Introduction
The proposed regulation of Decentralised Finance (DeFi) has prompted ongoing debates on the most prudent approach for, inter alia, safeguarding market integrity (and potentially financial stability), managing risks associated with financial crime and providing consumer protection, while at the same time, critically, allowing innovation to thrive in a way that would support the continuous evolution of this still nascent ecosystem.
Recommended regulatory approaches involve applying ‘regulatory hooks’ to various elements of the ecosystem, whether in relation to identifiable controllers/operators and their facilitation of DeFi activities, specific assets utilized or data sources that support smart contract executions.
What is DeFi?
While there is no one accepted definition of DeFi, it is generally used to describe an ecosystem that consists of financial products, services[i], activities and arrangements[ii] that rely on self-executing code (smart contracts), utilize crypto assets and run on blockchains, without reliance on intermediation. DeFi provides open access to financial services, facilitating transactions in a ‘self-directed manner’ where users maintain control over their own assets[iii].
The DeFi infrastructure (sometimes referred to as the DeFi Stack) consists of various layers, namely the settlement/foundation[iv], asset, protocol[v], application[vi] and aggregation layers. Various literature has been produced illustrating the DeFi stack and outlining the relevant functions of each layer[vii]. In that regard, this article will not seek to repeat such illustrations.
The size of the DeFi market is measured by the amount of capital locked in DeFi protocols (Total Value Locked or TVL)[viii]. As at April 20, 2024 the DeFi market stood at $89.63b TVL[ix].
Benefits
DeFi is purported to, among other things, democratize finance by allowing access to financial products and services (to anyone with an internet connection) on a borderless and transnational scale, while fostering collaboration in a trustless manner[x]. Furthermore, DeFi offers the potential to provide greater levels of cost and time efficiencies using smart contracts and related automation. The use of blockchain technology also facilitates transparency and auditability of transactions. Finally, its composability lends itself to endless possibilities for the development of potential innovative products and services while offering users full control of their assets.
Risks
Despite the potential benefits of DeFi, there are drawbacks of the ecosystem that have drawn the attention of regulators and have formed the centre of discussions in relation to appropriate regulation and supervision. Risks associated with DeFi include technology risks[xi], project risks[xii], money laundering/terrorist financing risks[xiii], scams and fraud[xiv], concentration risks, run risk associated with the use of stablecoins[xv], legal uncertainty for consumers[xvi] and lack of consumer protections[xvii]. Regulators have also highlighted concerns regarding the liquidity and maturity mismatches of liabilities and assets, high leverage, as well as interconnections among, and concentrations within, the various components of DeFi[xviii]. These risks bring to the forefront key concerns as they relate to market integrity, financial stability[xix], managing financial crime and ensuring consumer protection within the financial system.
Proposed approaches to the Regulation of DeFi
Given the potential, actual and/or emerging risks associated with DeFi, there have been various discussions regarding appropriate ‘regulatory hooks or touchpoints’ that may be utilised for the regulation of DeFi (or aspects of DeFi). International standard setters, academic scholars and industry participants have all contributed to this conversation.
Identification of Responsible Persons (controllers, owners or operators)
One key touchpoint that has been controversial is the identification of a responsible person/s that may be held accountable for the operation of protocols[xx] as it relates to the products, activities or services that are offered[xxi]. DeFi tends to operate, in the main, through community-driven governance[xxii] and therefore there are, at times, challenges with identifying accountable persons for the operation of the network.
It has been contended that decentralisation within the DeFi ecosystem is “an illusion”[xxiii]. Regulators maintain that in many cases, human intervention in a centralised manner remains a key aspect of the governance of several DeFi protocols. Whether through concentrated holdings of governance tokens (or other tokens) or through the existence of administrative keys[xxiv] held by a select few, these aspects point to centralisation. Moreover, it has been suggested that identifiable “responsible persons”, that is, those who exercise control or sufficient influence over products, services or activities would likely include (depending on the facts and circumstances)[xxv] developers, foundations and DAOs[xxvi], holders of governance/voting tokens, those with administrative rights to smart contracts and/or a protocol, those who have the responsibility of maintaining/updating a protocol or other aspects of the arrangements, etc[xxvii].
Not surprisingly, there is a strong view that DeFi developers generally ought not be identified as crypto market intermediaries, as their only role is to develop and publish code (particularly where they do not retain administrative control). It has been suggested that the key consideration should be whether they directly facilitate financial transactions for customers or hold their assets.
