DeFi regulation, i.e., regulation for decentralized finance, is still evolving. Given DeFi’s status as an emerging technology, regulators have not yet offered clear and complete rules and compliance guidelines for platform owners.
Its wider acceptance will depend on whether regulators can establish a viable framework of legal regulation and compliance mechanisms. For now, users must address compliance challenges in an evolving industry by mitigating risk as much as possible, looking to broader fintech trends and blockchain regulation.
Subject-matter experts with decades of experience wrote this analysis, not freelance copywriters, third-party agencies, or AI-based tools. We are global regulatory compliance experts.
DeFi is a rapidly expanding blockchain-based alternative finance system that functions independently of centralized or traditional intermediaries. It facilitates multiple financial operations such as trading, investing, lending, borrowing, etc., effectively and straightforwardly.
DeFi services differ from centralized alternatives because they are run by groups of individuals through decentralized organizations and give users greater control over their activities. So-called smart contracts, embedded code that defines rules for interacting and transacting, automatically execute on the blockchain without further reference or instructions from any third party.
As a result, the technology enables peer-to-peer transactions that disintermediate typical go-betweens, including third parties such as banks and payment systems. Accordingly, it can be hosted and accessed from anywhere via the internet without going through a centralized provider. Although DeFi services mirror conventional financial institutions and banks, they also circumvent the traditional frameworks covered by current regulations.
DeFi Regulation and Compliance Challenges
Today’s scale highlights why gaps in DeFi compliance are opening the door to greater regulation. Total Value Locked, which represents the sum of assets deposited in DeFi, jumped by a factor of more than 12 in 2021 to about $250 billion by year-end, per data provider DeFiLlama.
In addition, monthly global DeFi trading volume reached $147 billion in December 2021, after escalating over 600% in 12 months, according to The Block’s research. Even considering the deep dip in value for many tokens in January 2022, the data represent significant activity.
Given the lack of legal parameters, crypto industry participants must be ready to improvise while the industry awaits codification and direction. Meanwhile, issues around regulation, jurisdiction, transparency, and ownership remain unresolved. Regulators and market participants around the world are still grappling with how to deal with DeFi. Fundamental questions include the following:
No governments have yet enacted specific DeFi regulation to govern crypto compliance, which operates distinctly from traditional fiat finance. At best, virtual asset service providers (VASPs) look to industry frameworks like the recommendations of the Financial Action Task Force (FATF), such as the Travel Rule, which requires parties to a transaction to collect and share identifying personal data. Unfortunately, these standards still carry no force of law and hold out no guarantee that authorities will follow them in DeFi regulations.
Jurisdiction is another murky area. The location and applicable law for cryptoassets are not straightforward to determine. For example, should it be the country or jurisdiction where the asset owner is domiciled, or should it be the physical site of the asset itself, such as the location of the servers where the asset was mined?
Moreover, some cryptoassets, such as security tokens, are tied to geographical locations beyond distributed ledgers. As the International Monetary Fund (IMF) has warned, regulators will need to harmonize their approach to at least some degree to forestall regulatory arbitrage (where markets with “easy” regulatory regimes attract more business but at higher risk).
Furthermore, lack of transparency hinders DeFi compliance. Although blockchains themselves are public, the underlying funding arrangements may be opaque, including options, advisory roles, anti-dilution, and distribution rights. Blockchains do not reveal the identity of traders or owners of smart contracts, leaving individual investors vulnerable to unreliable signals and manipulative trading.
Trading practices called “front-running” can also obscure important information. Miners can position their buy and sell orders ahead of much bigger customer orders to extract profit. Arbitrage bots deployed in blockchain systems, specifically in decentralized exchanges (DEXes), can disguise activity, bidding up transaction fees and exploiting network latency to obtain priority ordering for their transactions.
This lack of transparency can be especially challenging for retail investors who lack the resources to audit smart contracts or monitor market activity closely.
In the context of traditional finance, there is usually an entity and/or individuals providing the service. That intermediary is legally capable of assuming and complying with legal and regulatory requirements. Licensing regimes are built around licensing such entities and/or individuals.
But in the case of a decentralized protocol operating on smart contracts, there may not be an identifiable “person” who is clearly providing the financial services.
If there is a sponsor or promoter for the DeFi platform, they might seem like the more natural party to try to regulate since there is a semblance of coordination. Then again, because DeFi platforms often give governance rights to the investors, post-launch, the sponsor or promoter might not have significant influence over the platform after the initial phase.
Finally, the notion of pseudonymity (i.e., the ability to use a chosen user name rather than a legally given name) ties closely to problems of ownership and responsibility. Although transactions are not fully anonymous, users can trade and interact under pseudonyms that disguise their true identity.
In addition, the legal relationship between users/investors is not always clear. Have individuals entered into direct contractual relationships with each other, and should they be regarded as providing services? If so, how does the regulatory framework have jurisdiction over investors acting through a DeFi platform, and how will regulators enforce any restrictions?
As a result, building compliance processes to support core principles such as anti-money laundering and Know Your Customer (KYC) becomes complicated. Policing fraud, scams, and other malicious acts without knowing user identities raises a significant problem for platforms and operators.
What U.S. Regulators Are Saying (So Far)
Multiple U.S. regulators may end up with jurisdiction over DeFi, including the DOJ, FinCEN, the IRS, the CFTC, the SEC, and certain state authorities. The SEC has typically taken the most aggressive approach. While the CFTC has jurisdiction over digital assets as well, it is not as extensive as that of the SEC over securities. On November 9, 2021, SEC Commissioner Caroline Crenshaw outlined her view of the risks of information asymmetries and the role of the SEC in maintaining a level playing field for all investors.
