CLARITY Act: blockchain security requirements

Executive Summary: What to Do Right Now

The H.R. 4763 "Financial Innovation and Technology for the 21st Century Act" (FIT21), passed by the House of Representatives on May 22, 2024, signals an inevitable tightening of regulation. Regardless of its final version, regulators (SEC, CFTC, FinCEN) are already stepping up enforcement. Ignoring these trends creates direct legal and financial risks.

Key immediate steps:

  1. Conduct a Risk Assessment: Determine if your activities fall under U.S. jurisdiction and assess your current level of compliance with AML/CFT requirements.
  2. Implement Basic Screening: Immediately integrate tools to check addresses against sanctions lists (OFAC SDN List) at both the frontend and backend levels.
  3. Develop Key Policies: Create and approve baseline versions of an AML Policy and Terms of Service, specifying jurisdictional restrictions.
  4. Appoint a Responsible Officer: Officially designate a Compliance Officer, even if they hold dual roles.
  5. Analyze the Degree of Centralization (for DeFi): Evaluate the presence of admin keys, control over the frontend, and revenue-sharing mechanisms to understand potential liability vectors.
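The backend half of step 2 as an added example (not code from the original article): addresses are normalised per chain before lookup so that case differences in hex or bech32 strings cannot cause a missed match, and anything that cannot be normalised is refused rather than passed through. The denylist entries are constructed samples, not real SDN data.

```python
"""Backend screening of wallet addresses against a sanctions denylist.

Assumes the denylist has already been extracted from the OFAC SDN list
into (chain, address) pairs; the entries below are CONSTRUCTED samples.
"""
from dataclasses import dataclass
import re

# Constructed sample denylist. A real deployment loads this from the
# current SDN export and refreshes it on a schedule.
SAMPLE_DENYLIST = {
    ("ETH", "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"),
    ("BTC", "bc1qsampledenyaddr" + "0" * 22),
    ("BTC", "1DenyAddrSamp" + "x" * 15),
}

ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{6,87}$", re.IGNORECASE)
BASE58_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


@dataclass(frozen=True)
class ScreeningResult:
    chain: str
    normalized: str
    blocked: bool
    reason: str


def normalize(chain: str, address: str):
    """Return the canonical form used for comparison, or None if malformed.

    Hex (ETH) and bech32 (BTC) are case-insensitive, so they are lowercased;
    the EIP-55 mixed-case checksum adds no identity, only error detection.
    Base58 is case-sensitive and is kept verbatim.
    """
    addr = address.strip()
    if chain == "ETH":
        return addr.lower() if ETH_RE.match(addr) else None
    if chain == "BTC":
        if BECH32_RE.match(addr):
            return addr.lower()
        if BASE58_RE.match(addr):
            return addr
    return None


def screen_address(chain: str, address: str, denylist=SAMPLE_DENYLIST):
    """Decide whether an address may interact with the service."""
    norm = normalize(chain, address)
    if norm is None:
        # Fail closed: a value that cannot be normalised cannot be compared.
        return ScreeningResult(chain, address, True, "malformed or unsupported address")
    if (chain, norm) in denylist:
        return ScreeningResult(chain, norm, True, "match on sanctions list")
    return ScreeningResult(chain, norm, False, "no match")
```

Because the check runs server-side on every request, a modified frontend that skips its own screening still cannot bypass it.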

1. The FIT21 Bill: Status and Key Provisions

Current Status (as of October 2024): The bill was passed by the House of Representatives on May 22, 2024, and referred to the Senate. Its approval is not guaranteed and may be delayed or significantly modified during political debates, especially in the context of the presidential election. However, its provisions already reflect the stance of regulators.

Key Provisions:

  • Jurisdictional Separation between SEC and CFTC: FIT21 introduces clear criteria for classifying digital assets as "digital commodities" (supervised by the CFTC) or "securities" (supervised by the SEC). The primary criterion is the level of network decentralization.
  • AML/KYC Obligations: The bill codifies the obligation for exchanges, custodians, and brokers to implement full AML programs, including customer identification (KYC), transaction monitoring, and filing Suspicious Activity Reports (SAR) with FinCEN.
  • Sanctions and Penalties: By determining which regulator's jurisdiction an asset falls under, FIT21 makes the existing penalty regimes applicable: securities violations fall under the Exchange Act of 1934, while commodity market manipulation falls under the Commodity Exchange Act.

Separation of Powers: SEC vs. CFTC

Criterion | SEC (Securities and Exchange Commission) | CFTC (Commodity Futures Trading Commission)
Asset Type | Digital assets recognized as securities (e.g., within an ICO where there is an expectation of profit from the efforts of third parties). | Digital assets recognized as commodities that have achieved sufficient decentralization.
Degree of Decentralization | Low. The project is controlled by a single person or an affiliated group of persons owning >20% of tokens or voting power [1]. | High. No single person or related group controls the project; the code is open-source.
Product Examples | Security tokens, blockchain-based investment contracts, early-stage tokens before achieving decentralization. | Bitcoin (BTC), Ethereum (ETH), and other decentralized cryptocurrencies.

Methodology for Assessing Decentralization

The assessment is conducted based on a combination of quantitative and qualitative criteria.

Quantitative Criteria:

  • Token Distribution: The share of tokens held by founders, the team, and investors. Concentration >20% by one group is a sign of centralization.
  • Governance Activity: The number of independent token holders participating in votes.
  • Code Control: The share of repository commits from independent developers.

Qualitative Criteria:

  • Code Openness: The source code of key components must be publicly available and verified.
  • Governance Process: Presence of a formalized and functioning on-chain or off-chain governance system (DAO).
  • Dependence on a Central Entity: Whether a company exists that provides hosting, marketing, and receives the primary income from the protocol.

Calculation Example:
Project Y has 30% of tokens held by the team and 25% by a venture fund. Key code updates are made only by the core team. Conclusion: high degree of centralization; the asset will likely be classified as a security under SEC jurisdiction.
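The >20% criterion applies to a single person or an affiliated group, so holdings split across several wallets of one group must be aggregated before the threshold is applied. The following added example (not the article's own code) does that aggregation and reproduces the Project Y calculation; the wallet shares and group labels are constructed.

```python
"""Affiliated-group token concentration check (added example).

Holdings are shares of total supply in the range 0..1. Addresses not
present in the affiliation map are treated as independent holders.
"""
from collections import defaultdict

# Threshold from the page's methodology (FIT21 Section 2(a)(7)): strictly more
# than 20% held by one person or one affiliated group signals centralization.
CONCENTRATION_THRESHOLD = 0.20

# Constructed Project Y snapshot: the team's 30% is spread over three wallets,
# each individually below the threshold; the venture fund holds 25% in one.
HOLDINGS = {
    "team_a": 0.10, "team_b": 0.10, "team_c": 0.10,
    "fund": 0.25,
    "whale": 0.15,          # independent holder, just under the line
    "retail_pool": 0.30,    # many small holders, not an affiliated group
}
AFFILIATIONS = {"team_a": "team", "team_b": "team", "team_c": "team"}


def aggregate_by_group(holdings, affiliations):
    """Sum shares per affiliated group; unaffiliated addresses stay separate."""
    totals = defaultdict(float)
    for addr, share in holdings.items():
        totals[affiliations.get(addr, addr)] += share
    return dict(totals)


def flag_concentration(holdings, affiliations, threshold=CONCENTRATION_THRESHOLD):
    """Return {group: share} for every group above the threshold."""
    groups = aggregate_by_group(holdings, affiliations)
    return {g: s for g, s in groups.items() if s > threshold}
```

Any non-empty result is the quantitative signal the page describes; the qualitative criteria (code openness, governance process, dependence on a central entity) still have to be assessed separately.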


2. Market Participant Liability: From CEX to DeFi

Centralized Exchanges (CEX) and Custodians

They bear direct responsibility for implementing a full AML/KYC program. The precedent with Binance, fined $4.3 billion in November 2023, demonstrates the scale of consequences for systemic violations.

DeFi Projects

Liability for developers or operators of a DeFi protocol may arise if factors of control or facilitation of illegal activities are present.

Risk Factors:

  1. Centralized Governance: Presence of admin keys or multi-sigs that allow changing smart contract logic or controlling funds.
  2. Infrastructure Control: Management of the frontend interface, domain name, or API servers.
  3. Revenue Generation: Collection of fees directed to the development team.
  4. Active Marketing: Targeted efforts to attract users from the USA.

Legal Precedents:

  • OFAC vs. Tornado Cash (August 2022): The listing of the mixer on the sanctions list and the prosecution of developers showed that creating code for anonymizing transactions can lead to liability. Source: OFAC Press Release.
  • CFTC vs. Ooki DAO (September 2022): The CFTC successfully filed a lawsuit against the DAO as an "unincorporated association," holding its voting members liable. Source: CFTC Press Release.

Recommendations for Minimizing Risks in DeFi

  • Legal Disclaimers: Include clear warnings in the Terms of Service, on the website, and in the README.md on GitHub regarding restrictions on protocol use for persons from sanctioned jurisdictions.
  • Decentralization Roadmap: Publicly document and follow a plan for the gradual transfer of control to the community (DAO) and the phasing out of centralized elements.
  • Renouncing Admin Keys: Upon completion of the active development stage, transfer control over smart contracts to a time-lock contract or a DAO, or burn the keys to technically eliminate the possibility of unilateral interference.

3. Practical Compliance Implementation Plan

This plan combines legal, organizational, and technical measures in a logical sequence.

Compliance Roadmap

Task | Priority | Responsible
Phase 1: Minimum Viable Compliance (Q1)
1.1. Appoint a Chief Compliance Officer (CCO). | High | CEO
1.2. Develop and approve a basic AML Policy. | High | CCO, Legal
1.3. Update Terms of Service with jurisdictional restrictions. | High | Legal
1.4. Integrate software for screening wallets against sanctions lists (OFAC). | High | CTO, CCO
1.5. Conduct a preliminary gap analysis of current processes. | Medium | CCO
Phase 2: Building a Comprehensive System (Year 1)
2.1. Select and integrate a KYC provider for user verification. | High | CTO, CCO
2.2. Implement transaction monitoring software (Chainalysis, Elliptic, etc.). | High | CTO, CCO
2.3. Set up a system for identifying and investigating suspicious activity. | Medium | CCO
2.4. Develop and test an incident response plan. | Medium | CISO, CCO
2.5. Provide AML/CFT training for employees. | Medium | CCO
Phase 3: Advanced Measures and Audits (Ongoing)
3.1. Set up an automated system for filing SAR reports to FinCEN (for CEX). | High | CCO
3.2. Conduct an independent audit of the AML program. | Medium | CEO, CCO
3.3. Implement the decentralization roadmap (for DeFi). | Long-term | CEO, CTO
3.4. Conduct a smart contract security audit with an independent vendor. | High | CTO, CISO

Estimated Budgets and Assumptions

Estimates are based on a project with ~10,000–50,000 active users, operating in EU/US markets, with a moderate level of automation.

  • Phase 1 (MVC): $15,000–$35,000 (software screening licenses, legal consulting for policy development).
  • Phase 2 (Comprehensive System): $50,000–$200,000+ per year (including staff of 1–2 compliance specialists, expanded software licenses).
  • Independent AML Audit: $20,000–$50,000 per review.

4. Key Document and Artifact Templates

Example AML Policy Structure

  1. Introduction and Policy Objectives.
  2. Role and Responsibilities of the Chief Compliance Officer (CCO).
  3. Customer Identification Program (CIP/KYC):
    • Data collection (Full name, DOB, address, ID).
    • Verification procedures (documents, biometrics).
    • Customer Risk Rating assessment.
  4. Transaction Monitoring:
    • Thresholds and "red flags" for identifying suspicious activity.
    • Sanctions screening procedures (OFAC, UN, EU).
  5. Filing Suspicious Activity Reports (SAR).
  6. Recordkeeping: Data storage periods and formats.
  7. Staff Training.
  8. Independent Program Audit.

Example Incident Response Plan Structure

  1. Preparation: Role definition, system inventory, team training.
  2. Identification: Incident detection (alert from monitoring system, user report).
  3. Containment: Isolating affected systems, blocking compromised accounts.
  4. Eradication: Eliminating the root cause of the vulnerability.
  5. Recovery: Restoring systems from backups, post-incident monitoring.
  6. Post-Mortem Analysis: Reviewing the incident, updating policies and procedures.

Smart Contract Audit Requirements Template

  • Automated Analysis: Use of static analysis tools (Slither, Mythril).
  • Manual Code Review: Verification against business logic and identification of vulnerabilities.
  • Vulnerability Testing:
    • Reentrancy.
    • Integer Overflow/Underflow.
    • Incorrect access control (including functions with onlyOwner).
    • Vulnerabilities related to price oracle manipulation.
    • Compliance with standards (ERC-20, ERC-721, etc.).
  • Review of documentation and code comments.
  • Formal report with vulnerability classification by severity.

5. Technical Security Standards

Key Storage

  • Hardware Security Modules (HSM): Use HSMs certified to FIPS 140-2 Level 3 or FIPS 140-3 standards. This ensures physical protection of keys from unauthorized access. It is recommended to deploy a cluster of multiple HSMs in geographically distributed data centers.
  • Multi-signature (Multi-sig): Implement wallets with an m-of-n scheme (e.g., 3-of-5), where signatures from several independent parties are required to authorize a transaction. Develop strict key rotation policies (every 6–12 months) and secure revocation procedures.

Monitoring and Logging

  • Data Collection: Ensure continuous logging of all actions related to key management and transactions. According to FinCEN requirements, data must be stored securely for at least 5 years.
  • Backup: Develop and regularly test procedures for creating and restoring key backups. Backups should be stored in encrypted form in several geographically remote and secure locations.

Key Conclusions and Recommendations

Proactive implementation of compliance procedures is not an option, but a necessary condition for long-term business sustainability.

  • For CEX and Custodians: The primary focus is on building a full AML/CFT program similar to traditional financial institutions. Prepare for licensing and regular audits.
  • For DeFi Protocols: The key task is to minimize legal liability through real decentralization of governance and technical measures to restrict access for sanctioned addresses.
  • For Startups: Implement compliance from day one ("compliance-by-design"). Basic measures, such as address screening and policy development, require minimal costs at the start but significantly reduce risks in the future.

Glossary

  • AML/CFT: Anti-Money Laundering / Combating the Financing of Terrorism.
  • CCO: Chief Compliance Officer.
  • CISO: Chief Information Security Officer.
  • CFTC: Commodity Futures Trading Commission (USA).
  • FinCEN: Financial Crimes Enforcement Network (U.S. Treasury).
  • FIPS 140-2/3: Federal Information Processing Standards—U.S. federal standards for cryptographic modules.
  • FIT21 (H.R. 4763): Financial Innovation and Technology for the 21st Century Act.
  • HSM: Hardware Security Module.
  • OFAC: Office of Foreign Assets Control (U.S. Treasury).
  • SAR: Suspicious Activity Report.
  • SEC: Securities and Exchange Commission (USA).

Footnotes

  [1] The criterion of owning >20% of tokens or voting power is explicitly stated in the definition of a "decentralized system" in Section 2(a)(7) of the FIT21 bill.