Protagonists argue that DeFi should not be viewed from a binary perspective (but rather as a spectrum[xxviii]) as, in a number of cases, DeFi protocols involve a phased process[xxix] where a protocol starts off with some measure of centralisation with developers/founders but over time control/influence is no longer held by a small group of persons[xxx]. It is dispersed among various and numerous participants[xxxi]. In such instances, particularly where administrative control has been relinquished, it would be unduly burdensome and ineffective to designate original creators of such protocols as responsible persons.
Furthermore, DeFi proponents have cautioned against the approach of generalizing DeFi as a decentralised illusion. While it is accepted that there are instances where DeFi protocols (or applications)[xxxii] may not be truly decentralised, there does indeed exist genuine DeFi. As such, it would be imprudent to ignore this fact in an attempt to apply ‘centric based rules’ to decentralised operations. In that regard, advocates of genuine DeFi have proposed definitions to assist in distinguishing DeFi[xxxiii] in name only from truly genuine DeFi[xxxiv].
Stablecoins
Another element of regulatory focus is the growing use of stablecoins in the DeFi ecosystem and their utility therein. Stablecoins have enabled the growth of the DeFi ecosystem as stable settlement assets[xxxv] and as the main bridge between TradFi and DeFi[xxxvi]. They are generally used for key DeFi activities including trading, lending and borrowing, for yield and the provision of liquidity[xxxvii]. The current stablecoin market cap is estimated at $159 billion[xxxviii]. (For a primer on stablecoins see my previous article here.)
Various standard setting bodies have set out recommendations on the appropriate regulatory regime for stablecoins[xxxix]. These include the implementation of appropriate licensing and registration requirements for stablecoin arrangements, governance and control requirements, management of material risks associated with stablecoins, robust systems for collecting, storing and safeguarding data, as well as maintaining integrity and security of pertinent data (both on chain and off chain).
There also remains an ongoing debate as to the types of stablecoins that should fall within the regulatory remit (i.e. those with offchain versus onchain or algorithmic stability mechanisms). The primary approach, adopted by many jurisdictions, has been to focus on the regulation of fiat backed stablecoins.
Industry contributions to the discussion on the regulation of stablecoins have, in the main, centred around the importance of implementing practical regulatory requirements that would not impede innovation, the need to recognise the varying nature of the different types of stablecoins[xl], the focus on protecting consumers and limiting market disruption, and the (debated) exclusion of algorithmic stablecoins.
Oracles
Although in its infancy, the idea of introducing a legal framework to regulate the operation of oracles has been circulating[xli]. Oracles play an important role in supporting DeFi activities and are generally utilised for the collection and dissemination of data to support the execution of smart contracts[xlii]. They can also carry out other functions, such as computations based on data collected (which could otherwise strain resources within a blockchain)[xliii]. Such functions support the creation of advanced and innovative financial instruments[xliv].
However, oracles[xlv] pose risks to the DeFi ecosystem given the high reliance placed on the collection and transmission of external information and the susceptibility to, inter alia, manipulation and/or operational failure. Oracles have been described by some as “the Achilles Heel of DeFi”. This is evidenced, for example, by the fact that DeFi protocols lost $403.2 million in 41 separate oracle manipulation attacks in 2022[xlvi].
An appropriate legal framework for oracles could enable regulators to “define oracles’ liabilities”[xlvii] and allow for guardrails to be integrated into services that support key activities, helping to promote growth and stability within the DeFi ecosystem. The imposition of standards could assist in promoting efficiency of, and trust in, oracles, among other things.
Of course, industry continues to work on solutions to address the challenges faced by oracles. The use of (decentralised) multiple-source oracles[xlviii], on-chain verification, and oracle-free protocols are some of the options being explored to address risks like manipulation.
Conclusion
The DeFi ecosystem, though still a small fraction of the wider market, continues to grow and has the potential to “bring more of the world’s economic value and transaction activity on to blockchains” [per Chainalysis][xlix]. The regulation of DeFi remains a controversial topic, but healthy debate can aid in bridging gaps and finding the most appropriate way forward.
The approach [of regulators] has been to explore key aspects of DeFi that can be regulated. Some argue that building guardrails without an appreciation of the nuances of DeFi, including importing intermediaries into genuine DeFi, is likely to endanger the growth and innovation of the ecosystem by compromising its nature and operations. On the other hand, activities that pose risks to investors and market integrity should not be left unregulated.
Finding the right balance is key and is not an easy task for policymakers. A sensible and measured approach that balances mitigating risks while avoiding the implementation of impractical requirements will be critical to moving forward.
Some regulators have shown a willingness to explore measures in line with the nature of the ecosystem, by considering ways in which appropriate standards may be implemented, including at the settlement layer or in relation to the nature and functioning of smart contracts[l]. Such efforts are encouraging as they relate to bridging the differences in views as to how DeFi could be sensibly regulated. Applying principles and standards for the relevant layers and/or DeFi activities may be a more effective approach for the DeFi ecosystem.
