Is DeFi Truly Exempt from MiCA Regulations?

Decentralized Finance (DeFi) operates using distributed ledger technology (DLT) to offer financial services like lending, borrowing, trading, and insurance. The EU's Markets in Crypto-Assets Regulation (MiCA) aims to regulate crypto-asset services, but exempts those that are fully decentralized and lack intermediaries. However, the definition of "fully decentralized" is unclear, creating regulatory ambiguity. This article explores the perspectives of various regulatory bodies, common misconceptions about DeFi, the nuances of decentralization, and the regulatory challenges and implications under MiCA and other frameworks.

Definition of DeFi

Decentralized Finance (DeFi) refers to a financial ecosystem that operates in a decentralized manner, often without the need for central intermediaries, leveraging distributed ledger technologies (DLT) to provide financial services.

BIS’s Perspective on DeFi

According to the Bank for International Settlements (BIS), DeFi is a competitive, contestable, composable, and non-custodial financial ecosystem. It is built on technology that does not require a central organization to function and lacks a traditional safety net. This means that DeFi platforms allow users to engage directly with financial services in a decentralized manner, where control and ownership of assets remain with the users rather than a central entity.

CFTC’s Perspective on DeFi

The Commodity Futures Trading Commission (CFTC) highlights that DeFi is characterized by highly automated financial networks with no single point of failure. These networks do not depend on a single source of information and are not governed by a central authority capable of altering or censoring the data necessary for delivering financial services. 

Common Misconceptions About DeFi

A common misconception is that DeFi products and services are fundamentally different from those in conventional financial markets. In reality, putting technology aspects aside, many DeFi products and services closely mimic or resemble traditional financial market offerings. For instance, DeFi platforms provide lending, borrowing, trading, and insurance services similar to those offered by traditional financial institutions, but they do so using automated protocols.

Lending & Borrowing 

Platforms such as Aave and Compound enable users to lend and borrow crypto assets via smart contracts, automating the process without the need for a traditional bank. In contrast, traditional banks offer loans and credit services, with the bank acting as an intermediary and customers borrowing money at interest. 

Trading 

Decentralized exchanges like Uniswap and SushiSwap facilitate peer-to-peer trading of crypto assets directly from users’ wallets. Conversely, stock exchanges such as the New York Stock Exchange (NYSE) manage the buying and selling of stocks and other securities, typically through brokers. 

Insurance 

Nexus Mutual offers decentralized insurance services, allowing users to pool funds to insure against smart contract failures and other risks. Traditional insurance companies, on the other hand, provide policies to protect against various risks, pooling premiums to cover claims.

Decentralized Finance (DeFi) under MiCAR

MiCAR applies to natural and legal persons and certain other undertakings and to the crypto-asset services and activities performed, provided or controlled, directly or indirectly, by them, including when part of such activities or services is performed in a decentralized manner. 

Where crypto-asset services are provided in a fully decentralized manner without any intermediary, MiCAR does not apply. 

What Does “Fully Decentralized” Mean?

When crypto-asset services are provided in a fully decentralized way, without any intermediary, they fall outside the scope of MiCAR. However, EU authorities have not yet provided clear guidance on what constitutes a "decentralized manner." 

The European Securities and Markets Authority (ESMA) acknowledged Recital 22 of MiCAR but also noted that the precise scope of this exemption remains unclear and suggests that each system should be assessed on a case-by-case basis, considering its specific features. ESMA further emphasized that decentralization is not an absolute concept but exists on a spectrum, ranging from centralization to varying degrees of decentralization. There is no definitive threshold that signifies 'full decentralization,' as the degree of decentralization can always vary and evolve.

Decentralization vs. Disintermediation

There is a distinction between decentralization and disintermediation. Decentralization involves the distribution of control and decision-making, whereas disintermediation focuses on the removal of intermediaries. While these concepts are related, they are not identical. In many decentralized systems, disintermediation happens as a side effect because the necessity for central intermediaries diminishes. However, disintermediation is not a prerequisite for decentralization, and this view has been supported by the European Parliament in a post-MiCAR report. 

The MiCAR seems to confuse decentralization and disintermediation by stating that crypto-asset services are only excluded if provided both in a fully decentralized manner and without any intermediary. The removal of intermediaries can be a consequence of decentralization due to the reduced need for centralized infrastructure. Yet, as parts of the financial services value chain become decentralized, re-concentration can occur in different, potentially less regulated and less transparent, areas of the value chain. In practice, many DeFi ecosystems rely on crypto intermediaries that are crucial for the ecosystem's functionality, referred to as Systemically Important Crypto Intermediaries (SICIs). These intermediaries play a vital role in the operation and sustainability of DeFi systems, highlighting that complete disintermediation is not always feasible or desirable.

