The Structural Limits of the AML Paradigm in the Age of Decentralisation: Why the FATF’s Centralised VASP Model Is Doctrinally Outdated
Decentralised networks expose a fundamental mismatch between a gatekeeper-centric AML architecture and blockchain systems designed to minimise or eliminate intermediation.
Anti-money laundering frameworks were designed for a financial system built around hierarchical institutions, identifiable intermediaries, and delegated enforcement. The rise of public blockchains, DeFi, and DAOs fractures these assumptions. This article argues that the FATF’s centralised VASP model is structurally misaligned with strong-form decentralisation and cannot be transplanted onto such systems without distorting their core properties.
Anti-money laundering (AML) frameworks were designed in the late 20th century for a financial system characterised by hierarchy, intermediaries, and identifiable entities capable of serving as compliance gatekeepers. The Financial Action Task Force (FATF), as the global coordinator of AML standards, has built its normative architecture on this foundational assumption: that value flows are mediated by regulated actors who can be supervised, compelled to perform due diligence, and held accountable for compliance failures.
The emergence of decentralised networks—public blockchains, permissionless financial protocols, and decentralised autonomous organisations (DAOs)—exposes the profound fragility of this assumption. Whereas early crypto-assets could be conceptualised as digital currencies facilitated by identifiable intermediaries (e.g., exchanges), the evolution of decentralised finance (DeFi) introduces structures where no single actor exerts definitive control, where governance is distributed, and where transfer of value can occur without recourse to centralised platforms.
In this context, the FATF’s VASP (Virtual Asset Service Provider) model, built on the idea that there must exist a responsible intermediary to whom AML obligations can be attached, appears increasingly inadequate. The present article argues that the AML paradigm is structurally incompatible with decentralisation in its strong form. It explores the doctrinal, technical, and conceptual reasons why centralised gatekeeping mechanisms cannot be transposed onto decentralised environments without distorting their essence or undermining their functional integrity.
I. The Theoretical Architecture of the AML Paradigm: Gatekeepers, Intermediaries, and Identifiability
The standard AML framework rests on three mutually reinforcing pillars: (i) a system of supervised intermediaries, (ii) a model of value transfer based on identifiable counterparties, and (iii) a logic of delegated enforcement whereby institutions, not users, conduct risk mitigation. These assumptions—rarely articulated explicitly—form the doctrinal bedrock of AML systems worldwide.
First, AML relies on the presence of intermediaries embedded in the structure of financial institutions. Banks, money transmitters, payment institutions, and later e-money providers constitute the nodes through which value must transit. These entities are legally incorporated, licensed, and equipped with compliance departments. The financial system is thus conceived not merely as a marketplace but as a network of custodians whose institutional existence serves as a means of regulatory enforcement.
Second, AML presupposes identifiability. Value is not meant to flow anonymously. Institutions must know their customers (KYC), monitor transactions, and report suspicious activity. The legal responsibility for gathering, verifying, and preserving identity data is outsourced to these intermediaries, who employ procedures to ensure compliance.
Third, AML frameworks adopt a model of delegated enforcement. States rely on private institutions to act as extensions of the regulatory apparatus. This model is efficient only because institutions have both the technical capacity and the legal obligation to act as gatekeepers.
This architecture functioned effectively for traditional finance. But it presupposes a world in which value and infrastructure are inseparable from identifiable entities. The rise of decentralised systems breaks this structural symmetry.
II. Decentralisation as a Structural Challenge: Absence of Intermediaries and the Displacement of Control
Decentralisation, particularly in its blockchain-based form, is not simply a shift in technology but a transformation in the architecture of economic coordination. It replaces institutional trust with cryptographic assurance and replaces hierarchical control structures with open, distributed networks. Several features of decentralisation render the AML paradigm structurally inadequate.
1. The absence of a compulsory intermediary
In decentralised systems, value can circulate from user to user without passing through any regulated entity. Unlike the banking system, where each transfer is anchored in institutional custody, decentralised networks allow direct peer-to-peer transactions. Even when users interact with platforms that resemble intermediaries (e.g., decentralised exchanges), the underlying infrastructure does not depend on an identifiable operator. The protocol, rather than a legal person, executes the transaction.