References
[i] DeFi products and services include payments, lending and borrowing, trading and investments, capital raising (crowdfunding), and insurance.
[ii] As described by IOSCO, Final Report with Policy Recommendations for Decentralized Finance (DeFi) (December 2023) click here
[iii] See also ‘Genuine DeFi as Critical Infrastructure: A Conceptual Framework for Combating Illicit Finance Activity in Decentralized Finance’, @ click here where the authors provide a definition of “Genuine DeFi”.
[iv] Examples include Ethereum, Algorand, Cardano, Solana, Binance Smart Chain, Cosmos, Polkadot, Luna, and Avalanche.
[v] The protocol layer contains the combination of various smart contracts and represents the terms, conditions, and standards on which a DeFi product/service is articulated.
[vi] Graphical interfaces which allow users to interact with the underlying protocols.
[vii] See for example: IOSCO, Decentralized Finance Report (Mar. 2022), available at click here; Schär, Fabian (2020), Decentralized Finance: On Blockchain- and Smart Contract-based Financial Markets, click here; and Raphael Auer, Bernhard Haslhofer, Stefan Kitzler, Pietro Saggese and Friedhelm Victor (2023), "The Technology of Decentralized Finance (DeFi)," BIS Working Papers 1066, Bank for International Settlements: click here
[viii] Metrics such as number of transactions or fees generated are also used to measure the size of the market.
[ix] TVL increased from $1b in 2020 to over $100b in 2021 and continued steadily increasing during 2021 to a high of approximately $176b by Nov 2021. However, the market size declined to less than $50b by April 2023. The DeFi market was impacted by a number of events including the crash of Terra (LUNA) and its stablecoin TerraUSD (UST) in May 2022 and other events within the crypto market. See “TVL (total value locked) across multiple Decentralized Finance (DeFi) blockchains from June 2018 to November 17, 2023” : click here
[x] IOTA Foundation, ‘Bringing clarity to the DeFi sector: a cross sector proposal for a unified DeFi definition’
[xi] The nature of DeFi and the technology relied upon naturally leads to potential vulnerabilities for the ecosystem through exploits/hacks, bugs/errors, congestion or other issues. Such technological risks may emerge from the blockchain utilized, smart contract coding errors or other weaknesses.
[xii] DApps may fail due to idiosyncrasies associated with each app.
[xiii] DeFi is generally used to move stolen crypto funds (usually obtained through hacks/scams, etc) into more liquid crypto assets. DEXs, for example, tend to be used to convert certain crypto assets to ether, which in turn is sent to Ethereum-based mixers before attempts are made to remove it from the ecosystem and convert it to fiat. See CHAINALYSIS, 2023 Crypto Crime Report (Feb. 2023), at click here, which notes, among other things, that hackers holding stolen crypto assets send a majority of those funds (57%) to DeFi protocols.
[xiv] These include exit scams, pump and dumps, front running, etc.
[xv] Assets used to lend support to the stability of stablecoins are not always transparent or reliable. Stablecoins also face run risks when confidence becomes an issue. Such runs threaten their ability to guarantee the stability of certain activities such as lending/borrowing within the ecosystem.
[xvi] For example, there is no clarity in terms of the legal rights of consumers arising from services facilitated through the use of smart contracts.
[xvii] Because there are no recovery schemes or dispute resolution mechanisms, there is a risk of total loss in default situations and little to no recourse as a result.
[xviii] Regulators have noted that the ecosystem lacks appropriate shock absorbers that can provide liquidity in times of stress. This means that loss of liquidity within the ecosystem coupled with interconnectedness could lead to a collapse of certain protocols and spillovers to various participants within the ecosystem and beyond.
[xix] In 2023, the Financial Stability Board released a report on DeFi highlighting, inter alia, that certain concerns, such as operational fragilities, liquidity and maturity mismatches, leverage, and interconnectedness, could lead to potential impacts on financial stability. click here
[xx] Some argue that focus should be on Apps and not protocols in terms of identifying responsible persons.
[xxi] See IOSCO (2023) Report. Supra.
[xxii] With many underlying blockchains utilizing decentralized consensus mechanisms.
[xxiii] See for example BIS, “DeFi risks and the decentralisation illusion” (2021) click here. The BIS notes that “all DeFi platforms have central governance frameworks outlining how to set strategic and operational priorities, eg as regards new business lines”. Furthermore, “certain features of DeFi blockchains favour the concentration of decision power in the hands of large coin-holders”. For example, blockchains based on proof of stake tend to lead to concentration naturally as token holders are incentivized to stake a large number of tokens in order to win the next block and receive compensation.
