
DeFi Regulation Misconceptions and the Role of Legal Counsel

Decentralized finance (DeFi) is regulated in the United States, and that should be a fairly uncontroversial statement. While laws, rules, and guidance may lack direct references to crypto industry terms like decentralized finance, they do address the activities these applications carry out. Misconceptions about the regulatory status of DeFi have led to numerous enforcement actions in recent years, highlighting the need for developers and companies to understand and comply with existing regulations. This article explores the regulatory landscape for DeFi, debunks common myths, examines recent legal actions, and emphasizes the importance of legal counsel for ensuring compliance.

Misconceptions About DeFi Regulation

Assumptions that DeFi activity isn’t regulated because of supposed decentralization have led to a torrent of regulatory actions in the last two years. From mixer-related arrests to prominent exchanges being sued for lack of registration, services being charged for sanctions violations, deceptive practices, and more, it’s clear that DeFi is very much on the regulatory radar. This all adds up to heavy fines and settlements, making it too costly to continue with the assumption that existing rules do not (or cannot) apply to DeFi.

Every U.S. financial regulator has weighed in with public comments, enforcement actions, and clear warnings. Despite this, there remains a persistent narrative that these decentralized financial services are either unregulated, lightly regulated, or that regulation isn’t clear. If this narrative does not go away, then developers, companies, and DAOs will continue to be fined out of existence in the U.S. until an entirely new regulatory regime is introduced (possible but less likely), or there will be an indirect ban on DeFi due to the industry's stubborn refusal to comply.

Key Regulatory Considerations for DeFi

The basic question all DeFi developers and providers should be asking themselves is where they fall in the regulatory landscape. At a minimum, they should be asking this about their requirements to limit financial criminals' abuse of their services, protect against market manipulation, avoid conflicts of interest, and provide a transparent experience for users. If regulation were discussed this way with developers, they might approach their projects with compliance in mind from the beginning. Instead, developers seem to be taking a build-first, ask-questions-later approach, and in some cases, like Tornado Cash, they avoid asking important questions altogether.

If the list of four asks is turned into a short list of what regulations developers should at least be aware of, then it includes securities and commodities regulations, anti-money laundering and sanctions regulations, unfair-deceptive-abusive-acts-and-practices (UDAAP) regulations, truth in lending & truth in savings, and electronic funds transfer regulations. DeFi developers should be speaking with lawyers at the inception of their project, through the project development, and should be gathering written legal opinions to understand what, when, and how they must comply with these requirements. The nature of what their service does will determine if and with whom the service must register, what internal controls they must have in place, and what disclosures they must make to their users.

Regulatory Actions Against Decentralized Organizations

There have been successful actions by the CFTC, and an upcoming one by the SEC, that make it clear that decentralization as the organizing principle of a service is not sufficient to insulate that service from the regulatory requirements related to what it does. The SEC has issued a Wells Notice (notification of upcoming charges) to Uniswap, a decentralized exchange. While the Wells Notice itself has not been publicized by Uniswap, it can be reasonably assumed that the SEC does not view a decentralized organization as being outside of the scope of its registration requirements when providing a cryptocurrency exchange service. This will have to be further litigated, as Uniswap stated in its public response that it intends to fight this in court.

The CFTC certainly does not view a decentralized organization as out of scope for commodities regulations, and it has a recent decision to back this up. In the case CFTC v. Ooki DAO (formerly d/b/a bZx DAO), an unincorporated association, and in the enforcement action In the Matter of bZeroX, LLC; Tom Bean; and Kyle Kistner, the Commission made clear that offering certain financial products and services still requires registration and compliance with the Commission's rules.

Case Study: CFTC vs. Ooki DAO

The CFTC charged Ooki DAO with several violations, including operating an unregistered trading platform and failing to comply with requirements for derivatives trading. This enforcement action was significant because it directly addressed the assumption that decentralization could shield entities from regulatory obligations. The CFTC’s approach in this case underscores that regulatory compliance is not dependent on the organizational structure of a service but on the nature of its activities and the regulatory framework governing those activities. In other words, Ooki DAO, and others like it, are not just software developers; they're responsible parties providing a regulated service.

In traditional finance, entities offering derivatives and leveraged trading must adhere to stringent regulations to protect investors and ensure market integrity. These regulations are designed to mitigate risks associated with speculative trading and to prevent fraud. The CFTC argued that Ooki DAO, despite being decentralized and not having a traditional corporate structure, facilitated similar financial activities that fall under its regulatory purview. Therefore, Ooki DAO was subject to the same requirements as centralized entities offering comparable services.

The central argument in the case was whether the decentralized nature of Ooki DAO could exempt it from regulatory oversight. The CFTC asserted that the legal responsibilities tied to financial services do not dissipate simply because the service is decentralized. The agency emphasized that the critical factor is not how a service is organized but rather what activities it performs. If those activities fall under regulated categories, then the entity, regardless of its decentralized structure, must comply with the relevant regulations.

The court's decision reinforced this viewpoint, indicating that participation in the governance and operational activities of a decentralized entity can carry legal and regulatory responsibilities. This sets a precedent that DAOs and other decentralized entities cannot escape regulation by dispersing control among their members. The ruling clarified that participants in DAOs who engage in or facilitate activities regulated by the CFTC can be held accountable for compliance with relevant laws and regulations. This principle holds for other regulatory agencies as well – seen in SEC actions related to securities issuance and exchange services, FinCEN actions related to money services businesses and anti-money laundering, and potentially in a CFPB action related to lending and borrowing.

