Industry Updates

DeFi platforms: Delineating the Regulatory Perimeter

Decentralised Finance Applications (DeFi)

Finance, at its primary level, concerns transactions that channel savings towards users that offer the highest potential returns for a given level of risk. At a secondary level, finance concerns transactions that seek to transfer financial risks. Financial assets created by finance – equity, debt and derivative instruments – are traded in financial markets, which seek to provide price discovery functionalities and liquidity. Blockchain based cryptographic tokens can be created and supplied as a fungible asset and therefore, like financial assets and money, tokens can be traded easily and are eligible to be used for financing transactions, be that a loan, a repo contract, a swap, or, indeed, any other form of collateralised or uncollateralised financing transaction.

Smart contracts can be programmed to create, hold, transfer, or perform other actions in relation to tokens. Consequently, smart contract technology’s obvious ramification is the ability to create a platform that permits multi-lateral execution of financing transactions with tokens, that is, enables token owners to exchange, lend, and borrow tokens, and use tokens as collateral. The platform includes the infrastructure needed for clearing of the transactions, transferring the various tokens by way of settlement of the mutual delivery obligations, and holding and administering the transferred tokens directly at the user’s blockchain address (meaning the platform is non-custodial).1 The set of smart contracts that underpins the platform can be coded to operate autonomously, automatically executing actions as programmed, which can increase efficiency, reduce costs, and minimise the potential for human error relative to traditional finance’s market infrastructure.2 A smart contract can also be coded to take data, eg a price feed, from external sources called “oracles”.3 Acceptance and validation of a transaction initiated by a blockchain address holder with a smart contract will lock the performance of that transaction into the smart contract, which will be programmed to effect transfer of the relevant tokens to or from the relevant blockchain addresses upon satisfaction of the coded conditions. Smart contract-based application platforms whose functionality permits the initiation, execution, and performance of these types of financial token transactions are referred to as “decentralised finance” or “DeFi”.

The most important DeFi platforms to date are lending platforms.4 In these constellations, smart contracts are used to replace the intermediary institutional balance sheet and automate the execution and settlement of loans. These are platforms such as Compound and Aave that permit users to lend or borrow funds directly to or from a smart contract. Interest rates can be set algorithmically based on supply and demand. A user-lender can connect their wallet to deposit the token they wish to supply to a particular smart contract-maintained pool. The user-lender receives an equivalent amount of a deposit token. For example, depositing a DAI via the Aave platform will give you an aDAI. The deposit tokens represent the supplied token and accrue interest in real-time, reflected by an increase in the balance of the deposit token. The typical DeFi loan is disbursed in stablecoin tokens, while the collateral consists of riskier unbacked tokens.5

Another important category of DeFi platforms comprises the decentralised exchanges (DEX). Order book DEXs such as dYdX permit the matching of buy and sell orders in a smart contract operated order book, much in the way of a traditional finance exchange trading engine. Automated market maker DEXs such as Uniswap permit users to connect their wallet to contribute tokens to a smart contract that operates as a “liquidity pool”. Each liquidity pool consists of a pairing of two tokens. Pricing of the token pair exchange rate is determined algorithmically based on the ratio of the tokens in the pool. The idea is that if the pool’s exchange rate is off market, users will reduce the spread by way of arbitrage transactions with the pool. These are all types of smart contract-based sets of applications that facilitate peer-to-peer token trading between users with minimal centralised intermediary functionality.6 The user can typically earn returns from trading activities and from commission-like income generated because of the deposit of tokens into a smart contract. The smart contract-based execution and asset holding means that the operator, the person or persons who deploy the smart contracts and maintain the application set, typically do not have control of the users’ transactions nor their tokens.7 DEX aggregator platforms such as 1inch can assist users in sourcing liquidity from various DEXs to offer users the best trading rates.
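The ratio-based pricing and arbitrage correction described above, as an added Python example that is not part of the original article. It assumes a constant-product rule (the product of the two reserves is unchanged by a swap) and no trading fee, neither of which the article specifies; the names `Pool` and `arbitrage` and the sample reserves are constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class Pool:
    """Liquidity pool pairing token A with token B.

    Assumption (not stated in the article): constant-product rule, no fee.
    """
    reserve_a: float
    reserve_b: float

    def price_of_a(self) -> float:
        """Pool exchange rate in units of B per unit of A (the reserve ratio)."""
        return self.reserve_b / self.reserve_a

    def swap_a_for_b(self, amount_a: float) -> float:
        """Pay amount_a of A into the pool; return the amount of B paid out."""
        k = self.reserve_a * self.reserve_b
        self.reserve_a += amount_a
        out_b = self.reserve_b - k / self.reserve_a
        self.reserve_b -= out_b
        return out_b

    def swap_b_for_a(self, amount_b: float) -> float:
        """Pay amount_b of B into the pool; return the amount of A paid out."""
        k = self.reserve_a * self.reserve_b
        self.reserve_b += amount_b
        out_a = self.reserve_a - k / self.reserve_b
        self.reserve_a -= out_a
        return out_a


def arbitrage(pool: Pool, market_price: float) -> float:
    """Trade against the pool until its rate equals market_price.

    Returns the arbitrageur's profit in units of B, valuing A at market_price.
    """
    if math.isclose(pool.price_of_a(), market_price):
        return 0.0  # pool is already on market, nothing to gain
    k = pool.reserve_a * pool.reserve_b
    if pool.price_of_a() > market_price:
        # The pool pays too much B per A: sell A into the pool.
        paid_a = math.sqrt(k / market_price) - pool.reserve_a
        got_b = pool.swap_a_for_b(paid_a)
        return got_b - paid_a * market_price
    # The pool sells A too cheaply: buy A from the pool with B.
    paid_b = math.sqrt(k * market_price) - pool.reserve_b
    got_a = pool.swap_b_for_a(paid_b)
    return got_a * market_price - paid_b


if __name__ == "__main__":
    # Constructed sample: the pool quotes 2200 B per A, the wider market 2000.
    pool = Pool(reserve_a=100.0, reserve_b=220_000.0)
    print("pool rate before:", pool.price_of_a())
    print("arbitrage profit (B):", round(arbitrage(pool, 2000.0), 2))
    print("pool rate after:", round(pool.price_of_a(), 6))
```

The profit comes out of the pool's reserves, that is, from the users who deposited the tokens, which is the cost of having the pool's rate corrected by arbitrage rather than by an operator.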

Thus far, traditional finance and DeFi have not been connected meaningfully. Certain financial assets have been issued as asset tokens on public blockchains, but these assets have not yet been traded in DeFi engines. The combination of asset and security tokens, stablecoin tokens, and DeFi smart contracts, however, would enable the replication of existing financial services in a more open, interoperable, and transparent way, which should arguably facilitate improved pricing and reduced rent-seeking by intermediaries. Aramonte et al argue that DeFi would need to satisfy certain conditions if it is to become a widely used form of financial intermediation:8

“For one, blockchain scalability and large-scale tokenisation of traditional securities would need to be improved. No less importantly, DeFi will need to be properly regulated. Public authorities would need to interface with DeFi’s inherent governance structures, so as to ensure sufficient financial stability safeguards as well as to enhance trust by addressing investor protection issues and illegal activities.”

Blockchain communities are acutely aware of the scalability risks and much work has been done on what is commonly referred to as “layer 2 roll-ups”,9 and other mechanisms that improve a network’s ability to push transactions through at speed, volume and low cost. Arguably, the engineering condition raised by Aramonte et al has been satisfied. The promulgation of an effective regulatory framework for DeFi trading engines, however, is still very much work in progress.

Regulating DeFi

Traditional financial services regulation is framed on the identification of an accountable actor, that is, the person who conducts the activities that are within the regulatory perimeter, and who must therefore apply for authorisation and comply with prudential and conduct of business rules in conducting that regulated activity. DeFi platforms, in their purest form, are arranged such that a great deal of the accountable effort is automated through software, that is, a set of smart contracts that are part of a blockchain that is run independently on a decentralised network. Once deployed successfully at their own unique public network address, the smart contracts become an immutable part of the particular blockchain and can be accessed directly (without the need for intermediation) by knowledgeable users of wallet software. The immutability of the program code means that it cannot be changed or updated, except, importantly, to the extent that the smart contract is programmed to give certain permissions to an administrator network address.

Subject, therefore, to any such administrator rights, the decentralised nature of the blockchain network ensures that the smart contract’s operations are not controlled by any single party, significantly reducing execution and non-performance risks, but also, correspondingly, eliminating accountability for the operation of the smart contracts. Accordingly, where a certain token that can be transacted through a DeFi platform is a financial instrument within the meaning of operative financial services and markets regulations, or a virtual asset within the meaning of the anti-money laundering and countering the financing of terrorism (AML/CFT) rules,10 the argument goes that there is no accountable actor to hold responsible for the offering and operations of the DeFi platform in question, and therefore, that the autonomous operations of the set of deployed DeFi smart contracts are not within the regulatory perimeter.

The question for any given DeFi platform is, therefore, how autonomous the operation of the set of DeFi smart contracts is in practice. If one or more stakeholders exercise a measure of control over the operations of the set of DeFi smart contracts, those stakeholders could be identified as accountable actors that conduct business that is within the regulatory perimeter. In that context, Recital (22) of the EU’s Regulation on markets in crypto assets (MiCAR)11 observes that a person or undertaking is a virtual asset service provider (VASP)12 in scope of MiCAR where the services are “provided or controlled, directly or indirectly, by them, including when part of such activities or services is performed in a decentralised manner”. The Recital continues to note that “[w]here crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of this Regulation”. In a similar vein, the UK’s HM Treasury observes in a recent Consultation Paper that regulators “should be able to apply rules to persons who maintain significant control or influence over a DeFi arrangement or protocol providing cryptoasset services and activities. To illustrate this point further, the objective is not to regulate the activity of developing software, but if software developers go on to maintain, run and operate systems used for regulated financial activities (e.g. exchange, lending) then they should be subject to financial services regulation”.13 In other words, the fact that a DeFi platform is arranged such that token transactions are executed, settled, and administered through smart contracts does not necessarily mean that no accountable actor can be identified whose business conduct is within the regulatory perimeter. 

The question is where the line is to be drawn between a platform that is essentially a CeFi platform that uses smart contract components to provide virtual asset services, and DeFi proper, where the originators of the set of smart contracts are merely developing and deploying software as a public utility.

The smart contract innovation essentially turned a network that operates eligible blockchain technology into a public computer that can be used for any programmable purpose. The search for an accountable actor in the context of DeFi should therefore start with the network. The engagement with the network by a user cannot easily be characterised as the formation of a contractual or agency relationship between the network, or a specific validator, and that user. The network does not have centralised management nor is it an organisational structure in a recognisable legal form. The most that can be said is that by using a blockchain, users implicitly agree to its consensus rules, which govern how the system operates and validates transactions. In some sense, this could perhaps be seen as a “contract” where all participants, both users and validators, consent to submit to these operative rules.

The European Commission’s Value Added Tax Committee grappled with this legal relationship question when it sought to identify a service relationship between a user and the network validators in cases of smart contract based autonomous self-minting of NFTs.14 The Committee concluded that “identifying the existence of a direct link between the gas fee paid and the publication on the digital ledger is not straightforward due to the difficulty in establishing the existence of a legal relationship between the one requesting minting to be done and the network validators involved in the said publication”.15 Naturally, these conclusions are predicated on the assumption that the network operates a public, not a private, blockchain, and that the network consensus mechanism operates with a sufficient degree of decentralised independence.

That same conceptual obstacle logically operates in the context of the application of financial services or AML/CFT regulations on DeFi smart contract-based operations. It would be difficult to interpret the validation activities of the group of validator nodes, or any one of them, as financial or virtual asset services provided by a specific validator or the network only because the network validates the deployment of a DeFi smart contract or the execution of a DeFi smart contract call. Even if a legal relationship were found between a validator or a group of validators and a user, as the network validator activity is content neutral, it would not plausibly lead to accountability on the part of the network or a validator solely on the grounds that the publicly available infrastructure is used in consideration for a network access fee that is otherwise unrelated to the features of the DeFi platform.

Next in line to be examined as a potential accountable actor in the context of a DeFi platform is the originating team, incorporated or otherwise, who deployed and may maintain the set of smart contracts. The originating team very often not only deploy the set of DeFi smart contracts but also provide centralised web-based user interfaces (UIs), that is, a front-end, user-facing component of the DeFi application stack. UIs display relevant information from the smart contracts and allow users to send transactions, view data, and interact with the smart contract functions. If the UI application operates such that the UI provider effectively intermediates between the user and the DeFi smart contracts, the UI operator could be a virtual asset service provider (VASP) within the meaning of the applicable financial services or AML/CFT regulations on grounds that it serves as an arranger or person receiving and transmitting orders from users to the DeFi platform.16 Similarly, if the originating team coded the set of DeFi smart contracts such that it can be controlled through administrator private keys that permit the controller to amend and upgrade the smart contract code and its operational features, assuming the originating team operates as a business, the originating team’s activity would very likely be a VASP activity and the platform should be characterised as a CeFi platform.

Smart contracts can be designed without access rights so that once the smart contract is deployed, it is immutable except through exploitation of bugs and code errors. Further, UIs can be decentralised, relying on technologies like IPFS (InterPlanetary File System) for hosting front-end files, or it can be offered by way of software as a service, where the UI provider offers the application for downloading and local operating. It may be that the UI provider earns a royalty for use of the software IP, but that is not the same as earning a fee for intermediary activities. In such cases, where the DeFi smart contracts are not controlled by the originating team and the UI is not heavily centralised but offered as a tool for the user by way of licensed software, it would seem to be difficult to construct an argument that brings what is essentially a software provider into the VASP perimeter. To do so would require legislative intervention, eg to bring the provision of wallet software or the deployment of DeFi smart contract sets within the VASP perimeter as a specified regulated activity.

In a case that is very much on that point, certain duped users of the Uniswap DeFi platform sought to hold the originating team, Universal Navigation Inc. trading as “Uniswap Labs”, liable for their losses on several grounds. Access to the Uniswap pools is available through a Uniswap Labs-developed UI, and also through wallet application extensions that permit direct access to the pools without relying on intermediaries or needing permission. Plaintiffs argued, among other matters, that Uniswap Labs controls the token transactions in the Uniswap pools. While the court accepted, without making a finding, the assertion that the tokens in question were securities for US securities regulation purposes, it observed that plaintiffs’ argument that Uniswap Labs somehow sold the tokens as an unregistered broker-dealer was not sustainable, in essence because the court considered the set of Uniswap pool smart contracts to be mere software tools made available to the users at their discretion.

“Looking at the allegations [...], it defies logic that a drafter of computer code underlying a particular software platform could be liable under Section 29(b) for a third-party’s misuse of that platform.”

The court declined “to stretch the federal securities laws to cover the conduct alleged” and concluded “that Plaintiffs’ concerns are better addressed to Congress than to this Court”.17

On the other hand, the US Commodity Futures Trading Commission (CFTC) recently issued orders against originating teams of three different DeFi platforms that facilitate token derivatives trading.18 Unlike the Uniswap platform, where users self-create pools or access pools created by other users, the originating teams of the platforms that are the subject matter of these CFTC orders, as stated by the CFTC, “retained control” over the DeFi platform, eg the “ability to update relevant smart contract code to adjust how the smart contracts operated in order to, among other things, suspend trading or prevent users from depositing collateral”.19 Importantly, unlike Uniswap Labs, the originating teams also earn fees directly from the trading smart contracts. Essentially, therefore, the CFTC is arguing that these platforms are CeFi platforms operated by an accountable actor, and not DeFi platforms.

A third category of potential accountable actors that are typically part of the DeFi platform are the smart contract-based token operated governance structures commonly known as “Decentralised Autonomous Organisations” (DAOs). Many DeFi platforms have implemented a DAO layer as part of the DeFi application stack. The aim is to offer users of the DeFi platform governance tokens that usually enable them to vote via the DAO smart contract structure and so have a say in the DeFi platform’s development, and, importantly, changes to the DeFi smart contracts. Not all DeFi platforms have a full-fledged DAO governance structure in place, especially in their early stages, when the developers might retain control over the protocol to develop the platform without going through a lengthy governance process. Some DeFi platforms offer hybrid structures that incorporate certain DAO components but also retain some centralised control or decision-making processes, eg for reasons of efficiency or security. A DAO’s legal characterisation will depend on the facts and circumstances of the DAO operation. US Federal courts have not struggled to decide in preliminary findings that a certain type of DAO may be a general partnership or unincorporated association if certain facts and circumstances support that finding – most notably, that token holders can participate in management or profits of the DAO operations – and accordingly, that such DAO token holders may be held liable jointly for the DAO’s decisions and actions.20

In conclusion, it would stretch the applicable financial services and AML/CFT laws to identify a VASP in the context of DeFi proper, such as the Uniswap platform. To bring DeFi proper within the regulatory perimeter, statutory intervention will be required. However, if a platform operator arranges for token transaction execution and settlement through a set of smart contracts and/or it, or a DAO, retains a certain level of control, the platform operator or the DAO could be held responsible as a VASP on the grounds that either or both arrange the transactions and/or control and profit from the platform.

Footnotes

1 See BIS Working Papers No 1066, The Technology of Decentralized Finance (DeFi), Raphael Auer, Bernhard Haslhofer, Stefan Kitzler, Pietro Saggese and Friedhelm Victor, Monetary and Economic Department, January 2023.

2 See for a helpful analysis of how a decentralised smart contract functions, Bina Ramamurthy, Blockchain in Action (Manning Publications, 2020), 22-29.

3 In the context of smart contracts, an oracle is any data source for reporting information external to the blockchain network, where that data is used by the smart contract to execute transactions. See on oracles and oracle risks, Campbell Harvey, Ashwin Ramachandran, Joey Santoro, DeFi and the Future of Finance (Wiley, 2021), 23, 137.

4 The Organization for Economic Cooperation and Development, Why Decentralised Finance (DeFi) Matters and the Policy Implications (OECD, 2022), 27.

5 See the IOSCO analysis in International Organization of Securities Commissions, Decentralized Finance Report (IOSCO, OR01/2022 March 2022), 11. See also DeFi and the Future of Finance, n 3, 69ff.

6 See OECD (2022), n 4, 36. See also DeFi and the Future of Finance, n 3, 95ff.

7 See IOSCO (OR01/2022 March 2022), n 5, 14.

8 See Sirio Aramonte, Wenqian Huang, Andreas Schrimpf, DeFi risks and the decentralisation illusion (BIS Quarterly Review, December 2021), 21.

9 Layer 2 protocols, such as roll-ups, operate through the primary protocol’s network and typically rely on the layer 1 protocol to confirm proof of the transactions first executed and recorded by the layer 2 protocol.

10 As outlined in Financial Action Task Force (FATF, 2012-2023), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation. Recommendation 15 requires that virtual asset services providers (VASPs) be regulated for AML/CFT purposes, that they be licensed or registered, and subject to effective systems for monitoring or supervision. ‘Virtual assets’ are defined as “a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes”.

11 Regulation (EU) 2023/1114 of 31 May 2023 on markets in crypto assets (MiCAR).

12 Or, in MiCAR terms, a “crypto-asset service provider”, see Art 3(10)(15) MiCAR.

13 HM Treasury, Future financial services regulatory regime for cryptoassets – Consultation and call for evidence (February 2023), 11.7.

14 Value Added Tax Committee (Article 398 of Directive 2006/112/EC) Working Paper No 1060 (21 February 2023).

15 See EC VAT Committee, n 12, 9-10.

16 See eg para 14A(1) of the UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which brings “arranging or making arrangements with a view to” into the VASP perimeter, and Art 80 of MiCAR (Reception and transmission of orders for cryptoassets on behalf of clients).

17 Risley, e.a. v Universal Navigation Inc., d/b/a Uniswap Labs, e.a, Case No. 1:22-cv-02780-KPF (S.D.N.Y. Aug 29, 2023).

18 https://www.cftc.gov/PressRoom/PressReleases/8774-23

19 Commodity Futures Trading Commission, re: Deridex, Inc., CFTC Docket No. 23-42 (Sep 7, 2023).

20 See Sarcuni v bZx DAO, Case No. 22-cv-618-LAB-DEB, 2023 WL 2657633 (S.D. Cal. Mar. 27, 2023), and Commodity Futures Trading Commission v Ooki Dao, Case No. 3:22-cv-05416-WHO (N.D. Cal. Dec 20, 2022).