[xxiv] OECD (2022), Why Decentralised Finance (DeFi) Matters and the Policy Implications, OECD Paris, Why-Decentralised-Finance-DeFi-Matters-and-the-Policy-Implications.htm.
[xxv] IOSCO (2023) Report.
[xxvi] “Identifying developers, investors, DAO participants or token holders as responsible persons could discourage developers from innovating, investors from supporting promising projects, and ordinary members of the public from participating in governance”. Per Consensys website: click here
[xxvii] IOSCO Report, Ibid.
[xxviii] “Acknowledging the varying degrees of decentralization, over a project’s life cycle, allows for the recognition of a wide range of components (e.g. operational and managerial autonomy) and trade-offs with unique sets of features and risks”: per The European Crypto Initiative (EUCI), the Canadian Web3 Council (CW3), Blockchain Association Singapore (BAS), and Bharat Web3 Association. click here
[xxix] See for example Coinbase’s submissions in response to the IOSCO DeFi report: click here
[xxx] “The level of decentralisation could be described as a fluid characteristic along a spectrum”. OECD (2022), Why Decentralised Finance (DeFi) Matters and the Policy Implications, OECD, Paris.
[xxxi] Blockchain Australia for example notes that certain persons who may have initially qualified as Responsible Persons may, depending on the lifecycle of the relevant offering, no longer have any involvement with the relevant DeFi protocol at later stages of its development and operation: click here
[xxxii] Several self-proclaimed “DeFi projects” are hybrid in nature and consist of a combination of a centralised front-end business set-up with a DeFi architecture at the back end of the application.
[xxxiii] See ‘On DeFi and On-Chain CeFi: How (Not) to Regulate Decentralized Finance’, Journal of Financial Regulation, 2024, 00, 1–30 click here, where centralized vectors are utilized to distinguish genuine from non-genuine DeFi infrastructure.
[xxxiv] See ‘Genuine DeFi as Critical Infrastructure: A Conceptual Framework for Combating Illicit Finance Activity in Decentralized Finance’, @ click here as well as the Crypto Council for Innovation’s definition which suggests that DeFi (protocols) are truly decentralised when, “no single person or the managerial efforts of a specific or limited group of persons can (i) control or fundamentally alter a protocol’s purpose or code; (ii) control user funds or assets; (iii) reverse transactions; or (iv) restrict access to the protocol”. click here
[xxxv] Stablecoins are widely used as collateral for crypto asset loans. The loss of parity (depeg) of a stablecoin (against the currency it is supposedly pegged to) has the potential to undermine the stability of many applications, as the chain effects of the Terra-Luna collapse have shown.
[xxxvi] Regulators have noted that stablecoins are the primary potential vector through which shocks can be transmitted from DeFi to the more traditional areas of finance.
[xxxvii] Stablecoins provide most of the liquidity in DeFi applications such as decentralised exchanges and lending protocols.
[xxxviii] click here
[xxxix] See https://kmafiles.com/71 for a more comprehensive list of recommendations.
[xl] Stablecoin regulatory requirements should not treat all stablecoins as though they are the same but should recognize the diversity of stablecoin designs and be calibrated to each design’s particular risks.
[xli] See FCA Research Note, Review of Maximal Extractable Value & Blockchain Oracles (2024) click here; European Commission, Directorate-General for Financial Stability, Financial Services and Capital Markets Union (EC DG FISMA) (2022), Decentralized finance: information frictions and public policies: approaching the regulation and supervision of decentralized finance, click here; and BIS-FSI Insights, ‘Crypto, tokens and DeFi: navigating the regulatory landscape’ (May 2023) click here.
[xlii] Oracles may be described as inbound or outbound depending on connections into or out of a DeFi system. “Inbound oracles act as data gateways, retrieving and delivering information from external sources into the DeFi system. Outbound oracles serve as conduits, transmitting data from the DeFi environment to external parties, fostering interoperability and expanding the reach of DeFi”.
[xliii] BIS Bulletin: The oracle problem and the future of DeFi. click here.
[xliv] click here.
[xlv] All oracles, regardless of their degree of (de)centralisation, could be manipulated.
[xlvi] click here.
[xlvii] See Crypto, tokens and DeFi: navigating the regulatory landscape (May 2023), noted above.
[xlviii] The idea is that decentralized oracles utilise multiple sources of information to aid in minimizing counterparty risk and address concerns associated with reliability and trust, since oracles that provide false data will be penalized for data manipulation.
[xlix] Chainalysis 2024 Crypto Spring Report: click here
[l] See for example the discussion paper of the Autorité de contrôle prudentiel et de résolution (ACPR): click here