Regulatory Scope of MiCAR vs. MiFID on Fully Decentralized Models

MiCAR is part of the broader financial regulatory framework in the EU and interacts with other legislation, such as MiFID II. MiCAR expressly excludes from its scope crypto-assets that may qualify as financial instruments under MiFID II. In January 2024, ESMA provided structured yet flexible conditions and criteria to determine whether a crypto-asset can be classified as a financial instrument under MiFID and if crypto-assets meet these criteria, they will fall under existing EU legislation and continue to be regulated by the corresponding framework (MiFID II). 

Therefore, it is important to note that different rules may apply to crypto assets classified as financial instruments under MiFID compared to those falling within the scope of MiCAR. MiCA exempts fully decentralized models from its regulatory scope, which differs from the approach taken by MiFID II. Under MiFID, there is no exemption for fully decentralized crypto-asset services. The primary criterion for determining MiFID's applicability is whether a crypto-asset is classified as a financial instrument.

If a fully decentralized protocol offers custody services or facilitates the trading of crypto assets that qualify as transferable securities, it engages in regulated activities under MiFID. Consequently, such a protocol (operator) must obtain an authorization as an investment firm.

However, because MiCAR does not apply to services provided by fully decentralized protocols, the MiCAR rules for Crypto Asset Service Providers (CASPs) do not extend to these services. Therefore, while MiCA's regulatory framework excludes fully decentralized models, MiFID subjects them to regulatory oversight if they deal with financial instruments. This creates a complex regulatory landscape where fully decentralized protocols might be regulated under MiFID but not under MiCAR, depending on their activities and the nature of the crypto-assets involved.

Decentralized or Centralized?

A key issue in the regulatory debate is defining what it means for a platform to be decentralized. Clear definitions are crucial to determine regulatory scope and responsibilities. However, given that DeFi is a nascent and rapidly evolving ecosystem, defining it in a single, comprehensive way is extremely challenging.

The Illusion of Decentralization

According to the Bank for International Settlements (BIS), there is an "illusion of decentralization" in DeFi because of the inevitable need for centralized governance and the tendency of blockchain consensus mechanisms to concentrate power.

All DeFi platforms possess central governance frameworks that define their strategic and operational priorities. These frameworks usually revolve around holders of "governance tokens" who vote on proposals, similar to corporate shareholders. This centralized element can justify recognizing DeFi platforms as legal entities akin to corporations. Moreover, certain features of DeFi blockchains favor the concentration of decision-making power among large coin-holders, with many blockchains initially allocating a significant portion of coins to insiders, further exacerbating concentration issues.

Key Indicators of Centralization and Decentralization

Decision-making Authority

• Centralized: A central authority makes key decisions about upgrades, security measures, and operational parameters.
• Decentralized: Decision-making is distributed across the community (without concentration of token holders), often through voting mechanisms and decentralized governance structures.
  
  

Ownership and Control of Private Keys

• Centralized: If the platform or a specific entity holds users' private keys, it exercises control over the assets.
• Decentralized: Users hold their own private keys, maintaining control over their assets.
  
  

Concentration of Voting Rights

• Centralized: If a small number of entities or individuals hold a majority of the governance tokens, they can disproportionately influence decisions. For example, if 10% of token holders control 90% of the voting power, the voting system is highly centralized.
• Decentralized: Governance tokens are widely distributed among many participants, ensuring no single entity or small group can easily dominate decisions. For instance, if the top 10 holders control less than 10% of the voting power, it suggests some degree of decentralization.
  
  

Smart Contracts

• Centralized: If the deployment and control of smart contracts are managed by a single entity or a small group, it indicates centralization. For instance, if the smart contract upgrades require approval from a central authority, it limits decentralization.
• Decentralized: Smart contracts operate independently without needing continuous intervention from a central authority. For example, if changes to smart contracts require widespread consensus from token holders, it indicates some degree of decentralization.
  