Crenshaw described how the lack of transparency in cryptoassets affects retail investors in a two-tier market: they lack the resources, such as the means to audit code, to reap institutional-scale returns. “DeFi removes intermediaries that perform important gatekeeping functions,” she noted.
The Commissioner also stressed her commitment to innovation. To that end, she advocated a system that would reduce manipulative conduct, encourage capital flows to promising projects, and advance interconnected markets while maintaining safeguards against shocks and rapid deleveraging.
Regulators’ Plans in Europe
Across the Atlantic, Germany’s regulator BaFin issued clear guidance on cryptoasset regulation in an amendment to the German Banking Act in 2020. The ‘Regulation on Markets in Crypto Assets’ (MiCA) aims to provide harmonization, uniform rules, and new shared standards. The commission’s expectation is that MiCA will be enacted within the next four years, giving cryptocurrency organizations considerable time to prepare for compliance.
MiCA defines service providers more broadly than the FATF does and would apply to those supplying “the provision of one or more cryptoasset services to third parties on a professional basis.” Issuers would be obligated to incorporate as a legal entity and comply with certain marketing and infrastructure requirements. Perhaps most significantly, the proposals could impact one of the biggest innovations of crypto: the ability to raise funds.
Elements of a Compliance Program
Regulators are likely to apply pressure in four major areas of compliance. However, the self-governing nature of DeFi and the anonymity it accords to developers will make it challenging for DeFi platforms to comply with regulatory oversight in these areas. Although the creation of DeFi-first regulatory frameworks might ease the path to regulation without constraining technological innovation, much work remains to be done. At present, participants should analyze the underlying operational, insurance, and cybersecurity risks before entering into a DeFi project and proactively enact risk mitigation strategies.
Customer Due Diligence
Operators and platform owners for crypto services in the U.S. should be ready to demonstrate adherence to compliance disciplines. Right now, in the absence of more explicit DeFi regulation, crypto service providers must resort to precedent and analogy. Crenshaw points out how “digital products and activities have close analogs within the SEC’s jurisdiction.” For example, FinCEN’s Customer Due Diligence Rule (CDD) requires that financial institutions know the beneficial owners of 25% or more of their legal entity customers. A decentralized exchange could theoretically apply an equivalent threshold.
More generally, disclosure is a two-way street, imposing obligations on both DeFi users and platform operators. The former must provide ID information; the latter are obliged to relay those details to regulatory authorities.
DeFi platform owners and operators can often discharge these duties with simple disclosure and acceptance statements, whereby liquidity providers and exchange users provide their names, addresses, birth dates, and government ID numbers. Exchange operators should follow up with periodic or ad hoc reviews of those details.
Know Your Customer (KYC)
Regulators have most keenly focused on Know Your Customer (KYC) and Anti-Money Laundering (AML) controls, which pertain to criminal activity. To satisfy KYC disclosures, they will likely compel decentralized exchanges to provide the ID details noted above, in line with FinCEN rules. Likewise, issuers and lenders of stablecoin, which is pegged to fiat currencies or assets, should follow KYC identifications: country of domicile, political exposure, known AML events, and sources of wealth.
To address AML risks, VASPs will likely take the FATF’s Five Pillars approach, which stipulates:
- Written policies and procedures
- Ongoing training
- Customer due diligence
- Appointing an AML officer
- Independent compliance testing
These stipulations follow the model of any robust compliance program. Maintaining records would help address the dilemma of allowing platform users to disguise their activity through pseudonyms while at the same time using those records to report ID details to regulators. Smart contracts might even embed AML features. Blockchain analysis tools such as Elliptic, Chainalysis, TRM Labs, Coinpath, and many others also support crime monitoring and fraud prevention. Blockchain regulation and compliance will likely require such tools to handle the volume and complexity of this arena.
Finally, the applicability of securities law plays a vital part in DeFi regulation. Selling unregistered securities is itself a crime. But are virtual assets, like Bitcoin and Ether, in fact securities? The SEC has not yet ruled, although two leading cases offer a litmus test. The Howey test defines a security as an investment in a common enterprise, with an expectation of profit derived from managerial or entrepreneurial efforts. The Reves analysis examines buyer and seller motivations, distribution, public expectations, and risk-reducing features.
Conclusion: The Best Approach for DeFi Compliance in Today’s Climate
It is early days in the Wild West of DeFi trading and supporting regulation. Industry innovations will bring a growing range of products to investors (especially in terms of DeFi products involving non-fungible tokens and the growth of the metaverse). However, regulators are still grappling with appropriate compliance controls that will ensure adequate protection for investors and deter criminal activity. Their overarching goals are to maintain a fair and level playing field and provide equal access while fostering sustained innovation for financial instruments and marketplaces.
Where rules are still undetermined, investors and operators must navigate by existing laws, financial industry norms, and emerging frameworks to anticipate the shape of future regulation. Meanwhile, it would be prudent to mitigate risk by following, where possible, the current principles that underlie traditional compliance for fintechs.
Regulators will likely acknowledge good faith efforts to implement the spirit of established legislation. At the same time, they will scrutinize products and processes that appear to circumvent regulatory goals.
InnReg is a team of over 30 Regulatory Compliance and Innovation Consulting experts helping fintechs succeed in highly regulated markets since 2013. InnReg specializes in mitigating regulatory risk while helping clients launch and grow innovative fintech products and services.