” to a sanctioned address (“indirect risk”)
TRM customers are able to configure their settings to specify what information they want to retrieve from TRM’s Wallet Screening API.
- A DeFi frontend may choose to query TRM’s API to detect only for “ownership sanctions risk,” or addresses that are themselves sanctioned, and block any addresses that are sanctioned.
- A centralized exchange may choose to query TRM’s API to detect both “ownership sanctions risk” and “counterparty sanctions risk.” Centralized service providers typically query for a larger breadth of risk given additional AML requirements. They also typically retain compliance staff to review risk alerts before mitigation steps are taken.
How TRM is working with industry to define practices for more effective sanctions screening
TRM enables granular configuration by allowing organizations to query data based on numerous parameters:
- Differentiate between multiple types of sanctions exposure, including ownership risk, counterparty risk, and indirect risk
- Customize volume thresholds based on the magnitude of funds transferred
- Filter an address’ counterparty risk to only surface transactions with sanctioned addresses that occurred after the sanctions designation date
Each organization sets its own sanctions policies based on its own context and risk tolerance. Organizations may take different approaches based on where they operate, how they are set up (centralized, decentralized, or somewhere in between), what services they offer, and whether they have additional regulatory requirements such as AML/KYC. Notably, determinations on which addresses and transactions an organization chooses to permit on its platform remain at the sole discretion of the platform itself; TRM cannot block any blockchain address or transaction.
With the advent of “dusting attacks” that propagate counterparty sanctions risk to unwilling addresses, TRM is developing ways to surface additional data points to customers that allow them to distinguish between “real” and “unsolicited” sanctions exposure. However, without clear guidance from regulators on the implications of “dusting attacks,” TRM is unable to dismiss suspected “dusting” transactions without putting its customers at risk, as these customers rely on TRM for factual and complete on-chain data.
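To make the screening model described above concrete, here is an added example (written for this page, not TRM code and not TRM’s API) of a small policy engine that applies the three exposure types (ownership, counterparty, indirect), a volume threshold and time-bound attribution to a constructed transfer graph. It also surfaces an “inbound-only exposure” data point, the pattern an unsolicited transfer from a sanctioned contract produces, for a human reviewer rather than silently dismissing the exposure. All addresses, transaction hashes and amounts are constructed placeholders; the two policy presets mirror the frontend (ownership only) and exchange (ownership plus counterparty and indirect) configurations mentioned in the text.

```python
"""Constructed sanctions-screening policy engine (added example, not TRM code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterator, List, Optional, Tuple

UTC = timezone.utc
DESIGNATION = datetime(2022, 8, 8, tzinfo=UTC)  # Tornado Cash designation date from the text

# Sanctioned address -> designation date. Placeholder addresses, not real SDN entries.
SANCTIONED: Dict[str, datetime] = {"0xMIXER_A": DESIGNATION, "0xMIXER_B": DESIGNATION}


@dataclass(frozen=True)
class Transfer:
    tx: str
    sender: str
    recipient: str
    value_eth: float
    when: datetime


# Constructed sample transfers, one per case discussed in the text.
TRANSFERS: List[Transfer] = [
    Transfer("0xt1", "0xMIXER_A", "0xalice", 0.100, datetime(2022, 8, 10, tzinfo=UTC)),  # unsolicited inbound, post-designation
    Transfer("0xt2", "0xbob", "0xMIXER_A", 1.000, datetime(2022, 7, 1, tzinfo=UTC)),     # deposit made before designation
    Transfer("0xt3", "0xcarol", "0xMIXER_B", 5.000, datetime(2022, 8, 12, tzinfo=UTC)),  # deposit made after designation
    Transfer("0xt4", "0xalice", "0xdave", 2.000, datetime(2022, 8, 11, tzinfo=UTC)),     # dave is two hops from MIXER_A
    Transfer("0xt5", "0xMIXER_B", "0xerin", 0.001, datetime(2022, 8, 9, tzinfo=UTC)),    # inbound dust below a volume threshold
]


@dataclass
class Policy:
    """Per-organization settings: which exposure types to query and how to filter them."""
    check_ownership: bool = True
    check_counterparty: bool = False
    check_indirect: bool = False
    max_hops: int = 2            # only used when check_indirect is set
    min_value_eth: float = 0.0   # volume threshold: smaller transfers are ignored
    time_bound: bool = True      # time-bound attribution: ignore interactions before designation


@dataclass(frozen=True)
class Exposure:
    kind: str        # "ownership" | "counterparty" | "indirect"
    via: str         # the sanctioned address involved
    direction: str   # "self", or fund flow on the edge touching the sanctioned address
    hops: int
    tx: Optional[str]


def _edges(node: str, transfers: List[Transfer], policy: Policy) -> Iterator[Tuple[str, str, Transfer]]:
    """Yield (other_address, direction, transfer) for edges touching node above the volume threshold."""
    for t in transfers:
        if t.value_eth < policy.min_value_eth:
            continue
        if t.sender == node:
            yield t.recipient, "outbound", t
        elif t.recipient == node:
            yield t.sender, "inbound", t


def find_exposures(addr: str, transfers: List[Transfer], policy: Policy,
                   sanctioned: Dict[str, datetime] = SANCTIONED) -> List[Exposure]:
    exposures: List[Exposure] = []
    if policy.check_ownership and addr in sanctioned:
        exposures.append(Exposure("ownership", addr, "self", 0, None))
    if not (policy.check_counterparty or policy.check_indirect):
        return exposures
    # Breadth-first walk outward from addr: hop 1 is counterparty risk, hops >= 2 indirect risk.
    limit = policy.max_hops if policy.check_indirect else 1
    frontier, visited = {addr}, {addr}
    for hop in range(1, limit + 1):
        nxt = set()
        for node in frontier:
            for other, direction, t in _edges(node, transfers, policy):
                if other in visited:
                    continue
                if other in sanctioned:
                    wanted = policy.check_counterparty if hop == 1 else policy.check_indirect
                    in_scope = not policy.time_bound or t.when >= sanctioned[other]
                    if wanted and in_scope:
                        kind = "counterparty" if hop == 1 else "indirect"
                        exposures.append(Exposure(kind, other, direction, hop, t.tx))
                    continue  # never walk through a sanctioned address
                nxt.add(other)
        visited |= nxt
        frontier = nxt
    return exposures


def screen(addr: str, transfers: List[Transfer], policy: Policy,
           sanctioned: Dict[str, datetime] = SANCTIONED) -> dict:
    exposures = find_exposures(addr, transfers, policy, sanctioned)
    if any(e.kind == "ownership" for e in exposures):
        decision = "block"
    elif exposures:
        decision = "review"
    else:
        decision = "allow"
    # Illustrative data point (constructed, not TRM's method): every exposure is an inbound transfer
    # the address never initiated, the pattern a "dusting" transfer produces. Surfaced for review only.
    inbound_only = bool(exposures) and all(e.direction == "inbound" for e in exposures)
    return {"address": addr, "decision": decision, "inbound_only": inbound_only, "exposures": exposures}


if __name__ == "__main__":
    frontend = Policy()  # ownership risk only
    exchange = Policy(check_counterparty=True, check_indirect=True, min_value_eth=0.01)
    for who in ["0xalice", "0xbob", "0xcarol", "0xdave", "0xerin", "0xMIXER_A"]:
        for name, pol in (("frontend", frontend), ("exchange", exchange)):
            r = screen(who, TRANSFERS, pol)
            print(f"{name:8} {who:10} {r['decision']:6} inbound_only={r['inbound_only']!s:5} "
                  f"{[(e.kind, e.hops, e.via) for e in r['exposures']]}")
```

Under the frontend preset every non-sanctioned address is allowed, whereas the exchange preset sends alice (an unsolicited post-designation inbound transfer) and dave (two hops away) to review, lets bob through because his deposit predates the designation, and ignores erin’s dust because it falls below the volume threshold. Turning off `time_bound` brings bob back into scope, which is the behaviour the text describes as causing problems before time-bound attribution existed.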
TRM is committed to building innovative products that ultimately support the growth of the crypto economy — specifically, by enabling crypto companies and platforms to comply with applicable laws and by limiting the ability of threat actors to use crypto for illicit activities like nuclear weapons proliferation, terrorist financing, and hacks that impact the livelihoods of thousands of crypto users. We will continue to work with our customers and leaders across the crypto ecosystem to build a safer financial system.