  

Decentralized Autonomous Organizations (DAOs) as Legal Entities

DAOs, which govern many DeFi projects, describe governance and decision-making by token holders. The founding teams often hope that these "organizations" (referred to as "undertakings" in MiCAR) are decentralized and thus not regulated by MiCAR. While this may be true, in many jurisdictions, legal systems are beginning to adapt where DAOs can be considered legal entities:

United States

• Wyoming has been a pioneer in recognizing DAOs as legal entities. In 2021, Wyoming passed legislation allowing DAOs to be registered as Limited Liability Companies (LLCs), providing a clear legal framework for DAOs to operate within the state.
• Vermont has also introduced legislation that allows blockchain-based LLCs, which can include DAOs, to be recognized legally. This enables DAOs to operate within the legal framework of a traditional LLC.
  
  

Europe

• Switzerland is known for its favorable regulatory environment for blockchain and crypto projects. DAOs can be structured as associations (Verein) under Swiss law, which provides flexibility and is relatively straightforward to establish.
• Germany allows DAOs to potentially be recognized as legal entities if they meet certain criteria, such as pursuing a common purpose among token holders. They can be registered as associations (Vereine) or cooperatives (Genossenschaften), depending on their structure and objectives.

If the legal wrapper classifies the DAO as a legal entity, the project may no longer be considered fully decentralized.

However, assuming a DAO is not structured as a legal entity and lacks a legal wrapper, one must closely examine its governance to determine if it is still partly centralized. DAOs can indicate some level of centralization through the concentration of voting rights, decision-making authority, control over private keys and smart contracts. These factors can impact how decentralized or centralized a DAO truly is.

Spectrum of Decentralization in DeFi

Decentralization is a fundamental principle of DeFi, but it operates on a spectrum. The level of decentralization affects how these platforms are perceived and regulated. According to the CFTC, most DeFi systems are neither completely decentralized nor completely centralized. Instead, they exist on a multi-level spectrum of decentralization, varying across different functional and technical dimensions. This variability poses a challenge in defining what constitutes a "sufficiently decentralized" system, particularly as policymakers aim to ensure accountability in systems that support high-risk activities.

Dimensions of Decentralization

Decentralization in DeFi enterprises, projects, and ecosystems can be evaluated by analyzing five key dimensions: access, development, operations, governance, and finances. The more these dimensions exhibit decentralization, the more likely the system is to be considered decentralized.

Access

• Centralized (Permissionless Network): Access is controlled by a central authority that can grant or revoke user permissions.
• Decentralized (Permissioned Network): Access is open to anyone without needing permission from a central authority.
  
  

Development

• Centralized: Development decisions and updates are made by a central team or entity.
• Decentralized: Development is carried out by a community of contributors, with decisions made through consensus mechanisms.
  
  

Operations

• Centralized: Operational tasks such as maintenance, upgrades, and customer support are managed by a central team.
• Decentralized: Operations are automated through smart contracts, with community members handling support and maintenance.
  
  

Governance

• Centralized: Governance decisions are made by a central authority or a small group with significant control.
• Decentralized: Governance is conducted through a decentralized autonomous organization (DAO) with voting rights distributed among a broad base of token holders.
  
  

Finances (Balance Sheet)

• Centralized: A single, centralized balance sheet is used to raise and deploy capital and provide financial products and services to customers.
• Decentralized: Automated protocols replace centralized financial intermediaries, pooling capital, allocating investments, trading assets, and offering other financial services.
  
  

Mixed Decentralization in DeFi Stacks

Each combination of services on a DeFi platform (referred to as the "DeFi Stack") can be viewed as a distinct, miniature financial ecosystem. Based on the EU Research, some functions of the DeFi Stack may be decentralized, while others remain centralized. For example:

• Governance: The stack may be governed in a decentralized manner, with multiple token holders holding voting rights over technical or financial aspects of the protocol.
• Lending: This function may be provided by a pool of users’ funds, acting collectively like a credit institution, with interactions executed by smart contracts.
• Trading: A single trading intermediary (functionally, an exchange) may organize trading activities.

The substance of decentralization can vary widely, highlighting that while some aspects may be decentralized, others might retain central elements.

Personhood in DeFi and Its Importance for the EU Standards

Tuang Lee Lim, Chair of IOSCO’s Board-Level Fintech Task Force, stated that there is a widespread misconception that DeFi is entirely decentralized and governed solely by autonomous code or smart contracts. In reality, regardless of the DeFi arrangement's operating model, 'responsible persons' can be identified. According to IOSCO, the code that implements a DeFi protocol is created, deployed, operated, and maintained by humans; it does not spontaneously materialize and self-execute. Clearly, the code itself cannot be held liable, but the individuals who create, deploy, operate, and maintain it can.