This means that the core premise of AML—that all value must transit through identifiable gatekeepers—is no longer universally valid. AML was designed for a world of mandatory intermediation; DeFi operates in a world of optional intermediation.
2. Displacement of control from institutions to protocols
In decentralised ecosystems, control is exercised not through ownership or corporate governance but through protocol design, consensus mechanisms, and distributed governance tokens. Decision-making is fragmented across thousands of actors. No single entity can unilaterally alter the system or enforce compliance obligations without collective consent.
The FATF model presupposes a responsible “owner/operator.” In decentralised systems, this legal category may not exist in any meaningful sense. Even where there are developers, their role is often limited to initial code creation, with no ongoing operational control. The ability to modify the protocol may be distributed among token holders or may require a decentralised governance vote. Imposing AML obligations on such actors requires an artificial reconstruction of control that contradicts the technical and organisational reality.
3. Pseudonymity and the erosion of identity-based enforcement
Identity in blockchain systems is based on addresses, not persons. While blockchain analysis tools can infer behavioural patterns, they cannot on their own establish verifiable identities. The AML model requires reliable identification at onboarding; decentralised systems eliminate onboarding entirely. Without a natural chokepoint where identity can be captured, the AML logic becomes difficult to apply without intrusive surveillance or architectural redesign.
III. The VASP Concept as a Centralising Mechanism: Doctrinal Ambition and Practical Limits
In its 2019 and subsequent guidance, the FATF introduced the category of Virtual Asset Service Providers (VASPs) as a way to transplant the AML gatekeeping model into the crypto-ecosystem. VASPs are entities “conducting” activities such as exchange, transfer, safekeeping, or issuance of virtual assets. The FATF attempted to extend this category to decentralised environments by stating that an entity may be a VASP even if “some or all” of its activities occur through automated means.
This construction attempts to preserve the AML paradigm by insisting that decentralised systems must have an accountable intermediary. Yet this assumption is doctrinally strained and technically fragile.
1. The artificial reconstruction of intermediation
By insisting on the presence of an operator, the FATF effectively reconstructs centralisation where the technology has deliberately eliminated it. This reconstruction is driven not by the actual governance structure of the protocol but by the regulatory need to identify a compliance counterpart. The FATF model therefore risks imposing legal fictions, attributing control to actors (e.g., developers, front-end operators, governance token holders) who may lack the capacity to fulfil AML obligations.
2. The problem of “sufficient influence”
The FATF introduced the notion that an actor may be considered a VASP if it has “sufficient influence” over a protocol. Yet “influence” is an ambiguous concept. Developers who no longer retain commit access, governance token holders dispersed across thousands of wallets, or DAOs with no legal personality pose substantial difficulties. In effect, the FATF introduces a presumption of accountability that is difficult to substantiate doctrinally and even harder to enforce.
3. The incompatibility between decentralised operability and AML functionalities
Protocol-level decentralisation is designed to ensure censorship resistance and neutrality. Embedding AML compliance—e.g., blocking addresses, performing identity verification—would require altering the architecture of decentralised systems. The FATF’s approach implicitly pressures developers and communities to introduce design features that undermine decentralisation itself, creating a tension between technological integrity and regulatory compliance.
IV. Technical and Practical Barriers to AML Enforcement in Decentralised Systems
Beyond doctrinal inconsistencies, decentralisation presents concrete barriers to AML enforcement that make the VASP model inadequate.
1. Smart contracts lack compliance interfaces
Unlike institutions, smart contracts cannot conduct KYC, verify documents, or make subjective assessments. They can enforce rules deterministically, but compliance requires human judgement, discretion, and data that is exogenous to the blockchain. As long as DeFi protocols operate autonomously, they cannot assume AML responsibilities unless redesigned to include external authentication layers—effectively reintroducing centralisation.
