How should DeFi be regulated? A European approach to decentralizatio

Decentralized finance, known as DeFi, is a new use of blockchain technology that is growing rapidly, with over $237 billion in value locked up in DeFi projects as of January 2022. Regulators are aware of this phenomenon and are beginning to act to regulate it. In this article, we briefly review the fundamentals and risks of DeFi before presenting the regulatory context.

The fundamentals of DeFi

DeFi is a set of alternative financial systems based on the blockchain that allows for more advanced financial operations than the simple transfer of value, such as currency exchange, lending or borrowing, in a decentralized manner, i.e., directly between peers, without going through a financial intermediary (a centralized exchange, for example).

Schematically, a protocol called a DApp (for decentralized application), such as Uniswap or Aave, is developed in open source code on a public blockchain such as Ethereum. This protocol is powered by smart contracts, i.e., contracts that are executed automatically when certain conditions are met. For example, on the Uniswap DApp, it is possible to exchange money between two cryptocurrencies in the Ethereum ecosystem, thanks to the smart contracts designed to perform this operation automatically.

Users are incentivized to bring in liquidity, as they receive a portion of the transaction fee. As for lending and borrowing, smart contracts allow those who want to lend their funds to make them available to borrowers and borrowers to directly borrow the money made available by guaranteeing the loan with collateral (or not). The exchange and interest rates are determined by supply and demand and arbitrated between the DApps.

The great particularity of DeFi protocols is that there is no centralized institution in charge of verifying and carrying out the transactions. All transactions are performed on the blockchain and are irreversible. Smart contracts replace the intermediary role of centralized financial institutions. The code of DeFi applications is open source, which allows users to verify the protocols, build on them and make copies.

The risks of DeFi

Blockchain gives more power to the individual. But with more power comes more responsibility. The risks DeFi are of several kinds:

Technological risks. DeFi protocols are dependent on the blockchains on which they are built, and blockchains can experience attacks (known as "51% attacks"), bugs and network congestion problems that slow down transactions, making them more costly or even impossible. The DeFi protocols, themselves, are also the target of cyberattacks, such as the exploitation of a protocol-specific bug. Some attacks are at the intersection of technology and finance. These attacks are carried out through "flash loans." These are loans of tokens without collateral that can then be used to influence the price of the tokens and make a profit, before quickly repaying the loan.

Financial risks. The cryptocurrency market is very volatile and a rapid price drop can occur. Liquidity can run out if everyone withdraws their cryptocurrencies from liquidity pools at the same time (a "bank run" scenario). Some malicious developers of DeFi protocols have "back doors" that allow them to appropriate the tokens locked in the smart contracts and thus steal from users (this phenomenon is called "rug-pull").

Regulatory risks. Regulatory risks are even greater because the reach of DeFi is global, peer-to-peer transactions are generally anonymous, and there are no identified intermediaries (most often). As we will see below, two topics are particularly important for the regulator: the fight against money laundering and terrorist financing, on the one hand, and consumer protection, on the other.

The FATF "test": Truly decentralized?

As of Oct. 28, 2021, the Financial Action Task Force (FATF) issued its latest guidance on digital assets. This international organization sought to define rules for identifying responsible actors in DeFi projects by proposing a test to determine whether DeFi operators should be subject to the Virtual Asset Service Provider or "VASP" regime. This regime imposes, among other things, Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) obligations.

The FATF had initially considered, last March, that if the decentralized application (the DApp) is not a VASP, the entities "involved" in the application may be, which is the case when "the entities engage as a business to facilitate or conduct activities" on the DApp.

The new FATF guidance drops the term "facilitate" and instead adopts a more functional "owner/operator" criterion, whereby "creators, owners, and operators ... who retain control or influence" over the DApp may be VASPs even though the project may appear decentralized.

FATF, under the new "owner/operator" test, states that indicia of control include exercising control over the project or maintaining an ongoing relationship with users.

The test is this:

Does a person or entity have control over the assets or the protocol itself?
Does a person or entity have "a commercial relationship between it and customers, even if exercised through a smart contract"?
Does a person or entity profit from the service provided to customers?
Are there other indications of an owner/operator?
FATF makes clear that a state must interpret the test broadly. It adds:

"Owners/operators should undertake ML/TF [money laundering and terrorist financing] risk assessments prior to the launch or use of the software or platform and take appropriate measures to manage and mitigate these risks in an ongoing and forward-looking manner.”
The FATF even states that, if there is no "owner/operator," states may require a regulated VASP to be "involved" in DeFi project-related activities… Only if a DeFi project is completely decentralized, i.e., fully automated and outside the control of an owner/operator, is it not a VASP under the latest FATF guidance.