Personhood in DeFi involves identifying individuals and entities within a decentralized finance arrangement who can be held accountable under regulatory frameworks. These "responsible persons" are those who control or significantly influence the offering of financial products, the provision of services, or engagement in activities. The concept of personhood is crucial as it allows regulators to pinpoint who can be held liable and ensures compliance with legal standards, despite the alleged decentralized nature of these systems. 

MiCAR

Identifying ‘responsible persons’ is vital for enforcing general compliance with MiCAR. If a DeFi platform has centralized elements, such as key individuals controlling smart contracts or making decisions, these persons can be subjected to the same regulatory standards as other crypto asset service providers, including but not limited to authorization requirements. 

Furthermore, EU regulators may seek to require ‘responsible persons’, including providers of DeFi products and services, to identify and, where practicable, address conflicts of interest that adversely impact their users or investors, even if these conflicts do not directly involve the providers. ESMA has highlighted that elements of distributed ledger technology, such as Maximal Extractable Value (MEV), can reveal instances of market abuse and in alignment with IOSCO Recommendations, it is anticipated that EU regulators will hold providers of DeFi products or services accountable for identifying, managing, and mitigating the impact of MEV strategies employed by miners or validators on the underlying blockchain.

AML

Beyond MiCAR, the Financial Action Task Force (FATF) also recommends identifying individuals or entities with control or sufficient influence over DeFi protocols to ensure they adhere to AML/KYC requirements. These ‘responsible persons’ are essential for implementing and maintaining AML/KYC protocols within DeFi ecosystems. FATF believes that in many cases, DeFi arrangements are decentralized in name only and there are persons, entities or centralized elements that may be subject to the FATF requirements as VASPs.

Compliance by Design

Integrating AML/KYC compliance into DeFi systems from the outset is crucial for ensuring regulatory adherence and protecting the crypto ecosystem. Incorporating regulatory considerations at the early stages of development is critical for maintaining market integrity. Engineers and developers need to view policy objectives and specific regulatory obligations as technical requirements and by identifying the most effective and economical applications of controls and security features, they can drive the design and development of solutions that integrate these features early in the life cycle of DeFi systems.

Emerging technologies offer potential solutions to enhance AML/KYC compliance in DeFi:

• Blockchain Analytics: These tools can trace and analyze transactions on the blockchain, helping to identify suspicious activities and potential money laundering attempts.
• Decentralized Identity Solutions: Such systems enable users to verify their identities while preserving privacy. Decentralized identity mechanisms can ensure that KYC requirements are met without relying on a central authority.
  
  

Dynamic Regulatory Compliance

Compliance in DeFi is neither simple nor static; risks and regulatory regimes evolve over time, requiring DeFi projects to adapt continuously. Building dynamic AML compliance into DeFi protocols and systems is essential for adapting to evolving risks and regulatory requirements. As automation grows within DeFi and points for human or organizational intervention diminish, the ability for technical intervention and adaptation must increase. This involves developing mechanisms to update protocols and system components to reflect future regulatory changes, particularly in areas like illicit finance compliance. These updates are crucial for protecting against new vulnerabilities and typologies in the rapidly changing DeFi landscape.

Conclusion

While MiCAR explicitly exempts fully decentralized models from its regulatory scope, the reality is more nuanced. EU authorities, including ESMA, have acknowledged the need for clearer definitions and guidance on what constitutes a "decentralized manner." This lack of clarity creates uncertainty for DeFi operators and raises the possibility that some services may fall within the scope of MiCAR due to their operational structures.

Regulators must provide further clarity to distinguish between "partially decentralized" services, which fall under MiCAR, and "fully decentralized platforms without intermediaries," which are currently exempt. Operators must also critically evaluate their platforms' governance and operational models. Despite claiming to be decentralized, many DeFi platforms exhibit levels of centralization, such as concentrated decision-making power or centralized control over smart contracts, which could subject them to regulation under MiCAR or other frameworks like MiFID.

In summary, while DeFi aims to operate outside traditional regulatory frameworks, its evolving nature and the inherent complexities of decentralization mean that complete exclusion from MiCAR is not guaranteed. Both regulators and DeFi operators must engage in ongoing dialogue and analysis to ensure that regulatory frameworks effectively address the risks and realities of this innovative financial ecosystem. 

Furthermore, DeFi operators should not overlook the importance of AML compliance. As regulations and regulatory expectations evolve, integrating robust AML/KYC measures from the outset will be crucial.