2. Governance is fragmented and dynamic
Even when governance tokens permit modification of a protocol, the holders of such tokens are dispersed, pseudonymous, and often passive. No governance participant can be singled out as a responsible intermediary. Collective decision-making may prevent timely compliance, and coercing a DAO into AML conformity raises unresolved legal questions about jurisdiction, representation, and liability.
3. Cross-border, permissionless composability
DeFi protocols are composable: any user or protocol can interact with them. This characteristic erases territorial boundaries and eliminates traditional licensing prerogatives. AML systems rely on jurisdiction-specific supervision; decentralisation erodes the very concept of jurisdiction. Enforcement is technically possible only at the edges—user devices, web interfaces, fiat on/off ramps—not within the core protocol.
4. The problem of “unhosted wallets”
Unhosted wallets, controlled directly by private keys without intermediaries, constitute a fundamental obstacle to AML enforcement. The FATF recognises this challenge but has no mechanism to impose identification requirements on peer-to-peer transfers. Proposals to regulate wallet software or device manufacturers raise major constitutional, privacy, and practical concerns.
V. Conceptual Consequences: The Collapse of the Intermediary-Centric AML Model
The limitations outlined above reveal a deeper structural problem: AML frameworks are not simply stretched by decentralisation; they are conceptually undermined by it. The AML paradigm presupposes that intermediaries are the natural points of control in financial networks. Decentralisation contests this presumption by distributing or eliminating control.
1. The decoupling of value and intermediaries
AML depends on institutions serving as custodians of user funds and data. Decentralised systems decouple custody from institutions. Value can be held and transferred without any entity being able to observe, stop, or understand the underlying flows. This decoupling is not incidental; it is the primary innovation of blockchain technology.
2. The end of the “chokepoint strategy”
A central strategy of AML enforcement is the creation of regulatory chokepoints: banks, payment institutions, and exchanges that serve as control interfaces. In decentralised systems, chokepoints are either absent or optional, severely reducing the leverage of regulators.
3. The inadequacy of identity-centric regulation
AML requires identification of persons. Decentralisation creates systems where identity is replaced by address-based reputation and cryptographic proofs. Attempting to reintroduce identity not only contradicts the philosophy of these systems but also risks introducing vulnerabilities that undermine security and user autonomy.
VI. Toward a Reconsideration of AML in a Decentralised World
The inadequacy of the VASP paradigm does not imply that AML objectives are unattainable in decentralised systems. Rather, it suggests that a paradigm shift is necessary. Several avenues for rethinking AML in a decentralised context exist, including user-centric attestations, zero-knowledge identity proofs, and protocol-level risk scoring. These innovations indicate that alternative forms of compliance may emerge that do not rely on centralised gatekeepers.
However, such approaches require abandoning the assumption that AML must be institutionalised through identifiable intermediaries. They instead demand a reconceptualisation of compliance as a network property, not an institutional obligation. This shift is profound and requires coordination between regulators, protocol designers, and legal scholars.
Conclusion
The FATF’s VASP framework represents an effort to preserve the traditional AML architecture in the face of technological innovation. Yet its underlying assumptions—intermediary control, identifiability of actors, and delegated corporate enforcement—are fundamentally incompatible with decentralised financial systems. The VASP model attempts to impose a centralised compliance apparatus on environments deliberately engineered to eliminate centralisation. This doctrinal misalignment reveals the structural limits of the AML paradigm when applied to decentralised networks.
As decentralisation deepens, AML strategies must evolve beyond institution-based regulation. Future solutions will likely require a reconceptualisation of compliance mechanisms, embracing cryptographic identity, protocol-native controls, and risk-based network analysis. The challenge for regulators is not merely to adapt existing tools but to rethink the conceptual foundations of AML in a world where intermediation is no longer the defining characteristic of financial systems. Only then can AML frameworks maintain both their effectiveness and their coherence in the age of decentralisation.
Key takeaway. Strong-form decentralisation dissolves the institutional chokepoints on which AML was built. Preserving regulatory objectives will require moving beyond the centralised VASP paradigm toward compliance mechanisms native to open, permissionless networks.