
Understanding Regulatory Frameworks for DeFi in the U.S. and Beyond

Decentralized Finance (DeFi) is a fast-evolving and expanding space, but regulating DeFi is still in its early stages and presents challenges. Regulators in the U.S. and other major global jurisdictions have already been working to provide more regulatory clarity in this innovative domain. Let’s take a closer look at how these regulators attempt to approach DeFi and the possible challenges they may be facing along the way.

Defining DeFi

What is Decentralized Finance (DeFi)?

Simply put, DeFi aims to reconstruct centralized/traditional finance and perform similar activities using a decentralized infrastructure. The International Organization of Securities Commissions (IOSCO) defines DeFi as:

“DeFi commonly refers to financial products, services, activities, and arrangements that use distributed ledger or blockchain technologies (DLT), including self-executing code referred to as smart contracts. DeFi aims to operate in a disintermediated and decentralized manner, eliminating some traditional financial intermediaries and centralized institutions, and enabling certain direct investment activities.”

Nevertheless, there is no generally accepted definition of DeFi, even among industry participants, or of what makes a product, service, activity, or arrangement decentralized. Decentralized systems are composed of subsystems; if an essential subsystem is centralized, the system is centralized. However, defining and measuring the level of decentralization proves complex, does not translate easily across different architectures, and needs to be clearly defined.

With respect to the spectrum of decentralization, the U.S. CFTC highlights that “The dimensions of decentralization of DeFi enterprises, projects, and ecosystems can be observed by analyzing five major dimensions: access, development, governance, finances, and operations. The more dimensions of decentralization observed, and the greater the use of technologies designed to achieve decentralization, as well as lesser concentration across the economic functions performed by the application or system, the more likely it is that an enterprise, project, or ecosystem should be viewed as decentralized”.

DeFi Metrics and Growth

Measuring DeFi: Total Value Locked (TVL)

DeFi has seen exponential growth during the past few years. A popular DeFi metric is Total Value Locked (TVL), which measures the amount of capital locked in DeFi applications. According to DeFi Llama, TVL grew 250-fold, from $1 billion (May 31, 2020) to its all-time high of $250 billion (Dec 1, 2021), before falling back to $106 billion (May 24, 2024).

Blockchain Dominance in DeFi

In terms of blockchains, Ethereum dominates with 61% of TVL (May 24, 2024); the top five chains after Ethereum are Tron (8.2%), BSC (5.1%), Solana (4.5%), Arbitrum (2.9%), and Blast (1.8%).

Key Players in U.S. DeFi Regulation

U.S. Regulatory Authorities Overseeing DeFi

In the United States, multiple federal authorities likely have jurisdiction over aspects of DeFi, including the Department of Justice, the Financial Crimes Enforcement Network, the Internal Revenue Service, the Commodity Futures Trading Commission, and the SEC. On top of federal regulators, state authorities likely have jurisdiction over aspects as well.

President Biden’s Executive Order on Digital Assets

President Biden’s Executive Order on Ensuring Responsible Development of Digital Assets, signed in March 2022, is a significant step towards developing a comprehensive federal approach to digital assets. It is also possible that some agencies such as FinCEN will contribute ideas on how to approach DeFi.


Inherent Risks and Regulatory Concerns

Benefits and Risks of DeFi

DeFi has been presented as providing certain benefits: the disintermediation between parties and transactions arguably leads to faster, cheaper, and more efficient execution of transactions. On the flip side, DeFi is also associated with risks which need to be identified and addressed.

Regulatory Concerns and Challenges

In March 2022, IOSCO issued a public report on DeFi and identified some areas of potential regulatory concern (indicative):

  • Illicit activity and fraud risks associated with the 24/7 availability, cross-border, and anonymous nature of DeFi have increased the opportunities for bad actors to engage in exit scams, fraudulent schemes, or illicit activities.
  • Operational and technology-based risks associated with the underpinning DeFi-related blockchain protocol or service, e.g., incentives for validators to remain motivated, forks, attacks, maintaining the internet infrastructure, oracles, smart contracts, etc.
  • Lack of disclosures, which should be in place to help common investors, who usually do not have the technical knowledge to understand some aspects of the technology, make informed and suitable investment decisions.
  • Market integrity risks associated with speculative trading, sometimes involving highly leveraged (up to 100x) strategies, which can exacerbate liquidation risks if they materialize, price manipulation, and conflicts of interest.
  • Nascent stage of development and early-stage challenges associated with blockchain technology, scalability, supportability, and reliability.
  • Cybersecurity risks and attacks, possibly associated with the nascent and permissionless nature of DeFi, protocols, and smart contracts.
  • Governance risks associated with DeFi protocols or smart contracts governance, exercised by selected groups with concentrated voting rights, who may retain ultimate control or even terminate the protocol.


