How should DeFi be regulated? A European approach to decentralization

Published at: Jan. 22, 2022

Decentralized finance, known as DeFi, is a new use of blockchain technology that is growing rapidly, with over $237 billion in value locked up in DeFi projects as of January 2022. Regulators are aware of this phenomenon and are beginning to act to regulate it. In this article, we briefly review the fundamentals and risks of DeFi before presenting the regulatory context.

The fundamentals of DeFi

DeFi is a set of alternative financial systems based on the blockchain that allows for more advanced financial operations than the simple transfer of value, such as currency exchange, lending or borrowing, in a decentralized manner, i.e., directly between peers, without going through a financial intermediary (a centralized exchange, for example).

Schematically, a protocol called a DApp (for decentralized application), such as Uniswap or Aave, is developed in open source code on a public blockchain such as Ethereum. This protocol is powered by smart contracts, i.e., contracts that are executed automatically when certain conditions are met. For example, on the Uniswap DApp, it is possible to exchange money between two cryptocurrencies in the Ethereum ecosystem, thanks to the smart contracts designed to perform this operation automatically.

Users are incentivized to bring in liquidity, as they receive a portion of the transaction fee. As for lending and borrowing, smart contracts allow those who want to lend their funds to make them available to borrowers and borrowers to directly borrow the money made available by guaranteeing the loan with collateral (or not). The exchange and interest rates are determined by supply and demand and arbitrated between the DApps.

The great particularity of DeFi protocols is that there is no centralized institution in charge of verifying and carrying out the transactions. All transactions are performed on the blockchain and are irreversible. Smart contracts replace the intermediary role of centralized financial institutions. The code of DeFi applications is open source, which allows users to verify the protocols, build on them and make copies.

The risks of DeFi

Blockchain gives more power to the individual. But with more power comes more responsibility. The risks DeFi are of several kinds:

Technological risks. DeFi protocols are dependent on the blockchains on which they are built, and blockchains can experience attacks (known as "51% attacks"), bugs and network congestion problems that slow down transactions, making them more costly or even impossible. The DeFi protocols, themselves, are also the target of cyberattacks, such as the exploitation of a protocol-specific bug. Some attacks are at the intersection of technology and finance. These attacks are carried out through "flash loans." These are loans of tokens without collateral that can then be used to influence the price of the tokens and make a profit, before quickly repaying the loan.

Financial risks. The cryptocurrency market is very volatile and a rapid price drop can occur. Liquidity can run out if everyone withdraws their cryptocurrencies from liquidity pools at the same time (a "bank run" scenario). Some malicious developers of DeFi protocols have "back doors" that allow them to appropriate the tokens locked in the smart contracts and thus steal from users (this phenomenon is called "rug-pull").

Regulatory risks. Regulatory risks are even greater because the reach of DeFi is global, peer-to-peer transactions are generally anonymous, and there are no identified intermediaries (most often). As we will see below, two topics are particularly important for the regulator: the fight against money laundering and terrorist financing, on the one hand, and consumer protection, on the other.

The FATF "test": Truly decentralized?

As of Oct. 28, 2021, the Financial Action Task Force (FATF) issued its latest guidance on digital assets. This international organization sought to define rules for identifying responsible actors in DeFi projects by proposing a test to determine whether DeFi operators should be subject to the Virtual Asset Service Provider or "VASP" regime. This regime imposes, among other things, Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) obligations.

The FATF had initially considered, last March, that if the decentralized application (the DApp) is not a VASP, the entities "involved" in the application may be, which is the case when "the entities engage as a business to facilitate or conduct activities" on the DApp.

The new FATF guidance drops the term "facilitate" and instead adopts a more functional "owner/operator" criterion, whereby "creators, owners, and operators ... who retain control or influence" over the DApp may be VASPs even though the project may appear decentralized.

Related: FATF guidance on virtual assets: NFTs win, DeFi loses, rest remains unchanged

FATF, under the new "owner/operator" test, states that indicia of control include exercising control over the project or maintaining an ongoing relationship with users.