Compliance is Key: The Importance of Legal Counsel

The principle holds the same across agencies – it is the activity that matters, not the means of organization for the service provider. The CFTC vs. Ooki DAO case established a clear precedent that regulatory oversight extends to decentralized entities that perform activities within the scope of financial regulations. If Uniswap goes to court with the SEC, a similar outcome that establishes a precedent for enforcement of securities regulation on decentralized exchanges is likely.

Organizational Structures and Regulatory Scope

The organizational structures of decentralized finance have less to do with whether or not they are within the scope of the broader regulatory landscape in the U.S. than industry participants seem to realize. This is to their detriment, as seen in the case of Tornado Cash and other mixers who have violated the Bank Secrecy Act, administered by FinCEN, and have faced sanctions, arrests, and convictions with lengthy prison sentences.

Financial Services and Money Substitution

If a decentralized financial service creates and distributes value that substitutes for money (and is not chartered as a bank or trust company), then it is in scope for the requirements to register as a money services business and implement an anti-money laundering compliance program. Further, it has licensing and other requirements at the individual state level. Avoiding compliance with these requirements is a federal crime, and violators face more than the fines resulting from ignoring SEC and most CFTC rules.

Regulatory Considerations for Decentralized Services

When a regulator considers how decentralization plays a role in enforcement of their rules, they’re trying to determine who may be liable for services provided by an organization. FinCEN has issued one of the clearer guidance documents for this in 2019 in its publication FIN-2019-G001 Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies. In short, FinCEN directly references “unincorporated organizations” (i.e., decentralized organizations) and clarifies that the Bank Secrecy Act and its implementing rules and regulations do apply to such organizations. They even take this a step further and warn involved parties that they may be subject to additional regulatory frameworks that govern licensing, chartering, safety and soundness, securities, minimum capital and reserve requirements, and consumer and investor protection.

Sufficient Decentralization and Legal Precedents

Entities operating within the DeFi ecosystem must consider the regulatory implications of their activities irrespective of their decentralized nature. There is an often cited and sought-after standard, articulated by a former SEC Director in 2018, that can be referred to as “sufficient decentralization”. When describing this concept, Director William Hinman stated that a digital asset would no longer be a security if a person or group were no longer carrying out essential managerial or entrepreneurial efforts. This was a reference to the Howey Test, and one to two of its four prongs - i.e., a common enterprise and efforts of a promoter or third party. This may have muddled the overall regulatory discussion, as the digital asset industry's frustration over the past two years seems to stem primarily from the SEC, with sufficient decentralization in mind.

The concept does not have precedent outside of the digital asset industry. The only cases where the defendant uses decentralization as a defense to security issuance are SEC v. Kik Interactive in 2020 and SEC v. Ripple Labs more recently. Kik’s Kin token was ruled to be a security, and Ripple’s XRP was ruled to be a security when it was sold to institutional investors. The organizations were held accountable despite claiming they were decentralized in the issuance of their cryptocurrencies - much like the disparate group of Bitcoin developers, who by comparison do not work for an incorporated entity such as Ripple Labs or Kik Interactive.

The Reality of Decentralization and Regulatory Requirements

Decentralization is a peculiarity of the digital asset financial services industry, but it does not create a regulatory vacuum. At best, decentralization describes an unaffiliated group of developers contributing to an open-source project (e.g., Bitcoin); more commonly, it refers to an unincorporated organization that has coordinated efforts and features similar to uncoordinated governance and distributed infrastructure. For U.S. regulators, as long as a person is contributing and making decisions related to the project's existence, then there is a responsible person who should be responding to the regulatory requirements related to that service.

Developers, creators, promoters, or any involved party with a decentralized financial service, must understand that the service is not out of scope for regulation in the U.S. by virtue of decentralization. Regulators and courts have been consistent in noting that it is the service in question that determines whether or not a DeFi service is in scope, and the means of organization are simply how they determine who is the responsible party when it comes to complying with the regulation or facing enforcement due to lack of compliance.

Engaging Legal Counsel from the Start

Numerous court cases, settlements, and unfortunate jail sentences have resulted from the common misunderstanding that decentralization is a get-out-of-regulation-free card. It is not. The best way to understand the requirements is to engage with legal counsel at every step of product development.

Any decentralized financial service must consult with legal counsel at inception and maintain a relationship with legal counsel for the rest of its operating existence. Delaying this until launch could result in enforcement action, or at least cause difficulty with obtaining licensing and registration when the service discloses active use as part of the license application. If this is avoided altogether, then the expectation of a cease-and-desist order or criminal penalty will need to be a part of the project's risk assessment and possibly the last step in its roadmap.


Legal counsel will determine whether or not the product or service is in scope for registration, licensing, or other compliance requirements. They will advise the project how to comply, and set expectations for what this may cost. Importantly, a firm understanding of when and how to comply with the regulatory requirements will better support the longevity of the project than fighting upstream with the assumption that the project is not regulated by virtue of decentralization.

The future of DeFi hinges on its ability to adapt to and comply with regulatory frameworks. By acknowledging and embracing these legal obligations, DeFi projects can ensure their continued operation and growth. Ignoring the regulatory landscape not only jeopardizes individual projects but also threatens the broader acceptance and integration of DeFi within the financial system. Therefore, proactive compliance and ongoing legal consultation are essential for the sustainable development of decentralized finance.