Regulatory Approaches to DeFi

Applying Existing Regulations to DeFi

Although blockchain technology is relatively new, many DeFi offerings and products closely resemble or replicate products and functions in the traditional financial marketplace, providing arguments in favor of an approach to regulate DeFi by applying existing financial regulations.

For example, decentralized applications that enable people to obtain an asset or a loan upon posting a crypto-asset as collateral resemble traditional collateralized loans. The option to stake/deposit a digital asset and receive a return resembles a traditional bank term deposit, etc. The main distinguishing feature is that these services are provided without central intermediaries.

In the U.S., the SEC has utilized the Howey Test* to determine whether a certain crypto-token may be considered a security, thus falling under the Securities and Exchange Commission’s (SEC) existing regulatory framework. Finally, in July 2023, the Financial Stability Board (FSB) finalized its global regulatory framework for crypto-asset activities, which is based on the principle of “same activity, same risk, same regulation”.

Evolving Technology for Better Risk Monitoring

DeFi activities may not change the underlying risks; instead, they may open new ways of supervising these risks. Thus, instead of fitting DeFi into existing regulations, the use of new technologies could evolve alongside that of the financial industry to better monitor risks in financial markets.

In this context, Raphael Auer from the Bank for International Settlements (BIS) has put forward the concept of “Embedded Supervision”, envisioned as a regulatory framework that provides for compliance in decentralized markets. DeFi-based markets should be automatically monitored for compliance purposes by reading the market’s blockchain ledger, which reduces the need for firms to actively collect, verify, and deliver data.

Other aspects include: “Compliance-by-design”, which according to Boston Consulting Group means: “Applying a systematic approach to integrating regulatory requirements into manual and automated tasks and procedures” and “Dynamic Compliance”, which is the ability of a system to adapt to regulatory changes in real time, using advanced technologies such as Artificial Intelligence, machine learning, and blockchain.

Leveraging Regulatory Safe Harbors and Sandboxes

The Bank for International Settlements (BIS) highlighted that over 50 countries have introduced regulatory sandboxes to foster financial innovation. With respect to DeFi, Singapore’s Monetary Authority (MAS), the UK’s Financial Conduct Authority (FCA), and Abu Dhabi’s Global Market (ADGM) are among the global regulators that have been leveraging regulatory sandboxes to include or focus on DeFi projects.

Safe Harbor I and II frameworks are particularly beneficial in new or uncertain legal environments and can apply when specific conditions are met. Although Safe Harbor frameworks for DeFi might not (yet) exist, in April 2021, U.S. SEC’s Commissioner Hester M. Peirce released a statement “Token Safe Harbor Proposal 2.0”, including an updated version of a token safe harbor proposal, originally suggested in Feb 2020. The proposal seeks to provide network developers with a three-year grace period within which, under certain conditions, they can facilitate participation in and the development of a functional or decentralized network, exempted from the SEC’s registration and securities law provisions. Later in Oct 2021, the House Financial Services Committee introduced a Bill, titled “The Clarity for Digital Tokens Act of 2021”, that substantially embodied Commissioner Peirce’s Token Safe Harbor Proposal 2.0.

Specific U.S. Regulations Impacting DeFi

The Bank Secrecy Act and Its Application to DeFi

In the U.S., the Bank Secrecy Act (BSA) essentially imposes obligations on financial institutions, i.e., record keeping, reporting, KYC, and AML programs, to help the U.S. government detect and prevent money laundering.

In April 2023, the U.S. Treasury released its 2023 DeFi Illicit Finance Risk Assessment, which also includes recommendations for U.S. government actions to mitigate the illicit finance risks associated with DeFi services, in accordance with the BSA.

As stated in the corresponding press release: “The primary vulnerability that illicit actors exploit stems from non-compliance by DeFi services with AML/CFT and sanctions obligations. DeFi services engaged in covered activity under the Bank Secrecy Act have AML/CFT obligations regardless of whether the services claim that they currently are or plan to be decentralized. Other vulnerabilities include the potential for some DeFi services to be out of scope for existing AML/CFT obligations, weak or non-existent AML/CFT controls for DeFi services in other jurisdictions, and poor cybersecurity controls by DeFi services, which enable the theft of funds.”

The 2023 DeFi Illicit Finance Risk Assessment can be considered an attempt by the federal government to state that the BSA could apply to many DeFi services. The BSA is basically “activity-based”; thus, anyone engaging in financial services still has those obligations, whether the financial activity is centralized or decentralized. When such obligations are not met, key illicit actors take advantage of vulnerabilities in the domestic U.S. AML/CFT framework to misuse DeFi services, and competent authorities are challenged to detect and prevent such activity. In addition, the assessment recommends taking several actions to address these risks, including:

  • Issuing additional regulatory guidance;
  • Engaging with foreign partners; and
  • Engaging with innovative AML/CFT solutions providers in the DeFi space.