The test is this:

Does a person or entity have control over the assets or the protocol itself?Does a person or entity have "a commercial relationship between it and customers, even if exercised through a smart contract"?Does a person or entity profit from the service provided to customers?Are there other indications of an owner/operator?

FATF makes clear that a state must interpret the test broadly. It adds:

"Owners/operators should undertake ML/TF [money laundering and terrorist financing] risk assessments prior to the launch or use of the software or platform and take appropriate measures to manage and mitigate these risks in an ongoing and forward-looking manner.”

The FATF even states that, if there is no "owner/operator," states may require a regulated VASP to be "involved" in DeFi project-related activities… Only if a DeFi project is completely decentralized, i.e., fully automated and outside the control of an owner/operator, is it not a VASP under the latest FATF guidance.

It is regrettable that a principle of neutrality of blockchain networks has not been established, similar to the principle of neutrality of networks and technical intermediaries of the internet (established by the European directive on electronic commerce more than 20 ago).

Indeed, the purely technical developers of DeFi solutions often do not have the physical possibility to perform the checks imposed by the AML/CFT procedures in the design of current DApps. The new FATF guidance will likely require DApp developers to put in Know Your Customer (KYC) portals before users can use the DApps.

Application of security law?

We are all familiar with the legal debate that has become classic when it comes to qualifying a token: Is it a utility token, now subject to the regulation of digital assets (ICOs and VASPs), or is it a security token that is likely to be governed by financial law?

We know that the approach is very different in the United States where the Securities Exchange Commission (by applying the famous "Howey Test") qualifies tokens as securities that would be seen as digital assets in Europe. Their approach is, therefore, more severe, and this will certainly result in more prosecutions of "owners" of DeFi platforms in the U.S. than in Europe.

Thus, if DeFi services do not involve digital assets, but tokenized financial securities as defined by the European Markets in Financial Instruments Directive (MiFID Directive), the rules for investment services providers (ISPs) will have to be applied. In Europe, this will be a rare case as the tokens traded would have to be actual financial securities (company shares, debt or investment fund units).

Related: Collateral damage: DeFi's ticking time bomb

However, national regulations are likely to apply. For example, in France, it will be necessary to determine whether the regulation on intermediaries in various goods (Article L551-1 of the Monetary Code and following) applies to liquidity pools.

Indeed, pools allow clients to acquire rights on intangible assets and put forward a financial return. Theoretically, it would no longer be excluded that the Autorité des marchés financiers (AMF) decides to apply this regime. As a consequence, an information document will have to be approved by the AMF before any marketing.

However, in practice, there is not one person who proposes the investment, but a multitude of users of the DApp who bring their liquidity in a smart contract coded in open source. This brings us back to the test proposed by the FATF: Is there an "owner" of the platform who can be held accountable for compliance with the regulations?

The MiCA regulation

On November 24, the European Council decided its position on the "Regulation on Cryptoasset Markets" (MiCA), before submitting it to the European Parliament. It is expected that this fundamental text for the cryptosphere will be adopted by the end of 2022 (if all goes well...).

The draft EU regulation is based on a centralized approach by identifying a provider responsible for operations for each service, which does not work for a decentralized exchange platform (like Uniswap) or a decentralized stablecoin.

Related: Europe awaits implementation of regulatory framework for crypto assets

We should think about a legal system that takes into account the automated and decentralized nature of systems based on blockchain, so as not to impose obligations on operators who do not have the material possibility of respecting them or who run the risk of hindering innovation by removing the reason for progress: decentralization.

Europe has already shown itself capable of subtle arbitration in matters of technological regulation if we refer in particular to the proposal for a European Union regulation on artificial intelligence. This approach could serve as a source of inspiration.

Regardless of the balance chosen by the regulator, investors should become as informed as possible and pay attention to the technological, financial and compliance risks before undertaking a DeFi transaction.

As for DeFi application developers and service providers in this field, they must remain attentive to regulatory developments and cultivate a culture of transparency in their operations to anticipate regulatory risk as much as possible.

This article was co-authored by Thibault Verbiest and Jérémy Fluxman.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.

The views, thoughts and opinions expressed here are the authors’ alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Thibault Verbiest, an attorney in Paris and Brussels since 1993, is a partner with Metalaw, where he heads the department dedicated to fintech, digital banking and crypto finance. He is the co-author of several books, including the first book on blockchain in French. He acts as an expert with the European Blockchain Observatory and Forum and the World Bank. Thibault is also an entrepreneur, as he co-founded CopyrightCoins and Parabolic Digital. In 2020, he became chairman of the IOUR Foundation, a public utility foundation aimed at promoting the adoption of a new internet, merging TCP/IP and blockchain.
Jérémy Fluxman has been an associate at international law firms in Paris and Luxembourg in the fields of private equity and investment funds, as well as at a Monaco law firm since 2017. He holds a master II in international business law and is currently an associate at the Metalaw firm in Paris, France where he advises on fintech, blockchain and crypto-finance.
Tags
Technology
Blockchain
Regulation
United States
Government
Defi
Europe
Aml
Kyc
European Union
Related Posts
The new episode of crypto regulation: The Empire Strikes Back
The latest news has left the decentralized finance community in a collective fetal position. Responding to the threat of increased regulatory oversight, leading decentralized exchange Uniswap recently restricted the trading of certain tokens. Earlier in July, Dan M. Berkovitz, chairman of the Commodity Futures Trading Commission (CFTC), said that DeFi derivatives platforms might contravene the Commodity Exchange Act (CEA): “Not only do I think that unlicensed DeFi markets for derivative instruments are a bad idea, but I also do not see how they are legal under the CEA.” Most worrisome of all is the initial version of the United States …
Technology / Aug. 27, 2021
3 Common Compliance and Regulatory Pitfalls to Watch for in 2020
Regulations are not going anywhere. On the contrary, financial service providers face more regulatory challenges and higher costs than ever before. During the early days of cryptocurrencies, a “Wild West” culture emerged when regulators, uncertain on how to tackle this thing called blockchain, paid little attention to the thefts, scams and hacks plaguing the virtual-asset market. Today, this is no longer the case. No matter their roots, every virtual asset project from Telegram to Shapeshift to Libra is ramping up compliance while regulators continue to issue guidance, enforce regulations and pay closer attention to digital securities platforms, crypto exchanges and …
Technology / May 30, 2020
From NFTs to CBDCs, crypto must tackle compliance before regulators do
Each year that we get a little further away from Satoshi Nakomoto’s whitepaper, crypto becomes more popular than ever, breaking more barriers — not just in sheer enthusiasm, but in mainstream acceptance. From nonfungible tokens (NFTs) to the Metaverse, 2021 was the year of crypto, even following a decade where just about every other year could make the same claim. Despite that peak enthusiasm and excitement though, we shouldn’t be blind to the fact that there are still fundamental issues that must be solved before crypto truly becomes the dominant “coin of the realm” across the globe, along with the …
Technology / Dec. 11, 2021
Did CBDCs affect the crypto space in 2020, and what’s next in 2021? Experts answer
It is hard to imagine that just two years ago, the general discourse around central bank digital currencies, or CBDCs, was mainly focused on the potential and possibility of issuing them. Even in 2019, the question was about whether we need state-owned cryptocurrencies, with only 70% of central banks worldwide studying the potential of issuing a CBDC, according to a survey published by the Bank for International Settlements at the beginning of 2019. But this year, everything is indeed different. 2020 started with a major event within the financial world: the World Economic Forum in Davos, where the WEF released …
Technology / Dec. 27, 2020
Stablecoins present new dilemmas for regulators as mass adoption looms
Stablecoins present peculiar challenges to regulators. Although there is no single, agreed-upon definition of a stablecoin, the common denominator of the commonly used definitions is that stablecoins are designed to maintain a stable value in relation to a specified currency, asset or pool of such currencies/assets. They are contrasted with regular cryptocurrencies, which have no such stability mechanism and whose values tend to fluctuate, sometimes even substantially. Related: All risk, no gain? The vague definition of stablecoins is causing problems Stablecoins do not denote a uniform category but represent a variety of crypto instruments that can vary significantly in legal, …
Technology / May 9, 2021