Global Perspectives on DeFi Regulation

International Regulatory Developments and Perspectives

Major regulators in the U.S. and around the world have already been working to provide more regulatory clarity on the DeFi domain. Here are some indicative recent (6-12 months) regulatory developments:

  • Jan 2024: U.S. CFTC released a report on DeFi, which highlights that DeFi presents promising opportunities and complex, significant risks to the U.S. financial system, consumers, and national security. The central message of this report is that both government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi and advance its responsible and compliant development.
  • Oct 2023: The European Central Bank (ECB) published a paper titled “The Future of DAOs in Finance: in Need of Legal Status”. The paper highlights that many DeFi projects are structured in the form of DAOs, and that most countries around the globe do not yet have in place a specific legal regime for DAOs.
  • Sept 2023: IOSCO issued its Policy Recommendations for Decentralized Finance (DeFi), recommending the application of the principle of “same activity, same risk, same regulatory outcome”. Later, in Dec 2023, IOSCO published its final report, outlining nine policy recommendations to address market integrity and investor protection issues in DeFi.
  • July 2023: U.S. Attorney Damian Williams announced the first-ever criminal case involving an attack on a smart contract operated by a decentralized cryptocurrency exchange. This signifies the DOJ’s will to pursue criminal charges when a person intentionally uses a protocol in a way it was not intended to be used.
  • June 2023: A U.S. federal judge ruled in favor of the U.S. CFTC in a civil enforcement action against Ooki DAO, declaring that the DAO is considered a “person” under the Commodity Exchange Act, a concept known as “Personhood”, and therefore can be held liable for violations of the law. Similar arguments about whether a decentralized protocol can be considered a “person” were raised earlier in Aug 2022, when the U.S. Office of Foreign Assets Control (OFAC) sanctioned a mixer called Tornado Cash. Six Ethereum blockchain users challenged OFAC’s designation of Tornado Cash in the Western District of Texas in Sept 2022. The court dismissed the claims later in Sept 2022 and sided with the Treasury, having found Tornado Cash to be a “Person”. While the Tornado Cash sanctions were a U.S. action, they have wider implications, including in the EU, where the conviction of Tornado Cash’s developer in the Netherlands for money laundering gives an indication of what this means for DeFi.
  • June 2023: The Financial Action Task Force (FATF) released its targeted update on the implementation of the crypto-related FATF Standards and highlights that comprehensive DeFi risk assessments are challenging for most jurisdictions, due to the lack of reliable and complete data, and the lack of law enforcement and enforcement cases that include DeFi.
  • June 2023: The European Union’s Markets in Crypto Asset law (MiCA) was published in the Official Journal of the European Union. However, only partially decentralized crypto services are subject to MiCA, while fully decentralized services provided without intermediaries are excluded from its scope.



The Path Forward for DeFi Regulation

Even though Decentralized Finance is a fast-growing and evolving space, DeFi regulatory materials are still in their early stages. Major regulators in the U.S. and around the world are already working to provide more regulatory clarity in this domain, having the option to explore a variety of approaches:

Balancing Innovation with Risk Management

  • Attempt to fit DeFi activities and crypto assets into existing regulations. This is not always straightforward, and many regulators use regulatory sandboxes to understand, experiment with, and explore new products and characteristics that cannot easily fit into existing regulations;
  • Evolve the technology and develop a regulatory framework that relies on the trust-creating mechanism of decentralized markets for regulatory purposes as well; nevertheless, this requires technological know-how, education, and training.

Finding the optimal approach may also include trade-offs. Most regulatory authorities have acknowledged that some aspects of blockchain technology are beneficial (i.e., stablecoins and Central Bank Digital Currencies) and can lead to faster and cheaper cross-border fund transfers. On the flip side, DeFi is far more complicated and holds potential substantive risks to financial markets, while major regulatory concerns in the U.S. and globally include financial stability, consumer/investor protection, financial crime/AML/CFT considerations, market manipulation, and technology risk associated with the nascent stage of DeFi applications, etc. These risks call for broader regulation, supervision, enforcement, and better risk management. In the U.S., DeFi services may fall under the requirements of the Bank Secrecy Act. Ultimately, global harmonization and further regulatory clarity are beneficial, will increase consumer confidence, and lead to massive adoption.


* The Howey Test, which was developed by the U.S. Supreme Court in a landmark 1946 case, defines an “investment contract”, which falls under the jurisdiction of the U.S. Securities and Exchange Commission (SEC), as possessing the following attributes: 1. An investment of money 2. In a common enterprise 3. With a reasonable expectation of profits 4. Due to the managerial efforts of others. Nevertheless, there have been voices, such as the SEC’s Commissioner Hester M. Peirce, who have criticized the applicability of the Howey Test to digital assets, arguing that there are cases in which crypto assets may not represent an investment contract. See: https://www.sec.gov/news/speech/speech-hinman-061418 and https://www.sec.gov/news/speech/peirce-how-we-howey-050919