Abstract
Traditionally, the financial industry is marked by intermediary entities creating trust among industry participants and enabling regulators to address them as “a throat to choke” for the purpose of regulatory inquiries or enforcement. The decentralization of financial infrastructure driven by blockchain technology allows for the elimination of these intermediary entities and replaces them with software protocols. This phenomenon is commonly called decentralized finance (“DeFi”). Considering this disintermediation, how can DeFi be regulated when no centralized entity is around as a regulatory target? Could “embedded supervision,” i.e., implementing regulatory instruments into the technological infrastructure, be an effective tool to regulate DeFi? Can such a regulatory approach be implemented without making DeFi unattractive for businesses and users and thereby suffocating innovation? Can it be implemented from a technological perspective, and if so, should it? This paper aims to shed light on how relevant stakeholders and experts in the DeFi space answer these real-life questions, thereby contributing to finding common ground in the current discussions on DeFi regulation.
To address these questions, I conducted nineteen interviews with businesses, regulators, VC investors, and other experts in the DeFi space. My main empirical findings are that there is consensus among the interviewees that DeFi creates numerous risks that must be regulated, and that regulatory clarity is crucial for DeFi to thrive. The interviewees agreed that there are several potential regulatory approaches for DeFi, including embedded supervision, and that a combination of different tools will likely be the most promising approach. Embedded supervision could be particularly helpful in specific scenarios and meaningless in others, depending on whether direct access by the regulator seems critical for proper supervision.
The paper argues that, first, it is critical to create transparency by defining what “decentralization” means. Second, it must be clarified what regulatory measures can be taken to target “fully” decentralized financial technology as opposed to pseudo-decentralized structures. This is where, third, the idea of embedding regulatory instruments into blockchain infrastructure steps in. The paper argues that embedded supervision can be a helpful tool in various use cases; it does not provide the one “magic” solution to all issues caused by decentralization.
A. Introduction
I. Decentralized Financial Technology as a Challenge for Regulators all over the World.
What is Decentralized Financial Technology, and why is it relevant?
FTX, Silicon Valley Bank, First Republic Bank, Credit Suisse – those are just some of the prominent cases that most recently demonstrated how complex, intertwined, prone to systemic shocks, and partly fragile the global financial system can be. Considering the events surrounding these causally diverse but equally problematic cases, it becomes clear that financial regulation is an important tool to create a certain sense of trust and stability and ultimately prevent the financial system from collapsing. The financial industry plays a highly important role in world economies. Credit institutions, exchanges, investment funds, and many other players are pieces of the huge machinery that deals with the flow of money globally, powering activities such as investing, borrowing, lending, hedging against risks, and more. This system, for instance, enables individuals to increase their wealth through saving and investing, allows them to borrow money to buy real estate, and helps fund and scale the business operations of companies.
In traditional financial systems (“TradFi”), centralized parties such as banks or exchanges act as intermediaries in order to create trust among market participants and make processes more efficient. This can, for instance, include a bank processing payment flows between two parties, an exchange providing the platform for parties to trade financial products, or a clearing house stepping in between two parties of a derivative agreement in order to reduce counterparty risk when such agreements are settled. This intermediary-focused structure is commonly referred to as centralized finance (“CeFi”).
The increasing availability of sophisticated technological means, including advanced cryptographic methods and the growing efficiency of computer networks, allowed for the creation of digital assets such as “cryptocurrencies” that are not issued by a governmental institution and do not depend on a centralized entity such as a central bank. It also allows for the creation of “smart contracts,” meaning computer programs that execute certain steps automatically based on pre-agreed rules and thereby reduce the need for human intervention in the execution and settlement of the “contract.” This can, for instance, be used to create a “smart” derivative agreement that settles automatically without relying on an intermediary entity such as a clearing house.
This relatively new approach, based on cryptography, trust in distributed technological infrastructure, and economic incentives that promote honesty, reduces or, in truly decentralized cases, even eliminates the dependence on intermediary entities. This relatively new area of finance is commonly referred to as decentralized financial technology or decentralized finance (“DeFi”).
But what does that even mean? While this term is commonly used to describe various financial business models relying on decentralized infrastructure, there is no fixed and commonly agreed-on definition for it yet. Generally, it can be observed that “fully” decentralized financial products, not relying on any centralized “bottlenecks” to operate, are quite rare at this point since a certain degree of centralization often results from the design and operational facts of a system, such as the concentration of power, which can occur when certain functions or decision rights are controlled by a small group of people or even a single individual.
How does Decentralized Financial Technology work?
Typically, in DeFi business models, unlike in the traditional financial industry, there is no centralized trusted party that controls the relevant functions like, for instance, a central bank or a regulated stock exchange provider (“trustlessness”). Centralized intermediaries are superfluous in DeFi because the software systems underlying DeFi run by themselves and follow preset rules (“protocol”) that cannot be tampered with unless there is consent among the participants in the system to amend them. DeFi is based on distributed-ledger systems (“DLT”), usually blockchain technology; in such systems, information is not stored in one centralized place but distributed over all computers anonymously participating in the blockchain network (“peer-to-peer”) based on certain consensus mechanisms in a tamper-resistant manner. Accordingly, financial products in the DeFi space are created through non-centralized peer-to-peer networks using certain pre-defined sets of rules.
DeFi operates in a publicly transparent but usually (pseudo-)anonymized manner. This means that transactions are usually recorded on a publicly visible ledger while the involved parties are not personally identified but are merely represented by their account number (“public key”). DeFi is typically open to everyone to participate, and no permission by a centralized party is required to join a DeFi platform (“permissionlessness”), although it is possible to create permissioned systems too. It can be used to create various products and infrastructure systems such as virtual “currencies” and other tokens, derivatives, exchange platforms, lending marketplaces, and more. Besides enhanced privacy and censorship-resistance, two aspects that are particularly important to the original libertarian idea behind crypto assets, DeFi allows the automation of processes through “smart contracts,” which can make processes more efficient and reduce the need for intermediary parties.
When thinking about DeFi systems, one must differentiate between the different “layers” of technological infrastructure, which in combination, form the infrastructure “stack” that a DeFi user ultimately operates. The different layers involved in a blockchain-based DeFi infrastructure can be summarized as follows:
(a) Consensus / Settlement Layer: This is the most basic layer of blockchain infrastructure. It is the base layer upon which other DeFi transactions are built. It consists of a public blockchain and its native digital currency or cryptocurrency; transactions on DeFi apps are settled using this currency. One example of the settlement layer is Ethereum and its native token Ether (ETH).
(b) Protocol Layer: This layer contains the coded standards and rules written to govern specific tasks or activities. For instance, on Ethereum, this includes smart contracts that provide the specific functionality, for example, a service that allows for decentralized lending, such as Aave, or for the decentralized exchange of assets, such as Uniswap. The protocol layer provides liquidity to the DeFi ecosystem.
(c) Application Layer: This layer hosts the consumer-facing applications and thereby enables consumers to intuitively use a DeFi service. Most common applications in DeFi, such as decentralized cryptocurrency exchanges (“DEXes”) and lending services, reside in this layer. Ethereum describes this as “the products we use to manage and access the protocols.”
(d) Aggregation Layer: This layer provides the platform for aggregators who connect various applications from the previous layer in order to provide a service to investors and allow a smooth user experience.
(e) On-/off-ramps: This term refers to an exchange or similar service where you can offer fiat money in return for cryptocurrency or vice-versa.
With this stack structure in mind, it becomes apparent that the regulation of DeFi can target different technological layers, ranging from the basic consensus layer up to the ramps. I did not limit the scope of this paper to the regulation of an individual layer but rather investigated how DeFi regulation can be constructed generally. Even though the regulation of specific layers was in part discussed with interviewees to exemplify some of the challenges of DeFi regulation, this paper aims to give an overview of the broader picture.
How does Decentralized Financial Technology challenge regulators?
In summary, DeFi is characterized by (pseudo-)anonymity and the absence of intermediary entities gatekeeping the network that could be addressed by the regulators as responsible for creating and offering a financial product to obtain information or enforce regulatory actions. This lack of a centralized party can lead to regulatory gaps, causing risks for individual consumers and – with increasing amounts invested in digital assets traded on DeFi infrastructure – potentially, risks for the stability of the financial system.
DeFi in a globalized world poses difficult questions as to how a regulatory framework can capture activities that are conducted across borders and are not subject to just one but multiple jurisdictions. This can lead to complex situations when it comes to the enforcement of laws such as sanction laws. For instance, in the context of the automated validation and execution of transactions on a blockchain, it could be asked how the members and contributors to the blockchain (“nodes”) can prevent legal liability in case they are involved in the validation and processing of transactions that include a sanctioned party and are thus illegal under the specific jurisdiction where a given node is located. This could, for instance, be prevented by embedding compliance tools to automatically detect and opt out of illicit transactions. Such a situation could threaten the reliability of a blockchain if too many participants cannot validate certain transactions without infringing the laws of their respective jurisdictions. This is but one example of why regulation needs to be innovative in order to keep up with new opportunities and risks created by decentralization in the financial industry.
Against this background, the overarching research questions for this paper are:
(1) How can decentralized financial technology be regulated?
(2) Is embedded supervision an effective tool to regulate DeFi without suffocating innovation?
II. Regulatory Approaches to Decentralized Financial Technology.
It is currently heavily debated, globally and in most jurisdictions, what a successful regulatory approach to DeFi could look like. Most recently, there have been several statements by regulators such as the SEC and lawmakers such as the House of Commons of the United Kingdom (Treasury Committee), as well as (proposed) legislation, particularly the European Markets in Crypto-Assets Regulation (MiCA) and a “Proposal for a regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing” that mention DeFi but do not yet provide a fully comprehensive regulatory framework. In addition, multiple international organizations, such as the OECD, the International Organization of Securities Commissions (IOSCO), the World Economic Forum (WEF), and the Bank for International Settlements (BIS), have issued evaluations of the challenges created by cryptocurrencies and DeFi. Overall, the current regulatory regimes, including the new European MiCA, do not sufficiently cover fully decentralized infrastructure.
When thinking about how a transparent and comprehensive regulatory approach to DeFi can be achieved, many questions arise: Can old legal frameworks that partly date back many decades provide sufficient flexibility to be applied to this new area of finance without creating a lack of transparency and, ultimately, legal uncertainty? How can we make sure that innovation is not suffocated or pushed abroad by such a lack of transparency or overly rigid regulation? What could a future regulatory framework for DeFi look like? How do we deal with the trading of assets across jurisdictions? Do we need innovative regulatory instruments for DeFi, and what could they look like?
To answer these questions, one can generally think about various potential approaches, including a full ban on certain DeFi business models. For the purpose of this paper, I want to highlight particularly the following ideas:
(1) Targeting Coders: This approach targets the relevant software developers or other persons involved in the creation of DeFi products as regulatory subjects; one could argue that people who are ultimately responsible for the creation of a financial product or infrastructure should be held responsible under regulatory rules even after a protocol has been coded and deployed and thereby arguably left the individual coder’s sphere of influence. Choosing this regulatory approach would likely have a deterrent effect on software developers and prevent them from innovating in the DeFi space in jurisdictions that apply such a rule.
(2) Targeting Entities: One could further think about applying regulatory rules to entities used to set up, commercially exploit, and potentially govern a decentralized financial infrastructure, such as decentralized autonomous organizations (“DAOs”) or foundations, which are commonly used in the context of DeFi. This approach would likely face issues in practice because such entities may be organized in ways and in jurisdictions that make it hard or impossible for regulators to address them to enforce regulatory actions.
(3) Targeting Activities: It could also be considered more broadly to focus on an activity-based rather than an entity-based approach, thereby shifting the regulatory nexus away from a centralized party and towards whoever performs certain activities relevant to providing a DeFi service. This would, however, not solve the problem that activities in DeFi are, for a large part, automated and performed through the software protocol; therefore, it may be hard or impossible to identify an individual or an entity that actually performs relevant activities.
(4) Embedded Supervision: While the approaches outlined above were partly addressed in the interviews conducted for this paper and, where relevant, will be described in some more detail in the interview analysis below, I put the main emphasis in the interviews on another innovative regulatory instrument: Embedded supervision. This term refers to incorporating an access point for regulatory authorities into the relevant blockchain software framework of a decentralized – or centralized – financial infrastructure. This would allow the regulatory authority to perform certain actions directly in the technical infrastructure underlying regulated products and activities; this can particularly include conducting (real-time) monitoring of information such as transaction data or capital requirements, feeding data into such infrastructure, for instance for the purpose of determining interest rates or prices of certain financial products relying on a reference value, and potentially even enforcement powers to, for instance, block or reverse illicit transactions or to freeze assets.
When it comes to terminology, one sometimes encounters the term embedded regulation as opposed to embedded supervision. Notably, Zetzsche et al. (2020) define embedded supervision as an “automated form of compliance, monitoring, and supervision, using the system itself to implement, monitor, and enforce compliance requirements.” Embedded regulation, on the other hand, is then understood as the “key regulatory objectives of market integrity, market conduct, and financial stability” being built into the design of a DeFi system. The authors stress that “any system’s architecture should include systems of transparency, disclosure, compliance, etc.” This school of thought concludes that the “end result, however, may be that the objective of decentralization, in fact, requires an external guarantor—the platform where the regulation is embedded and that facilitates supervisory cooperation.” Similarly, Auer (2022) understands regulation as the “process of writing the rules that apply to the regulated entities,” whereas supervision, to him, means the “enforcement of these rules.” Therefore, regulatory automata are “a regulatory framework that allows for automated supervision.”
For this paper, I focus mostly on embedded supervision while, in some instances, touching upon questions of embedded regulation insofar as I discuss the technical feasibility of embedded supervision, which may depend on a DeFi platform allowing certain access rights for the regulator in the design of a DeFi system, and self-regulation through embedding rules.
Embedded supervision can be imagined as creating a layer of transparency and access in the decentralized infrastructure only for the supervisory authority to directly monitor or provide information, including information required for supervision of compliance with anti-money-laundering laws, or to even take active measures of enforcement, while everything else on the blockchain is and remains (pseudo-)anonymous. This approach could make supervision more efficient, reduce costs for supervised entities resulting from accumulating and providing data to supervisory authorities, thereby creating a level playing field for smaller companies with smaller compliance budgets, and enhance transparency regarding the regulatory requirements that have to be met by DeFi providers if properly put into law.
Such an embedded tool is not yet used in financial regulatory law on a day-to-day basis, but it is discussed among regulatory experts. For instance, in October 2022, the European Union (Commission) initiated a “Study on Embedded Supervision of Decentralised Finance.” This pilot project looks to “develop, deploy and test a technological solution for embedded supervision of DeFi activity.” The project will “seek to benefit from the open nature of transaction data on the Ethereum blockchain, which is the biggest settlement platform of DeFi protocols.” Its main focus will be on “automated supervisory data gathering directly from the blockchain to test the technological capabilities for supervisory monitoring of real-time DeFi activity.”
There are further examples of regulatory authorities exploring the potential of embedding regulatory instruments into decentralized infrastructure, elaborated below.
The Federal Reserve Bank of Boston published a paper Beyond Theory: Getting Practical With Blockchain (2019), analyzing in detail the potential of an embedded approach (“supervisory node”). The Federal Reserve Bank of Boston asks two vital questions: “What business functions (audit, regulatory supervisor, payment network rule-enforcer) could supervisory nodes perform?” and “How can data access be limited only to whatever is needed to perform the stated function?”
The Bank of Lithuania’s blockchain-based sandbox “LBChain,” launched in 2019, seeks to embed a regulatory infrastructure in a DLT-based market. LBChain is the world’s first-of-its-kind blockchain sandbox developed by a financial market regulator. It combines regulatory and technological infrastructures and allows market participants to test their business solutions in a controlled environment. The platform is based on both Hyperledger Fabric and Corda.
The Monetary Authority of Singapore (MAS) launched “Project Guardian” including a regulatory sandbox in October 2022. Project Guardian is a collaborative initiative with the financial industry that seeks to test the feasibility of applications in asset tokenization and DeFi while managing risks to financial stability and integrity. This project includes studying “the introduction of regulatory safeguards and controls into DeFi protocols to mitigate against market manipulation and operational risk.”
But what does all that mean in practice? What are potential scenarios that make an embedded regulatory approach seem worthwhile and technically feasible, and what embedded powers would actually help regulators mitigate the risks caused by DeFi and effectively supervise and enforce rules in this realm? Can embedded supervision solve most or all of the regulatory challenges in DeFi? Or is it merely one piece of the puzzle of a complex regulatory framework? In order to answer those questions, I want to differentiate between the three categories of embedded regulatory powers laid out above and clarify in which scenarios such powers might be helpful and where they are less helpful.
III. Potential Scenarios and Use Cases for Embedded Supervision.
For this paper, I emphasize three different types of powers that could be granted to regulators through embedded instruments. These powers can be imagined as a spectrum ranging from passive monitoring powers to active enforcement powers:
(1) Passive (real-time) monitoring: One of the mildest cases of embedded supervision would be the ability of the regulator to monitor financial data of regulatory relevance, for instance, transaction data or funds reserves data. This could be achieved by granting the regulator certain pre-defined access rights to specific data that is not visible to the public. It is challenging to determine which data relating to the identity of users should and technically can be accessible, in particular, for purposes of “Know Your Customer” (“KYC”) checks and Anti-Money Laundering rules (“AML”), as well as regarding the verification of the accuracy of data that can be accessed through an embedded supervisory instrument.
(2) Active feeding of data into (decentralized) infrastructure: The second level of embedded regulatory powers would be the establishment of a regulatory gateway (in blockchain terminology commonly referred to as an “oracle”) in order to actively provide official and trustworthy data to a DeFi platform. This could, for instance, be used for feeding in central bank interest rates that are relevant to determine prices for certain financial products traded on a decentralized infrastructure, or blacklists such as sanction lists blocking sanctioned parties from engaging in certain financial transactions.
(3) Active enforcement powers: The most intense type of embedded instrument would be to allow the regulator to take active measures such as blocking or reversing individual transactions, freezing assets, or even shutting down an entire decentralized infrastructure. This could be achieved by granting the regulator certain pre-defined powers to conduct such steps. The most extreme degree of this idea would be a “permissioned” blockchain provided and run by a governmental entity such as a regulatory authority. This would mean that access to the permissioned blockchain is controlled by a governmental entity which would enable it to directly enforce rules, for instance, related to identification, such as KYC rules. While this would give the regulator a high degree of control, such an infrastructure would on the other hand lose a lot of the benefits regarding privacy and anonymity that are valued by many members of the crypto-community.
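To make the spectrum of the three embedded powers concrete, the following toy model (an added example, not code from the paper or from any real DeFi protocol) sketches a single in-memory ledger in which a supervisor key is granted only three pre-defined actions: a read-only view of all recorded transactions (passive monitoring), pushing an authoritative sanctions list that the protocol consults on every transfer (oracle feed), and freezing an address (active enforcement). All account names, balances and the `REGULATOR_KEY` value are constructed; the point is that the supervisor's powers are enumerated and scoped in the protocol itself, and any other key attempting them is rejected.

```python
"""Toy model of the three embedded-supervision powers on a simplified ledger.

Constructed example, not code from any real DeFi protocol: a single in-memory
ledger where a regulator key is granted only pre-defined actions
(view, feed sanctions list, freeze) and everything else stays with users.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

REGULATOR_KEY = "regulator-key-0001"  # constructed placeholder credential


class NotAuthorized(Exception):
    """Raised when a caller invokes a power it was not granted."""


@dataclass
class Tx:
    sender: str
    recipient: str
    amount: int
    status: str  # "settled" or "blocked:<reason>"


@dataclass
class Ledger:
    regulator_key: str
    balances: Dict[str, int] = field(default_factory=dict)
    txs: List[Tx] = field(default_factory=list)
    sanctioned: Set[str] = field(default_factory=set)  # oracle-fed blacklist
    frozen: Set[str] = field(default_factory=set)      # enforcement target list

    def _require_regulator(self, key: str) -> None:
        if key != self.regulator_key:
            raise NotAuthorized("embedded power reserved for the supervisor")

    # (1) passive monitoring: read-only view of every recorded transaction,
    # including blocked attempts, which ordinary users cannot query here.
    def supervisory_view(self, key: str) -> List[Tx]:
        self._require_regulator(key)
        return list(self.txs)

    # (2) oracle feed: the supervisor pushes an authoritative sanctions list;
    # the protocol consults it on every transfer.
    def feed_sanctions(self, key: str, addresses: Set[str]) -> None:
        self._require_regulator(key)
        self.sanctioned = set(addresses)

    # (3) active enforcement: freeze an address so it can neither send nor receive.
    def freeze(self, key: str, address: str) -> None:
        self._require_regulator(key)
        self.frozen.add(address)

    def transfer(self, sender: str, recipient: str, amount: int) -> Tx:
        """Settle a transfer unless an embedded rule blocks it; record either way."""
        reason = None
        if sender in self.sanctioned or recipient in self.sanctioned:
            reason = "sanctioned"
        elif sender in self.frozen or recipient in self.frozen:
            reason = "frozen"
        elif self.balances.get(sender, 0) < amount:
            reason = "insufficient"
        if reason is None:
            self.balances[sender] = self.balances.get(sender, 0) - amount
            self.balances[recipient] = self.balances.get(recipient, 0) + amount
            tx = Tx(sender, recipient, amount, "settled")
        else:
            tx = Tx(sender, recipient, amount, f"blocked:{reason}")
        self.txs.append(tx)
        return tx


def run_scenario() -> dict:
    """Exercise all three powers on constructed accounts and return a summary."""
    ledger = Ledger(REGULATOR_KEY, balances={"alice": 100, "bob": 50, "mallory": 10})
    ledger.transfer("alice", "bob", 30)                  # ordinary transfer, settles
    ledger.feed_sanctions(REGULATOR_KEY, {"mallory"})    # power (2): oracle feed
    ledger.transfer("bob", "mallory", 5)                 # blocked by fed sanctions data
    ledger.freeze(REGULATOR_KEY, "bob")                  # power (3): enforcement
    ledger.transfer("alice", "bob", 1)                   # blocked by the freeze
    try:
        ledger.freeze("alice", "bob")                    # a user key holds no such power
        misuse_rejected = False
    except NotAuthorized:
        misuse_rejected = True
    view = ledger.supervisory_view(REGULATOR_KEY)        # power (1): monitoring
    return {
        "balances": dict(ledger.balances),
        "statuses": [tx.status for tx in view],
        "misuse_rejected": misuse_rejected,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The model keeps the three powers as separate, narrowly scoped methods rather than a single privileged "admin" role, which is the design question the Federal Reserve Bank of Boston raises about limiting a supervisory node's data access to what its stated function needs; in a real deployment each power would be a distinct, auditable capability, and the sanctions feed would carry the supervisor's signature rather than a shared key.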
When thinking about such embedded regulatory instruments, one must differentiate between potential use cases. As laid out above, DeFi can come in different shapes and forms and can be used for multiple types of applications, encompassing large-scale infrastructure such as exchange platforms and individual financial products such as derivatives. It is, therefore, important to clarify that certain embedded instruments may be suitable in certain contexts while others are more promising to use in a different context.
To give a specific example, the abovementioned regulatory power of passive (real-time) monitoring would not be much of an innovative idea in cases where all or most of the relevant information, such as wallet addresses and the corresponding transaction flows, is publicly available anyway through the public ledger of a decentralized infrastructure. In this case, regulators can and – as we will see in the interview analysis – do use commercial analysis tools like Chainalysis to analyze this information with a relatively fast reaction time. If, however, the relevant information is veiled through specialized tools such as “mixers” that make it hard or impossible to reliably track payment flows, the built-in ability to passively (real-time) monitor such information regardless of the attempt to veil it can be very valuable for regulators. This concept will be discussed in more depth below.
It seems plausible that if a technical standard for embedded supervision is developed and accepted by regulatory authorities, this could, to a certain extent, create a “safe harbor,” transparency, trust among users, and more reliability for investors in DeFi companies – ideally fostering innovation through an incentive to build new products in a more transparently regulated space. At the same time, every constraint of true decentralization and anonymity in DeFi products will potentially be met with skepticism by users who highly value privacy.
B. Methodology
In this paper, I assess the challenges that DeFi causes for regulators, explore potential ways of DeFi regulation, and investigate the idea of embedding regulatory instruments into distributed infrastructure on a high level. I show how DeFi regulation is currently perceived by stakeholders and experts in the DeFi space and aim to shed light on how entrepreneurs, regulators, and other experts in the DeFi space think about challenges and solutions. My goal is to provide a “snapshot” of the current debate on DeFi regulation and thereby contribute to finding a regulatory approach that works for all involved parties.
Since regulating DeFi is of global relevance, the scope of the research underlying this paper is not limited to specific jurisdictions. I focused my research mainly on the United States and Europe – two relevant markets for DeFi, both offering numerous interview subjects – while keeping the research questions as open as possible to ensure that the research results are not limited to certain jurisdictions.
The research population comprises specific regulatory approaches to DeFi as assessed by the relevant stakeholders in DeFi, particularly embedded supervision. The variables I analyze include the technical feasibility and effectiveness of such approaches and how they may affect innovation in the DeFi space, the ability to raise capital from VC investors, commercial success, and consumer trust. I used the following methods to measure the relevant variables.
I. Research Strategy Overview.
The research strategy underlying this paper comprised the following steps.
(1) I reviewed academic literature and publications/statements by regulatory/supervisory authorities as well as other organizations dealing with DeFi regulation and related information on regulatory approaches to DeFi in general.
(2) I reviewed specific academic literature and publications/statements by regulatory/supervisory authorities as well as other organizations dealing with DeFi on embedded supervision in order to track the development and status quo with a focus on the purpose, the technical background and functioning, and policy discussions regarding embedded supervision.
(3) I conducted semi-structured, in-depth technical expert interviews with computer science and blockchain experts on DeFi regulation and embedded instruments in order to form an understanding of the status quo of research on this topic from a technical and policy perspective.
(4) I conducted semi-structured, in-depth interviews with stakeholders in the DeFi space to find out their respective perceptions of DeFi regulation and embedded supervision.
The Interviews.
The main data source for this paper is semi-structured, in-depth interviews, approximately thirty to sixty minutes each, with stakeholders and experts in the fintech realm. The interviews were conducted in early 2023.
Considering the relatively small group of highly specialized people engaging in this field able and willing to share their insights, I did not perform any sampling.
I conducted the interviews based on three questionnaires, each tailored to the specific interviewee group. Interviews with technical experts, think tank representatives and academics were not based on a fixed questionnaire but used select questions from the different questionnaires.
Most interviewees opted for anonymization, and, therefore, I decided to anonymize all interviewees.
I interviewed nineteen individuals stemming from the following stakeholder and expert groups:
1. Fintech companies engaging in decentralized financial technology (e.g. founders/managers/business leaders/general counsels) (eight interviews),
2. Regulatory authorities (EU/Asia) (five interviews; one conducted with two participants simultaneously),
3. Technical and regulatory policy experts, think tank representatives, academics (three interviews), and
4. Venture capital investors (three interviews).
The following interviewees stemming from the four stakeholder groups participated in the study:
Fintech companies
Founder of a DeFi wallet provider (not conducted in English; translated by the author)
Founder of a company providing software tools to financial institutions related to payments and identity
Computer scientist with a company offering DeFi services
Lawyer with a company providing a global DeFi platform
Lawyer with a company providing software tools for monitoring digital assets trading and compliance
Lawyer with a company offering services relating to crypto currencies
Lawyer with a company offering infrastructure services relating to crypto products and DeFi for institutional clients
Lawyer with a cryptocurrency exchange platform and provider for DeFi payments in Latin America
Regulators
Two agents of the National Financial Supervisory Authority of an EU Member State (joint interview; not conducted in English; translated by the author)
Agent of the National Financial Supervisory Authority of an EEA Member State (not conducted in English; translated by the author)
Agent of the National Supervisory Authority of a large Asian country
Former agent of the National Financial Supervisory Authority of an EU Member State (not conducted in English; translated by the author)
Technical and regulatory policy experts, other experts
Ph.D. candidate in Computer Science, Stanford University
Expert on financial regulatory policy (U.S. Think Tank)
Former European regulator and expert on regulatory policy (blockchain organization in Europe)
Investors
Lawyer with a VC investment company focused on blockchain technology
Lawyer with a hedge fund focused on crypto assets
General Partner with a VC fund investing in blockchain technology
C. Analytical Literature Review
I. Overview.
Financial technology (“fintech”) has been around for quite some time. A prominent example of widely used financial technology is the payment service provider PayPal, founded in 1998. DeFi is an innovative and younger area of fintech that gained increasing relevance with the creation of the first popular crypto token, Bitcoin, in 2009 and, later, in 2013, the creation of the Ethereum blockchain, which allows for the building of decentralized applications (“DApps”) that can be used in many different contexts, including financial transactions, to create automated smart contracts.
This difference in age and – at least for now, since crypto/DeFi is a niche of broader fintech – economic relevance is reflected in the amount of literature that is available on the topics. While there is a good amount of legal literature on financial technology in a broader sense, the legal literature on DeFi and how it should be regulated is comparatively slim and is just starting to really take off. This is because DeFi as a mainstream topic has not been on the radar of legal scholars and other relevant players in the world of financial regulation for very long. A landmark event in this regard was the release of the Bitcoin white paper by Satoshi Nakamoto (2009). The release of this paper and the subsequent rise of Bitcoin and other digital tokens increasingly sparked the interest of lawyers trying to understand the implications of such decentralized technology and how it should be treated from a legal perspective, including but not limited to a financial regulatory angle.
While the more general and broad discussions on DeFi and its legal treatment are interesting to follow and can, in some instances, help provide background to the subject of this paper, a comprehensive examination of such literature would go beyond the scope of this paper. Therefore, I will refer in this paper mainly to the most relevant works that provide critical information for the research questions underlying this paper on DeFi regulation, in general, and embedded regulatory instruments, in particular.
Very recently, with its increasing relevance, a growing amount of literature has become available on the regulatory challenges related to DeFi and potential solutions, in many cases published by regulatory authorities and other organizations involved in financial regulatory policy as well as by practitioners. This includes, i.a., the Bank for International Settlements (BIS), the Financial Stability Board (FSB), the European Systemic Risk Board (ESRB), the World Economic Forum (WEF), the Organisation for Economic Co-operation and Development (OECD), and the International Organization of Securities Commissions (IOSCO).
However, there still seems to be a gap in the legal literature when it comes to an empirical study that analyzes the similarities and differences in the views on DeFi regulation, especially embedded supervision, of different stakeholders and experts involved in DeFi. This paper aims to fill this gap and present a “snapshot” of those views in order to draw conclusions for the ongoing regulatory discussions.
An empirical legal approach to DeFi regulation in general and embedded supervision specifically, to the best of my knowledge, has not been widely explored yet. Against this background, this research project picks up on the current theoretical discussions and some early-stage political initiatives and tries to shed light on the real-life perception of DeFi regulation and embedded supervision by the relevant stakeholders.
II. Literature on Regulating DeFi in General.
DeFi regulation, in general, has most recently been addressed by several scholars and governmental as well as international institutions; due to the multidisciplinary nature of DeFi, the relevant material was, for a good part, created by economists, not by lawyers. The materials are, thus, mostly different from typical papers stemming from legal academia. They are rather focused on practical issues, technical considerations, policy debates, and a few specific legal implications rather than on legal theory and reciprocal discussions of legal concepts and arguments.
The relevant publications mostly cover only certain aspects of what a regulatory framework for DeFi could look like and usually focus on partial questions instead of presenting a specific framework for DeFi regulation that could, in its totality, be applied in practice. None of these publications seems to address in detail, in an empirical manner, the different views of the relevant stakeholders and experts in order to draw conclusions about what the best overall regulatory approach would be, taking into account the relevant interest groups in the DeFi space.
Papers published by academics & policy/regulatory institutions.
Some of the relevant material was published either in the form of academic papers, especially from the fields of law and economics, or by policy/regulatory institutions such as the Bank for International Settlements (BIS) in the form of working papers, bulletins, or similar formats.
Notably, Garcia Ocampo et al. (2023) provide an overview of “policy measures taken in nineteen jurisdictions to address the risks associated with activities that incorporate cryptoassets and DLT programmability capabilities in financial services.” They identify multiple risk categories of DeFi as well as the corresponding regulatory need for action and conclude that “the recent turmoil in cryptoasset markets underscores the critical need for swift and global implementation of international standards.” They highlight the risks of the lack of a comprehensive regulatory framework and stress that “the inherently global nature of cryptoassets lends itself to regulatory and supervisory arbitrage. Jurisdictions cannot fully mitigate their risks as long as they are exposed to weaknesses and inconsistencies across borders.” They also stress that “in addition to consistent implementation of international standards, a harmonized framework for the regulation of cryptoassets and related services is key to addressing the related risks.”
This conclusion reflects DeFi regulation mainly from the regulator’s perspective and serves as proof of the relevance of the research question underlying this study; I aim to take these observations one step further and expand the perspective, including the opinions of entrepreneurs, investors, and other DeFi experts in order to show similarities and differences in the opinions of these relevant stakeholders and experts.
Schuler et al. (2023) propose a framework to assess the degree of decentralization of DeFi projects. Combining “technical and legal perspectives,” they discuss potential centralization vectors that can be present on a project itself or can be inherited through dependencies. The authors find that “most of what is commonly referred to as DeFi today has severe centralization vectors.” With regard to what this means for regulation, they conclude that “the distributed, open-source nature of DeFi lacking legal hooks leaves regulators essentially with two possible strategies.” Regulators could “condemn DeFi and attempt to ringfence it” or “embrace DeFi’s beneficial properties and focus on accompanying measures.” Initially, this would require a “clear definition of what constituted genuine DeFi.” “In this second scenario, the regulatory focus would remain on the on-/off-ramps between the three spheres of DeFi, on-chain CeFi, and (traditional) CeFi.”
The arguments laid out in Schuler et al. (2023) regarding the need for a clear definition of “genuine” DeFi and the analysis of how the degree of decentralization affects the regulatory policy discussions for DeFi show that it should be helpful to get a better understanding of what the affected stakeholders think about the current market standard for DeFi when it comes to the degree of decentralization and how they assess regulatory policy discussions against that background. I attempt to achieve this in the paper.
Aquilina et al. (2023) argue with regard to DeFi regulation that “the rationale for regulation applies to DeFi in a manner analogous to how it applied to TradFi.” According to the authors, “DeFi attempts to fulfil many functions that match those of TradFi. In doing so, it uses a different technology but the objectives it seeks to achieve are very much the same. This means that the economic rationale for the regulation of TradFi applies – with some adaptation – to DeFi as well.” They conclude by outlining “a potential way forward on the regulation of DeFi using two pillars. One of these is akin to the one used in TradFi and the other exploits the potential of programming requirements into DeFi applications. These pillars could bring benefits to society and to private developers, setting the stage for more sustainable long-run innovation.” By “exploiting the potential of programming requirements into DeFi application” the authors refer to the idea of embedded supervision and regulation, as will be further addressed below under Part III.
Zetzsche et al. (2020) give an overview of how DeFi generally functions and address the challenges for regulatory frameworks created by decentralization. They conclude that “law must adapt to the challenges of DeFi.” When it comes to specific regulatory measures that could be taken, the authors elaborate that “tools include those designed to enhance cooperation of competent authorities, enhance tech risk management, require data and reserve localization, require RegTech to strengthen financial supervision and enforcement, and mandate open data and open access to services where data economies lead naturally, as in other forms of core infrastructure, to reconcentration.” In summary, according to the authors, “these tools may well require a central role for government in monitoring and potentially controlling the central underlying systems: ironically, realization of the DeFi dream may well require government intervention.”
While this conclusion gives an illustrative overview of potential measures that can be taken to regulate DeFi, the authors do not present a comprehensive and elaborate framework for DeFi regulation that could be applied in practice, and they do not address in detail how different approaches are perceived by the different stakeholders in DeFi.
Another recent paper by Auer et al. (2023) addresses the fact that “recent episodes of market turmoil have led to a discussion on whether and how DeFi industry should be regulated. Nevertheless, we consider DeFi a relevant development because it harnesses innovative technology that might shape the future financial ecosystem.” The paper gives a good idea of the individual components of DeFi and how they interact through the lens of a DeFi stack reference (DSR) model featuring three layers: settlement, applications, and interfaces. While the overview of the technical side of DeFi covered in the paper is helpful for the context of this study, it does not address the regulatory challenges from a legal perspective in depth.
Opinions published by entrepreneurs and investors.
The literature review revealed that some entrepreneurs and investors in DeFi companies frequently publish their opinions on DeFi regulation. While such publications are obviously not academic legal literature, they can be very helpful for understanding the current discussions on DeFi regulation. I consider the following publications to be particularly noteworthy and used them to phrase certain questions in my discussions with the interviewees.
Voloder, Reggianini, Grosskopf & Weiss (2023) assembled a list of policy action items that they consider crucial for future DeFi regulation in Europe. Their considerations include DAO legal recognition in future European legislation, national API repositories integrated into EU oracle frameworks, soulbound token recognition in European legislation, a voluntary compliance/supervision mechanism over off/on chain data flows provided through a modular approach, and how to address or reduce public/market specific risks to promote risk management practices, further ensuring compliance through public observatories and, lastly, oracles as a nexus for both stability and supervisory requirements and opportunities.
The items relating to oracles in particular are interesting to discuss in the context of embedded supervision, to test whether this is a practically feasible concept.
Grosskopf (2022) analyzes future regulatory concepts for DeFi and argues that “more automated regulation means less pain.” He differentiates between regulation “at development, before deployment, and at runtime.” The author states that “before deployment a static security and functionality audit should happen. At runtime, there should be limited/controlled ways to change smart contract behavior at runtime (e.g. through oracles). Furthermore, there should be public interfaces to read and audit all data flows at runtime (reading from the Blockchain or create something custom).” The author argues that “regulators will do ‘Regulation as Code’ and sit in front of a NASA launchpad style Dune Analytics dashboard and inspect market data and participants in real time.” With regard to the issue of identification of users in a DeFi context, the author mentions that “digital identity can be issued by a governmental body or be a verified token / credential by an obliged person.”
These ideas give vivid examples of what future regulatory approaches to DeFi could look like and how certain instruments could be embedded or, at least, lead to more automation and potentially a more active role of the regulator. Multiple of those concepts were discussed with participants in the study.
Jennings (2022) looks at what DeFi layer should be targeted by the regulator. He argues that “apps ought to be regulated, not protocols” and draws a comparison to how the internet is regulated in a similar way. The author bases this assessment on the thought that it is “not technologically possible for protocols to comply with regulations, which often require indefinable, subjective determinations.” Second, it is “impractical for protocols to incorporate global regulations, which vary – and may clash – by jurisdiction.” And third, it is “unnecessary and counterproductive to rewrite the web’s technical underpinnings given that apps or clients can comply with regulations further up the tech stack.”
This assessment inspired me to discuss with some interviewees what exactly the regulatory target should be and serves as an example of how technical discussions about DeFi regulation can get. It also shows that regulatory policy discussions are often shaped by specific perspectives that may be influenced by commercial interests, too.
Guidelines and policy papers published by regulatory authorities and political institutions.
Other relevant sources of information are guidelines and other documents published by regulatory authorities or political institutions such as the European Commission and the European Securities and Markets Authority (ESMA).
Most notably, European Commission (FISMA) (2022) addresses some of the regulatory challenges posed by DeFi and makes proposals to address them. The report mentions that the “permissionless and pseudonymous nature of DeFi poses a general challenge to a universal enforcement of public actions. […] [T]he pseudonymous part - owing to the asymmetric identification problem previously discussed - prevents policies to make pseudonymous entities liable for their actions.” As a solution to this, the report proposes an “open policy framework with attractive benefits to DeFi services that can produce voluntary compliance. In such a setting, entities and protocols voluntarily seek to comply with a given set of policy requirements in order to obtain a public stamp of approval and other potential benefits.” The report further states that “despite its importance, the question of the optimal design for oracle markets remains largely under-developed. Hence, a set of concrete policy guidance is hard to obtain at this stage” and goes on to deliver comprehensive ideas for making oracles operate more reliably given their importance for the functioning of smart contracts.
Overall, the report shows that there are multiple regulatory issues in DeFi currently being discussed and it is a goal of this study to address them with regulators and industry representatives alike to see whether there are differences in perception and to find out what the stakeholders consider to be the best solutions to solving those issues.
A discussion paper by Banque de France (2023) contains a comprehensive analysis of DeFi risks and proposes “avenues” for a regulatory framework; this includes ensuring a minimum level of security with respect to infrastructure, providing a suitable oversight framework in view of the algorithmic nature of services, and regulating the provision of and access to services.
This discussion paper is another good example of the increasing number of comprehensive materials recently issued by governmental authorities to address the risks posed by DeFi with – in part – innovative regulatory tools. The paper was briefly discussed with an interviewee.
Summary and contribution of this study.
Overall, there is a clear lack of qualitative, empirically based legal literature on DeFi regulation that shows how different stakeholders and experts think about the topic and how this could influence discussions among policymakers. Considering that DeFi regulation is highly topical and subject to rapid and frequent development, it is hard to find definitive answers to all open questions at this point. However, it seems helpful to capture the current sentiments in the DeFi world in a qualitative manner and use this knowledge to make suggestions for potential regulatory approaches.
III. Literature on Embedded Supervision.
The innovative regulatory approach of embedded supervision lies at the intersection of cutting-edge financial technology and the pursuit of new regulatory approaches to supervise such technology adequately. Considering that this approach in a DeFi context is in the very early stages of being discussed and explored, there is not a large amount of literature available on the specific topic of embedded supervision of DeFi, especially not from a legal perspective. The literature to be found at this point leans towards technical papers written by economists or computer scientists and is of a rather theoretical nature. I identified the following materials as the most relevant.
Papers published by academics & policy/regulatory institutions.
a. A theoretical framework for embedded supervision.
Most notably, Auer (2022) suggests a comprehensive theoretical framework for embedded supervision, mostly from an economist’s perspective with some comments on how such an approach should be anchored in the legal system. In this paper, Auer suggests a regulatory framework that “provides for compliance in decentralized markets to be automatically monitored by reading the market’s ledger.” He argues in favor of embedded supervision in a permissioned context and states that “instead of focusing on fitting DeFi and crypto-assets into existing regulations, such as securities laws formulated long before the advent of Distributed Ledger Technology (“DLT”), it is worth asking how new technologies could serve to better monitor risks in financial markets.” A key benefit of embedded supervision, according to Auer, is the fact that “it reduces the need for firms to actively collect, verify and deliver data” and “could ease the conflict between data availability, the cost of data collection and verification, and privacy.” According to Auer, in order for embedded supervision to work, a “key element must be a watertight and potentially globally coordinated KYC identity framework that keeps illicit activity out of this novel ecosystem.”
Auer gives examples of cases embedded supervision could be used for, such as compliance monitoring and inbound data flows between public authorities and markets, used, among other uses, for price-setting. He then develops a theoretical framework to propose how “economic finality” of transactions can be ensured by balancing out incentives for the participants in a DeFi system – a critical prerequisite for automated monitoring of transactions through embedded supervision because the reliability of data depends on being certain that monitored transactions are final.
Auer concludes that the “key principle of embedded supervision is to rely on the trust-creating mechanism of decentralised markets for regulatory purposes too,” referring to economic incentive mechanisms that ensure that members of a decentralized system behave honestly. He identifies the question of “how to embed the concept of economic finality in today’s legal system, and the adjacent question of how to treat such assets on balance sheets” as critical for embedded supervision. According to Auer, only if “the principles of finality underlying the regulation and supervision of financial markets infrastructures are modified to recognise decentralised exchange could DLT ever gain traction in regulated finance.” Additionally, he notes that “regulators and supervisors would also have to design rules regarding the assignment of responsibility in decentralised markets in the case of illegal activity.” Finally, Auer remarks that “to implement embedded supervision, regulators would also be required to acquire substantial technological know-how and the willingness to adjust their operational approach to the technology that is being developed by the financial sector.”
In addition, Auer (2020) identifies that a “key early use case of embedded supervision may be in the monitoring of the full asset-backing of a blockchain-based stablecoin.” The author argues, using Libra as an example, that embedded supervision could be used “to monitor the asset backing of the global stablecoin LBR, as it involves reading the smart contract and the relevant ledger entries in real time and in an automated manner.” Again, Auer (2020) emphasizes that the connection between “the claim on or ownership in the underlying asset and the record of the digital token must ultimately be established by the legal system and relevant contractual arrangements.” The author emphasizes that “importantly, this means that just as in today’s system, a decentralised financial system needs to be backed up by an effective legal and judicial system and supporting enforcing institutions for contractual arrangements.” The author stresses that economic finality, i.e., “the notion that a transaction is final once it is no longer profitable to reverse it” is crucial for embedded supervision to work and explains that reduced compliance cost, as well as the ability to settle disputes, would be two major benefits of embedded supervision in a stablecoin context.
The qualitative data collected for the purpose of this study was partly gained by picking up on some of the conceptual ideas Auer has formulated and discussing them with relevant stakeholders in the DeFi ecosystem. This allowed for an assessment of the real-world prerequisites and consequences such an approach would have as perceived by the relevant stakeholders and enabled me to draw conclusions on the practical benefits, downsides, and potential future use cases of an embedded regulatory approach to DeFi.
b. Specific use cases for embedded supervision.
Aquilina et al. (2023) pick up on the idea of Auer (2022) and state that DeFi regulation should include, “whenever possible, the embedded supervision and embedded regulation approaches envisaged respectively by Auer and Zetzsche, Arner and Buckley.” They provide several examples of embedded supervision: “[…] [E]nsuring that smart contracts were executed correctly in line with the status of the ledger, that the disclosure of information did take place or that ‘best execution’ requirements have been met and transactions did take place close to the best available prices.” Further examples include processes for suspicious activity reports and other safeguards to prevent money laundering and terrorism financing in payment protocols, built-in compliance with anti-usury regulations for lending protocols, built-in compliance with requirements around reporting value for mutual fund protocols; generally, any tokenized representation of an asset may eventually fulfil the same conditions as its real-world counterpart, e.g. specific regulations for mortgages.
This study aims at discussing real-life use cases of DeFi regulation such as those presented in the paper by Aquilina et al. (2023) with stakeholders in DeFi in order to assess the real-life perception of such potential use cases and find out whether the industry would be willing to implement and regulators would, at this point, want and be able to use embedded tools as the ones described above.
c. Embedded supervision and stablecoins.
In addition to Auer (2020), Arner, Auer & Frost (2020) again describe in depth how embedded supervision could be used in the context of stablecoins. The authors explain that “allowing for embedded supervision could be of substantial importance for the development of so-called asset ‘tokenisation’ – the process by which claims on or ownership in real and financial assets are digitally represented by tokens, allowing for new forms of trading and improved settlements.” This is, as already laid out by Auer (2020), because the “full asset backing of a blockchain-based stablecoin” could well be monitored by an embedded supervision approach. While currently the stablecoins USDC and Paxos “publish monthly public auditor reports of the smart contract and of the reserve on their websites,” fraud risk could be reduced by fully automating this, “even in real-time.”
The paper emphasizes the potential of embedded supervision in the context of cryptographic assets that are just in the process of hitting the market on a larger scale. This is a valuable impulse for this study when it comes to thinking ahead and evaluating embedded supervision with stakeholders for scenarios that might seem futuristic now but could be just around the corner.
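As an added illustration of the stablecoin use case discussed by Auer (2020) and Arner, Auer & Frost (2020) above (this is not code from those papers or from any project the paper cites), the following monitor reads a token's mint and burn events and the reserve attestations directly off a ledger and checks full asset backing. The confirmation-depth rule standing in for economic finality, the attestation staleness threshold, and the sample ledger are constructed assumptions.

```python
"""Constructed example: a supervisor reading a stablecoin ledger directly.

Added illustration of the embedded-supervision use case "monitoring the full
asset-backing of a blockchain-based stablecoin". Assumptions (not from the
paper): confirmation depth stands in for economic finality, and reserves
arrive as a custodian attestation feed recorded per block.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, Tuple


@dataclass(frozen=True)
class LedgerEvent:
    block: int
    kind: str        # "mint" or "burn" of the stablecoin token
    amount: Decimal


@dataclass(frozen=True)
class ReserveAttestation:
    block: int
    reserves: Decimal   # reserve assets reported as of this block


@dataclass(frozen=True)
class SupervisoryReport:
    as_of_block: int
    circulating_supply: Decimal
    reserves: Decimal
    coverage_ratio: Decimal
    fully_backed: bool
    attestation_stale: bool
    pending_events: int     # events too recent to be treated as final


FINALITY_DEPTH = 6          # assumption: blocks before an event counts as final
MAX_ATTESTATION_AGE = 100   # assumption: blocks before a reserve figure is stale


def circulating_supply(events: Iterable[LedgerEvent], as_of_block: int) -> Tuple[Decimal, int]:
    """Sum final mints minus burns; events after as_of_block are pending."""
    supply = Decimal(0)
    pending = 0
    for ev in events:
        if ev.block > as_of_block:
            pending += 1            # not final yet: excluded, but reported
            continue
        if ev.kind == "mint":
            supply += ev.amount
        elif ev.kind == "burn":
            supply -= ev.amount
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
    return supply, pending


def latest_attestation(attestations: Iterable[ReserveAttestation], as_of_block: int) -> ReserveAttestation:
    """Most recent attestation that is itself final at as_of_block."""
    eligible = [a for a in attestations if a.block <= as_of_block]
    if not eligible:
        raise ValueError("no reserve attestation available yet")
    return max(eligible, key=lambda a: a.block)


def supervise(events, attestations, head_block: int,
              finality_depth: int = FINALITY_DEPTH,
              max_attestation_age: int = MAX_ATTESTATION_AGE) -> SupervisoryReport:
    """Produce the report a supervisor would read off the ledger."""
    as_of = head_block - finality_depth
    supply, pending = circulating_supply(events, as_of)
    att = latest_attestation(attestations, as_of)
    ratio = att.reserves / supply if supply > 0 else Decimal("Infinity")
    stale = (as_of - att.block) > max_attestation_age
    # A stale reserve figure cannot evidence backing, whatever its ratio says.
    return SupervisoryReport(
        as_of_block=as_of,
        circulating_supply=supply,
        reserves=att.reserves,
        coverage_ratio=ratio,
        fully_backed=(ratio >= 1) and not stale,
        attestation_stale=stale,
        pending_events=pending,
    )


# Constructed sample ledger (not real data): 1.3m tokens final, 0.3m pending.
SAMPLE_EVENTS = [
    LedgerEvent(100, "mint", Decimal("1000000")),
    LedgerEvent(120, "mint", Decimal("500000")),
    LedgerEvent(130, "burn", Decimal("200000")),
    LedgerEvent(198, "mint", Decimal("300000")),   # too recent at head 200
]
SAMPLE_ATTESTATIONS = [
    ReserveAttestation(150, Decimal("1300000")),
    ReserveAttestation(199, Decimal("1600000")),   # not yet final at head 200
]
SAMPLE_ATTESTATIONS_SHORTFALL = [ReserveAttestation(150, Decimal("1200000"))]
SAMPLE_ATTESTATIONS_STALE = [ReserveAttestation(50, Decimal("2000000"))]

if __name__ == "__main__":
    print(supervise(SAMPLE_EVENTS, SAMPLE_ATTESTATIONS, head_block=200))
    print(supervise(SAMPLE_EVENTS, SAMPLE_ATTESTATIONS_SHORTFALL, head_block=200))
    print(supervise(SAMPLE_EVENTS, SAMPLE_ATTESTATIONS_STALE, head_block=200))
```

The three sample runs show a fully backed state, a reserve shortfall, and a reserve figure that is too old to count, the last being the case a monthly auditor report cannot catch between reports.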
d. Embedded supervision model building.
Wu Xiangyi et al. (2022) deal with the concepts and theoretical basis of embedded supervision, construct an embedded supervision model with a lag, i.e., one that is not real-time but in which regulatory measures are taken only “once in a while,” and analyze the feasibility of embedded supervision with a lag. Regarding the paper by Auer (2022), the authors argue with regard to the model they develop that the “difference lies in that the utility of each party is clearer and the calculation formula is corrected.” According to the authors, the paper also “optimizes results and the related parameters of embedded supervision with a lag.”
The paper is of a rather theoretical nature and does not provide any deeper insights into how embedded supervision could specifically be used in a DeFi context. This emphasizes the lack of empirical research on the real-world perception of an embedded regulatory approach by the relevant stakeholders.
Opinions published by entrepreneurs and investors.
Grosskopf (2022) touches upon the possibility of embedding regulatory tools in the software infrastructure underlying decentralized systems. When summing up his vision of future DeFi regulation by “more automated regulation means less pain,” the author hints at the possibilities of automating supervision of – itself automated – DeFi. Especially when explaining that “regulators will do ‘Regulation as Code’ and sit in front of a NASA launchpad style Dune Analytics dashboard and inspect market data and participants in real time,” it becomes clear that this concept could well be achieved through an embedded regulatory monitoring tool.
BV Crypto (2022) discusses “an automatic control mechanism embedded in the network,” that “includes an automatic recording of each transaction in the network” and allows “categorization, and access to this information by the authorities at any time.” This system, “which will continuously monitor the network and platforms, ensures that the regulators be hand in glove with blockchain and DLT systems” and “will act as a monitor.” The author elaborates in detail about how this could be achieved on a technical level and summarizes that “the most significant advantage of this system is that it allows official organizations to directly participate in a common DLT infrastructure.”
These opinions further demonstrate that embedded supervision is discussed in the industry which makes it seem worth taking a closer empirical look at what the relevant stakeholders think about this regulatory concept.
Guidelines and policy papers published by regulatory authorities and political institutions.
The reviewed literature also includes materials published by regulatory authorities and political institutions. As mentioned above, DeFi supervision is currently becoming an increasingly relevant topic for policymakers, and several relevant materials were published while the research underlying this study was being conducted.
Most notably, in addition to the abovementioned Study on Embedded Supervision of Decentralised Finance by the European Union (Commission) from October 2022, which looks to enable “automated supervisory data gathering directly from the blockchain to test the technological capabilities for supervisory monitoring of real-time DeFi activity,” the abovementioned report by the European Commission (2022) deals with some aspects of embedded supervision and points out that the “transparency of both protocols and historical activity allows in theory for an adapted form of supervision.” The report suggests a “role for a public observatory of DeFi activity operated by a public authority.” Such an institution would “deploy public investigations and issue opinions and warnings publicly about specific DeFi protocols, practices and public address activities. Inspiration for such an observatory can for instance be taken from the activity of the MIT Digital Currency Initiative which issues technical opinions and warnings on specific protocols.”
This proposal comes relatively close to an embedded regulatory tool using the transparency of a public ledger to take regulatory actions, in this case, not directly on-chain, but through traditional regulatory tools.
In a discussion paper, Banque de France (2023) briefly addressed embedded regulatory opportunities and noted that, “if DeFi were to become more regulated in the future, smart contracts could directly embed a number of regulatory requirements in their code. This would be an effective way to ensure compliance on an on-going basis. Code certification could then include verification of the correct translation of legal provisions into computer language.”
Those guidelines and policy papers are naturally written from a regulatory perspective, not from a business perspective. Therefore, the empirical research approach underlying this study helps to contextualize the statements made in these types of publications by shedding light on other perspectives, including a business angle.
There are several publications that briefly address embedded supervision without going into much detail. For instance, Garcia Ocampo et al. (2023), as an aside, touch upon the topic of embedded supervision – mostly referencing Auer (2022). The authors briefly address embedded supervision and mention that “a regulatory framework could be introduced as part of the code in DeFi protocols which would automatically monitor compliance by reading the market’s ledger and reducing the need for firms to actively collect, verify and deliver data (i.e. ‘embedded supervision’).” While it is interesting to see that embedded supervision is mentioned as one of several potential measures for DeFi regulation, the paper does not provide any further information on it.
Such papers can serve as examples of some of the potential use cases of an embedded regulatory approach, but they do not provide a deeper analysis of what the potential of embedded supervision is in the real world and how this approach is perceived by the relevant stakeholders, which again emphasizes the gap in the literature that this study aims to address.
Papers published by fintech companies regarding privacy mechanisms that would allow for supervisory access through an embedded tool.
Several providers of DeFi products published whitepapers describing their business models and the technology used to create their platforms. Some of these papers include information that can be helpful to illustrate how DeFi regulation – including embedded regulatory instruments – can be implemented from a technical perspective.
In particular, the Findora Litepaper (2020) published by the Findora Foundation, which offers a “fully confidential yet auditable, high-throughput, and scalable public financial infrastructure,” gives an impression of how embedded supervision, understood as monitoring abilities exclusive to the regulator while the information remains confidential to third parties, can be achieved from a technical perspective.
Similarly, the Monero Whitepaper (2013) provides background on the Monero feature that lets users optionally share view keys for third-party auditing, and thereby offers interesting perspectives on how an embedded supervisory tool could be implemented from a technical standpoint.
The insights gained from those rather technical papers were used during some interviews to exemplify how an embedded supervisory approach could be implemented on a technical level and to get an idea of the technical challenges that must be solved to realize such an approach.
Summary and contribution of this study.
As with the literature on DeFi regulation in general, there is a lack of qualitative, empirically based legal literature on embedded supervision that contrasts the opinions of different stakeholders and experts and draws conclusions on how these opinions should be reflected in discussions among policymakers. In any case, performing a qualitative analysis of embedded supervision and how it is perceived in the DeFi space, and using this knowledge to make suggestions for potential regulatory approaches, seems like a promising contribution to the topical discussions in DeFi.
D. Data Analysis
I. Overview.
As laid out above in the description of the methodology applied to collect the qualitative data, I conducted nineteen semi-structured in-depth interviews ranging from approximately thirty to sixty minutes each. The interviewees were picked from four groups:
(1) Fintech companies engaging in decentralized financial technology (e.g. founders/managers/business leaders/general counsels) (eight),
(2) Regulatory authorities (EU/Asia) (five),
(3) Technical and regulatory policy experts, think tank representatives, academics (three), and
(4) Venture capital investors (three).
Selecting those four groups of interviewees in a qualitative research approach was based on the idea of showing the current state of discussions regarding the regulation of DeFi, particularly concerning embedded supervision, from some of the most relevant angles to then draw conclusions from those insights for the ongoing regulatory efforts.
This selection allowed me to show where the views of different stakeholder groups align and where they differ. Based on these insights, it is possible to present a meaningful “snapshot” of the current discussions, which enables us to sketch out a potential approach to the future regulation of DeFi. The interview analysis in the following section breaks down the most relevant statements and highlights the various positions discovered during the interview process.
II. Main Findings.
The study yielded the following main findings that will be elaborated on in detail in Part III:
(1) DeFi regulation is a hard yet necessary task.
a. Regulation plays a crucial role for businesses engaged in DeFi.
b. DeFi creates numerous risks that need to be regulated.
c. Regulators have a complicated relationship with DeFi – Industry and regulators should improve communication and understand DeFi regulation as a common effort.
d. The collapse of FTX influenced regulatory discussions.
e. DeFi startup governance/compliance with regulatory rules is better than one might think – But it depends on the type of company.
f. The regulatory framework for DeFi in 5 to 10 years will ideally be transparent, comprehensive, and leave DeFi room to breathe.
g. Regulatory code audits could be a way to prevent faulty code that creates the risk of exploitation by malicious actors.
h. Targeting coders for regulatory purposes is not a promising approach.
(2) Embedded supervision could become a promising concept for DeFi regulation.
a. Embedded supervision can be used in several ways – But should it?
b. Identification is a critical aspect of DeFi regulation, and there are practical ways for regulators to identify users.
c. It is at this point technically feasible to use embedded supervision, but regulators do not have the necessary resources – Or risk appetite.
d. A “safe harbor” of embedded supervision can incentivize DeFi businesses to become more innovative, VC funds to increase investments in DeFi, and customers to use a DeFi service.
III. DeFi Regulation as Perceived by Stakeholders and Experts: A Qualitative Analysis.
The information gained through the interviews is organized by core topics that I covered in the conversations based on a questionnaire developed in advance of the interviews and by the categories of interviewees that participated in the study.
In line with the questionnaire design, the discussions first covered the more general questions of what risks DeFi can cause and what a regulatory reaction to such risks could look like (1.) and then proceeded to the more specific issue of whether and how an embedded supervisory approach could be useful in ensuring a transparent and efficient regulation of DeFi that leaves enough room for innovative business models to thrive while also reducing risks (2.).
DeFi regulation is a hard yet necessary task.
The conversations allowed us to clearly show that DeFi regulation is commonly perceived as a highly complex issue that is crucial when it comes to the mid- and long-term commercial prospects of the disruptive technology of DeFi.
a. Regulation plays a crucial role for businesses engaged in DeFi.
The representatives of businesses engaged in DeFi, offering services relating to DeFi, or investing in DeFi business models clearly agreed that regulation plays a very important role for their businesses; in particular, the lack of transparency and legal certainty when it comes to the regulatory regime is perceived as harmful. This is true for businesses offering core DeFi services as well as for businesses offering services supporting DeFi products, and for VC investors looking to invest in companies engaging in DeFi business models.
Specifically, the following statements underpin this finding:
When asked about the role regulation plays for their DeFi business and DeFi in general, the founder of a DeFi wallet provider emphasized the organic growth process of regulatory frameworks and stressed the relevance of reliable regulation for the commercial success of DeFi. The participant elaborated that:
Regulation is something that grows over time. In the crypto industry, there have been two big waves; first, Bitcoin was created as a decentralized means of payment, and people actually trade Bitcoins on centralized exchanges, which is relatively comparable to traditional exchange trading. Against that background, for players from this CeFi crypto area, regulation plays an important role. The second wave of crypto and blockchain infrastructure is used for what it was actually designed for, decentralized activities, people being their own bank, smart contracts, etc. This disintermediation and new definition of roles create new questions for regulators. Therefore, for us as a company in the DeFi space, we can still say that regulation does not apply to us. In Europe, DeFi is still largely excluded from regulatory projects such as MiCA; I think this is, for now, the correct way to go because, thinking about regulation as something that grows organically, we are still in the complex and time-consuming process of understanding the regulatory needs for DeFi.
But going forward, in order to scale DeFi to a sustainable mainstream adoption, we believe that finding the right regulatory answers for DeFi will be very important, and it is important for us to be part of that discussion with our practical experience. For instance, for the German market, we try to look at the German regulator BaFin’s regulatory goals and think about how to reach these goals in a technology-neutral way. In summary, regulation will play an important role as a “trust builder” for DeFi to become more mainstream.
A computer scientist with a company offering DeFi services mentioned, with regard to the role that regulation plays for their business, that there is “not a lot of clarity yet”; even big players like Coinbase are “struggling to get more regulatory clarity.” DeFi has “even less idea of what is going on” since it is a little more experimental. Companies are trying to do things the right way and, of course, depending on the jurisdiction of the team, the approach to regulation can be different.
A lawyer with a company providing a global DeFi platform confirmed the current lack of clarity, stressed that this lack of clarity might have a potentially negative impact on the way DeFi businesses operate, and elaborated that:
DeFi sits in this weird position where the services that are being provided are clearly substitutes for what is very clearly regulated. But, due to a variety of reasons, which we will get into, it’s not currently regulated. And so, we attempt to, where possible, try to line up what we do with what would be expected from a regulated entity. And where we can’t, we don’t. So, it’s by nature incomplete compliance, both because full compliance would be technically impossible and because it’s not mandatory, and it is hard to convince people in the space to do something when there’s no clear obligation to do so.
A lawyer with a company offering services relating to cryptocurrencies confirmed the high relevance of regulation for the crypto industry, stressed the importance of regulators and industry working together to define good regulatory standards, and explained that:
Regulation of this entire industry is really important. When Bitcoin first started, it was very limited in use. With the implementation of new blockchains, and new digital assets, the use of these tokens as well as our interactions within the different blockchains, has really highlighted the need for regulation. How much regulation is needed? Today, what we are seeing in the industry, there’s a lot of confusion still around how to regulate DeFi. As with any nascent technology, there’s a lot of concern that this is going to be used to promote illegal activity, money laundering, and terrorist financing. But if you look back, when payments disruptors, such as PayPal, Stripe, and others, came to the market, there was a similar hesitation from the regulators to adopt these technologies, with the same reasoning. By understanding, over time, what the risks are, you can implement appropriate controls over these risks. So, for me, regulation is needed; but it’s the right level of regulation, which is still to be designed.
I think it behooves the industry to continue working with the regulators, and it behooves the regulators to be open to working with the industry. They really need to understand what the risks are because right now, I don’t think that they do; there are a lot of assumptions, and people just assume that things are bad without understanding (1) “Are they bad? Yes or no?” and (2) “If they are, how bad are they? And how can I make that better?” That’s, I think, where we are right now; I do believe that regulation is really important.
Supporting this observation, a lawyer with a cryptocurrency exchange platform and provider for DeFi payments in Latin America stressed the relevance of regulation for their business, including day-to-day operations, and responded that:
Right now, for us, it’s crucial; for example, we depend a lot on our USD ramps, and with all the mess that happened with the banks serving crypto companies, Signature, Silvergate, and Silicon Valley Bank going down, we cannot serve clients on USD. Many Latin Americans hedge the inflation of their local currency using crypto and USD. But, with all this uncertainty in terms of regulatory framework in the U.S., right now, part of our operation has been paused for U.S. matters, and this is super detrimental to the business.
The participant further mentioned that there are many consequences of a lack of transparent regulation for the day-to-day business, for instance, “even to open a bank account; the banks sometimes don’t want to take the risk, which could be observed especially after the collapse of FTX. We cannot give assurances to our clients, to the institutional investors, that this is a legit business that they can perform payments, if there’s no regulation.”
A lawyer with a company providing software tools for monitoring digital assets trading and compliance criticized the current lack of clarity: “We have a big challenge in DeFi in terms of even just defining what DeFi means.” To define DeFi more precisely, it would be helpful to clarify the difference between a finance-focused activity and a tech-focused activity:
Trying to be an intermediary, to build a service on top of the protocol, gets you the difference between the tech and the finance. Clarity around that distinction is something that I think would be beneficial, even though many open questions remain, for instance, concerning the U.S., what the correct authority would be to register with depending on the business model.
A founder of a company providing software tools to financial institutions related to payments and identity added a slightly less DeFi-focused perspective, stressing the importance of regulatory rules even for this type of company, which does not stand in the front row of regulatory targets, and explained that:
Our business is built to work within the two-tier banking system and within the current regulatory environment. Regulation plays a big part in that we are helping banks innovate within the current regulatory environment, our technology uses the building blocks of cryptography, things that I think a lot of blockchains and cryptocurrencies are trying to achieve, but without having to have new regulations for it. It plays a big part in that we are actually working alongside current regulatory structures. And the other way that it would play a part would be the fact that our system is built to work with systems currently used by banks, but it is also built to be interoperable with future systems that might require different regulations than us because we fall within the regulatory environment. What we are interested in is if our clients, these big banks, are adopting unregulated platforms and types of assets, and we are allowed to be interoperable with them, then how those new regulations might affect us.
Beyond transfers of assets and payments, both really important to us, from a regulatory standpoint, I think the other thing is identity. We do a lot of stuff with helping bridge traditional identity accounts to a new public key infrastructure (PKI) system to be interoperable with our product. We’re really thinking about regulatory from an identity perspective, from a payments and transfer and settlement perspective.
Similarly, a lawyer with a company offering infrastructure services relating to crypto products and DeFi for institutional clients, when asked about what role regulation played for their business, made it clear that, depending on the business model, providers of software and services supporting DeFi applications can be unregulated and still care about regulation because their customers are regulated:
We offer a platform for the secure custody and transfer of digital assets. Our customers use it themselves for direct custody. They self-custody the assets using our software, but we do not custody the assets for them. We are purely a tech provider, purely an infrastructure provider. And so, we are not ourselves regulated, although many of our customers are themselves regulated.
Regulation not only matters to the affected business itself but also to investors: A lawyer with a hedge fund focused on crypto assets stressed that regulatory strategies of potential investment targets are important when it comes to making investment decisions. For example, the fund wants to ensure before investing in a token issuer that their token initiative and launch strategy complies with regulations while “operating under the lens, unfortunately, right now that the U.S. government is treating everything as a security.” This also includes a “high-level regulatory analysis verifying which regulatory regime applies, for instance, in a U.S. context, for derivatives markets, it is assumed that CFTC jurisdiction applies in the first place.”
A General Partner with a VC fund investing in blockchain technology stated that before 2023, the consensus was that regulation is coming, but it was “not the biggest thing to impact an investment decision.” That has changed in 2023: “Regulation has become a critical consideration, an active factor, especially in the last three months.”
b. DeFi creates numerous risks that need to be regulated.
The participants in the study identified various specific risks associated with DeFi. I observed that, while regulators tend to see the biggest risk in the absence of intermediary entities and the resulting difficulties for regulators to request information and enforce actions (“no throat to choke”), businesses tend to emphasize the technological risks of hacks and loss of assets. But overall, regulators, businesses, and other experts agreed that three main risk categories need to be mitigated through regulation:
(i) Most notably, the interviewees stressed cyber risks, in particular, hacks and generally the exploitation of bugs in the software code that malicious actors can use to manipulate decentralized systems and take control over assets. Risks caused by flaws in the code could be mitigated by regulatory code audits, which several participants mentioned as a potential solution, provided the regulator has the resources to perform such audits and they do not place too heavy an economic burden on younger companies.
(ii) Related to this, the second biggest risk was mainly identified as the risk caused by the lack of an intermediary that could step in if something goes wrong when transacting on a financial infrastructure and the resulting regulatory gaps; this can result, for instance, in users losing assets. To close these gaps, clear definitions and a stringent regulatory framework are required.
(iii) The third biggest risk category that most participants mentioned is the risk of illegal activity being conducted on a decentralized financial infrastructure, particularly regarding money laundering and terrorism financing; this is closely related to the risk of regulatory gaps.
(iv) It was further mentioned by a founder of a company providing software tools to financial institutions related to payments and identity that in DeFi, it is common for a few people to hold a large share of assets (“whale money”), for instance, specific tokens associated with a DeFi infrastructure, which may allow them to move and thereby manipulate a market more easily than in traditional financial systems. This participant also added that the lack of interoperability, privacy, and scalability in the systems likely makes DeFi less attractive from a technology and security perspective. Furthermore, according to this participant, the potential lack of reserves backing a token traded on a DeFi infrastructure can be a risk because it reduces the stability of the value of an investment in such tokens.
In summary, DeFi is perceived as risky on multiple levels by all participants, and all stakeholders and experts agreed that reducing these risks is crucial to allow DeFi to be used on a broader scale.
In detail, the following statements substantiate those observations:
From the regulator’s perspective, two agents of the National Financial Supervisory Authority of an EU Member State elaborated that there are two major risk categories – cyber risks and governance risks:
First of all, cyber security, as exemplified by several spectacular hacks in the past few years, is one of the most relevant risk categories; these hacks show that DeFi is still in its early stages and not yet developed to a degree that would allow releasing it to consumers on a large scale; it is not “investment grade” yet. This is also emphasized by the fact that some of those hacks are rather simple and only enabled through sloppy design. What makes us optimistic is that there are large (re)insurers that are willing to insure smart contracts, which includes conducting an audit and accounting for cyber risks.
In this context, the participants mentioned flash loans and governance token attacks as specific potential risks. They went on to describe the second big risk category, governance risks:
The second important risk category is decentralized governance, the lack of standards in this regard. If there is a DAO involved in a DeFi system, this is not transparent for the users, and it is hard to detect “hidden centralization,” or “decentralized in name only.” For instance, the best decentralization does not get far when all the relevant control keys are controlled by one party, or when the governance tokens are pre-mined and concentrated with one or few entities. In addition, it is problematic that there is a lack of interoperability and standards in this regard; DeFi is, at this point, self-referential because it is focused on blockchain-native assets.
The participants then emphasized the basic regulatory issue of DeFi being the lack of a clear regulatory target: “Whom are we even supposed to supervise?” In traditional financial regulation, for efficiency reasons, intermediaries are heavily regulated; when intermediaries are eliminated from business models, the core question becomes, “Whom do we supervise? You can conduct a thought experiment and ask, should we supervise internet service providers, miners, coders, nodes, validators?”
An agent of the National Financial Supervisory Authority of an EEA Member State identified technological risks and regulatory gaps due to disintermediation as relevant risk categories, and stated that the important initial questions are whether DeFi can be regulated at all, who is responsible for regulating it from a jurisdictional standpoint, and [to] whom regulators can actually “send the letter.” These questions are frequently ignored when dealing with “fake DeFi,” meaning not truly decentralized systems. If we talk about “true” DeFi, this means full decentralization, “it does not have an address etc.” If we talk about the biggest risks, “these are not on the classic regulatory side but rather on the technical side.” Due to the decentralization, there is a strong technical component which, according to the participant, “poses the biggest risk.” For the traditional business models, “we have the European regulatory instruments such as the EU Markets in Financial Instruments Directive (MiFID), the EU Markets in Crypto-Assets Regulation (MiCA), etc., so the actions are regulated, but there is a regulatory gap when it comes to the technical component of DeFi.” According to the participant, the regulation of DeFi and CeFi share similar issues, in particular, the question of sound judgment when applying regulatory rules. The participant explained:
Could we just say, “This is MiFID, this is a financial instrument, centralized or decentralized, MiFID is applicable.” To put it slightly provocatively, had we applied MiFID thoroughly, we would not need MiCA. The same is true for the U.S.: If the SEC and CFTC had decided on a common stance and communicated it clearly, all the discussions now would be unnecessary.
The participant concluded that:
To be honest, I do not see the big difference between CeFi and DeFi. I have never seen a truly decentralized business model. There are many who claim to be decentralized but when you take a closer look, they are not.
An agent of the National Supervisory Authority of a large Asian country further emphasized the inherent risk of disintermediation in DeFi, confirmed that “true” DeFi has not even arrived in the market yet, and emphasized how challenging it is for regulators:
It’s risky by nature. For us regulators, it’s hard to regulate because there is no single central point that we can look at. Regulators will look at it even closer once more fully decentralized systems appear, because, so far, we still haven’t seen that realized. Right now, there are many other risks in web3.
A former agent of the National Financial Supervisory Authority of an EU Member State stressed the risk posed by the lack of regulatory standards, identified, in agreement with most participants mentioned above, technology risks and prudential risks caused by disintermediation as the most critical categories, and elaborated that:
First of all, we need to properly define DeFi and differentiate between fully decentralized systems as opposed to semi-decentralized systems, which would be covered by the EU MiCA. Indeed, fully decentralized systems do pose certain specific risks, in particular, technological risks. This is because, for fully decentralized systems, there are no regulated intermediaries which the regulator could target as “gatekeepers.” This gatekeeping regulation has been around for centuries, and MiCA is essentially based on the same principles. Such an approach relies on intermediaries that have been screened under regulatory rules and fulfill certain criteria. This does not exist in “true” DeFi. Against this background, there are purely technology risks as well as prudential risks. The only thing between the user and potential problems is the technology. This makes me wonder whether the traditional regulatory standard of “same business, same risk, same regulation” needs to be amended for such business models and become “same business, different risks, different regulation.”
The founder of a DeFi wallet provider stressed technological risk, conceptual flaws, and the involvement of oracles as critical risk categories in DeFi and elaborated that:
The big difference between TradFi and DeFi is the technological risk. A smart contract as a service is directly accessible, there is no firewall, no protection; therefore, hacks are a danger, especially in case of sloppy coding. Equally problematic are conceptual flaws, e.g., in the case of Mango Markets, when used by attackers in order to trick the system, or when leading to a crumbling of the system in specific situations due to mistakes in the business model, e.g. Terra Luna.
When thinking about how to avoid such problems, the “organizational structure of a provider plays an important role,” according to the participant. In Germany, this is regulated, for instance, in the German Supervisory Requirements for IT in Financial Institutions (BAIT) and the German Minimum Requirements for Risk Management (MARisk). At the end of the day, such regulations aim at making sure that development, deployment, and business organization processes always hold true to a certain standard. The participant further explained:
A founder of a company providing software tools to financial institutions related to payments and identity identified conceptual design risks (concentration of assets, no rules for reserves) and technological risks as relevant categories and elaborated that:
The biggest risk with DeFi is, first of all, “whale money” in the system where a few can really move the market. It’s kind of ironic that DeFi is supposed to be decentralized finance for everyone, but it’s really not. I also think that there’s an extreme lack of interoperability, privacy and scalability in the systems that make DeFi, from a technology and security perspective, less attractive. The other risk is the reserves. We talk about all of these problems with tokens, what we saw with FTX, or even what we’re seeing right now, in the stablecoin industry, when we’re thinking about algorithmic stablecoins, or crypto-backed stablecoins. There’s not a lot of regulation around what the token represents today. Therefore, until all of the tokens, whatever’s backing them, are more regulated, or there’s a standard, DeFi is going to continue to be risky. I think, that’s inherently where regulation is needed.
I also think regulation is needed more proactively on how data is stored and shared. And then regulation around interoperability: Now we have all of these projects and different tokens and different chains and different protocols that need to be able to talk to one another, so they can start doing business across these different DeFi ecosystems; and interoperability is already a problem within the normal financial ecosystem. Everything is very siloed. I think a vital question for the future of finance, DeFi, web3, and traditional, is “How are all of these things going to coexist?” and “How can you find interoperability between these platforms?” You can build interoperability technically; interoperability can be easily or less easily achieved, depending on what types of bridges you’re building. But the regulation around that is going to become really hard because those two systems could be under two completely different regulatory regimes, in different countries, they could be across two different reserve type systems, one set of reserves is backed by a government, the other set of reserves is just a basic crypto token. So, when we’re really thinking about interoperability as being inherent to the future of all digital assets and money, we need to be thinking about the regulation of interoperability.
A computer scientist with a company offering DeFi services stated that fraudulent schemes like “rug pulls” are problematic, but more relevant for custodial businesses than “pure” DeFi. Introducing proof of reserve and proof of liability mechanisms to ensure that deposits are backed 1:1 and not used to buy other assets “could help prevent fraud cases in custodial business, e.g., the FTX situation.”
A lawyer with a company providing a global DeFi platform identified “multiple” risks, in particular, coding flaws, and stressed that we should not forget risks in the traditional financial system that can extend to DeFi:
One of the standard talking points in DeFi is that because it’s non-custodial, many of the traditional risks don’t apply. I think that is true just as to certain risks. Other risks are fundamental to the nature of the services provided, whether it’s lending activity or trading activity or margin trading activity, or derivatives, and that’s why it is regulated in the first place. Essentially, many of the risks in DeFi are the same as the ones in TradFi, and for the services to truly be effective substitutes for the TradFi legacy institutions, there has to be some regulation.
The other thing that’s not expressly tied to regulation, though, but it is a concern that we think about a lot is, because smart contracts are self-executing, and because they’re frequently immutable, it kind of raises the stakes of getting the code right in the first place and knowing all of the unintended consequences in advance. That’s kind of fundamentally impossible. I think that there’s no way anyone could ever do that and plan for every scenario. So, that’s, to me, almost as strong as the regulatory risk, when it isn’t designed well, either because of gross incompetence or negligence, or simply lack of omniscience when no one expected that an application is going to be used a certain way. I’m not an expert on, for example, the recent exploit on Euler, why that happened, and whether that was a pure negligence failure, or they didn’t plan for this properly. And unfortunately, once you deploy one of these things, that’s kind of it. So, the only way to fix it is to deploy a new version. But in the meantime, there may be actual harm, an actual injury, and of course, reputationally, there’s a lot of things that can happen that make the thing basically unusable after that.
A lawyer with a company offering services relating to cryptocurrencies elaborated that, from the regulator’s perspective, the biggest fears are the anonymity of transactions and not having what regulators like to call “one throat to choke.” Interestingly, the participant believes that regulators may not be worried that identifying regulatory targets is impossible in DeFi, but rather that they cannot rely on their traditional instruments to do so:
In the traditional banking system, it’s easy to identify the parties involved in the transaction; so you go to that throat, and you choke like “I need you to help me address this issue.” When you are dealing with a decentralized ecosystem, where do you go? You don’t know. I think that the fact that there isn’t a place to go to get the answers is actually the biggest problem regulators see. And it’s not because the answers couldn’t be found in a different way, it is because they have always done it in a certain way; so they don’t know how to do it differently yet. You always had Bank of America, Wells Fargo, J.P. Morgan to go to and get the answers, but when you have just a DAO, or something else behind a DeFi system, whom do I call? Whom do I email? Whom do I send a letter to? And how do I get information quickly? I think the lack of access to that information is probably one of the biggest things. It’s a “known unknown,” the regulators know that they don’t know who to go to. And I think that’s the biggest problem.
A lawyer with a company offering infrastructure services relating to crypto products and DeFi for institutional clients responded that the risk that makes the most headlines is hacking, but the role of regulation to mitigate this risk is questionable:
I’m not sure that regulation has a role to play there. When we talk to customers who are thinking about engaging with DeFi protocols or using smart contracts, what they’re most concerned about is the risk that the protocol or the contract will be set up in a way that is susceptible to hack. And I think that’s certainly not as a result of regulation. And I don’t think it probably can be solved by regulation. From the regulatory angle, I don’t know if I would describe this as a risk so much, but as a reality of what’s called DeFi these days. Many instances right now of supposed DeFi are not decentralized; they may have aspirations to be, or, they may, in theory, want to be, they may even say that they are, but I think that there are a number of DeFi protocols that are not decentralized; they do have a person or group of people who are either actively managing the assets or are able to.
A lawyer with a cryptocurrency exchange platform and provider of DeFi payments in Latin America emphasized the risk of illicit activities and stressed that proper regulation preventing illicit activities will be an important stepping stone for DeFi to go mainstream:
One of the biggest risks to me is money laundering and all the illegal activities that can happen in case of improper onboarding. For example, we follow the Travel Rule, but it is very difficult for us to provide information from wallets that are embedded in DeFi; in terms of investigation, we find a dead-end in many circumstances. What I absolutely love about DeFi is the lending part, including staking. You don’t only have access to loans in your home country or your market, you have access to the whole world and the best possible rates, and I think this is a global financial solution. But for that to evolve, you need to take the precautions to make the system serious, and respected by the regulators so that the global financial system even uses it eventually. I don’t exclude the possibility that ten years from now, banks are using DeFi and have embedded financial products in DeFi. If this works well, and if you have the identification of the users, you should be able to monitor and block certain transactions.
An expert on financial regulatory policy (U.S. Think Tank), interestingly, stated that a main risk of DeFi can be seen in the lack of clear definitions, which results in misunderstandings when it comes to the regulatory approach to DeFi:
One of the biggest risks at the moment is considering DeFi to be the exact same thing as traditional finance, or centralized finance, and treating them similarly from a regulatory perspective, where it’s not necessarily warranted. Many of the aims of DeFi are to mitigate a lot of the centralized finance risks through software, through technology; it doesn’t make sense to treat them as centralized.
Moreover, the participant highlighted the “obvious risk of cybersecurity and the security of the software itself” and “the idea that people that are interacting in the DeFi space may not be familiar with these types of risks and with the type of due diligence that they need to do in order to be smart consumers in the space.”
In addition to that, the participant mentioned that there are “other risks that look similar to traditional finance risks but are operationally different; different in terms of what frustratingly people refer to as ‘front running’ in the DeFi space, which is not actually front running in a traditional finance space. There is also potential for market manipulation and fraud.” According to the participant, all that does not necessarily mean that the solutions in the DeFi space are the same as those in the traditional space.
A former European regulator and expert on regulatory policy (blockchain organization in Europe) mentioned flaws in the code as a big risk. When it comes to measures to mitigate DeFi risks, the participant mentioned regulatory code audits and stated that these could work provided the regulators have the kind of capacity in-house to cover them:
I don’t think that audits should be an overly burdensome cost. If you’re going to go the audit route, make audits affordable for all protocols. Otherwise, it’s crowding out; you’re setting an economic moat.
As a second measure, according to the participant, we might need to compromise on pseudonymity, or at least how we approach pseudonymity:
Regulators have issues dealing with DeFi given that pretty much everything in finance is about you know your counterparty, you know your counterparty’s obligations, you know your obligations; you oftentimes have no clue about the counterparty in DeFi, obviously. Using soulbound tokens or finding a way to integrate decentralized identifiers into the web3 space, adding Legal Entity Identifiers (LEIs) could be ways to go.
The participant further identified standardization and clear definitions as an important step to reduce DeFi risks, stating that “we need to start calling things what they are, not what they’re not. For example, there are a million things out there that are called ‘staking’, that are, in principle, not staking and have nothing to do with staking”:
As an industry, we must be mindful that we start calling “a horse a horse.” Otherwise, don’t be surprised when the SEC, for whatever reason, comes in and says, “Hey, listen, this is an investment contract,” because you are calling things that are not staking “staking.” Once we can establish the standards, and we can establish the definitions, for example, what does “fully decentralized” actually mean, then we can start going and doing an analysis underneath. Until we do, we can keep having these conversations, and regulators are going to keep issuing regulations that are incomplete and frustrating. At the end of the day, these are all costs that we will incur, marginal costs that will continue in perpetuity.
In summary, the participant considers (i) code audits and robust code, (ii) standards and definitions, and (iii) identity management in a way that still protects privacy but provides enough information to get a better picture of the user from a consumer protection perspective, the three most relevant measures for risk mitigation in DeFi.
A lawyer with a VC investment company focused on blockchain technology elaborated that DeFi is still somewhat of a “Wild West”: there is “no way to know whom I am transacting with,” and there is “nobody around if there is a problem,” which is difficult for consumers. It all comes down to “trusting code instead of people,” which underlines the technology and design risk as well as the risk of criminal activity mentioned by many participants. The participant is convinced that there is a better way to mitigate those risks than what is available today, especially identification for KYC purposes through zero-knowledge proof technology, which allows identification for regulatory purposes without revealing the identity of a user to the public. In addition, “code audits by regulators” seem promising, but realistically, the “lack of resources” on the regulatory side will not allow for this to be performed on a large scale at this point. To solve this, the government “should agree on standards with private audit companies and then oversee those companies performing code audits. Also, embedded technology is the way forward here.”
A lawyer with a hedge fund focused on crypto assets emphasized that, when it comes to risks created by DeFi, since DeFi often means recreating traditional systems using new technologies, some of the “common themes that you see in the traditional banking system and traditional financial sector apply here. I think money laundering is a big one, for example presumably by the North Korean government.” The lawyer also mentioned the financing of terrorism as a central risk. Especially in the face of privacy-enhancing tools such as mixers, e.g., Tornado Cash, which can have a legitimate function in ensuring privacy for lawful actors, it is a “balancing act between maintaining privacy and mitigating financial crimes.”
A General Partner with a VC fund investing in blockchain technology responded that the types of risk that apply generally depend on the specific use case, but the “entire design philosophy behind crypto” aiming at a pseudo/anonymous ecosystem is “naturally rather prone to creating regulatory risk.” There is a lot of uncertainty in the field regarding the regulatory treatment of basic things such as user onboarding, AML regulations, unclear licensing regimes, and auditing questions. That said, from an investor’s perspective, it would certainly be “considered risky if a provider does not even have basic KYC or a mechanism for AML checks in place.” At this point, from an investor’s perspective, “the legal uncertainty in DeFi regulation is particularly risky; it needs to be clarified what types of tokens are securities or commodities under U.S. law, and the jurisdiction of the SEC and the CFTC seems untransparent.” The SEC “throws enforcement actions but does not clearly state the rules so that companies must spend a lot of money to dig themselves out of enforcement actions.”
c. Regulators have a complicated relationship with DeFi – Industry and regulators should improve communication and understand DeFi regulation as a common effort.
Fully decentralized DeFi is a disruptive idea that challenges regulatory tools that have mostly been created for a financial system marked by intermediaries. Regulators seem to be well aware of this and try, with the resources they have, to monitor the developments in DeFi as closely as possible. Overall, it seems that many regulators have (a few) specialized agents who focus on DeFi and are up to date with the technical and business developments in this realm. Several participants mentioned that regulators, at this point, lack the resources and manpower to deal with complex DeFi products that are hard to understand and do not (yet) have the economic relevance that would justify a larger deployment of resources. This leads to a situation in which, although there is generally a willingness on the regulator’s side to be open toward new technology and give it the opportunity to prove its worth in the market, and although certain individuals on the regulatory side have the know-how required to deal with specialized DeFi products, broad enforcement is hard to achieve due to the lack of resources.
When it comes to regulatory policy development, even though authorities in some jurisdictions do not yet have a clear approach to DeFi, others are pushing to establish more transparent regulation. This is indicative of the problem that borderless technologies like DeFi can hardly be regulated on a single-jurisdiction basis. It will be necessary to find common ground on an international basis, e.g., within the G20, and, based on that, to develop a regulatory framework that spans multiple jurisdictions and prevents regulatory arbitrage.
Regarding the relationship between regulators and the industry, representatives of DeFi businesses mostly mentioned a collegial relationship with regulators – mainly for the European market – and explicitly stressed how important it is for the DeFi space to gain clarity and transparency on future regulation of DeFi in order to be able to plan when it comes to compliance with regulatory rules and the way DeFi products are developed and built. It became clear that communication matters and that DeFi regulation is understood as a mutual challenge that can only be mastered in a collaborative spirit between regulators and industry, requiring the willingness to compromise from both sides.
In detail, I want to highlight the following statements:
When it comes to the regulator’s perspective, asked about the relationship of regulators and lawmakers with DeFi, two agents of the National Financial Supervisory Authority of an EU Member State elaborated that there is a rather wide spectrum of positions. For instance, the European Commission is a positive example of openness when it comes to the potential of DeFi; this is illustrated by the DLT Pilot Project, which contains a regulatory sandbox that allows certain regulatory exceptions to build DLT-based systems; furthermore, the European Commission, in collaboration with Katholieke Universiteit Leuven, published a paper on DeFi addressing the relevance of, and potential regulatory approaches to, oracles:
For our jurisdiction, I think, DeFi is at least partly positively perceived by the regulator. For instance, in our jurisdiction, electronic securities, including tokenized fund shares and bonds, are now legally possible. We, as regulators, are mandated to protect consumer interests, which is why we naturally tend to have a slightly conservative stance, but we actively remain open to innovation.
The participants added with regard to the regulator’s relationship with DeFi that:
The better the people involved understand DeFi, the more precise the stance of the respective party becomes. A different approach is taken by the SEC by generally heavily relying on the Howey Test, and a lot of their competency to act depends on whether a product is a security. From our experience, the SEC has a deep understanding of DeFi but is very restrictive in their regulatory stance on DeFi and implements a “one-size-fits-all approach.” On the other hand, the FATF, after pushing the Travel Rule rather aggressively at first, made its approach more precise over time when gaining more experience with crypto. The Financial Stability Board (FSB) seemed to be rather imprecise at first, too, but is getting more precise and seems to be working hard on developing a differentiated stance on DeFi. The degree of knowledge, I think, is a main distinguishing factor when it comes to how regulatory authorities position themselves regarding crypto.
The principle of “same rules, same risk, same regulation” is taken seriously by the big regulatory players; if DeFi offers products similar to products in the TradFi world, they should be regulated the same way. At the same time, it is important to acknowledge that from a technological perspective, DeFi differs from TradFi in many regards. The president of our authority is rather open towards DeFi and acknowledges its benefits and potential while at the same time being skeptical of the way DeFi business models work at the moment. We, as an authority, are well-informed on DeFi and were at the forefront of qualifying Bitcoin under financial regulatory law when authorities in other jurisdictions were far from dealing with crypto in detail. The industry feedback regarding our work is quite positive when it comes to how informed we are.
Adding to the regulator’s perspective, asked about the relationship of regulators to DeFi, an agent of the National Financial Supervisory Authority of an EEA Member State confirmed this perception and elaborated:
We cannot put all countries in the EU in one bucket; there are significant regional differences in approach and mindset. It is important to understand that DeFi is a new thing for everybody, including the regulators. We, as regulators, have to be open towards it and may not be closed-minded about it only because it is a new thing. We have come to a point where we must think about new business models and new regulatory approaches.
The participant explained further that:
The issues between regulators and industry result from both sides not being willing to understand the other side and the hesitation this creates. We, as regulators, come from the traditional world of regulation, but we also have to accept that there is technological evolvement. In practice, I think, the industry often forgets that we as regulators have no insight into the conceptual ideas of young companies; we usually only see presentations and certain documents further down the road. Companies often forget to show us the big picture.
Contributing to the regulator’s perspective, an agent of the National Supervisory Authority of a large Asian country stressed that regulators operate with limited resources and mentioned that:
We are doing research, we are talking to the business players in the field and see what is happening, we are talking with academics and the other regulators. I think everybody is looking for answers. But DeFi is still not our biggest concern. We have more things, other than DeFi, to regulate that need urgent attention.
Interestingly, a former agent of the National Financial Supervisory Authority of an EU Member State elaborated regarding the lawmaker’s and regulator’s relationship with DeFi that, especially for the lawmakers,
This is oftentimes a relationship based on fear. From my personal experience, the first time “true” DeFi was brought up during discussions in the EU regarding the EU digital finance package, which has in the meantime resulted, among others, in the creation of MiCA, one could sense the fear that some EU member states had. It was decided not to include “true” DeFi in MiCA. I observe a slightly disturbed relationship regulators and lawmakers have with DeFi; this is mainly based on the fact that governmental institutions are concerned that they could lose the power to enforce decisions, which is potentially the case for true DeFi.
For the regulator’s relationship to DeFi, my feeling is that Europe is very open when it comes to their approach to DeFi regulation; they do not want to break potentially good ideas and do not want to restrict them too much. I was part of an advisory group that consulted with the German regulators, and it shows that they are open to finding good regulatory solutions and enabling DeFi to thrive. But I do believe that in order for regulation to be successful, it is helpful to work with regulatory tools that the regulators already know, e.g., in Germany, parts of the German Supervisory Requirements for IT in Financial Institutions (BAIT) that could be applied to decentralized systems. But we cannot just apply all the old tools, this would only work for some aspects; if we just applied all the traditional regulatory laws in their totality, this would crush DeFi.
Contributing to the business perspective, asked about the perception of the regulator’s relationship with DeFi, a lawyer with a company providing a global DeFi platform elaborated that:
When I started in DeFi in 2021, they knew very little; I’m quite impressed: Now there has been a torrent of reports written by World Bank, OECD, BIS, all the multilaterals as well as national governments, UK, EU, U.S., everyone is looking at this pretty hard and has actually a really sophisticated understanding of this. And I think that that’s been a change just in the last eighteen months, I would say.
d. The collapse of FTX influenced regulatory discussions.
Interestingly, multiple interviewees pointed out that the current discussions on DeFi regulation are at least partly influenced by the events revolving around the fall of the centralized exchange and custody service provider FTX. This shows how policy discussions revolving around DeFi are partly influenced by a certain lack of knowledge and/or the deliberate instrumentalization of certain events in the world of innovative financial technology to push specific policy agendas. In fact, the problems that, to our current knowledge, led to the collapse of FTX – strong centralization and the combination of an exchange function with custody of customer assets – can be reduced by decentralizing and disintermediating an exchange platform. A participant pointed out that the regulators’ and lawmakers’ relationship with DeFi is partly marked by “fear,” since they might become increasingly concerned about business models that they cannot properly regulate with their current toolkits and try to influence the discussion in favor of stricter regulatory rules. The post-FTX discussions could be evidence of this.
It was further mentioned that, when it comes to the world of crypto assets and other blockchain-based products, it can frequently be observed that different products and business models are lumped together and discussed in an undifferentiated way by certain policymakers and regulators. This may partly be caused by a lack of knowledge and partly be driven by the desire to create one big regulatory regime for different types of products that, on closer inspection, do not have much in common. Multiple participants mentioned that FTX influenced the way they are perceived in the market and by regulators.
In detail, I want to highlight the following statements:
A former agent of the National Financial Supervisory Authority of an EU Member State elaborated that an effect of FTX on DeFi policy discussions is “certainly the case.” The participant went on to elaborate that:
Such events are always instrumentalized for political purposes in one way or the other; it does not stop there but also affects the institutions closely related to politics, i.e., the administration of ministries/departments, which is then reflected in the specific regulatory policies that are mainly influenced by the ministries/departments. FTX definitely had a negative effect, this can, for instance, be observed when high-ranked regulators now speak of a “crypto winter” and, in the context of FTX, stress that they are worried about the risks related to crypto.
An agent of the National Financial Supervisory Authority of an EEA Member State elaborated that, surprisingly, even though billions of USD in assets were annihilated in the downfall of FTX, “little to nothing” actually happened on the regulatory side as a consequence. This might have to do with the lack of economic relevance of DeFi as compared to TradFi. And, indeed, cases like FTX and Binance represent CeFi, not DeFi. The participant mentioned that:
To the contrary, the blockchain creates a level of transparency that can help avoid situations like FTX; the FTX collapse did not happen on the blockchain level but on the classic fiat level when exchanging assets with Alameda.
An agent of the National Supervisory Authority of a large Asian country does not see any significant progress in DeFi regulation and mentioned that:
I wouldn’t go that far to say FTX affected decentralized finance regulation discussions, because we still haven’t really started it; right now, we’re looking at the crypto industry. We’re still dealing with a simple level such as a lack of segregation rules, and security for customers. It’s not good.
A computer scientist with a company offering DeFi services mentioned that mixing centralized and decentralized finance for policy discussions is “either dishonest or incompetent.” The participant believes that “regulators often have their view from the beginning and use events like FTX to push that agenda.”
A lawyer with a company providing a global DeFi platform elaborated that the events surrounding FTX have influenced the way their company is perceived:
We’ve gotten a frostier reception everywhere because of that. Even though it had really very little to do with DeFi; or maybe almost nothing to do with DeFi. Other than Alameda Research made a lot of money trading, using DeFi. So, you can’t say that there’s no connection to DeFi at all, that’s my unvarnished opinion. In any case, I think, a lot of regulators are not making these fine distinctions anymore. They’re seeing it all as the same and paint with the same brush. And then again, what I’ve seen is, even in some policy conversations with the multilaterals, OECD, BIS, etc., they’re pretty smart, too. They understand that a lot of these problems are originating in DeFi, and then they’re spreading to CeFi, that they’re linked and not totally separate.
A lawyer with a company providing software tools for monitoring digital assets trading and compliance has a similar perception and commented on the FTX situation that it had a:
Massive impact on the tenor around crypto in general and how this ecosystem is perceived as one big scam, one big fraud, particularly in the U.S., because the reaction in the U.S. has been just overwhelmingly negative as opposed to what you see in other countries.
A lawyer with a company offering infrastructure services relating to crypto products and DeFi for institutional clients agrees with this assessment and responded that:
FTX is going to and, in fact, already has had a major impact on how everyone is looking at the space, but especially regulators. What happened with FTX did not take people who have been in the industry and know the industry very well by surprise. Of course, the fraud aspect of it did. But the fact that FTX was centralized and there are risks in leaving your assets with a centralized party, those risks were well known. The fact that leaving your assets with a counterparty exposes those assets to risks is not, frankly, very surprising.
The way that it’ll shape regulation is pretty complex, and I think it depends on the country. As a provider of infrastructure, it’s always been part of our mission statement that controlling your assets yourself, self-custody, is the best and, arguably, the only way to go in crypto. There’s the famous line, “not your key, not your coin,” and that’s always been part of our company DNA.
One of the interesting things we’ve seen from the last year, and the collapse of many of these centralized platforms, not just FTX but also Celsius and Voyager, is that, if anything, people and institutions now are more likely to seek out a solution where they don’t have counterparty risk to the holder of the assets when they take that responsibility on themselves. What I’ve seen from regulators on this is mixed. I’ve seen from some regulators that there is a greater interest in allowing at least for that possibility to be able to self-custody; but there is a view in some circles, that if you, as a financial institution, are holding assets on behalf of customers then, depending on your licenses, you should be required to use a sub-custodian for that. It varies a bit by country, but I think the impact of FTX is that regulators are, in many places, taking a slower and more careful look at the regulation of crypto generally, but I think in the market, there’s a much greater interest in self-custody or a solution that doesn’t require you to expose yourself to counterparty risks.
A lawyer with a company offering services relating to cryptocurrencies added that reacting to turbulence in the industry is one way to go for the regulator, but a more balanced and well-thought-out approach is preferable:
You can react with regulation to an incident, for example, when FTX collapsed, it would have been very easy to pass a law to ban the entire thing, because this huge collapse just happened, along the lines of “let’s block everything else from happening,” instead of taking a step back saying “we don’t want to kill it, but we want to make sure that we regulate it the right way.”
An expert on financial regulatory policy (U.S. Think Tank) stated that FTX was, as a centralized financial institution, “very different from a DeFi platform or a DeFi protocol.” Treating the two the same, according to the participant, “doesn’t make a lot of sense; in fact, when you look at the problems at FTX, those problems happened in the centralized portions of what FTX was doing.” According to the participant, a truly decentralized protocol does “not have Sam Bankman-Fried in the middle holding your money.” The way the policy debate tends to happen and things getting “lumped together without a lot of nuances” is unfortunate, according to the participant, and:
In the wake of FTX, we’re talking about crypto like this giant concept and treating all crypto the same, regardless of all of the variation in the space that leads to the need for different approaches from a regulatory standpoint for different functions, different risks, different products.
A lawyer with a hedge fund focused on crypto assets has a similarly strong impression of the effects of FTX and mentioned that “basically, what FTX did was trigger a panic throughout the entire crypto industry and give people the political will to start cracking down on the entire ecosystem.” This led to “regulators and even the American public conflating FTX with crypto pretty often.”
A General Partner with a VC fund investing in blockchain technology said that FTX shows “how things are mixed up,” since FTX was centralized and, moreover, involved willful fraud. The political framing now is that “FTX is put in the same bucket as DeFi.” The examples of Celsius and BlockFi show that the “people who were made whole were people on the DeFi side, which was fully collateralized.”
e. DeFi startup governance/compliance with regulatory rules is better than one might think – But it depends on the type of company.
According to several interviewees, awareness among young companies in the DeFi space of the importance of good governance structures and compliance with regulatory rules is increasingly high. This may be because, in recent times, there have been several scandals or at least problematic episodes at companies in the innovative financial sector, such as FTX or Terra Luna.
Multiple participants from the DeFi space further mentioned that the regulatory compliance culture in a DeFi company depends strongly on the company’s self-image. While some see themselves as software companies rather than as financial service providers and are consequently hesitant to fully step under a regulatory umbrella, others embrace their role as financial service providers from the start and make sure to meet regulatory requirements with professionalism and the deployment of significant resources.
Some participants stressed that the very specific culture in DeFi, originally driven by a certain mistrust in governmental structures and a strong emphasis on individual rights and freedoms, can contribute to DeFi companies sometimes being rather hesitant when it comes to embracing regulatory requirements. A participant observed that the lack of legal certainty in the U.S. tends to drive younger DeFi companies offshore because they are not able or willing to carry the significant costs of regulatory compliance that they have to face, even when not knowing for sure whether certain regulatory obligations even apply to them.
An agent of the National Financial Supervisory Authority of an EEA Member State elaborated that it is an “either, or” between companies that take regulation seriously and those that do not:
It begins with the mindset: Am I regulated or not? A year ago, I would have hinted at FTX and Kraken, where one (FTX) considered itself regulated, whereas the other (Kraken) did not, but this may be a bad time to take FTX as an example.
The participant mentioned that, when companies see themselves as regulated and want to fulfill regulatory obligations, they usually have a compliance structure that allows them to fulfill these obligations. In these cases, the participant observes “high professionalism” and that “a lot of resources are committed to regulatory compliance.” On the other hand, there are the “classic” software companies that see themselves as unregulated; in those cases, regulatory compliance is oftentimes “catastrophic,” and the same is true for other aspects such as AML, KYC, etc. So, in summary:
Either DeFi companies are very serious about regulation and commit substantial resources to be compliant, or they focus heavily on software and are heavily lacking on the regulatory side. Years ago, we had more cases in between, but now we only see the two extremes; and the companies usually present themselves aggressively as one of the two extremes right from the start vis-à-vis us as the regulators. When we try to convince them to build compliance, KYC, etc., this is usually doomed to fail. There is no understanding, and no understanding means no deployment of resources, which usually leads to massive problems.
An agent of the National Supervisory Authority of a large Asian country confirmed the impression that both extreme scenarios exist and mentioned with regard to compliance culture in DeFi companies that:
It really depends on the protocol, some DeFi protocols tend to self-regulate, they want to be as stable as possible and try to really be decentralized. Others claim to be fully decentralized DAOs, but then their governance itself remains centralized. I think you really need to look closely at what the startup is saying in terms of decentralization.
A former agent of the National Financial Supervisory Authority of an EU Member State elaborated that the impression of DeFi regulatory compliance culture is “surprisingly good” and that the positive extreme in terms of companies that invest a lot in regulatory compliance from the start seems to be growing in numbers. The participant elaborated that:
There is a visible difference between DeFi and “pure” crypto projects; DeFi startups, or, to be precise, partly even just the protocols, are very aware that governance is very important, and that a lot depends on the technology and, therefore, the regulator and the policy maker look very closely at the technology side. My impression of governance, compliance, and technology development in DeFi businesses is positive; it seems to me that DeFi businesses tend to commit more and more resources to those areas because they acknowledge their relevance and have realized how all this falls into the larger regulatory framework.
A lawyer with a company providing a global DeFi platform emphasized the fact that regulatory compliance strongly depends on the individual company and what its self-image is; the participant mentioned that “it’s definitely a spectrum,” referring to companies that rather see themselves as software companies as opposed to others that embrace the role as financial service providers. The participant further elaborated that “I would say even those that understand the difference, still try to position themselves as software developers; everywhere, if you look on LinkedIn.” The participant went on to elaborate that there are indeed differences between DeFi companies and companies in the traditional financial industry that can justify a different regulatory standard:
Because, for instance, “exchange” is very clearly a regulated function and, in fairness, there are very important distinctions between how a decentralized exchange (DEX) works and how a traditional exchange works. I think that there should be a custom set of rules for this new stuff. I see that as less and less likely, as time goes on, I think, with the various set of scandals. But I would say that from talking to a lot of multilaterals as well as national regulators, I think they thought this was pretty exciting and pretty interesting, and that it could represent a revolution in the way that certain services are offered.
A lawyer with a company providing software tools for monitoring digital assets trading and compliance mentioned that it is “a mixed bag.” It all comes down to “Is this technology or is this finance?” And if one is going to “take other people’s money,” one is in the world of financial regulation, which seems justified according to the participant. However, regulation should not be the “front end of an entrepreneur’s thinking about what an exciting business opportunity is,” and it is a “macro issue” that regulation is often so complex that it tends to be the focal point before a business idea is fully developed.
A lawyer with a company offering services relating to cryptocurrencies stressed that the issue – namely, that providers of financial services delivered via the internet do not consider themselves to be regulated – is not new and not a specific DeFi issue. The participant elaborated that:
A lot of the businesses and participants in this industry see this as a technology service, as a piece of software that is not regulated. If I take you back to last year, to Tornado Cash, when the designation came, people said, “How do you designate software?” The problem is that this software was tumbling money and sent it to North Korea. The perception still is, when dealing with software, “I don’t need to put these controls in place, because I’m not providing a financial service, I’m providing just software.”
This issue is not new. It’s not just in this industry; similarly, in traditional payment services, including money transmission, money remittance services like Western Union, MoneyGram, but also gift cards and stuff like that, there are a lot of businesses that think, “I’m providing this service to my customers; through this service, they’re going to be able to send money to somebody else or make a bill payment, but I’m not a bank, I’m not moving the money, all that I’m doing is sending wire instructions to those banks to make the transaction between themselves, I’m really not regulated because I don’t touch the money, I’m not in the flow of funds, the banks are.”
But the underlying issue is that the customer that is interacting with you is expecting you to act on the request that they make, they don’t know which banks are behind you, and they don’t care; all they want is for you, the company, to process the requests that they made. So, a lot of companies say, “Well, I’m just providing software” while the customer’s expectation is that you actually deliver a financial service, you are actually engaging with this transaction.
There has been a lot of confusion for many years; this is not just for crypto. It goes for any financial services that are provided over the internet. What I like to remind people of is that, yes, you may be providing a piece of software technology, but if the person that is engaging with you believes that they are engaging in a financial service transaction, be it payment, be it trading, be it issuance of a stablecoin, be it whatever it is, you are providing a financial service.
A lot of these companies believe that they don’t need to have compliance. And that’s where they fall behind and end up hurting their customers, because they are not monitoring the transactions the way that they should, or they may enable transactions that shouldn’t be enabled through their system because they’re not doing proper KYC or things like that. It is an ongoing problem. But again, I like to clarify that it has nothing to do with digital assets or web3 or blockchains. This is pervasive in traditional financial services as well, as long as these transactions are enabled through the internet.
A lawyer with a company offering infrastructure services relating to crypto products and DeFi for institutional clients responded that:
The customers and prospects that we worked with, really across the board, including folks that are in the DeFi space, take regulation very seriously in the sense that they very much want to know what the rules are. And to the extent the rules apply to them, they want to comply. I think the biggest pain point many of them have is not knowing what rules do apply, and not being able to get clarity from regulators on that. They certainly take governance very seriously, in the sense of how a company should make decisions.
An expert on financial regulatory policy (U.S. Think Tank) stated that, with regard to regulatory compliance culture in DeFi, there is a “spectrum,” ranging from DeFi protocols that are “aimed at avoiding compliance” to others that “have been built to be safe, more compliant.” In the same way, there is DeFi that “has better code and is more resistant to hacking versus sloppy code that is dangerous.” The participant stated that it is an “open question” what laws apply to DeFi, particularly securities laws, derivatives laws, and banking laws aimed at regulating the intermediary, and that it would be “dangerous” to assume that platforms that are not compliant with all those regulations are attempting to evade compliance, since non-compliance could also be due to the lack of legal certainty regarding DeFi regulation. This is another example of how important more transparency and legal certainty are for the DeFi space.
A lawyer with a VC investment company focused on blockchain technology stressed that some companies still underestimate the relevance of regulatory compliance. For example, “in a layer 2 context, if you say you’re decentralized but are actually in charge of the sequencing, does that make you centralized? If you take assets onto a bridge and control a key to the bridge, is it really decentralized?” The situation seems to be “binary”: Some DeFi companies take regulation very seriously, some not at all; this also depends on the jurisdiction a company is located in.
A lawyer with a hedge fund focused on crypto assets observes that regulatory compliance in DeFi has evolved. The ethos of crypto in the beginning days was “highly libertarian,” and “later in 2016 and 2017 during the boom of Initial Coin Offerings (ICOs),” it was seemingly “very anti-authority and anti-establishment,” and people were taking regulation not very seriously. According to the participant, that has changed as the industry has matured over the past few years. By now, “very pre-emptive compliance” can be observed in the industry. The participant mentioned portfolio companies that operate “on-chain through the existing regimes, just assuming that those regulations apply.” It depends on the “specific company, the team, and the protocol,” but overall “companies are getting a lot more serious about compliance and regulation.” This can, for instance, be seen in the case of Tornado Cash which showed that “you can’t claim that you’re just an open-source protocol. They’ll sanction you; they’ll arrest the founders, and folks are taking that seriously.”
A General Partner with a VC fund investing in blockchain technology explained that regulatory compliance in DeFi should be understood as a spectrum: Some companies are “clearly situated on the technology side, have a single founder, often with an IT background, etc.” Most venture capital-backed companies, especially if operating in the U.S., “try to be compliant, but more and more of them are moving offshore because the regulatory rules in the U.S. are unclear.” They are “not all ‘cowboys’, but the regulatory burden in the U.S. has become so high, legal compliance cost so high, that more of those smaller companies are moving abroad while institutional founders try harder to build a U.S. business.” A rather “disheartening” example of all this is Coinbase because “even they can’t get clarity but create offshore exchanges (costly redundancies)” to hedge against regulatory uncertainty.
f. The regulatory framework for DeFi in 5 to 10 years will ideally be transparent, comprehensive, and leave DeFi breathing room.
All participants stressed that clear definitions, legal certainty, and transparency regarding a future regulatory framework are critical for DeFi businesses to operate with a certain sense of certainty and predictability, and to give DeFi the chance to thrive commercially. Interviewees agreed that, ideally, there will in the future be a comprehensive regulatory framework for DeFi that combines different (old and new) instruments to ensure proper regulation of decentralized business models in the financial sector. When thinking about this question, one must keep in mind that “true” DeFi is an entirely new and revolutionary type of business model that does not fully fit under “old” regulatory rules developed over the past decades in a world marked by intermediaries and “gatekeepers.” As far as DeFi involves centralized entities or other relevant components that could be targeted for regulatory purposes, such as oracles, several participants pointed out that the regulatory instruments already in place should be used to regulate these aspects of DeFi. As for new instruments that could involve the regulator taking on a more active role on-chain, participants mentioned that the question of responsibilities will have to be looked at closely in future debates on DeFi regulatory policy.
It was further stressed that interoperability among different DeFi systems will play an important role in the future: Does regulation under one system translate to regulation under another system? This may be particularly important for interoperable systems that combine different business models and services, which are, up until now, regulated separately but may need to be regulated under a common framework in the future in order to prevent the spillover of risks from one system into the other. The same is true for questions of scalability and data protection.
These factors will have a strong impact on the development of a future regulatory regime for DeFi which may include regulatory instruments that have in the past not existed. In addition, a participant stressed that for good regulation one needs good real-life data and knowledge of the regulatory targets; it is the regulator’s job to make sure that sufficient data and knowledge are available to create the best regulatory practice.
I want to emphasize the following statements that support the findings summarized above:
Two agents of the National Financial Supervisory Authority of an EU Member State elaborated that the financial market of the future will become more hybrid, including centralized and decentralized structures. “It seems very possible that DeFi will play an increasingly important role; already today, we see an increasing number of DeFi applications being developed.”
With regard to a future regulatory framework fit to meet the challenges posed by such a future market structure, the participants explained that:
What the regulatory framework will look like depends a lot on solving the issue of responsibility; some responsibility might be shifted to the regulators, then we would have to figure out in detail which responsibilities we are willing and able to bear. I could imagine that there will be a number of items that a DeFi provider will have to implement, for instance, an “on-off-switch” controlled by the regulator, and regulatory audits; it also depends on whether there will still be some sort of intermediaries or not. We will also have to regulate centralized players such as oracles. When real-world assets are tokenized, the process of tokenization will have to be regulated more closely. Generally, any centralized component in a DeFi system will have to be looked at closely regarding the risk potential and regulated accordingly.
An agent of the National Financial Supervisory Authority of an EEA Member State emphasized the relevance of using the regulatory tools we already have, as far as possible, and elaborated that:
I would build such a framework from regulatory instruments that exist already today. When we discuss DeFi, we first need to clarify who is responsible for regulation from a jurisdiction standpoint; to this question, for instance, the EU Prospectus Regulation provides answers and identifies the first point of contact as the responsible regulator. From that point on, the framework should consist of pieces of the classic financial markets regulation and the technical component would have to be covered; we should not underestimate that we already have certain in-depth technical regulation, e.g., the EU General Data Protection Regulation (GDPR). So, all we would have to do is write a law that clarifies the jurisdiction and the different pieces of legislation already written that apply to DeFi and how they are applied to DeFi. We need to clarify how we want to approach it and then, for instance, if we have “financial instruments” in a DeFi context, MiFID is applied; if we have DeFi business models not involving “financial instruments,” MiCA is applied; if something is then not covered, it is not regulated.
An agent of the National Supervisory Authority of a large Asian country mentioned with regard to the timeframe in which a framework for DeFi regulation may be expected that this strongly depends on the economic relevance of DeFi:
My jurisdiction tends to focus more on consumer protection compared to the American market. Europe is similar to us; I think they tend to put in the regulation first before they see the innovation go crazy. It really depends on how the business side evolves. I think if it evolves really quickly, and if it becomes everybody’s day-to-day life that they access DeFi, then it will need to be addressed much more quickly. But if it’s not, then we’ll keep studying.
A former agent of the National Financial Supervisory Authority of an EU Member State elaborated:
I hope we will have something that sets the frame but does not regulate DeFi itself too much; when software is regulated, ultimately nobody really benefits from that. I agree that the front end must be regulated in some way, but I would hope that in 5 to 10 years, we have a framework that finds a good compromise. This could mean that the protocol layer is left alone, but there are instruments such as voluntary compliance, voluntary regulation, embedded supervision, regulated oracles, soulbound tokens for identity management, that link into the legal framework without targeting the actual DeFi applications. “Regulatory carpet bombing” and the creation of catch-all clauses that result in a quasi-gatekeeper regulation that targets, i.a., coders, potentially even end-users, is ultimately not a good solution but could serve as a bridge solution that is in place before a better and more refined regulatory framework for DeFi is developed. DeFi is still a very young area of finance, and we should be wary not to overregulate.
We should allow DeFi to develop its potential; we should not let DeFi run free, but at the same time, give it enough space to develop. While sandboxes can be a helpful tool, they are restricted by limited capacities; therefore, letting the market develop in the real world is important to give DeFi a chance to grow. We should appreciate and respect the DeFi market and not drive innovation out of our jurisdictions.
The founder of a DeFi wallet provider is of the opinion that proper regulation is crucial in order for DeFi to grow and become a mainstream business model. The participant stressed that one should align the future regulatory framework with the regulatory goals and target the front-end as well as the back-end. The participant emphasized that one should think about introducing a multi-layer regulatory approach that starts with lighter regulatory burdens for young companies, which lack the size for creating systemic relevance, and then becomes stricter as the company grows its customer base and products. Specifically, the participant elaborated that:
My wish is that the future regulation of DeFi will be inspired by “goal-based regulation”; analyzing DeFi against the background of regulatory goals such as operational resilience, customer protection, etc., and looking for who plays what role in a DeFi business model is essential to finding regulatory answers.
I think, we will see certain requirements on the front-end level, and this will likely affect products like ours. For instance, there might be regulatory requirements for the development process of a front-end, and I believe that is the right step because a high quality in the product leads to a smaller risk of technological failure and hacking. The user needs to be able to trust the technology and to be sure that it has been developed and audited properly.
On the back-end level, the argument that DeFi platforms are just open-source software and, therefore, the developers should not be responsible under regulatory law, does not convince me. I grew up with open source, the Linux days, and I believe that if someone created something based on open-source software and instantiates the code and has it run in memory to offer a service, they have some kind of responsibility as to what happens with it. Therefore, we have to ask who the developer is and who runs code in memory.
Against that background, I think DeFi is more than just open-source software development; if someone takes software code and puts it on the Ethereum Virtual Machine (EVM), this creates a kind of responsibility of the individual, or DAO, or generally the group of people who can change things on the system, or deploy new things, or manipulate assets on the smart contract treasury. This group of people should be regulated with organizational rules (“Who has which powers, how is this documented?”, etc.). We have to ask ourselves whether an individual coder should be regulated or the group behind a DeFi system. Software at scale is mostly a group task and, therefore, I think addressing the group is the way to go.
When it comes to the effects of regulation on innovation, I think it would be helpful to think about the systemic relevance of a product and with that in mind introduce a multi-layer regulation system that starts with a lighter entry program: If an individual coder builds a product, this can by no means from the start be of systemic relevance because it does not have any users, so we could start with a first layer of regulation that covers only basic points; when the product becomes more mature, gains more users, more advanced regulatory layers could kick in. This would allow young companies with promising ideas to start with a lighter regulatory burden that becomes more intense the bigger the product gets. This would create transparency for regulated entities and give them space to breathe when they start their endeavor. If the potential damage is low since the product has no or just few users, it seems justified to start with a lighter regulatory stance.
If DeFi goes mainstream, DeFi needs a professional and regulated infrastructure. Think about a marketplace, e.g. Uniswap, that offers essentially the services that an exchange would offer in the traditional world; I personally have a hard time believing that when such a marketplace is offered through a smart contract that allows me to exchange financial instruments, this will in the future not be treated under regulatory law like a marketplace for financial instruments in the traditional world.
A founder of a company providing software tools to financial institutions related to payments and identity stressed that regulation must be based on real-life data and such data is not yet available for the regulators, due to the young nature of DeFi. The participant further stated that:
I’ve sat in the room with central banks, and a lot of different banks over the last five years; the biggest thing I learned is that regulation and policy also come from data. We had cars, then someone had a car crash, and then we made seatbelts and made it a law that you need to wear a seatbelt. All regulation and policy come from things that are happening in the world and data. What is wrong with the system right now is that we’re still very early in this technology, where you need more data to make the right rules and regulations. And I think a lot of people are sitting behind closed doors, who don’t even understand the tech and are trying to make rules and policies around technology that (a) they don’t understand, (b) is still fairly young; so, we actually don’t know the full extent of what we should be regulating. It’s a little bit hard to make policy and regulation, I think, without having more people who are making policy and regulation understand the technology and having sandboxes where they can see where the technology might go wrong, have a better understanding of what the rules need to be; governing bodies, I think, are going to need to start changing a little bit as well.
A computer scientist with a company offering DeFi services mentioned that the next step in light of KYC/AML enforcement could be the ability to revert transactions. For example, “when you send currency on base layer 2 to a party like Iran, the transaction could be changed back.” This could also be helpful in the case of hacks to revert illicit transactions. But it remains a “double-edged sword, a Pandora’s box” even, because it undermines the irreversibility that is crucial for blockchain-based transactions. Overall, the first step should be more transparency on what the regulators want; the second step could be establishing standards and potentially embedding them into the system.
A lawyer with a company providing a global DeFi platform strongly emphasized the relevance of jurisdiction when it comes to a coherent regulatory framework for DeFi. It became clear that without agreement on regulatory standards internationally, there will always be an option to evade strict regulation and enjoy regulatory arbitrage. This is not an issue specific to DeFi, but a general issue in the financial industry. Moreover, the participant stressed that it will be crucial to find a way to reliably define and identify regulatory targets and align their regulatory obligations with the actions those parties can in fact take; for instance, one must differentiate between the nodes of a network and the provider of a protocol and the actions each of those can take on a DeFi platform. The participant elaborated with regard to those “two pieces” of the future regulatory framework for DeFi:
The first one is a bigger issue than DeFi itself and doesn’t get talked about enough: The question of jurisdiction, or domicile. Where is the service being offered, and which countries are going to take the view that, if it’s offered, even from offshore into our country, we have the right to regulate it? That’s a big issue because it means that even if you find some Banana Republic that’s going to be lighter on the regulatory side, which everyone does, you’re still ultimately going to have to kind of bow to the U.S.-only regulatory regime because of this. In terms of where global regulation goes, the question is, what is the position on jurisdiction that all these countries have; ultimately, people are going to go and forum shop and find the most permissive jurisdiction. And then, what do we do? Because then it will still be available to everybody because it’s all open-source software. Clearly, the U.S. is keen on targeting that stuff, no matter where it sits, if any U.S. person touches it. I think there are limits to this. Probably every one of these protocols and companies, people have found ways to circumvent the IP controls and other controls by using tools like VPNs. Perhaps none are as brazen as Binance or whoever, in terms of telling people, “Here’s the guide to avoid those rules.” Even if companies say, “If you’re in the U.S., don’t use our product,” someone will still get through. And the stance is going to be from the U.S. perspective or from whatever jurisdiction, “I still want to know which countries care about that.” And those are the countries that will dictate how DeFi takes off globally or doesn’t. So that’s the jurisdictional point. And I make that point just because no one says enough about that one; it’s not even specific to DeFi or crypto, but generally jurisdictionally, it is relevant to understand what it is going to take for our country to exercise jurisdiction over a product or service that’s offered within their borders.
Second, let’s talk about DeFi-specific things. I think that two of the key premises are: (1) There has to be an identifiable party, and (2) that party has to be able to conform their behavior to the rules. Those are both real challenges. I have not heard any good explanation to solve this in the industry, other than, “Oh, we’ll upgrade it the next time we do it, when we launch another version, that will improve.” But for (1), technically, a DEX provider is not offering the protocol services, that’s just all these nodes on Ethereum. And for (2), neither they nor the DEX provider has the ability to change their behavior in response to a rule. How is that consistent with ongoing supervision or ongoing regulation?
Something that has been discussed last year in the U.S. was a pre-certification regime saying that, before we launch something, we’ll certify that it’s going to meet certain kinds of market-based principles. Basically, we will certify to you that there will be some general sort of fairness, or there won’t be front-running, or all customers are treated equally and without discrimination. And then you can come after us if we break that.
A lawyer with a company providing software tools for monitoring digital assets trading and compliance stressed that it is crucial to have a “safe harbor, some opportunity for builders to build,” so they can build a product and see if it even works before they “hire tons of lawyers and have millions of dollars of expenses around compliance when they don’t even know if something works.” This could be “akin to what SEC Commissioner Peirce proposed, it’s akin to sandboxes.”
A lawyer with a company offering services relating to cryptocurrencies believes that cooperation between regulators and the industry will be crucial in the process of finding a suitable regulatory framework for DeFi. The participant stressed that this is a process that takes time and the willingness on both sides to sit down together and find a compromise that works for everyone. The participant elaborated that:
Taking you back to when PayPal, Venmo, and Stripe were created, I believe that we are going to see web3, blockchains, and DeFi transactions being part of the traditional financial services. But this is going to take time. You don’t change an industry that is a century or so old in two years. And it takes time to educate the regulators on how to do this. I don’t believe that it will be implemented the way that is being offered today; it’s too distant from the protections that some of these regulators would expect. So, there will be adjustments on both sides. I think the regulators are going to come halfway, and the industry is going to come the other halfway and implement some controls.
DeFi, as it is today, is very decentralized; it may remain decentralized, just not to that extent; maybe there are other ways to enable decentralization while access to information and stopping illicit transactions, and being able to identify, follow through with any activity that we believe not to be permitted is guaranteed; that’s what the regulators care about, they are not here to stop services from being provided, they are here to stop people from getting hurt, and national security from being jeopardized. They don’t care about anyone creating technology, as long as it’s not hurting anyone or threatening national security. I think that, at the end of the day, if both parties can agree on this understanding, they can come halfway and get there. But it’s going to take time because what you have on one side is a very old industry with very narrow ways of thinking. And then, on the other side, you have a very new industry with a lot of advanced technology. And you need to bring the two together.
A lawyer with a company offering infrastructure services relating to crypto products and DeFi for institutional clients is skeptical of the possibility of regulating “true” DeFi and explained that it might not even be necessary to regulate the DeFi protocol itself: a main reason for regulation is the human element, which is flawed because humans make mistakes and can act with bad intentions. If this human element is removed from the equation through disintermediation and automation, regulation of DeFi itself might not be required at all:
If you have a setup that is truly decentralized, purely code-based, just software, and it is set up correctly, in other words, decentralized and doing what it says it’s going to do, I think it’s very difficult and potentially impossible to regulate that in any centralized way. It wouldn’t help to regulate, for example, the creators of the code, because they may have written it and are not using it anymore; they may make it open source, and others are using it, but they have no control over it.
But I also think regulation would not be needed. The whole reason that regulation is required of a centralized exchange or a centralized financial institution is that, for better or worse, and this has been true for thousands of years, and it will be true for the rest of humanity, people make mistakes; there are bad actors who need supervision, and anytime you have humans involved in the decision-making process, you will need some sort of regulation. But if you eliminate that human element, it would not be needed in the DeFi protocol.
Now, I realize that is, for some, perhaps a frightening realization, certainly for regulators. At least for certain applications, it may make sense to regulate people engaging with the DeFi protocol. If you’re a broker-dealer, that is, on behalf of a client, interacting with a DeFi protocol for some loan, you, as the broker-dealer, can continue to be regulated. And it may make sense to do that, for all the same reasons it makes sense to regulate broker-dealers now. It’s not that in respect of DeFi, there will be no space or no opportunity for regulation and that it wouldn’t make sense at all, but I don’t see either a need or a particularly effective way to regulate the decentralized protocol itself.
A lawyer with a cryptocurrency exchange platform and provider for DeFi payments in Latin America stated that a first step in the development of the regulatory framework for DeFi will likely be the regulation of ramps and other service providers related to DeFi:
The expectation here is that DeFi will at first not be directly regulated, but what we understand will be regulated is the “entrance” to DeFi; so whatever ramps are connected to MetaMask, or Uniswap, we’ll have a lot of scrutiny to onboard clients. Companies involved in supporting and providing the infrastructure for DeFi platforms will likely also be targeted. DeFi is not very significant in terms of number of users in my jurisdiction. I think the central bank is scared, like, “Wow, this is something that can be very tricky to enforce or regulate; we have to keep a close look at it.”
The participant further elaborated that “the way the regulation for CeFi is evolving, that started with compliance, I would say the same thing for DeFi.” The participant stressed that international standardization will be a very important factor and that the international organizations should draft key concepts:
For example, an exchange that is operating in several countries, it’s a mess when you have completely different rules, because it makes the operational burden absurd. I think for everything that we see as borderless, the regulatory key concepts, they need to be aligned. This is especially important for DeFi since this is the next level of borderless because it doesn’t matter where you reside, or where you hold your assets. Otherwise, I don’t see this advancing, in terms of policy; I think, then people will just do regulatory arbitrage.
An expert on financial regulatory policy (U.S. Think Tank) stated that, with regard to the U.S. regulators, it would be a helpful first step to recognize that, while not all business models claiming to be decentralized truly are, DeFi as a concept exists and should be recognized as its own regulatory category. Concerning the vision for the regulatory framework for DeFi in 5 to 10 years, the participant is skeptical with regard to the U.S. and expects the U.S. regulators to remain somewhat hostile towards DeFi, which may drive DeFi business overseas. Specifically, the participant stated that:
I don’t have a lot of optimism for the U.S. system being able to have a deep conversation about the differences between centralized finance and decentralized finance right now. In part, because I don’t see a particular pathway to having regulators become interested in tackling the nuances, because we’re stuck at the, I call it, the “ridiculous 2014 conversation of can we ban it?”
Long term, the participant’s prediction on this is that “the U.S. is going to remain kind of a hostile jurisdiction, but that we will see a DeFi-friendlier space overseas, potentially in Europe.” In the EU and some Asian countries, Japan, Singapore, and others, “we will see higher regulatory requirements on DeFi, but I’m hopeful that those types of requirements can be programmed in, rather than requiring additional centralization in order to make the regulatory requirements be met.” Ideally, the transparency created by blockchains will be used by regulators so that “you don’t have to send a subpoena, you don’t have to send a request for information, you can just take a look yourself.”
The participant stated that “my perfect world for DeFi entails an optional registration system where DeFi protocols can register and say that they are part of the regulatory apparatus; in those circumstances, someone is on the hook because you are working with the regulator, but that’s a choice, and other circumstances where the DeFi protocol would choose not to seek this ‘stamp of approval,’ no one would be on the hook in terms of the financial regulations.” The participant further explained, “I think there’s always an opportunity for general fraud statutes or consumer protection rules to the extent that you can identify someone that has wronged you. But I think in most circumstances, that is still not the programmer, although for massive negligence, maybe it is.”
A former European regulator and expert on regulatory policy (blockchain organization in Europe) explained that before talking about complex regulatory solutions, in a first step, we need proper definitions (“walk before we run”). The participant sees a chance that the regulator will target the pseudonymity and immutability of DeFi systems and might think about product licensing requirements. In detail, the participant stated about the lack of a coherent regulatory framework for DeFi that:
For example, under MiCA, fully decentralized finance is out of scope; now, in the draft AML Regulation, NFT service providers and DeFi applications are technically in scope, but it doesn’t tell you what “fully decentralized” means. If we want to start establishing a duty of care, let’s first establish a standardized definition of “fully decentralized.”
The participant then mentioned that the impression from current regulatory discussions in Europe is that regulators tend to think that “somewhere somebody pushed a button at some point; therefore, somebody somewhere is liable” and that the argument about centralization versus decentralization will likely not be enough to do away with establishing a duty of care.
The participant also stressed that for the regulators, “pseudonymity, whenever financial services are involved, is in question.” There are potential solutions to the pseudonymity issue:
At the very extreme, we have only permissioned DeFi that is allowed to touch financial services with the necessary KYC and AML obligations, and on the other side, we have the allowance of permissionless DeFi, but we will need to have a new system of identifying beyond wallet addresses.
The participant added, “regulators increasingly view the immutability of blockchains as an obstacle rather than as an advantage, but it’s the thing that makes them commercially viable in the first place.” The participant mentioned that, for instance, the way that interoperability is judged under Articles 28 and 29 of the EU Data Act, speaks to a “lack of understanding” of how, at least on the permissionless side, “DeFi applications and smart contracts even work.”
Another aspect that the participant noted “regulators increasingly talk about” is product licensing requirements for smart contracts:
I am personally not for or against product licensing for smart contracts, but I feel that developers could probably do a better job of backtesting their code and figuring out what might be the loopholes. But it is also a problem that a lot of developers aren’t economists, and they’re not policy people. So again, we have an information asymmetry problem just from the other side. But I don’t think the product licensing is necessarily bad, I think that it needs to be done in a way that is ethical and equitable for the industry, and I don’t think that, for example, you should ban all protocols that are not licensed; when we talked about setting up an EU watchdog, for example, to issue advisory opinions and warning labels on protocols that have suffered hacks, I think that that’s maybe in the short to medium term, a better way than product licensing because you first have to figure out what the product licensing regulations are going to look like. And this is going to be a whole thing. But it’s a lot easier to set up a watchdog. It would not have to be a new institution; it could just be an extension; this can be done by the CFTC, or the SEC, for example. It doesn’t need to be embedded supervision from the get-go either. Maybe walk, before you can run.
The participant stressed that before thinking about complex embedded instruments, “using the DLT infrastructure that is transparent by design, having APIs to analytics providers, working with industry, and encouraging the development of more solutions to counter money laundering and related issues is a promising first step.”
A lawyer with a VC investment company focused on blockchain technology stated that DeFi will, in some form, have to be regulated more transparently. Of particular importance is a transparent regulation of the front ends, “especially non-custodial exchanges.” One major challenge is how to deal with a situation where code is developed by someone, deployed, and then “left alone” by the developer: Since “code is speech” and, therefore, protected under the First Amendment, “how can such a situation best be addressed?”
A lawyer with a company providing software tools for monitoring digital assets trading and compliance added that decentralization is a “fundamental transformation opportunity for the way that regulation happens” but also “a real opportunity to kill DeFi by trying to force it into the current structure, which only intermediaries actually can operate in.” The participant mentioned that a new regulatory framework would be a chance because the “amount of money spent on compliance in traditional finance and the lack of results that gets us in terms of mitigating financial crime, in terms of preventing consumer harm, in terms of just the administrative burdens” is “pretty ridiculous.”
g. Regulatory code audits could be a way to prevent faulty code that creates the risk of exploitation by malicious actors.
As already presented above, several participants mentioned that the code underlying DeFi protocols could be audited before going live; this could either be done by the regulator, or by a third-party provider that is supervised by the regulator. Most participants agreed that this would generally be beneficial. In terms of practical feasibility, while businesses seemed open to the idea – given that this would not create massive additional regulatory cost – regulators seemed to generally agree but were slightly more cautious about taking on additional direct responsibility in the form of code audits.
A lawyer with a company providing a global DeFi platform elaborated that their company strongly supports code audits and communicates this to the regulators while, on the other hand, acknowledging that code audits are not able to reveal macro conceptual issues in a protocol:
We have said in our conversations to regulators that all projects should go through a comprehensive code audit before they launch. And that’s definitely what we consider to be a very strong best practice in the space. But there’s no obligation to do that right now, that’s the whole issue. And so not everyone’s doing it. But even if they were, again, I’m not the best technical person, some of the details are just technical, but just fundamentally, from an economics or mechanism design standpoint, does this code make sense? Is it going to work? Does it solve a problem? Are there any unintended consequences? Those are just design questions and high-level thinking questions, and no code audit is going to reveal that. Anyway, we strongly encourage that. We also agree that if a regulator wanted to do a code audit, that would be fine. But regulators are looking at this from the legal and economic perspective, like “But what is the impact here? I don’t really care what line 76 of some scripts says.” Very often, from what I’ve seen, many founders have not thought about that at all; they don’t care, or they don’t know enough about economics, mechanism design, or the law or TradFi to even know what they’re trying to imitate or improve on. I see that being a bigger issue, at least an equal issue.
h. Targeting coders for regulatory purposes is not a particularly promising approach.
Even a fully decentralized system must be created by someone before it can run by itself: The protocol is first written by coders and then deployed. This makes one wonder whether targeting those coders for regulatory purposes would be a good way to mitigate the risks created by DeFi, as already hinted above, in the broader context of DeFi regulation. While targeting coders might be a viable interim solution before a comprehensive regulatory framework is in place, most participants in the study agreed that this is not an ideal solution. First of all, regulatory law is supposed to be proactive and preventive; once a protocol has been deployed and cannot be stopped anymore by the coders, one is acting in the realm of repressive action and can, at best, hold coders responsible for potential damage that results from the deployed protocol.
Coders will in many instances not be the “masterminds” behind a protocol, and it seems like an ineffective way of regulating to target the people working on the mechanics of a protocol instead of the creator of the idea, who is ultimately responsible for the product.
Furthermore, targeting coders would likely have a strong deterrent effect on people engaging in DeFi and would, thus, slow down innovation in jurisdictions that target coders – and drive business in jurisdictions that do not.
In detail, the following statements illustrate the above evaluation:
Two agents of the National Financial Supervisory Authority of an EU Member State elaborated that targeting coders for regulatory purposes is heavily debated, and Tornado Cash was certainly a vivid example of this. The participants clarified that targeting coders does, at this point, not seem necessary or promising because there are more suitable enforcement tools available to the regulator; at the same time, coders should be aware that creating a protocol and deploying it in a financial market context can create obligations and liabilities under regulatory laws:
When it comes to DeFi regulation, it makes sense to ask where exactly the threshold of danger is crossed; when applying this test, theoretically, a coder could be liable under regulatory law, but one would then have to ask whether the coder who deployed a smart contract can reverse the effects of the deployment. If he cannot do this, we would have to ask ourselves whether it makes sense to target him for enforcement measures; when it comes to preventive measures, it probably does not make sense in that case, but the situation is different for potential criminal prosecution. If a protocol is deployed, instead of targeting the coders, we have more suitable enforcement powers like issuing a warning or restricting access to protocols through web interfaces; in extreme cases, we could even target the entire infrastructure.
In case of “truly” decentralized DeFi where enforcement by traditional means is not possible, we do have to reconsider our enforcement tools and think about how we can deal with that in the future. So far, for 99.9% of the DeFi protocols, there is a way of enforcement for us; the issue in those cases is rather identifying the parties we want to target and figuring out how to target them when they are in a foreign jurisdiction. Generally, coders should be aware that, if they build a financial market product and deploy it, they are generally responsible under financial regulatory law.
An agent of the National Financial Supervisory Authority of an EEA Member State elaborated that one should target the “mastermind” behind a protocol instead of employee coders:
I would rather target the people who are responsible for the system. For instance, in the case of duties of care, it is not the compliance officer as an employee who is responsible, but the management. We have to ask whether someone is the “spiritus rector” or just an executing employee. We always have to target the creator of the idea, the initiator, the mastermind. It would be wrong to target a regular employee only because he wrote the code; he wrote the code because it was his job.
A former agent of the National Financial Supervisory Authority of an EU Member State sees a potentially negative effect on innovation of targeting coders and does not consider it to be an effective measure for regulatory purposes since regulation is supposed to be proactive. The participant elaborated:
This would most likely slow down innovation because people would be scared of or at least worried about potential regulatory consequences and might refrain from coding. In my experience, coders tend to be rather risk friendly, which is why I do not think that it would entirely kill off innovation, but it would certainly have negative effects. We also have to ask ourselves what this would even achieve; coders may have a certain power to deploy a protocol, but how would the regulator actually target the coder? Regulatory law is proactive and must have an effect before a risk materializes, not afterward.
There is an argument that entities could be made liable if they do not update the code they use, comparable, e.g., to a car manufacturer that has to make sure the brakes in the cars it sells function properly; this could be a potential approach for financial regulatory law when it comes to DeFi protocols that are deployed.
When asked about potentially targeting entities such as foundations that are often involved to set up DeFi business models, the participant elaborated that “this depends on how one would try to target such entities. In a DeFi context, oftentimes Swiss foundations are used, which presents us with jurisdictional problems. It would be similarly problematic as relying on gatekeeper regulation because it does not help with regulating the actual activity or product.”
A computer scientist with a company offering DeFi services differentiates between the types of failures a coder could be accused of and argued that “if you create a smart contract that has to have KYC and AML checks and fails, responsibility could be justified; for permissionless contracts, it is different.”
A lawyer with a company providing software tools for monitoring digital assets trading and compliance stressed that targeting coders is a “slippery slope” and that the rule that “code is speech” should be honored instead of giving all “federal agencies more power than they already have in that space.” The participant also sees a need for clarification regarding the legal treatment of decentralized organizational structures such as DAOs in that context.
A lawyer with a company offering services relating to cryptocurrencies sees the risk of suggesting to coders that they can build and release whatever they want without any consequences but at the same time does not consider coders to be the right target for regulatory action. The participant elaborated that:
Coders are not equipped to handle the liability for this. But I also am hesitant to say just let people create things without worrying about the risks associated with it. Because if you just say, “Go ahead and do whatever you want, you’re never going to be liable for it,” then people are going to do whatever, and they don’t really care about whether they’re hurting others or threatening national security.
I do agree that there should be an identification of an individual or corporation or whoever it is that is responsible for that. So, it will remain decentralized but somehow centralized; that’s the whole thing about DeFi, it’s really not “decentralized,” someone created it. It did not drop from the sky, someone had to create it. It is centralized that way. But that doesn’t mean that because a coder created it, that is the right person to be responsible. I mean, we have several engineers at my company, they are not the ones who are liable for our business operations.
It is really about identifying who is the right target, is it an entity, is it an individual? I also believe that just letting people create things without understanding the risks associated with what they are doing can be highly irresponsible. And this is why, for example, at my company, our engineering team is trained on financial services when they started working for us; I’m not asking anyone to be an expert, but you need to understand what the Bank Secrecy Act is, you need to understand our obligations to regulators.
An expert on financial regulatory policy (U.S. Think Tank) is “generally not crazy about the idea of putting the programmers on the hook. If for no other reason than that’s not how we’ve designed the rest of the financial laws. It is not the expectation that the programmer is on the hook for how the J.P. Morgan system works, and I think it’s kind of an unfair disadvantage in the DeFi space if you are to make the software developers the ones that are responsible for that circumstance.”
A lawyer with a VC investment company focused on blockchain technology argued that “you should not be allowed to put whatever into the universe and not be held responsible; this does slow down innovation, but you can’t just do whatever, similar to the First Amendment: There is a lot of freedom, but you can’t just say whatever you want.”
i. Summary: Differences and common ground among the interviewees.
aa. The Regulatory Perspective.
Several agents of regulatory authorities made it clear that DeFi is “by nature” a model that brings traditional regulatory concepts to their limits. This is because, until now, such concepts have mainly been based on targeting intermediary entities (“gatekeepers”) to regulate financial business models, which is very difficult, if possible at all, for truly decentralized DeFi business models, which are marked by the fact that there is no intermediary entity. Several regulators expressed the opinion that the economic relevance of DeFi is currently just a fraction of the traditional financial system, which is why it is not a main priority of most regulators, especially in times when the traditional banking system faces increased risks through inflation, rising interest rates and potential systemic shocks. Nevertheless, all regulators acknowledged the disruptive potential of DeFi and stressed the relevance of finding a functional and transparent regulatory approach suitable to mitigate the risks that come with DeFi, especially cyber risks like hacks, regulatory gaps, risks for consumers, and the risk of criminal activity like money laundering and terrorism financing. The regulators who participated in this study expressed their openness regarding conversations with the industry and acknowledged that good communication is crucial for finding a good regulatory approach that eases the regulator’s concerns and leaves the industry enough room to breathe.
bb. The Industry Perspective & Other Expert Views.
Representatives of DeFi providers, including services for the operation of exchanges, wallets, and transaction monitoring, mostly agreed that a certain degree of regulation is necessary in order to create trust, at least for blockchain-based products that mirror financial instruments that are regulated in the traditional financial industry. Proper and transparent regulation is, according to multiple business representatives, likely a prerequisite for the mainstream commercial success of DeFi. All DeFi business representatives agreed that while regulation can be a burden, uncertainty regarding the future of regulation is more concerning than regulations that may in part be strict. A lawyer with a company providing software tools for monitoring digital assets trading and compliance even mentioned the “ridiculous amount of money spent on compliance in traditional finance and the lack of results in terms of mitigating financial crime and preventing consumer harm” and expressed that DeFi could be understood as an opportunity to find a functional and efficient regulatory approach. The business representatives emphasized that good communication between regulators and the industry is crucial, and several mentioned that finding promising solutions for DeFi regulation is a common effort by regulators and the industry.
cc. The Investor Perspective.
The VC investors interviewed for this paper acknowledged the relevance of regulatory compliance in companies they invest in. From the investors’ perspective, it seems to be critical to reduce the risk of an unclear regulatory framework that puts portfolio companies in danger of sanctions or even the shutdown of the entire company. At the same time, representatives of DeFi companies hinted that – at least during the peak times of VC funding up until 2022 – VC investors were, in some cases, not too concerned about regulatory frameworks as long as they deemed the respective business models convincing.
dd. Common Ground.
There are several potential regulatory approaches for DeFi, and a combination of different tools will likely be the most promising approach. The interviewees agreed that it is, so far, very rare that no single subject involved in the creation of a DeFi system can be identified; in other words, “truly” decentralized DeFi has not really arrived in the mainstream yet. Consequently, it is often possible to target certain individuals or entities as the responsible creators of a DeFi system. It is a different question, however, whether it seems justifiable and effective to target, for instance, coders who helped create the protocol that is the foundation of the respective DeFi system. A particular concern is that this could deter coders from engaging in working on DeFi protocols, which might ultimately prevent new business ideas from being created and thereby hinder innovation.
For “truly” decentralized DeFi, there will have to be new tools and approaches in order to ensure effective regulation. Against this background, using embedded regulatory instruments could be one important building block in the future regulatory framework for DeFi.
All participants agreed that regulators and the industry must work together and, to a certain extent, accept compromises in order to make true progress in DeFi regulation and give DeFi a chance to prove its worth in the market.
ee. Differences.
The main difference in perspective between regulators and business representatives is likely the perception of how clear the regulatory rules that apply to DeFi are today. While most business representatives were vocal about how problematic the lack of clear rules is for them, the regulatory side was slightly more optimistic about the progress made in clarifying what rules apply to DeFi. I want to emphasize that the representatives of regulatory authorities who participated in the study underlying this paper were European and Asian. U.S. regulators seemed more cautious about engaging in a conversation for the study. This may explain the difference in perception since most business representatives I spoke to have a nexus to the U.S. markets and, therefore, their criticism mainly aimed at the U.S. regulators, while there might indeed be slightly better progress in the EU and Asia regarding clarity and legal certainty of DeFi regulation.
Embedded supervision as a promising concept for DeFi regulation.
a. Embedded supervision can be used in several ways – But should it?
Embedded supervision could range from a “big” solution in terms of a governmental entity providing the entire blockchain infrastructure to a “smaller” solution in terms of access rights being granted to supervisory authorities by the entity responsible for a commercially used blockchain. An embedded supervisory approach can be used for different purposes. Important use cases fall into three main categories: (i) real-time monitoring of data that is relevant for financial regulatory purposes, (ii) enforcement actions such as “circuit breakers” that allow regulators, for instance, to block certain illicit transactions, and (iii) feeding certain data that is officially certified by a governmental entity, for instance, a central bank, into the blockchain, which could, e.g., include interest rate data used to calculate prices of certain financial products (“regulatory oracle”).
A Ph.D. candidate in Computer Science at Stanford University, who was interviewed as a mere technical expert without assessing regulatory policy considerations, stressed that when thinking about embedded regulatory instruments, it is important to differentiate between potential use cases and scenarios and to keep in mind that on publicly transparent blockchains, everyone can see the transactions on the ledger. Consequently, embedded monitoring tools can be split into two groups: (i) Real-time monitoring of publicly available data that can then potentially be further analyzed by using tools such as Chainalysis, and (ii) access to information that is not publicly available and protected through privacy tools, e.g., fully anonymous payments.
At this point, based on KYC information collected by centralized regulated entities such as banks, authorities can usually de-anonymize users on the on- and off-ramps to DeFi platforms, where digital assets are exchanged for fiat money. From a technological perspective, according to the participant, de-anonymization is hardly possible if there has not been a prior identification, e.g., through a KYC process; however, when putting in the effort, it might be possible to identify users through their IP addresses by looking at where a transaction was initiated.
When it comes to the voluntary embedding of regulatory tools, for instance, in the case of Coinbase, which tracks the Office of Foreign Assets Control (OFAC)-sanctioning blacklist and blocks addresses on that list so that transactions of such addresses are banned, it seems questionable whether existing decentralized platforms such as Ethereum would be willing to implement such tools on their consensus layer.
When talking about embedded real-time monitoring, one must ask for what scenario real-time monitoring would be useful. In most cases, a forensic analysis with tools such as Chainalysis will likely be fast enough for regulatory purposes, as confirmed by two agents of the National Financial Supervisory Authority of an EU Member State. In such cases, a simple API solution might be sufficient. Active real-time monitoring by the regulator might be helpful in time-critical scenarios and when rapid regulatory action might be necessary.
According to a Ph.D. candidate in Computer Science at Stanford University, individual “accounts” on a blockchain do not usually reveal the real-life identity of the user. Therefore, one would have to regulate the ramps and oblige them to collect KYC data and reveal such data to the authorities if lawfully requested. This could be a prerequisite for creating an “account” in a DeFi system. This would require centralized KYC providers because otherwise, the individual users would have to perform KYC checks on each other, which does not seem reliable. Performing centralized KYC for a chain only seems realistic for permissioned “government chains” allowing transfers only to accounts that have successfully been KYCed. This would, however, be very limited in local reach because it would likely only work for individual jurisdictions that have national IDs or similar means of reliably identifying users; this does not seem very helpful for DeFi, which is by nature globalized and enables cross-border action.
According to the participant, when it comes to the spectrum of potential embedded instruments, from a technological perspective in particular, “the idea of a governmental oracle seems promising.” The participant stressed that the “crypto industry, in general, would likely be open to the idea of implementing officially curated blacklists into their systems, e.g., through a regulatory oracle”; the willingness to comply with regulatory rules in the crypto world seems to grow, but up until now there is a lack of legal certainty, and it is not always clear what regulatory rules even apply. Ironically, this could foster a self-regulatory approach because crypto companies may want to avoid taking the risk of infringing on regulatory rules and, therefore, take action themselves to prevent this from happening.
From a technical perspective, according to the participant, it is helpful to differentiate between different types of infrastructure and four types of potential embedded regulatory powers, ranging from passive monitoring, through inbound data feeds and pre-onboarding KYC by a governmental entity, to active enforcement by a regulatory authority:
(i) Monitoring of public blockchains that do not have any privacy enhancement mechanisms in place is already possible because all the transaction data is publicly available and can be monitored in depth by using tools such as Chainalysis, which enables the regulator, among others, to identify certain addresses affiliated with large providers such as Coinbase. This entails information such as open positions in a lending protocol or transactions on an exchange. However, one cannot identify the persons involved in such transactions. At this point, this is only possible through regulating the ramps used to exchange digital tokens for fiat currency or, as mentioned, potentially through a governmental KYC provider. KYC could, in the future, for instance, be achieved as follows: Before transferring digital assets, e.g. ETH, from the exchange to a Coinbase account, one would have to go through a KYC process, and “Coinbase would then send a data package to the regulator and report the transaction plus the related KYC data; one could also selectively grant the right to the government to request KYC data.” Alternatively, one could introduce monthly reporting requirements for KYC for providers such as Coinbase. The participant stated that embedding would then not affect the base layer “but the exchange protocol layer.”
(ii) Monitoring transactions veiled by privacy-enhancing tools such as mixers, e.g., Tornado Cash, that are consequently entirely anonymous is more challenging for regulators. For such scenarios, regulatory insight could be achieved by implementing a “backdoor” that allows the regulator to “optionally decrypt every valid transaction processed through the mixer to find the link between the payment inflow into the mixer and the matching outflow.” The regulator would need a key for this; this would have to be defined in the smart contract accordingly. This would thus “guarantee anonymity towards third parties, but the regulator could establish the link between the deposit and the payout involved in the mixer.” This could, in detail, be constructed as follows: If there is a “deposit in the mixer and no corresponding payout yet – this can be proved based on Zero-Knowledge proofs without deanonymization – an encrypted version of the sender address would be provided to the regulator (appended to the payout request), and an encrypted pointer from the payout to the deposit for which only the regulator has the decryption key.” Another example in the mixer context could involve blacklists: “It could be introduced as a duty to prove to the regulator that the key that deposited tokens in the mixer is not on a blacklist, for example on the day of the deposit or within a certain timeframe, so that the mixer can then neither perform transactions to/from actors who are on a blacklist.” This could be achieved by the regulator “feeding a blacklist in the mixer so that it would only have to be proved in an encrypted form that the sender is not blacklisted, for instance, based on Zero-Knowledge proofs.” Having the regulator provide such a list would be the most efficient and secure way since, otherwise, the users would “have to agree to protocol updates to implement a new list.” According to the participant, this solution is “technically very feasible,” and it is “surprising that the regulators do not explore this option yet.” Since blockchain transaction verification happens in an automated way as defined in the protocol, the “risk for unforeseen events is lower, since there is little delay in the availability of data, and everyone can see everything immediately; this is advantageous for supervision, also for systemic problems like liquidity issues caused by interest rate developments” as could be observed in the case of Silicon Valley Bank.
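To make the design sketched in scenario (ii) concrete, the following toy model is added here; it is written for this paper, not code from the participant or from any real mixer. It models the three pieces the participant describes, an oracle-fed blacklist checked at deposit time, an encrypted pointer from each payout to its deposit that only the regulator can open, and a regulator keyring that survives key rotation; zero-knowledge proofs and public-key encryption are replaced by plain hashing and a stand-in stream cipher, and all addresses and secrets are constructed.

```python
"""Toy model of a regulator-auditable mixer (constructed example, not a real
protocol). ZK proofs are replaced by commitments and nullifiers, and public-key
encryption to the regulator by a SHA-256 counter-mode stream cipher."""
import hashlib
import secrets
from dataclasses import dataclass

NONCE_LEN = 16


def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher; XOR is its own inverse."""
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class RegulatorKeyring:
    """Regulator keys indexed by key id, so a rotation does not make records
    sealed under an older key unreadable (the key-management question below)."""

    def __init__(self):
        self.keys = {}
        self.current = 0

    def rotate(self) -> int:
        self.current = len(self.keys) + 1
        self.keys[self.current] = secrets.token_bytes(32)
        return self.current

    def seal(self, plaintext: bytes) -> bytes:
        # Toy: seals with the secret key. A deployed design seals with the
        # regulator's public key so depositors can seal but only the regulator opens.
        nonce = secrets.token_bytes(NONCE_LEN)
        body = _stream_xor(self.keys[self.current], nonce, plaintext)
        return bytes([self.current]) + nonce + body   # key id travels with the blob

    def open(self, blob: bytes) -> bytes:
        key = self.keys[blob[0]]
        return _stream_xor(key, blob[1:1 + NONCE_LEN], blob[1 + NONCE_LEN:])


@dataclass
class Deposit:
    commitment: bytes      # H(secret || seed): public, reveals nothing by itself
    sealed_sender: bytes   # depositing address, readable by the regulator only


@dataclass
class Payout:
    nullifier: bytes       # H(seed): public, prevents withdrawing twice
    recipient: str
    sealed_pointer: bytes  # index of the matching deposit, regulator only


class AuditableMixer:
    def __init__(self, keyring: RegulatorKeyring, blacklist):
        self.keyring = keyring
        self.blacklist = set(blacklist)   # fed by the regulatory oracle
        self.deposits = []
        self.payouts = []
        self.spent = set()

    def update_blacklist(self, addresses) -> None:
        """Oracle pushes a fresh list; users need not vote on a protocol upgrade."""
        self.blacklist = set(addresses)

    def deposit(self, sender: str, secret: bytes, seed: bytes) -> int:
        # The interview frames this as a ZK non-membership proof; the toy checks directly.
        if sender in self.blacklist:
            raise PermissionError(f"{sender} is on the regulator blacklist")
        commitment = hashlib.sha256(secret + seed).digest()
        self.deposits.append(Deposit(commitment, self.keyring.seal(sender.encode())))
        return len(self.deposits) - 1

    def withdraw(self, secret: bytes, seed: bytes, recipient: str) -> Payout:
        # A real contract verifies a ZK proof of an unspent deposit without learning
        # which one; the toy recomputes the commitment from the withdrawer's secrets.
        commitment = hashlib.sha256(secret + seed).digest()
        matches = [i for i, d in enumerate(self.deposits) if d.commitment == commitment]
        if not matches:
            raise ValueError("no matching deposit")
        nullifier = hashlib.sha256(seed).digest()
        if nullifier in self.spent:
            raise ValueError("deposit already withdrawn")
        self.spent.add(nullifier)
        pointer = self.keyring.seal(matches[0].to_bytes(4, "big"))
        self.payouts.append(Payout(nullifier, recipient, pointer))
        return self.payouts[-1]

    def regulator_trace(self) -> list:
        """Only the keyring holder links payouts to depositors; the ledger itself
        shows commitments and nullifiers with no link between them."""
        links = []
        for p in self.payouts:
            idx = int.from_bytes(self.keyring.open(p.sealed_pointer), "big")
            sender = self.keyring.open(self.deposits[idx].sealed_sender).decode()
            links.append((sender, p.recipient))
        return links
```

Rotating the keyring between a deposit and its withdrawal still lets the regulator trace the pair, because each sealed record carries the id of the key that sealed it.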
Overall, it is technically feasible to use an embedded approach for the examples mentioned above. Embedded real-time monitoring mostly makes sense to make supervision more efficient and thereby less costly for regulated entities, or if the information is not publicly visible, e.g., in Zero-Knowledge proof scenarios where the underlying data is obfuscated. A main question for embedded solutions will be how the regulator should be represented as an actor, e.g., through a special key that allows the regulator to decrypt certain information; it then has to be clarified who exactly holds such a key, what happens if the key has to be updated, and how key management can be constructed reliably.
Against this technical background, the interviews revealed several insights. The interviewees generally agreed that embedded supervision could be a helpful addition to the regulatory toolkit and could be used in different ways; while the idea of a regulatory oracle was mostly perceived positively by the participants, and real-time monitoring tools were perceived rather positively but with certain doubts as to the ability of the regulators to actually effectively use the data collected, embedded enforcement tools were met with quite some skepticism. I observed that some business representatives are cautious about giving the regulators a more active role on-chain and introducing a “hidden” centralization through an embedded regulatory approach because this would somewhat counteract the original ideas of DeFi, permissionlessness and, at least to a reasonable extent, privacy.
While using embedded regulatory instruments generally seemed preferable to a regulator participating in the study over using APIs because it would be a simpler, more efficient, and likely cheaper way of access, regulators participating in the study were overall skeptical regarding the additional resources they would have to commit to enable an embedded regulatory approach, and they mostly did not see a decisive benefit of an embedded regulatory approach at this point: For now, “true” DeFi is extremely rare, and regulators are able to enforce against the current DeFi business models with the tools they have. In the future, however, embedded supervision might become more relevant. All participants agreed that, at this point, regulators would not have the required resources and know-how to use embedded regulatory instruments on a broad scale; it was also mentioned that embedded regulatory instruments increase the risk of faulty regulatory decisions because, in practice, the regulator makes mistakes too, and having another step involved in an enforcement process, e.g. contacting a wallet provider, can help rule out potential errors.
I want to highlight the following statements on embedded supervision by stakeholders and other experts:
Two agents of the National Financial Supervisory Authority of an EU Member State started by stressing the value of on-chain data for regulatory purposes and elaborated that:
With regard to information analysis capabilities, we are actively in the process of looking at potential solutions because it would be wasted potential to not use the open ledger and the information available on it. We are currently in conversations with blockchain analysis providers and internally checking what types of data we want to look at; for instance, our market integrity mandate will be strengthened with the new MiCA as well as our mandate regarding other areas such as crypto asset service providers, product intervention for crypto assets, stablecoin emission and of course AML. The blockchain as an open ledger is a critical source of information when it comes to these areas.
When thinking about embedded supervision, the participants further elaborated that one could think very big and consider a common effort of regulators in setting up a private permissioned blockchain so that certain transactions can be reversed:
This could be imagined as an Ethereum with proof of authority. It could then be argued by the regulators that everyone who uses a public unpermissioned blockchain is subject to stricter regulatory standards since there would be the alternative of using the chain provided by the regulators. This is probably not realistic in practice, but at least an alternative one could consider.
Generally, the participants are very conscious of the fact that the DeFi ecosystem may ask for new approaches to regulation, requiring the regulator to take a more active role, which can be understood as an opportunity to explore new regulatory tools, although, at this point, mostly as mere thought experiments:
Taking into consideration that DeFi does not only allow new types of transactions but also leads to the creation of an entirely new ecosystem, the most practical solution from a holistic perspective, in my view, is to ask whether regulators should play a more active role in such ecosystems. Thinking further in that direction, this leads us to the hypothetical consideration of creating an official “regulatory smart contract”; in this scenario, everyone interested in participating in DeFi transactions would have the certainty that, for a minimal fee that covers the regulator’s cost, when transacting through this contract, a certain set of rules and criteria is applied, which creates a sense of trust and legal certainty.
We could look at the limitation of our resources from an efficiency perspective: Hypothetically, if ten years from now, Ethereum, with all its layer 2 solutions, is the dominating global platform for financial transactions, and given that most people do not want to engage in illegal transactions but want a certain stability, would it not be a good idea under efficiency aspects, to create a regulatory smart contract on which people can conduct their transactions so that we need fewer resources for day-to-day supervision to protect consumers and financial stability? Since we are bound by resource restrictions and need to work strategically, this could be an interesting thought experiment. In this scenario, supervision would be scalable because the number of transactions would not matter; however, the problem with this idea would be that the innovative character of DeFi created by its open-source concept and the possibility to freely build new products on top would get lost. It is the regulator’s job to ensure that market integrity and security are balanced with the need for innovation, we have to face this question every day.
We could also work with “regulatory whitelists” that contain addresses that have been KYCed or work with banks that could manage smart contracts with KYCed customers, where the KYCed addresses could transact with each other while the regulator could track transactions back if necessary. At this point, it seems unlikely that we will play this much of an active role since our mandate is focused on consumer protection, market integrity, and financial stability.
The participants also addressed the option of conducting code audits and introducing some sort of certificate regime, as discussed above. In this context, they again stressed the relevance of oracles and mentioned that the regulation of oracles is a crucial piece of the regulatory framework for DeFi:
In any case, we as regulators need to compensate for the fact that in the wake of decentralization, it gets harder or even impossible to target specific entities for regulatory purposes, e.g., for a fit and proper check; we can think about smart contract audits, which could be done directly by the regulator or by specialized auditing companies. This means we could introduce a type of “certificate” that guarantees that a smart contract has been audited and is accepted under regulatory standards, even if it is unknown who developed it. This would entail that the entire ecosystem is subject to a coherent regulatory framework, which would have to include all relevant functions, including, e.g., oracles; it would not be of much use if the smart contract itself has been audited, but the data that is critical for the transactions is offered by a centralized entity that is not subject to regulation.
The participants then addressed embedded enforcement instruments and clarified that, while the regulator potentially can, in the jurisdiction in question, legally request such types of advanced regulatory tools to be implemented by regulated entities, DeFi does not have a sufficiently high priority to take this step at this point:
When it comes to embedded enforcement, we could, under regulatory laws, demand companies to implement some kind of kill switch; but the question is whether this would make sense for the regulators at this point. DeFi is currently still a niche topic for us, even the markets for crypto assets are still rather small and not that relevant for financial market stability. As a regulator, we have to prioritize and cannot dedicate too many resources that are needed elsewhere to a market that is, at this point, still economically insignificant; on the other hand, we have to keep observing DeFi because we are aware of how rapid the growth in this area can be.
When asked about embedded monitoring tools integrated into blockchain infrastructure, the participants elaborated that, at this point, embedded regulatory APIs have not been introduced in practice yet; interestingly, the participants stressed that with more access to data, the regulator carries more responsibility to use such data. This would likely require additional resources on behalf of the regulator:
We do analyze the data that is on the public ledger, and blockchain analysis companies offer possibilities to connect such data with real-world information in order to identify entities. Additionally, we have the option to request information. An example of where real-time monitoring could be helpful would be the FTX situation, where it was claimed that certain crypto assets were held for the customers, when, in fact, they had been transferred. Such cases could be fairly easily tracked by regulators by requesting all wallet addresses from the regulated entity to then verify whether the assets in question actually exist; we have done this in some cases. A similar thing can be done for stablecoins, in order to verify whether the reserves, which have to exist for stablecoins under EU regulatory laws (MiCA), actually correspond with the number of coins that have been issued.
Regarding APIs, it obviously is helpful for the regulator to have a lot of data for the sake of transparency; however, the problem for us as the regulator is that the more knowledge we have, the more responsibility we bear in that regard. If we gain additional information through an embedded monitoring approach, we have to do something with the data. It would have to be carefully thought about whether we want to give up the layer of responsibility that currently lies with the regulated entities. Shifting the burden of responsibility to the regulator would require implementing additional risk management; this would likely require more resources than we are able to commit. One could think further and argue that once these resources have been committed and there is some kind of “regulatory smart contract” this would be efficient in the long term.
Until now, in any case, financial regulation relies on holding financial intermediaries responsible; I am not sure we would want to take this responsibility. At this point, our regulatory approach is to verify the information that is provided to us by the regulated intermediary. We see the responsibility with the providers, not with us at this point. For now, DeFi is a niche, and we have not yet encountered a “truly decentralized” situation with no identifiable entity on the other side; this might happen in the future, but for now, we have always been able to identify entities and their governing bodies, and this allows us to hold someone responsible.
The participants stressed that it seems questionable whether it is necessary for the regulator to build an API or be actively involved in a blockchain through an embedded instrument and whether this would be feasible from an efficiency perspective since embedded access would likely have to be created for each individual network:
There are some pilot projects, e.g. BIS building a regulatory node in Project Atlas. But for us, I am not sure if it is necessary to have an embedded approach for data analysis because building such access would only work for one network at a time and would have to be done for each network individually. If I want to see the data on the blockchain, I can use tools like Block Explorer to get it. I am not sure what benefits a regulatory node would really have. When it comes to reading the data on a ledger, there are commercial analysis providers that have large amounts of other data that can be combined with the blockchain data; these providers already allow us to attribute on-chain data to data we have. The regulator can also request additional data that can be combined with the blockchain data. I am not sure what the big benefits of an embedded approach would really be. For now, I do not see us engaging in such an embedded approach; it is not our strength to collect all kinds of data ourselves. Of course, we use tools like Bloomberg Terminal to look at data in the traditional financial markets, but in that context, we have not engaged in modifying such data. As long as there are commercial tools that get the job done, this is, for now, sufficient. This might change when thinking about CBDCs.
An agent of the National Financial Supervisory Authority of an EEA Member State stressed the importance of having reliable data available as a regulator and elaborated with regard to embedded supervision that:
When looking at DeFi trading systems, one should draw a comparison to traditional trading venues; those are, among others, subject to reporting obligations under the EU Markets in Financial Instruments Regulation (MiFIR) and the EU Market Infrastructure Regulation (EMIR) which aim at trading activities; this allows ex-post market surveillance regarding market abuse. This also allows collecting the informational basis to ban the trade of individual securities. When applying this to DeFi, a big advantage is that due to decentralization, an authority can read the public information in real-time, has the data automatically in-house, and does not have to think about how data is transferred or how some API works. The regulator can much rather just “read” the blockchain and perform a simple chain analysis, we just need access.
With regard to the specific data that could be monitored through an embedded monitoring approach, the participant stated that this would be the entire trade data, including what is sold, between whom, in which volume, and at what date:
This data allows us to draw conclusions regarding insider trading or market abuse; with market data, it would be easy for us to detect market abuse as it is rather easy nowadays in the traditional exchanges where powerful automated AI market monitoring tools are used. This could also be applied to DeFi.
Concerning user identification in this context, the participant mentioned that the key would be “fully regulated wallet providers.” When looking at today’s systems in the typical MiFIR and EMIR reporting:
We do not see the name and address of the person either. We see a bank account number and an ISIN; this allows us to track down the bank, and we then approach the bank in order to get the contact data of the customer. We could do the same in DeFi when knowing the wallet address, which then allows us to approach the wallet providers and demand to be provided with the user information. A big advantage of this would be that there is an eternal paper trail on the blockchain. It would make sense, insofar, to align the approaches in TradFi and DeFi since, for good reasons, we usually talk about pseudonymity in DeFi, which is not anonymous.
The participant elaborated that this could be achieved by imposing KYC and identification duties on wallet providers as they are imposed on traditional banks already. For instance, this could be imagined in the case of a fund that tokenized its shares, and those shares can be traded freely in the secondary market by the fund investors, who are then again registered with a wallet provider who whitelists the addresses of the cleared investors so the investors can trade the tokenized shares among each other freely: “This works if we make sure that the wallet provider knows the persons standing behind each wallet.”
When it comes to active enforcement actions on-chain, the participant clarified that in the traditional world, “those would be administrative acts that have to be addressed to the right party.” In this case, it would be “very convenient for the regulator to have a button that can stop, for instance, a suspicious activity”; if the button gets used, the regulator can then still issue a traditional administrative act including all the legal protections that come with it in the traditional world. The participant stressed that:
It would be more efficient to have direct access instead of relying on APIs because they can be complex to build, and there are often third-party providers involved, such as the data providers, which makes it expensive to use APIs.
When it comes to the technical feasibility of embedding such instruments, the participant stated that from a technical perspective, the regulators would be able to do it, but what is still lacking would be the “human component.” While regulators “do not lack good lawyers,” they still mostly do not have large amounts of computer science experts among their ranks, “especially when it comes to cutting edge topics such as blockchain,” although the situation seems to be improving:
But this is getting better as we speak. Embedded supervision is highly technical, which is why we need experts on board to use such an approach; this is the relevant hurdle on the regulatory side. When it comes to willingness, we already have wide reporting obligations under MiFIR and EMIR (t+1), and we could just do this same thing for DeFi in real-time. We have to consider that we don’t know yet how DeFi will develop, but I think it has vast potential to grow and might take a lot of business away from traditional financial institutions.
An agent of the National Supervisory Authority of a large Asian country is skeptical of the industry accepting embedded regulatory tools and elaborated that:
We did have this conversation with the industry, actually, when we were doing research on DeFi, and the answer from the industry was, “No way; if you want to embed, we’re not going to be part of it.” If it’s possible, I think it’s great, but technology isn’t accommodating, if we cannot enforce embedded regulation, then how strong are we? I think what could work is that the DeFi business that wants to attract customers could have this type of embedded regulation in place as a self-regulation. The customers might prefer a platform that is more secure or perceived as secure. It seems like this should be more business-led.
With regard to the overall potential of embedded supervision to foster the DeFi space and the conflict between a rather libertarian DeFi philosophy and embedded regulatory powers, the participant mentioned that:
DeFi people sound religious to me sometimes, they want decentralization, and they think they do not need government intervention. If they agree with embedded supervision, sure. But will they? That’s my big question.
Overall, it depends a lot on what regulation you’re looking for, and how far of a regulation; do you just want to avoid terrorist financing, or do you want this entity not to fail Federal Deposit Insurance Corporation (FDIC) standards? It’s a granular scope. At this point, the regulators would not have the resources to use embedded supervision on a large scale. I think the biggest challenge of embedded supervision is how to encourage businesses, and innovators, to agree with us, that public safety is important. I think the good players in the DeFi sector are also thinking about that, they want trust, and they do not want to have scammers on the field. It’s important to work collaboratively. The businesses and the regulators. We’re not fighting with each other, because there is so much we do not know that we need to rely on the industry.
A former agent of the National Financial Supervisory Authority of an EU Member State sees multiple benefits of embedded supervision, especially, for fast-changing data, for regulatory oracles, and in a KYC context, and elaborated that:
Embedded supervision could be helpful for everything prudential, meaning for information that constantly changes; having real-time updates would be helpful, and this is being thought about by some progressive regulators at the moment. With regard to the specific data that could be monitored through such an embedded tool, this depends on the regulatory target. In the case of DEXes, we would have to ask who the regulator would even be interested in monitoring; since the end-user, the retail investor, is usually not the regulatory target, in this scenario, it would most likely be providers of regulated financial services engaged in transactions on the DEX; for such providers, one could use Legal Entity Identifiers (LEIs) for the purpose of identification. I think this would be sufficient because we have to keep in mind that the government is not entitled to know everything; every additional regulatory obligation makes it harder for the affected target to start a business and participate in the market. It is important that we keep this in mind when talking about regulation, even if the goal is good, the downsides need to be kept in mind too.
A big challenge of DeFi for the regulators is the lack of a clearly identifiable regulatory target, i.e., the large number of potential targets. Embedded supervision could help in this context to focus on the relevant regulatory targets by identifying potentially problematic cases. With regard to KYC and AML, embedded supervision could be very helpful, too.
When it comes to feeding data into a decentralized system (regulatory oracle), it would certainly be helpful to provide reliable and objective data in order to reduce the risk of manipulation and, ultimately, market failure. This is an area where the regulator could efficiently use embedded instruments.
When it comes to active enforcement, such as a circuit breaker, this is a good idea, too; depending on the jurisdiction, this would be a good tool for authorities in charge of supervising exchanges. Killswitches, i.e., invalidating individual transactions, are not very far explored yet on a large regulatory scale; this tool may make sense in a gatekeeper scenario where the gatekeeper could be granted killswitch powers, but there are no gatekeepers in DeFi.
The founder of a DeFi wallet provider pointed out the benefits of the automation in DeFi that eliminates the human element and potential source for failure and explained that automated processes could well be supervised through an embedded and automated approach. The participant elaborated that:
As a starting point we have to ask ourselves, which actions in the context of a financial service are performed by humans and which actions are performed by machines. While machines always act the same way according to the way they are programmed, humans do not; human action can be harder to predict. Embedded supervision makes particular sense in contexts where machines act. If there is a human element, we need KPMG or PwC to perform individual checks and take random samples. The more automation we have when providing financial services, the more embedded supervision we can use.
With regard to the specific use cases of embedded supervision, the participant added that embedded automated monitoring could help the regulators focus more on real-time data instead of relying on complex and cumbersome end-of-year audits of financial companies:
On-chain monitoring is a good example of how it can be used, this can, for instance, include the monitoring of in- and outbound data flows regarding lending, peer-to-peer Automated Market Makers (AMMs), or many other things. The beauty of financial services that are provided entirely by a computer is that they are free of bias, as long as the source code is bias-free. The machine does not manipulate or act arbitrarily. This focus on the data is the future, in my opinion, and all the quantitative data can be monitored directly on-chain. We can also see on-chain which version of a program is running. Even when thinking about AML and terrorism financing, we can work with digital identities and Zero-Knowledge proofs on such identities to perform automated on-chain monitoring of transactions. This will allow for the regulator to focus less on the end-of-year audit of the entire entity and more on real-time data.
A founder of a company providing software tools to financial institutions related to payments and identity believes that, while embedded supervision is technically feasible and, e.g., in the case of regulatory oracles could be very helpful, it will require proper “education” for the regulators before they can operate embedded tools, especially when used for purposes that do not resemble the regulatory practice in traditional systems. The participant elaborated that:
The closest example I have to embedded supervision is what we’re doing on the identity side. We split it out so that the token that’s being transferred holds the transaction data but doesn’t actually hold consumer Personally Identifiable Information (PII); the consumer PII is actually held by the consumer locally in their custodial or mobile wallet, stored in a W3C standard verifiable credential. It’s a form of encryption, related to the world of homomorphic encryption, Zero-Knowledge proofs, etc., but it’s much simpler, and not as slow, it still allows our system to be scalable. So, regulators essentially can still access the information for compliance when they need AML, sanctions, and KYC. But when they access this information, they only get the end data and information that they need, they don’t get a full set of information. On top of that, this is not floating around with all the other money transaction data, it’s held locally and securely by an individual. So, the verifiable credential that represents that person’s data is always up to date. It’s only accessed when it needs to be accessed, and it can be accessed by whomever.
It is a parallel scenario, but embedded supervision is a little bit different. You’re talking about having some sort of embedded way for regulators to still be a part of fully decentralized systems. I think it’s potentially technically feasible. I think in practice, it would be hard to execute on. I don’t really think it’s changing the fundamental problem that regulators are still having. If you gave a regulator today access to a decentralized system or gave them embedded abilities, I don’t even think they would know what to do with those.
From my perspective, an embedded type of regulation works when you are basically mimicking things that they already do in the real world in a new technology. For example, today, in the banking business, people need to check sanctions, KYC, AML. They do it in a certain way. In our new system, they’ll do it in a different way, in a more secure way. The regulator is still fundamentally doing something that they’ve always done before. The only thing is that they’re doing it through a different technology. Embedded supervision is even more broad-based. You’re saying there is this completely new system where you might have embedded regulatory abilities. But the system, fundamentally, is structured and works differently than the systems that they are a part of today.
I think the embedded idea is nice in theory and can be implemented technically. But it should be implemented for things that the regulators already know how to do. But if you’re going to ask them to have access to information or do things that they don’t normally do today, I think there needs to be a lot of education before you give them the ability to interact with the system. There are two levels of embedded regulation: One level is truly related to things that they know already and that they already do. The other level is a little scarier, this is a completely new system, things work a little differently, and there are new sorts of rules or functions that you’re expected to play.
With regard to feeding regulatory data into a DeFi platform, for instance, when it comes to sanction lists, the participant stressed the opportunity of programmability and automation in this context and explained that:
This is where programmability becomes really important. We’re working on a system where you can basically program all of these checks. And that’s really helpful, because if you can program it, it starts to make existing things that regulators already do much easier, much more foolproof, and much more secure. I think that’s a great idea, and that actually falls within the scope of what we’re focused on, or have done at our company. But I think sanctions would not fall under what I was saying where it’s a new role or requirement of a regulator. If it’s something that’s programmable, and it’s something that the regulators do today, it’ll likely work; if it’s not something that they do today, I think it’s going to be really hard to get the right adoption.
A computer scientist with a company offering DeFi services argued that one way to embed regulatory tools could be “multi-signature accounts that belong to a governmental entity that can call a ‘kill function which freezes’ the transaction, e.g., swapping or borrowing.” The participant considers this to be “feasible to implement and can see it happening a few years down the road.” With regard to embedding identification tools, the participant mentioned that right now DeFi protocols use existing companies which offer KYC/AML, and “once you are verified, you pass in an address, and this gets whitelisted on-chain, you get the list from the government already now.” The participant clarified that “if the government would provide the entire address, it would help skip the KYC/AML step for the companies” and that “governments already have off-chain mapping of name to address if you have to go through KYC.”
A lawyer with a company providing a global DeFi platform, who otherwise sees lending as the most prominent use case for embedded monitoring, does not consider embedded monitoring to be overly helpful in a trading context, and identifies a general issue with the potential for market-manipulation in DeFi systems. The participant elaborated that:
Embedded supervision is still a very popular topic. I understand that the BIS proposal for embedded supervision is focused basically on lending protocols like Compound. The whole idea is the monitoring of capital ratios, essentially. That actually is a perfect example of embedded supervision and how that can kind of prevent a crisis or run. It makes sense there, it just doesn’t make sense in the trading context, I think. There are a lot of potential abuses in the trading world that an embedded approach alone cannot solve: In the trading context, first of all, in crypto markets, there’s an unlimited number of venues, it’s not like traditional stock and equities markets where there’s typically only one or two places where a particular asset trades. In those traditional scenarios, there’s a lot of control and a lot of ability to monitor and know whether there is a manipulation going on. We have a multi-chain world where assets can be bridged freely across one chain to another. In this world, there is a DeFi protocol, an Automated Market Maker (AMM) protocol, a trading protocol, an options protocol, or whatever, on every one of these. There is all this potential for prices to be different on these venues. And, of course, people make money by arbitraging this, but they can also make money manipulating it. And you must consider that the oracle is dumb, it recognizes the last traded price, but probably, if it was smarter, it would take some sort of time-weighted average price over a week and set this as the price for lending or borrowing purposes. As opposed to that, the way this is done in TradFi, some smart human will decide what the value is using intelligence, so, you’ll be able to exercise some discretion for the pricing. I think code can get there. But it has to adjust for these other things that can happen; it cannot just be the last traded price that determines the value of your collateral that you can borrow against.
All this to say that, I think, the potential abuses in the trading world, I don’t know how easily they’ll submit to embedded supervision. But again, maybe there’s something on this that I haven’t seen yet. I thought at the time when the BIS paper was written, the hottest thing in DeFi was the lending protocols. I think there’s a lot more potential for that in the lending protocol world than there is the trading protocol world, whether it’s spot or derivatives or whatever.
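The oracle point made above (a lending oracle that takes the last traded price versus one that takes a time-weighted average) can be illustrated in a few dozen lines. The following is an added example written for this section; it is not code from the paper, from the BIS proposal or from any named protocol. It models a single constant-product AMM as the only venue the oracle reads, a lending pool that lends up to 75% of the oracle value of deposited collateral, and a TWAP window of 100 time units standing in for the participant’s “over a week.” All reserves, prices, timestamps and the attacker’s trade size are constructed for the illustration.

```python
"""Last-traded price vs. TWAP as a lending oracle (constructed example).

One constant-product AMM (x*y = k) is the only venue the oracle reads.
A lending pool grants borrowing capacity of 75% of the oracle price of the
collateral.  A single large buy moves the AMM spot price four-fold inside one
block; an oracle that reports the last traded price lets the attacker borrow
against that inflated value, while a TWAP over a long window barely moves.
"""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """AMM holding reserves of collateral asset A and debt asset B (x*y = k)."""
    reserve_a: float
    reserve_b: float

    def spot_price(self) -> float:
        """Instantaneous ("last traded") price of A in units of B."""
        return self.reserve_b / self.reserve_a

    def buy_a(self, amount_b: float) -> float:
        """Swap amount_b of B into the pool; returns the amount of A received."""
        k = self.reserve_a * self.reserve_b
        self.reserve_b += amount_b
        new_a = k / self.reserve_b
        out = self.reserve_a - new_a
        self.reserve_a = new_a
        return out


class TwapOracle:
    """Time-weighted average: each observed price is weighted by how long it was
    the current price, counting only the part of that interval inside the window."""

    def __init__(self, window: int):
        self.window = window
        self.obs: list[tuple[int, float]] = []  # (timestamp, price)

    def record(self, t: int, price: float) -> None:
        self.obs.append((t, price))

    def twap(self, now: int) -> float:
        start = now - self.window
        weighted = elapsed = 0.0
        for i, (t, p) in enumerate(self.obs):
            t_next = self.obs[i + 1][0] if i + 1 < len(self.obs) else now
            lo, hi = max(t, start), min(t_next, now)
            if hi > lo:
                weighted += p * (hi - lo)
                elapsed += hi - lo
        if elapsed == 0:
            raise ValueError("no observations inside the window")
        return weighted / elapsed


def max_borrow(collateral_a: float, price: float, ltv: float = 0.75) -> float:
    """Borrowing capacity the lending pool grants at a given oracle price."""
    return collateral_a * price * ltv


def run_scenario() -> dict:
    """Constructed attack: compare spot-oracle and TWAP-oracle borrowing capacity."""
    pool = ConstantProductPool(reserve_a=10_000.0, reserve_b=10_000.0)  # price 1.0
    oracle = TwapOracle(window=100)
    oracle.record(0, pool.spot_price())  # honest market has traded at 1.0 for a while
    collateral = 1_000.0                 # attacker's A deposited in the lending pool
    honest = max_borrow(collateral, pool.spot_price())  # 750 B

    # t=100: attacker pushes 10_000 B (e.g. flash-loaned) through the AMM; price x4
    pool.buy_a(10_000.0)
    oracle.record(100, pool.spot_price())

    # t=101: attacker borrows against the same collateral one block later
    spot_capacity = max_borrow(collateral, pool.spot_price())
    twap_capacity = max_borrow(collateral, oracle.twap(now=101))
    return {
        "honest": honest,
        "spot": spot_capacity,
        "twap": twap_capacity,
        "manipulated_price": pool.spot_price(),
        "twap_price": oracle.twap(now=101),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:18s} {v:10.2f}")
```

The spot oracle hands out 3,000 B against collateral honestly worth 750 B of capacity, while the TWAP over the window moves only from 1.00 to 1.03 and grants about 772 B. The attacker’s remaining lever against a TWAP is to hold the price up for a large fraction of the window, which on a real venue costs capital for the whole duration rather than for one block; that is the cost asymmetry the participant’s “over a week” is pointing at.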
The participant went on to mention with regard to measures against market abuse that it is “hard at this point to convince people in the DeFi space that such mechanisms are mandatory.” The participant elaborated further:
An operational issue is, in market manipulation cases, it’s not as black and white as when a person is linked to terrorism. Somebody will look into it, and it’ll take months to resolve; DeFi companies do not have teams of people who are dedicated to patrolling these markets, looking for irregular activity. Even if that’s always going to be an imperfect exercise, it is an exercise that requires some human intelligence, pattern recognition, and familiarity with what market manipulation actually looks like. That requires deep familiarity with markets and a particular understanding of the crypto markets, which are different. When we try to push internally to use these kinds of methods and articulate that we need a team of people to look at this stuff to really root it out, no one wants to do it anymore.
I find that there’s a little bit of a disconnect in terms of willingness, when you present the problem and you understand it, you see how complex it is, you see how many people it will take to implement it well, I think people start to get a little bit more reluctant. Initially everybody is in favor of it and then when you explain how hard it is, not so much anymore. And it’s interesting because other people are okay with that, the crypto high-frequency traders (HFTs), or market makers, they don’t care, they’re smart enough to understand all these patterns, and they think they can meet them, and probably they can. But if the goal is to bring other TradFi institutions into the fold, traditional market makers, like Goldman or Merrill Lynch and maybe traditional HFTs, they’re going to need more surveilled markets; it can’t be a market where “anything goes” and maybe somebody somewhere down the line will detect a misconduct and add this wallet, maybe, to the list that this one company is keeping and then hopefully everybody uses their service and that information propagates out. That is not enough for a regulated TradFi player. Again, these crypto traders offshore who are not regulated, they are like, “Fine, whatever, we can make a ton of money here.”
The participant sees particular potential in the concept of a regulatory oracle, believing that the current way oracles work will not be accepted by regulators in the long run, and could imagine embedded enforcement tools as one way to ensure post-monitoring compliance. The participant elaborated that:
The oracle problem is a big one. There has to be some way that information can be provided in a tamper-free way. And also, I think, probably by some trusted party; in other words, I don’t think it can be done the way that it is done now for on-chain events, I don’t think regulators would ever get comfortable with that.
On the killswitch, I mean, that’s part of a broader set of tools, admin keys, or immutability, or whatever, that the thing can somehow be changed to fix, whatever the regulators think is a problem. That can be either a clear violation of law or just simply a threshold of illicit activity, which is the way that TradFi works as it is; obviously, there’s never going to be zero. What is the right amount? I would say that that may take the form of a killswitch, it may take more permissioning; there is more than just one option there, but I think that’s definitely one set of options for post-monitoring compliance with the rules.
The participant added that the regulator’s ability to enforce does not only depend on the question of whether a regulatory tool is powerful enough in practice – and could be improved by embedding it – but often already lacks the first step, a proper definition of regulatory powers in the law, for instance, in the context of market manipulation in the U.S.:
The only tool that’s been exercised so far, at least for the jurisdictions I am aware of, is this notion of sanctioning a wallet. That’s only possible if there is some clear nexus to some designated categories like terrorism.
But let’s talk about markets. What about market manipulation? What about what happened with Mango Markets or Beanstalk, these oracle manipulations, bidding up prices and doing wash trading, and all this stuff. The traditional way of rooting out this type of manipulation was accounts, and not allowing the same person to have multiple accounts on the same venues or multiple venues. But there’s no administrative tool that I’m aware of that gives an agency the authority to sanction someone for market manipulation in DeFi. That ability to enforce is limited, other than in the case of terrorism financing, or sanctions, where you’re very clearly authorized; I am being very U.S.-focused, but those laws say you can designate this person because they have provided material assistance to a terrorist, and it’s not like Avraham Eisenberg did that; so, there’s no way that they can claim that his wallet should be sanctioned. I think the regulator’s ability to do anything at this point is still incomplete as to market-based misconduct.
When asked about embedded blacklisting checks, the participant sees potential in this idea and elaborated that this is, at this point, limited to specific use cases:
Only the sanctions thing, because that’s all everyone is doing right now. There are only a few people that even know that there are market surveillance tools of this kind that are used, e.g., on NASDAQ, every single day, for every transaction. They look very deep; machine learning looks at patterns. There is a company in the space called Solidus, they’re trying to do some of these things.
A lawyer with a company providing software tools for monitoring digital assets trading and compliance sees embedded supervision as an opportunity for improvements in regulatory compliance and more efficient regulatory infrastructure, including the software level; but the participant remains skeptical about the regulator “sitting in the blockchain” and would prefer a self-regulatory approach to embedded supervision. The participant explained that:
The amount of cost that is inherent in the current system is ridiculous, talking about billions and billions of dollars, that is not actually doing what it should do; a streamlining of software used by regulators, on the one hand, and by the industry, on the other hand, would be promising in this context, which could include an embedded approach in terms of having a shared infrastructure.
Embedded supervision, or terminologically rather embedded regulation, could, in the context of fraud, for example, be imagined as a tool that gives a warning or stops a transaction if it is identified as a “rug pull.” Such instruments could be implemented by code and would be beneficial because they could disincentivize everybody from even deploying those scams to begin with, because nobody would be buying them. Also, in the context of sanctioning wallets, similar to stopping rug-pull transactions through embedded control tools, you could automatically prevent engagement; if you are an intermediary, you even should automatically prevent engagement.
When it comes to the idea of the regulator feeding sanction lists or blacklists into a decentralized infrastructure (a scenario of embedded supervision), the participant argued that while the regulator has to come up with a list in the first place (“we don’t make individual airlines decide who should or shouldn’t fly”), the regulator’s role should be monitoring rather than being actively “in the system.”
Overall, when it comes to embedded supervision, the participant is not convinced about having the regulator be directly involved in the system and would rather see the regulator “at an arm’s length, looking at the entire ecosystem than literally in it running nodes which does not make any sense to me.” The participant added that it remains unclear “why we would want to pay for them to have the technical expertise to do that when they don’t need it.” In the traditional financial system, not every bank transaction is provided to the government, and equally, the government should not be “in the middle” of a DeFi system, massively impacting privacy.
The participant summarized that embedded supervision should rather be understood as a self-regulatory approach instead of having the regulator actually sit in the blockchain. Regulators should instead rely on tools such as data providers and aggregators like Amberdata and blockchain analytics tools like Token Sniffer to analyze information and act accordingly. This aligns with what two regulators of an EU Member State explained regarding their regulatory practice. Embedding should be discussed in relation to “surveillance capabilities” or “embedded regulation opportunities” rather than as full-on access for regulators to see everything that happens in an infrastructure.
A lawyer with a company offering services relating to crypto currencies stressed that embedded supervision should be seen in the context of privacy. The participant elaborated that:
Thinking about embedded supervision, I start with privacy: When we provide financial services, even when we open an account with a bank, you need to have your KYC by your bank, and that information is stored by the bank, and upon a request by a regulator, that bank needs to turn over that information to the regulator.
This is where the question arises about people engaging in blockchain transactions and trying to get away from this regulatory regime. And this is where regulators fear this technology. I think as to the balance of what the initial privacy of these transactions was perceived to be and what the reality is going to have to be, I was telling you about the two positions meeting in the middle. You cannot have fully private financial services transactions because you could be engaging in illicit activity and threatening national security. There’s got to be a balance of the two factors.
The participant is optimistic about the technical feasibility and sees identification as a crucial aspect of embedding regulatory instruments:
About the technical feasibility of embedded monitoring tools, today you have Chainalysis, TRM Labs, these people scan the blockchains to find transactions and identify them. But then all they’re going to do is find the wallet in the chain, you’re not going to find the person’s name. So, what I have seen being proposed to make monitoring more effective is identification tokens (ID tokens) that follow the transaction. For example, a bank KYCs John Smith; that bank is going to have its own ID token, which is going to be in the blockchain, and John Smith is going to have access to it. That token is going to say, “I have been KYCed by Bank of America, and I’m validated.” Now, every time John Smith makes a transaction, that token follows, and you can identify him and know that he is a valid person you’re engaging with, it is not an illicit activity; that person has been KYCed by a regulated institution, and people can rely on that token in doing that. I’ve seen some proposals like that, but it is yet to be adopted.
When it comes to giving the regulator more access to information through an embedded approach, the participant is rather cautious and in doubt of whether the regulator would have the resources to evaluate such information:
What worries me about giving the government access to this information is if they are going to use it. Today, when you file suspicious activity reports (SARs), which are required under the Bank Secrecy Act, they receive an absurd amount of information, constantly, because the threshold for SARs is low. You’re just sending out this data to them. And I don’t know if they have the manpower to handle this. So, you’re going to have to staff an entire brand-new division, at FinCEN or something like that, to be monitoring this and chasing this information and acting on it timely.
That’s the other thing, when you see transactions that get reported for fraud or theft going through the traditional banking system, it takes weeks for the thing to get resolved. It’s going through these slow wires; when it’s going through the blockchain, unless you take immediate action, that thing just keeps on going. What worries me is whether the government is actually able to effectively use this information; otherwise, it’s going to become a pile of information they’re not going to use. The question for them is, “Do you know what you’re asking for?” And if you do, “How are you going to actually use it? Are you actually going to use it? Are you just going to have it and not do anything with it?”
The participant added regarding embedded monitoring tools that “whenever you interact with Stripe, or PayPal, or anything like that, the transactions are running through lists, that’s transaction monitoring. That already exists today.”
About the three main categories of embedded supervision, the participant elaborated in detail that the regulator already has certain abilities to enforce actions:
When there’s a transaction that gets reported, or someone reports “Someone hacked into my wallet and stole my tokens,” you can follow that in the chain. And once you identify it, you can freeze that wallet, so that the token will stay in the wallet, it cannot be moved forward or backward. So, you prevent the furtherance of the illegal activity; and it is a lot faster than when you’re dealing with traditional financial services. So that already exists. We receive requests from regulators, but we also receive requests from individuals. They have a wallet, and they say someone hacked into it or stole it, and we do the investigation, and we’ll act on it promptly. When we receive a request from a regulator, enforcement agency, investigative agency, we are able to go into the chain and freeze the wallet right away. Enforcement exists already, it’s not triggered by the regulator, it is triggered by the issuer of the token. Because they’re the ones that have the key and the ability to freeze the wallet, but not the regulator itself, so they will have to work with the private industry to be able to implement that. But it already works today.
Therefore, as compared to this current system, a main difference of embedded enforcement would be that the regulator could act without taking the step “via” the token issuer. The participant elaborated that not all regulatory requests turn out to be correct: “At times, we receive some requests from the regulators and the possibility of mistakes is high.” The participant added that the regulators would not want the “headache” of having to deal with freezing and other on-chain enforcements directly themselves.
With regard to information verification through embedded instruments, the participant explained that this could work similar to the idea of an identity token:
If you can validate the information, confirm that it is issued by a regulated entity or something like this, it meets all the regulatory requirements, and you put that in there to match against the transactions, I think that there are some benefits to that. But again, you need to ensure that it’s been done accurately because people could just be relying on incorrect information. It needs to be widely accepted and implemented to be able to work, it can’t just be a few actors using it, because then it has no use; it needs to be able to be validated by the people in the chain. I think that there are a lot of benefits, and the positives of it are better than expected but it just needs wider implementation.
A lawyer with a company offering infrastructure services relating to crypto products and DeFi for institutional clients explained that the potential applications of embedded supervision, as outlined in the introduction of this paper, “potentially have promise.” The participant added that there could be additional use cases, “for example, Aave Arc, a permissioned DeFi protocol.” This protocol uses a whitelist; generally, people who want to engage with DeFi,
want to make sure that they’re not working with counterparties who are subject to sanctions limitations or are known to be engaging in money laundering. So, the way it effectively works is that if somebody wants to participate in the protocol, they need to go through a gatekeeping mechanism where KYC is done. Once they pass that KYC process, they can then be part of this permissioned protocol and interact with DeFi in all the ways; they have the confidence that there’s KYC done on everybody else in the protocol.
There are ways to do that; it begs the question of what DeFi really means, because all of these ideas you mentioned, even, frankly, the example of Aave Arc, it’s a little bit like getting away from decentralization; there is somebody involved in intermediating, and you can dial that up, or dial it down. But at the end of the day, is it truly DeFi? For example, the killswitch, is it truly DeFi?
What probably makes sense is to have a few different options in the market: A way to engage with DeFi that has no intermediary at all; but if you are, for example, a regulated bank and you want to engage in DeFi, you need to know that your counterparties have passed some KYC, then you can engage with a permissioned protocol, or, you may want to participate in a protocol that has some oversight from the government along the lines of the examples you just gave. In my view, the market should decide which of these options makes the most sense. Having multiple different options that are technology neutral is the way to go.
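The three mechanisms that recur across these interviews (the computer scientist’s multisig-held “kill function” that freezes a particular action, the permissioned protocol with a KYC gatekeeper described for Aave Arc, and the regulatory oracle publishing a sanctions list) can be put side by side in one small model. The following is an added example written for this section, not code from the paper, from Aave Arc or from any other protocol; it is a plain-Python simulation of the control flow, not on-chain code. The KYC attestation is modelled as an HMAC under a secret the provider and the pool share, which is a simplification: a real deployment would have the contract verify a public-key signature (for example ECDSA) so that the pool never holds the provider’s key. Addresses, key names, the fee, the expiry timestamps and the sanctions entry are all constructed for the illustration.

```python
"""Permissioned pool with three embedded controls (constructed example).

  1. Gatekeeper allowlist: an address is admitted only with a valid, unexpired
     attestation from the KYC provider.
  2. Regulatory oracle: a sanctions list written only by the publisher key and
     checked on every action, so a later designation blocks an admitted address.
  3. Multisig pause: a threshold of government-held keys can freeze one action
     (e.g. "borrow") without freezing the whole protocol.
"""
import hashlib
import hmac


class Blocked(Exception):
    """Raised when an embedded control refuses an action."""


class KycProvider:
    """Off-chain KYC provider.  HMAC stands in for a signature (simplification)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def attest(self, address: str, expires_at: int) -> str:
        msg = f"{address}|{expires_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def verify(self, address: str, expires_at: int, tag: str) -> bool:
        return hmac.compare_digest(self.attest(address, expires_at), tag)


class RegulatoryOracle:
    """Sanctions list that only the designated publisher may update."""

    def __init__(self, publisher: str):
        self.publisher = publisher
        self.sanctioned: set[str] = set()

    def designate(self, caller: str, address: str) -> None:
        if caller != self.publisher:
            raise PermissionError("only the publisher may update the sanctions list")
        self.sanctioned.add(address)


class MultisigPause:
    """Per-action pause that takes effect once `threshold` distinct signers approve."""

    def __init__(self, signers: list[str], threshold: int):
        self.signers, self.threshold = set(signers), threshold
        self.approvals: dict[str, set[str]] = {}
        self.paused: set[str] = set()

    def approve(self, signer: str, action: str) -> bool:
        if signer not in self.signers:
            raise PermissionError("not a multisig signer")
        self.approvals.setdefault(action, set()).add(signer)
        if len(self.approvals[action]) >= self.threshold:
            self.paused.add(action)
        return action in self.paused


class PermissionedPool:
    FEE_BPS = 30  # 0.30% swap fee, integer basis points to avoid float rounding

    def __init__(self, kyc: KycProvider, oracle: RegulatoryOracle, pause: MultisigPause):
        self.kyc, self.oracle, self.pause = kyc, oracle, pause
        self.allowlist: dict[str, int] = {}  # address -> attestation expiry

    def admit(self, address: str, expires_at: int, tag: str) -> None:
        if not self.kyc.verify(address, expires_at, tag):
            raise Blocked("invalid KYC attestation")
        self.allowlist[address] = expires_at

    def _check(self, address: str, action: str, now: int) -> None:
        if action in self.pause.paused:
            raise Blocked(f"{action} paused by multisig")
        expiry = self.allowlist.get(address)
        if expiry is None or expiry <= now:
            raise Blocked("not allowlisted or KYC expired")
        if address in self.oracle.sanctioned:
            raise Blocked("address on sanctions list")

    def swap(self, address: str, amount: int, now: int) -> int:
        self._check(address, "swap", now)
        return amount * (10_000 - self.FEE_BPS) // 10_000

    def borrow(self, address: str, amount: int, now: int) -> int:
        self._check(address, "borrow", now)
        return amount


def attempt(fn):
    """Run an action; return its result, or the control's reason for refusing it."""
    try:
        return fn()
    except Blocked as e:
        return str(e)


def demo() -> dict:
    kyc = KycProvider(b"constructed-kyc-secret")
    oracle = RegulatoryOracle(publisher="0xREGULATOR")
    pause = MultisigPause(signers=["0xGOV1", "0xGOV2", "0xGOV3"], threshold=2)
    pool = PermissionedPool(kyc, oracle, pause)
    alice, mallory = "0xALICE", "0xMALLORY"
    pool.admit(alice, 2000, kyc.attest(alice, 2000))
    pool.admit(mallory, 2000, kyc.attest(mallory, 2000))
    out = {"alice_swap": attempt(lambda: pool.swap(alice, 1000, now=100))}
    out["forged_attestation"] = attempt(lambda: pool.admit("0xEVE", 2000, "00" * 32))
    oracle.designate("0xREGULATOR", mallory)  # designation after admission
    out["mallory_after_sanction"] = attempt(lambda: pool.swap(mallory, 1000, now=101))
    out["one_signer_pauses"] = pause.approve("0xGOV1", "borrow")
    out["two_signers_pause"] = pause.approve("0xGOV2", "borrow")
    out["alice_borrow_paused"] = attempt(lambda: pool.borrow(alice, 500, now=102))
    out["alice_swap_still_open"] = attempt(lambda: pool.swap(alice, 1000, now=102))
    out["alice_after_expiry"] = attempt(lambda: pool.swap(alice, 1000, now=2000))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

Two design points worth noticing. The sanctions check runs on every action rather than only at admission, which is what makes the oracle useful after the fact; and the pause is scoped to one action with a signer threshold, so a single compromised or mistaken government key cannot freeze anything, which is the human-error concern the former regulator raises later in this section.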
When it comes to a permissioned blockchain offered directly by the government, the participant stated that “I don’t think it’s likely to be the only solution that the market will want.” The participant added that “I think that something like that is possible now, from a technical perspective, whether it’ll be politically palatable, and whether people will want to use it is a different question.” The participant mentioned that when it comes to embedded regulatory instruments and whether they are truly innovative or just mirror things that can already be achieved by non-embedded means:
I think it depends on your goal and your purpose; because tools like Chainalysis or Elliptic or TRM, I think, provide already very useful instruments for purposes of things like monitoring and forensically figuring out the source and the destination of assets. If you’re talking about monitoring, there are probably tools in the marketplace now that are already effective enough at this. If you’re talking about embedding something for purposes of preventing transactions, I don’t think that, at least on the big public blockchains right now, there’s something like that. I’m not sure you want something like that.
When it comes to monitoring capital positions such as proof of reserve, according to the participant,
It would require them to disclose the address so that people could monitor on a real-time basis the amount of assets that are there. You could probably do something like that, at least from a technological perspective, fairly easily. Whether there’d be acceptance of that from institutions is another question.
An expert on financial regulatory policy (U.S. Think Tank) stated that “there’s a lot of opportunity for embedding; we’ve thought about it in our work with respect to a decentralized exchange (DEX) that trades securities, where you need to have a way to have the DEX delist securities, either based on the DEXs own criteria, or in case of a security becoming problematic from the regulator’s standpoint.” It would be helpful to have a “regulatory oracle that takes care of that.”
The participant could also see “a regulatory oracle that maintains sanctions lists or other things” in order to prevent trading with people who are not allowed to be engaging in that type of activity; “this gets a little bit more complicated because you’re not necessarily tied to a person, but that’s complicated in the traditional finance world too, and you don’t catch everything.” The participant also stressed that “there is a lot of worry in this space, letting the perfect be the enemy of the good, that if we can’t catch every criminal, it shouldn’t be allowed to exist. And that’s not the standard that we hold traditional finance to either.”
Overall, the participant thinks that “there are a lot of opportunities for embedded supervision and using oracles to restrict trading without having to get to direct regulatory intervention in the form of a killswitch or something else.” Having an oracle that is controlled by a governmental entity would bear “smaller potential for lack of trust in the oracle,” while hacks or other situations that make that oracle untrustworthy would still not be entirely ruled out.
With regard to the specific types of data that could be monitored in real-time through an embedded approach, the participant stated that “transaction data” is the strongest use case, because, in the DeFi space,
You’re not dealing with as much proof of reserves or capital requirements, although you could be if you’re not truly decentralized and also offer custody services. I would be perfectly happy in the centralized finance space to see a lot more in terms of proof of reserves and other custody-related things. Transaction data, including real-time data on actual settlement and settlement time and that type of information, regulators want to know who that is. And we’ve seen it even in the security space now, where it has been the case for decades that the SEC has been able to get transaction data but hasn’t been able to tie it back to an individual without doing additional legwork. The new SEC CAT database looks to be able to have all the information in front of them right now, including the identity of the investor. Regulators want all that information. I’m not convinced that they should have it, but I think that where we’re dealing with information that is already transparent to people that are savvy enough to use blockchain, there’s no reason that the regulators shouldn’t have real-time access to the same information.
A former European regulator and expert on regulatory policy (blockchain organization in Europe) stressed that:
For ethical reasons, for reasons of pure democracy, we need to be careful in what way we talk about embedded supervision.
The participant stressed that when considering the technological implementation of embedded regulatory tools, one must not “crowd out compliance as an affordable opportunity for smaller players, because compliance is something that no entity incurs willingly; those are costs you are forced to incur.” Therefore, we
must be careful if you set minimum standards on validator nodes, or similar technical details, you start regulating technology rather than the use case. You pigeonhole it to develop in a certain direction, which could choke out innovation and smaller players even getting off the ground.
Another important aspect raised by the participant is whether embedded supervision makes the regulator a market participant and a regulator simultaneously:
So, what do we mean by embedded supervision: Is it simply an API call for on-chain analytics that you can aggregate onto a supervisory dashboard or is embedded supervision you playing a more active role, but at that point, you’re influencing the market. Specifically, the regulator as an oracle could ensure that information is trustworthy, readily available, and static. This is beneficial. On the extreme side, killswitches are probably the worst thing. Killswitches lead to human error. There have been cases last year of killswitches inadvertently locking up tokens, bankrupting protocols. At least at the protocol level, you have other protocols that do things that act like killswitches, but aren’t killswitches; Ocean Protocol, for example, if a token is blacklisted, they can be locked, sent to purgatory. I think, especially with public permissionless blockchains, killswitches are counterproductive and also technically cause more harm than good. Right now, if you said that every protocol built on Ethereum needs to have a killswitch, oracles would need to be redesigned.
There are other things that we can do instead of killswitches, for example, why don’t we expand the insurance space? I’m talking about establishing a duty of insurability. I don’t know if this is going to come from the government. I highly doubt it; this could be an industry initiative.
On the topic of officially permissioned DeFi as the most extreme form of embedding, the participant mentioned that “it is likely going to be regulated players, doing much larger transactions, tokenization of bonds and shares, promissory notes, commercial papers, all that kind of stuff. But for everyday users in permissionless applications, we’re going to need to augment that and maybe use a similar architecture, but in a way that is a little less onerous.”
When discussing Project Atlas by the BIS in this context, the participant mentioned that:
They’re using their own proprietary means of cleaning and imputing the data that they get from exchanges and aggregate this into a supervisory dashboard to get a better idea of what the cross-border flows of DeFi are, what the risks are, if protocols are approaching a systemic risk threshold, to see what potential spillover effects are. I’m not necessarily against this, as long as what they build is open-source and they allow, for example, analytics tools like Chainalysis, or Glassnode to plugin, and they have an API.
Overall, according to the participant, while embedded supervision has some interesting prospects to it, it is “probably not realizable, in the short to medium term, given that we don’t have the staff or the resources.”
A lawyer with a VC investment company focused on blockchain technology stated that one could first think about milder forms of embedding regulatory tools, such as “wrapping” tokens with KYC information so that suspicious activity reports (SARs) can be automated. However, according to the participant, instruments like SARs as parts of the traditional financial system do not necessarily fit well with embedded instruments that could have more potential. Another potential use case of embedding could be sanction enforcement. “Why can sanction compliance not be written in a smart contract?”; for instance, “Meta Mask has automated sanctions already in place, but this still requires a human element at this point.”
The idea of establishing a regulatory oracle for inbound data transfers is a “nice idea” but “not super relevant,” according to the participant. When it comes to embedded enforcement tools such as killswitches, the regulator could require DeFi providers to implement such tools, so that the regulator would not directly control the switch but could order it to be used; if the DeFi provider controls the killswitch, this leads to “more centralization.” According to the participant, a killswitch for regulators is “unlikely to happen”; the participant mentioned a proposed and failed Illinois regulation that was trying to require smart contracts to embed the ability to reverse a transaction in order to stop terrorists, which is an example of misunderstandings regarding the technical limits of certain instruments.
The participant mentioned that there are some potential embedded protective applications; for instance, you could give a provider the right to transfer assets as needed, and if they see an attack on the DeFi protocol, they put an “Iron Dome” over the assets so they cannot be transferred to an attacker’s account. Such tools could make use of analytical instruments such as Chainalysis.
The participant added that, while not being a direct regulatory tool, embedded instruments could also be “very useful in a cyber security context and could include internal cyber security controls, especially based on AI in order to check code for mistakes, and even the built-in option to have ‘white hackers’ analyze smart contracts to find potential flaws for rewards”; this does, however, create the issue of potentially untrustworthy hackers accessing a system too.
Overall, the participant stresses that, long-term, “embedding regulatory instruments in some form will be necessary to ensure that DeFi is broadly accepted by regulators.”
A lawyer with a hedge fund focused on crypto assets stated that allowing the regulator to directly enforce actions on the blockchain is “definitely not helpful or good, namely, because regulators themselves get it wrong.” The participant added, “I don’t know if the regulatory bodies just have the capacity to accurately govern in that fashion.”
When it comes to passive monitoring access, according to the participant,
Having real-time data spat out into some sort of regulatory body, I think that’s interesting; I think a lot of the issues that we’ve seen in traditional financial sectors, FTX, Silicon Valley Bank, Genesis, all of that had to do with liquidity issues and liquidity problems that were not publicized, it was just sort of a black box, a trust-me-system.
The participant stressed that “moving that on-chain, and giving some insight to the regulatory bodies that certain institutions and entities are meeting their requirements, based on real-time data, and even to the public, I think is an interesting proposition.” Specifically, “real-time policing would be difficult; coming up with an adequate framework, giving folks the tools to conduct audits, even if they’re real-time audits or expedited audits through data analytics, that would probably be a more appropriate framework.” In addition, embedded compliance checks of “KYC, AML, and the Bank Secrecy Act or similar regulations, as well as a tool to tie someone’s identity and make sure that they’re acting in accordance with the law, would be beneficial.”
A General Partner with a VC fund investing in blockchain technology stated that there is a general “philosophical issue” when it comes to DeFi regulation: DeFi is trying to create an open, permissionless, censorship-resistant financial system, and “if you look at regulation, banks are essentially an arm of the state (see OFAC).” This philosophical conflict “cannot be solved” because DeFi is supposed to be “a system where the government does not have control.” But for basic and necessary things such as KYC, an embedded approach could be helpful, e.g., in the form of lists of whitelisted pools fed into a decentralized trading infrastructure for automatic trading clearance. Generally, blockchain-based DeFi systems are supposed to be immutable, and the “beauty of crypto is its permissionlessness”; reversing transactions is already a strong compromise away from the original DeFi idea, “and any attempt to embed regulatory instruments should be seen under the lens of those original ideas that make DeFi what it is.” The special DeFi features like permissionlessness and having an open ecosystem are just what makes it “worth using a blockchain-based platform, that is rather slow and inefficient from a technological perspective.” If you take the special features of DeFi away through regulation, “why be on non-performant systems at all?” From a practical perspective, embedding depends entirely on the system, for example, whether one uses a private blockchain with trusted counterparties or a public blockchain, but it “generally seems problematic to give direct access to regulators because DeFi is supposed to be open, global, and permissionless.”
b. Identification is a critical aspect of DeFi regulation, and there are practical ways for regulators to identify users.
Identification is a major issue in DeFi, and the study showed that it is one of the primary questions to be solved when building a regulatory framework for DeFi. The big challenge is to balance the user’s wish for privacy against the regulator’s need for transparency in the financial system. A key to finding this balance will lie in the technology: modern cryptographic tools allow relevant information to be provided selectively, on a need-to-know basis, to regulators without giving away unnecessary information and infringing on the user’s privacy. This can be achieved by Zero-Knowledge proofs and certain other cryptographic methods. Complex cryptographic instruments, at this point, however, cause significant latency, which makes it difficult to use them at scale on a day-to-day basis. Nonetheless, these promising cryptographic concepts will likely, in the future, allow regulators to identify users without compromising the privacy design of the entire decentralized system. Another important piece of the puzzle may be cryptographically protected verifiable credentials and W3C DID digital identity services.
In addition, digital identities in the form of soulbound tokens could play an important role for identification purposes in the future; these can be imagined as non-transferable NFTs that contain information relating to a user’s identity. A participant mentioned that we need to be aware that such soulbound tokens are “face tattoos” that stay on-chain forever, which could be problematic from a democratic angle when thinking ahead about things like social credit systems.
Overall, participants agreed that identification is a vital factor when it comes to the future regulatory framework for DeFi and that full privacy is most likely not a realistic scenario if DeFi is to break into mainstream finance. Rather, it will be necessary for the industry and the regulators to come together and find a balanced compromise, ideally supported by privacy-protecting technology, that allows the necessary regulatory access to relevant information without compromising the legitimate privacy interest of users. One participant noted that it might be perceived to run against the idea of DeFi if certain information cannot be seen by the regulator, because information on an open ledger is supposed to be visible to everyone. In order to preserve the decentralized nature of DeFi, identity verification should ideally happen in a decentralized way, not through a centralized entity.
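The need-to-know disclosure described above can be illustrated without Zero-Knowledge machinery, using the salted-hash selective disclosure pattern that underlies verifiable credentials. The following is an added example and not code from the paper or any interviewee: an issuer (a bank that has performed KYC) commits to each identity claim with a salted hash and signs the list of digests; the holder later reveals only the claims a counterparty needs (here, that the holder is over eighteen and which wallet the credential is bound to), and the verifier checks those claims against the signed digests. The issuer name, wallet strings, dates and key are constructed, and an HMAC with a shared key stands in for the issuer’s digital signature so that the example runs with the Python standard library only.

```python
"""Selective-disclosure credential sketch (added example, stdlib only).

Issuer: salt + hash every claim, sign the sorted list of digests.
Holder: present the signed digest list plus only the chosen claims.
Verifier: check the issuer MAC, reopen each disclosed digest, require the
claims it actually needs, and learn nothing about the undisclosed ones.
"""
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed stand-in for the issuer's signing key; a real deployment would
# use a public-key signature so verifiers need no secret.
ISSUER_KEY = b"constructed-kyc-issuer-secret"


def _canon(obj) -> bytes:
    """Deterministic JSON encoding so hashes and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _claim_digest(name: str, value, salt: str) -> str:
    """Salted commitment to one claim; the salt prevents guessing low-entropy values."""
    return hashlib.sha256(_canon([salt, name, value])).hexdigest()


def years_between(birth_iso: str, today_iso: str) -> int:
    """Whole years between two ISO dates (YYYY-MM-DD)."""
    birth, today = date.fromisoformat(birth_iso), date.fromisoformat(today_iso)
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def issue_credential(claims: dict, wallet: str, today_iso: str) -> dict:
    """Issuer side: add derived claims, commit to each claim, sign the digest list."""
    full = dict(claims, wallet=wallet,
                over_18=years_between(claims["birthdate"], today_iso) >= 18)
    disclosures = {n: {"salt": secrets.token_hex(16), "value": v} for n, v in full.items()}
    # Sorted digests: their position reveals nothing about which claim each one commits to.
    signed = {
        "issuer": "constructed-kyc-bank",
        "digests": sorted(_claim_digest(n, d["value"], d["salt"]) for n, d in disclosures.items()),
    }
    sig = hmac.new(ISSUER_KEY, _canon(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "sig": sig, "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder side: forward the signed digests and only the selected claim openings."""
    return {
        "signed": credential["signed"],
        "sig": credential["sig"],
        "disclosed": {n: credential["disclosures"][n] for n in reveal},
    }


def verify_presentation(presentation: dict, required: set):
    """Verifier side. Returns the disclosed claim values, or None if anything fails."""
    signed = presentation["signed"]
    expected = hmac.new(ISSUER_KEY, _canon(signed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presentation["sig"]):
        return None  # digest list was not produced by the issuer
    digests = set(signed["digests"])
    values = {}
    for name, opening in presentation["disclosed"].items():
        if _claim_digest(name, opening["value"], opening["salt"]) not in digests:
            return None  # disclosed value does not match the issuer's commitment
        values[name] = opening["value"]
    if not required <= values.keys():
        return None  # holder withheld a claim this verifier is entitled to see
    return values


if __name__ == "__main__":
    cred = issue_credential({"name": "Alice Example", "birthdate": "2000-01-01"},
                            "0xconstructed-wallet", "2024-06-01")
    shown = present(cred, ["over_18", "wallet"])
    print(verify_presentation(shown, {"over_18", "wallet"}))
```

The wallet claim is what makes the credential behave like a non-transferable (“soulbound”) attestation at verification time: a relying party still has to check that the presenter controls that wallet key, which is outside this sketch. Note also that the verifier never receives the holder’s name or birthdate, only the issuer’s assertion that the age condition holds, which is exactly the over-eighteen-without-a-birthday scenario the interviewees describe.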
In detail, in addition to the statements already analyzed above in connection with the general assessment of embedded supervision, the following findings illustrate these insights on identification in a DeFi context:
Two agents of the National Financial Supervisory Authority of an EU Member State elaborated that on the EU level, there are some options regarding a digital identity being discussed, but it has not been a central aspect for the regulator until now. It will be an important aspect for DeFi to have some kind of decentralized identity because without that there would always have to be a centralized entity verifying identities which would counteract the idea of decentralization:
The problem with identification in DeFi seems solvable, for instance, through whitelisting; such a list could be managed by an intermediary or by a centralized institution, this could even be a governmental authority. The lack of identification is particularly problematic for regulated financial institutions interested in doing business in DeFi that legally cannot engage in business with a counterparty before this party has been identified.
The participants added that with regard to identification, there are blockchain analysis providers specialized in web3 that allow the analysis of governance token concentration and governance structures. “This may become an important thing in the future.”
A former agent of the National Financial Supervisory Authority of an EU Member State emphasized the vital importance of identification for DeFi, stressed that it will be critical to find a viable compromise between privacy and regulation, and mentioned soulbound tokens as a potentially promising tool to achieve this. The participant explained that identification:
May well be the most relevant point and the point that should first be discussed when thinking about DeFi regulation. It will be important to find a compromise that preserves enough privacy to keep DeFi interesting to users and, at the same time, gives the regulator the ability to act in case of misconduct and protect consumers proactively. In this context, soulbound tokens could be a promising tool; these can be imagined as an NFT that cannot be transferred and contains identifying information on the “owner.” In this context, Zero-Knowledge proofs could be used to verify certain information without revealing its specific content (think confirming that you are over eighteen years old without revealing your exact birthday). These tools could be integrated into an identity framework; this is where DeFi “leaves” the world of finance and enters the world of data protection law. In Europe, the GDPR and the Data Act become relevant here. In fact, these questions on identity should be answered for DeFi before we can in detail deal with the financial regulatory questions.
The founder of a DeFi wallet provider believes that a comprehensive digital identity might be a good solution to solve the issue of identification in DeFi and balance out privacy interests and regulatory needs, especially with the help of Zero-Knowledge proofs and W3C DID digital identity services. In this context, oracles could be an important tool for identity verification. The participant is convinced that a feasible solution for identification is technically achievable and elaborated that:
A digital identity in some form will be necessary for mainstream scale DeFi and proper regulation. I do not think it is realistic to avoid identification and KYC in some form for DeFi. If it is possible to work with Zero-Knowledge proofs to protect identities, it is the best of both worlds. The “privacy junkies” get what they want, and, at the same time, payment flows are not entirely anonymous.
In this context, oracles play an important role: If a government issues an ID card that contains a certain digital signature, this is at the end of the day like a digital identity in a plastic card: Reading and verifying the digital signature on a physical ID card is basically an oracle function; against this background, I think oracle regulation will be very important in the future. We need to be able to rely on the accuracy of such trusted services.
When it comes to technical feasibility, harmonization of standards is necessary for digital identity. If we do not apply strict standards to digital identity and do not require a two-factor verification, I think digital identity is technically relatively easily manageable. For instance, providers such as Spruce ID offer W3C DID digital identity services. This has been solved already. The more layers we can put on top of this, the more trustworthy it gets, and I think that would be helpful. I think we could merge several digital identities and personas to make it more trustworthy, for instance when a bank does a KYC check, the result can be saved in a DID, and to make this more reliable this could be connected to a person’s Twitter, Facebook, Google accounts, to make it less likely that someone else claims to be the person. This would be close to un-hackable.
A founder of a company providing software tools to financial institutions related to payments and identity stressed the disadvantages of Zero-Knowledge proofs and homomorphic encryption when it comes to performance and the benefits of cryptographically protected verifiable credentials. The participant elaborated that:
I think Zero-Knowledge proofs and homomorphic encryption right now are still early days, and they really, really slow down the latency of a system. It will be incredibly, incredibly slow. Something that we use and that a lot of people in the digital identity space have been working on are these global W3C digital identity standards. And through these W3C DIDs, you’re able to do what’s called “cryptographically protected verifiable credentials”; this is a key piece to making current digital identity systems work and bridging them into the future of digital identity. And it still allows people to do programmed checks and do all the things they still need to do but still allows them to plug into the newer age technology that provides a lot of other benefits for security, auditability, etc.
A lawyer with a company providing a global DeFi platform deals with questions of identification frequently and sees a soulbound token concept and Zero-Knowledge proof as two of the most discussed. The participant explained that:
The ID part, I’ve looked at it a lot. There’s a number of solutions. (1) Whitelisting the wallet; (2) issuing an NFT to the wallet, one of the challenges with that is whether from a technical standpoint there is a way to lock it to that wallet, so the NFT is really transferable, if it follows the standard protocols; there is a proposal, if I am not mistaken, an Ethereum Improvement Proposal (EIP) for some kind of a non-transferable NFT. So, there is work being done on the open-source side to create a non-transferable credential that can serve as a KYC.
There’s another set of projects that’s trying to do this in some kind of Zero-Knowledge ways. Basically, it’s not visible on chain, I can call your wallet, and then you can just return some information that says that you’re appropriately KYCed, but that information isn’t visible on chain. One of the issues that people don’t like with NFTs or other credentials that are sitting in the wallet is then, of course, it doxes the person; these Zero-Knowledge solutions are trying to solve that somehow. I don’t think any of them are super far along. That’s my sense. But that’s a potential area that is definitely attracting a lot of investment, a lot of people think it can work. But there is a lot of tension, if, on the one hand, your wallet is your on-chain account, and is kind of an identifier, but then, on the other hand, people don’t want to be identified by that.
In light of their day-to-day experience in the industry, the participant is, overall, rather pessimistic when it comes to a timely implementation of a comprehensive privacy framework in DeFi:
For certain applications, there’s a need, or perhaps a desire, for some identification or proof of identification. This is where I’m pessimistic. I haven’t seen a really compelling solution offered out there. If you talk to any founder in this space, they will tell you “Oh, this is a technical problem. It’s solvable.” But I’m skeptical, you want to have privacy, but then you also want to have identification; you want it to be on chain, clearly visible, maybe be transferable, but then if it’s transferable then it can be sold or traded, or it won’t be provably yours.
When it comes to soulbound token solutions, the participant argues that such instruments only capture a certain moment in time but checks such as KYC have to be performed again and again:
Is there some Zero-Knowledge way to represent that you have the asset in your wallet, and you’re this person? Maybe. But I would just say that, again, especially in the context of the markets, KYC is not a one-time thing. It’s not just like, “Oh, you’re not terrorists.” It’s like, “You’re not a terrorist, but maybe you’re this really smart trader who’s going to do some crazy thing in the market,” and, if we think of DeFi as a trading facility, I need to know that you are who you are. And I might want to be able to enforce against you in case you do something crazy.
Or maybe there’s more benign reasons. One is, in TradFi, for instance, payment for order flow, the whole idea there is that these institutional traders are “toxic,” because they know more than the market makers; the market makers are just standing in there trying to make a penny here and there on spreads. And these other guys are moving the market with their huge trades based on very sophisticated information, based on the fact they’re moving huge amounts of money. That’s bad for these market makers. They want to know who they’re trading against. So, they quote different prices based on their counterparty. So, you get a different price, if you’re more sophisticated than me, because I know you might be up to something more, and it’s riskier for me to deal with you than with some dummy like me. That is another reason why identity is important in markets, at least from a market participant’s standpoint, even not from a regulatory standpoint, but just from, essentially, a price discrimination standpoint.
A lawyer with a company providing software tools for monitoring digital assets trading and compliance stated that the issue of identification in DeFi can only be solved with a common effort by the government and the industry. Essentially, this is a
Problem that can’t be solved without the government and the private sector coming together because the government is often the verifier of the identity information and the one who issued the identity, to begin with.
This is, according to the participant, especially true when considering the mass adoption of such an identification mechanism. While it should be acknowledged that, for instance, in the U.S., it is a policy consideration not to have a national identification number, there is an opportunity with the “e-identity” for the individual to “maintain their identity information,” enabling the private and public sectors to verify only the pieces of information relating to an e-identity that are required for a certain process (need-to-know basis). This would be a “huge opportunity” for rethinking identification in the digital space, but it would be essential not to, for instance, “send KYC information with the transaction all over the blockchain” but to restrict the identifiable information to the fact that one is a verified actor.
The participant argues that, if the government ever needs additional detailed information, they “know whom they can go back to, and have a way on the back end to do that,” but they should not be enabled to “treasure trove search through whenever they feel like it” but have to have a “legitimate government purpose law enforcement interest, and they have to go seek that out from the individual or the market participant or otherwise.”
A lawyer with a company offering infrastructure services relating to crypto products and DeFi for institutional clients elaborated with regard to the issue of anonymity and identification and how the regulator could have access to certain relevant information without revealing it to third parties that:
I have heard from people whose opinions I respect that there is a way to do this; this comes up a lot in the context of CBDCs. I’m told by people who are technologically savvy, that there would be a way to set this up such that the government or a regulator would be able to monitor what is happening with whether it’s the CBDC or with the DeFi protocol, but without having full visibility into every individual’s specific transactions. If there’s technology on that, that’s great.
I have to say that among most people I’ve talked to, they’re skeptical about that, and there’s going to be a lot of skepticism for a long time I think; in some ways, it runs counter to the whole idea of blockchain, which is that everything is visible; sure, you don’t know maybe the name that’s associated with a particular wallet, but you can see from a specific address, anybody could go right now on the Bitcoin ledger and see, for example, what amounts were sent and when and from which wallet. So, I think people are going to be skeptical about the idea that it can be set up in a way where the government or regulator does not have access to that information.
A former European regulator and expert on regulatory policy (blockchain organization in Europe) stressed the benefits of soulbound tokens but also recognized the risk of such tokens being a “face tattoo,” especially from a democratic perspective. The participant specifically mentioned that:
Soulbound tokens are kind of a substrate of the digital identity space; why not apply soulbound tokens as a form of web3 primitive identity on-chain that allows regulators to have their cake and eat it too? For example, you can use soulbound tokens to onboard users, and trace the user’s activity across the DeFi platform; but the flip side of the soulbound token is that it’s a face tattoo. So, it’s non-transferable, non-reversible, and always on-chain.
At least in Europe, because of the GDPR and the Data Act, you need means to segregate some of that activity off-chain. And then it comes to the classic question: Should we use Zero-Knowledge proofs, for example, ZK-STARKs, to move some of that computation off-chain to make it scalable and make it affordable? Zero-Knowledge proofs are expensive, and when you’re moving into the layer 2 solutions, these are some things to consider.
Also, from a purely democratic perspective, you need to be careful with soulbound tokens because they are a way to record social provenance on-chain, and they’re reverse compatible with a negative reputation, you can use them for a social credit system if you want. And all of that is on-chain forever.
About the question of identification in DeFi, a lawyer with a hedge fund focused on crypto assets mentioned Worldcoin and its intended identification mechanism as a potential solution for identity management in DeFi.
c. It is at this point technically feasible to use embedded supervision, but regulators do not have the necessary resources, or the risk appetite.
The study showed that, while embedding supervisory tools, such as selective access rights for monitoring or data feeding, into blockchain infrastructure is technically possible, and such tools could be implemented while guaranteeing certain privacy standards, the regulators have, at this point, neither the necessary resources nor the know-how to use embedded supervision. It became clear that regulators have to prioritize their energy and resources, and while DeFi is, at least in part, a promising and innovative concept, the traditional financial system’s economic relevance is currently vastly larger than that of crypto and DeFi. Therefore, while regulators are interested in the topic and several pilot projects on embedded supervision have been initiated, it is currently not of the highest priority.
In addition, the study showed that the regulators have no particular interest in taking on more risk by accepting responsibility for real-time monitoring and data collection, providing data through a regulatory oracle, or on-chain enforcement. At this point, regulators, it seems, are satisfied with having parts of the responsibility carried by the regulated entities and do not desire a more active role. This stance is partly mirrored by business representatives who are skeptical of the regulator taking on a more active role on-chain due to the perceived lack of real benefits of such a step.
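To make concrete what a passive, read-only monitoring feed of the kind discussed above would actually compute, here is an added example that is not code from the paper, from the BIS, or from any interviewee. It takes a constructed stream of deposit, withdrawal, borrow and repayment events for a single lending pool and derives the per-block aggregates a supervisory dashboard would show: the pool’s liquid reserves against its depositor liabilities, a flag when the liquidity ratio falls below a threshold, and the share held by the largest depositor as a concentration measure. Addresses are replaced by keyed pseudonyms, so the feed shows consistent actors across events without handing raw addresses to the reader of the dashboard. The pool model, the event data, the threshold and the pseudonymization key are all constructed assumptions.

```python
"""Supervisory monitoring feed sketch (added example, stdlib only).

Consumes constructed on-chain events for one lending pool and emits the
aggregates a read-only regulatory dashboard would display, with addresses
pseudonymized under a key held by the feed operator.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed key for the pseudonymization; rotate it and the pseudonyms change.
PSEUDONYM_KEY = b"constructed-feed-operator-key"

# Constructed events: (block number, kind, address, amount in pool units).
EVENTS = [
    (100, "deposit", "0xAAA", 1000),
    (101, "deposit", "0xBBB", 500),
    (102, "borrow", "0xCCC", 900),
    (103, "borrow", "0xDDD", 400),
    (104, "repay", "0xCCC", 300),
    (105, "withdraw", "0xAAA", 400),
]


def pseudonym(address: str) -> str:
    """Stable keyed pseudonym: same address maps to the same label, unlinkable without the key."""
    return hmac.new(PSEUDONYM_KEY, address.lower().encode(), hashlib.sha256).hexdigest()[:12]


def build_feed(events, liquidity_threshold: float) -> list:
    """Replay events in block order and return one aggregate snapshot per event."""
    liquid = 0                       # assets actually sitting in the pool
    deposits = defaultdict(int)      # what the pool owes each (pseudonymous) depositor
    loans = defaultdict(int)         # what each (pseudonymous) borrower owes the pool
    snapshots = []
    for block, kind, address, amount in sorted(events):
        actor = pseudonym(address)
        if kind == "deposit":
            liquid += amount
            deposits[actor] += amount
        elif kind == "withdraw":
            liquid -= amount
            deposits[actor] -= amount
        elif kind == "borrow":
            liquid -= amount
            loans[actor] += amount
        elif kind == "repay":
            liquid += amount
            loans[actor] -= amount
        else:
            raise ValueError(f"unknown event kind {kind!r} at block {block}")
        liabilities = sum(deposits.values())
        ratio = liquid / liabilities if liabilities else None
        top_actor, top_amount = max(deposits.items(), key=lambda kv: kv[1]) if deposits else (None, 0)
        snapshots.append({
            "block": block,
            "liquid": liquid,
            "liabilities": liabilities,
            "outstanding_loans": sum(loans.values()),
            "liquidity_ratio": ratio,
            "top_depositor": top_actor,
            "top_share": top_amount / liabilities if liabilities else None,
            # Breach flag: liquid reserves cover less than the threshold share of deposits.
            "breach": ratio is not None and ratio < liquidity_threshold,
        })
    return snapshots


def breached_blocks(snapshots: list) -> list:
    """Blocks at which the liquidity threshold was breached, for the alert panel."""
    return [s["block"] for s in snapshots if s["breach"]]


if __name__ == "__main__":
    feed = build_feed(EVENTS, liquidity_threshold=0.2)
    for s in feed:
        print(s["block"], s["liquid"], s["liabilities"], s["liquidity_ratio"], s["breach"])
    print("breaches at blocks:", breached_blocks(feed))
```

Two design points follow from the interviews. First, the feed is derived from data that is already public on the ledger, so it adds no enforcement capability, only aggregation; the judgment about what a breach means still sits with a human reader, as one participant stresses below. Second, the pseudonymization is reversible only by whoever holds the key, which is the “know whom they can go back to” property the identification section calls for, rather than broadcasting identities with every transaction.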
In addition to the elaborations presented above in connection with the broader analysis of embedded supervision, these findings are supported by the following statements:
A computer scientist with a company offering DeFi services, with regard to the technical feasibility of embedded regulatory instruments, stated that embedded solutions are “generally technically feasible”; monitoring by regulators of on-chain activity “has been going on for a while,” at least by using commercial analysis services; the only thing “that is not out there yet would be enforcing on-chain like killswitches and providing data through regulatory oracles.”
A lawyer with a company providing a global DeFi platform is convinced of the technical feasibility but not of the regulator’s ability to operate and use such embedded tools; the participant explained that monitoring data alone is not sufficient, that understanding and interpreting it is decisive, and that this might need some input from the regulated entity. The participant elaborated that:
I don’t think it’s that hard to create basically a direct feed of data elements from a protocol to the regulator. The transmission part is not hard. Getting usable data in a format that the right people at the regulators can read and observe and make judgments on to do real-time supervision, I think there would have to be some learning on the regulatory side. I think, the economic and the legal learning is there within the regulators, but the ability to read on-chain data and look at those patterns might not be there, as opposed to the way this works in TradFi, which is the TradFi institutions have to produce this data in a usable format, exactly the format that regulators want. This is shifting the burden of it to the regulators to read this stuff. So, I don’t see a problem other than that there’s a learning curve there.
Is that information sufficient to give them the full, comparable visibility to what TradFi institutions provide? Probably not, because a lot of this is not just numbers, this is judgment, there’s thinking, there’s color, there’s explanation around like, “this happened, this is what it means”; and it’s a construction of some outside world events, as well as the trading data itself. The data itself is not the full story, to interpret it and understand it you need, again, human intelligence. And that means combining a variety of sources. The data alone from this one price or trade, it’s not going to be enough. I think that the question of whether the data is sufficient must also be answered by economists and accountants. I fear that the data analytics, part of all this is being treated as if it’s really trivial. And it’s really not, it’s pretty hard. And I think we haven’t solved it yet.
A lawyer with a company providing software tools for monitoring digital assets trading and compliance stated that, from a “technical and especially from a practical standpoint, embedding regulatory instruments seems challenging.” Therefore, embedding the regulation should not be exclusively understood as embedding the regulator in terms of action that the regulator must take but could also entail embedding “law and regulation in some respects and reporting requirements in the code.” The regulator could issue the code that says, “here’s the reporting requirements, here’s the data standard, and the entity then has to build that into their infrastructure.” In that context, one could think about a service that the regulator can “just plug it into, and that that service helps everyone implement the required embedding.” This is ultimately somewhat of a self-regulatory approach. Overall, “from a feasibility standpoint and an efficiency standpoint, and considering where I want the regulators spending their time, I just don’t think it’s worth investing in them being the technical expert.”
As mentioned above, two agents of the National Financial Supervisory Authority of an EU Member State clarified that the limitation in resources makes it very unlikely for the regulator to adopt an embedded approach at this time:
If we gain additional information through an embedded monitoring approach, we have to do something with the data. It would have to be carefully thought about whether we want to give up the layer of responsibility that currently lies with the regulated entities. Shifting the burden of responsibility to the regulator would require implementing additional risk management; this would likely require more resources than we are able to commit.
A former agent of the National Financial Supervisory Authority of an EU Member State, when asked about the regulator’s abilities to use embedded supervision on a large scale now, elaborated that there is “no chance” that the regulators could, at this point, use embedded supervision in the day-to-day business:
It lacks three important things: Infrastructure, understanding of the market, and resources, especially manpower. Most regulatory authorities very likely lack the required expertise on a broad scale to use embedded regulatory tools at this point.
d. A “safe harbor” of embedded supervision can incentivize DeFi businesses to become more innovative, VC funds to increase investments in DeFi, and customers to use a DeFi service.
The participants agreed that a transparent regulatory approach, including embedded supervision, would help foster trust and legal certainty in the DeFi space. This would likely benefit all parties in the ecosystem and promote its growth within a comprehensive and more transparent regulatory framework. The regulator’s concerns with DeFi might be at least partly eased, the industry’s worries about unclear consequences of engaging in DeFi business could be addressed, and VC investors could gain a little more clarity on the risks and opportunities of investing in DeFi companies. Whether users really care about the technicalities of regulation seems at least questionable, according to a participant’s experience.
Embedded supervision is, however, not the one magic solution to solve all problems in DeFi; it should be understood as one piece of a larger complex puzzle that can increase regulatory efficiency in some scenarios and build trust, especially when it comes to regulatory oracles. At this time, due to the factual limitations in resources, manpower, and know-how, and considering that, so far, most DeFi business models can be supervised with traditional instruments because they are not “truly” decentralized, it seems unlikely that an embedded regulatory approach will be implemented on a broader scale in the near future. The more decentralized DeFi gets, however, the more likely it seems that embedded supervision will play a more important role down the road.
This conclusion is illustrated by the following statements:
An agent of the National Financial Supervisory Authority of an EEA Member State is convinced that defining a clear standard for embedded supervision and using it in certain contexts would have a positive effect on market stability. The participant elaborated that:
This would have a very positive impact in my opinion; we will not get to a point where we can rule out situations like FTX entirely since such cases are not caused by technology alone but through potentially fraudulent actions. This is not supposed to be a prejudgment, but the human component is just there. When the human component is supplemented by a technical and fully neutral supervisory instrument, this can change a lot. The technical component does not decide to become fraudulent but just does exactly the same thing every day without an arbitrary change in behavior.
This is the big chance of automated embedded instruments; if you think about it, having immutable DeFi and an embedded, neutral supervisory instrument is very compelling from a user perspective because you can always be sure that no human actor can interfere and, for instance, take your assets. Therefore, it has a lot of benefits, but so far, nobody has come up with a true, fully decentralized business model.
A former agent of the National Financial Supervisory Authority of an EU Member State believes that, all practical hurdles of lacking resources and know-how aside, a uniform regulatory standard of select embedded supervision tools would be beneficial, and elaborated with regard to the overall effects on the DeFi ecosystem that:
This would certainly have a positive impact. Embedded supervision is not the “secret weapon” that solves all issues in DeFi but could still be helpful in various ways. If you think about the big picture, getting a license in a jurisdiction with high regulatory standards can be helpful for companies because it is perceived in the market as a sign of quality and a “seal,” which can also be helpful to attract investments; applying this to DeFi and embedded supervision, introducing such an embedded regulatory standard could definitely have a positive impact on innovation.
The founder of a DeFi wallet provider elaborated with regard to standardized rules creating trust that a transparent regulatory framework, including embedded supervision, combined with the automation aspect of DeFi is a valuable opportunity to build a reliable and trustworthy ecosystem. The participant explained that:
This has already been achieved to some degree since, in DeFi, the financial service is provided by a machine, the whole business model is very objective. For DeFi, it will be essential that now the right regulatory rules are created. For instance, if a DEX provides a financial service in Germany, it could be identified as an exchange under German law so that there is transparency as to the regulatory rules for exchanges being applied to the DEX – but those rules, as they are written today, are in many instances not made to be applied to a DEX and simply cannot be applied in practice due to the completely different technological infrastructure, e.g., nodes that are spread all over the globe. It does not work; we need new rules for DeFi.
The risk I see is that the banking lobbyists, politicians, the people misunderstanding FTX get so scared of the technology and what it could accomplish that they try to shut it down. There is a lot of protectionism in the financial industry and the banks fight to keep their business going; this can also be observed in discussions around CBDCs. From a political perspective, it seems likely that jobs in banking will be somewhat protected until DeFi goes through the roof in some jurisdiction so that politicians cannot ignore it anymore.
If we ensure that regulation goes in the right direction, I think that embedded supervision will have a big potential in the large framework of new rules that need to be defined for DeFi; if we achieve this, the DeFi industry will be unstoppable. When it comes to VC investors, I think they care less about regulatory issues and tend to invest in the bigger libertarian idea. My impression is that VC investors oftentimes do not know too much about regulatory law.
A founder of a company providing software tools to financial institutions related to payments and identity believes that a common standard of embedded supervision could be helpful insofar as it reassures regulators of not missing crucial information and creates a certain sense of trust and reliability; however, the participant does not believe that users would care about such technical regulatory details and sees the issue of lacking interoperability of embedded tools across different systems. The participant elaborated that:
Consumers usually don’t even know what is happening on the back end. I think, in general, if you are going to have this embedded thing, I think the consumers likely won’t care. I do think it’ll make it easier for people to build and innovate, in a way. But I think the one thing that needs to be figured out is whether the regulators even understand what they’re supposed to do with their embedded powers. Are those embedded powers uniform across different ecosystems? We talked about the interoperability of systems. So, if one system has a totally different set of rules for embedded regulation, that’s not going to work likely. The future of the world is doing business across platforms that are built in completely different ways. They’re going to have different rules. The idea of embedded regulation might give the freedom for people to build more easily and swiftly, and might give the regulators peace of mind, but it’s only doing that just for the one product being built at that moment. It’s not really helping the overall regulation of the ecosystem. It goes back to that interoperability piece.
A lawyer with a company providing a global DeFi platform is convinced that, while it is more of a supplement than an ultimate solution, embedded supervision can be useful for regulators to receive more up-to-date information more frequently; the participant believes that it is important that, when using an embedded approach, information is presented in a way that regulators can understand. The participant thinks that a clearly defined embedded regulatory standard can “absolutely” have an overall positive impact on the DeFi ecosystem. With regard to the ability of DeFi companies to raise money from VC investors, however, the participant does not believe that it would have a vast impact. The participant specified that:
The usefulness of embedded supervision extends beyond just regulators; I think all parties could be interested in knowing that information. Again, I think having information presented in a readable format, in a human-readable format, is useful; even if there’s not going to be commentary or discussion in plain language, then at least the data itself has to be readable in some way that isn’t just like “Go, look at the blockchain” and it’s basically a shifting of the burden. But yes, I think a lot of people would be interested in that.
But ultimately, of course, the people that are going to be the most interested in this are always going to be regulators. I think the venture investors are okay with, “Here’s the money, let’s talk in a year.” They’re not as keen to follow up. That’s what I’ve seen. I would like for that not to be the case, I hope that they will become more involved, but the reality is, probably not.
The participant went on to summarize that:
Overall, I think embedded supervision is a good concept, for obvious reasons. In TradFi, regulators have to wait for these reports. They come only once a month or once a quarter. And it would be nice to have more real-time data available, it would be nice to be able to look at it yourself and not have to necessarily trust the other side to provide it presented in a certain way. I mean, there’s still a back and forth between regulators and regulated entities like “Oh, I don’t like this data, calculate it this way, show me the math.” Overall, there is definitely a very strong intuitive appeal to embedded supervision. I didn’t mean to dismiss it. I just don’t think that it can totally replace the existing structure, but I think it can definitely be a very useful supplement.
A lawyer with a company offering services relating to cryptocurrencies has a positive feeling about the potential impact of a common standard for embedded regulatory tools, even though it will only be one piece of a more complex regulatory puzzle. The success of this puzzle will, according to the participant, strongly depend on the regulators and the industry finding common ground. The participant elaborated that:
I think it’s really helpful, it will definitely address some of the things that I said about the fear of the unknown; at least you would have this common thing that everyone knows, and relies on, and trusts and kind of can validate. But I think it’s just a piece of the process, it is not the answer to everything, because you need the industry and the regulators to meet halfway; the regulators need to understand DeFi better and make adjustments to the way that they think and work. All this will definitely have some impact on the way DeFis operate because future regulation might, in some regards, limit the idea of decentralization. And then you have the regulators think like, “This doesn’t fit my box, so I don’t like this”; you have to open the box and try to make it work with that. It is definitely a positive step towards getting there. But we just need the parties to understand that there’s going to be a give and take on both sides to get to that place.
A lawyer with a company offering infrastructure services relating to crypto products and DeFi for institutional clients has an ambivalent impression of embedded supervision and its overall effects on the DeFi ecosystem; according to the participant, a clear regulatory standard, including embedded supervision, might benefit either large, regulated legacy financial institutions or unregulated players such as startups, depending on how it is implemented, but probably not both simultaneously. The participant elaborated that:
It’s really hard for me to give a “yes or no answer.” I think that something along the lines of what you describe could arguably have the effect of driving adoption by those who have the most to lose by engaging with crypto; many of them are regulated entities right now. Big banks, for example, many of them have been making a lot of announcements about forming groups or divisions or committees to explore things and proofs of concept, etc. But in terms of actual engagement, it’s been limited. I think the reason it’s been limited is because they think that they take on too much risk by engaging with something where the regulatory rules are unclear. So, clarity around that, I think, would drive adoption for them; doing that in a way that at the same time allows for and encourages innovation amongst those who are not regulated, startups, individuals, and software developers, I think, is tricky. So, I don’t have a clear “yes, or no answer.” I think, it’s difficult to do it in a way that’s going to do both those things, drive adoption by established players, but also encourage continued innovation by new players.
According to an expert on financial regulatory policy (U.S. Think Tank), overall, introducing embedded regulatory instruments within a clearly defined regulatory framework could be helpful and does not necessarily have to be a regulatory decision, either. The participant believes that:
If the industry could come together and create its own baselines in this space that projects are willing to live up to, that alone, even without regulatory involvement, will make the DeFi space more attractive to users who can then understand one standard instead of trying to do their diligence on every single thing that they’re trying to use to see if they’re comfortable with divergent standards. This could also help funnel additional money to developers in the space to continue to innovate.
I don’t think it has to be a regulatory requirement. I think that even if you have regulatory solutions embedded, the regulators are nervous about something decentralized, where there’s not a single point of contact where they can put in a killswitch, where they can drag someone into court. I think that takes a massive mind shift on behalf of the regulators. As DeFi grows in popularity, I think we’ll see additional nervousness from the regulators about things they fear they can’t control, that are cross-border, pseudonymous, and happening on peer-to-peer bases, that are purposefully at odds with the governmental view in this space. And I think that’s going to continue to clash.
A former European regulator and expert on regulatory policy (blockchain organization in Europe) responded that, in line with SEC Commissioner Hester Peirce’s argument, a regulatory safe harbor including embedded supervisory instruments would,
Definitely be beneficial and could establish a baseline of confidence, especially on the VC side, having a better idea of whether there is a threat with a protocol, whether it is going to blow up and your investment goes with it; but a safe harbor would again have to come down to standards at the level of the product.
The participant mentioned that the BIS thought experiments on embedded supervision do not consider the scenario of permissionless DeFi in depth but aim at permissioned DeFi, so that “there’s a lot of unknowns in the rest of the space.”
A lawyer with a VC investment company focused on blockchain technology summarized that more regulatory clarity and a safe harbor for building DeFi would be very helpful from a VC perspective and “the only way forward.” The participant – having a background in government service – considers embedded supervision an important part of this “way forward” but does not consider the regulatory authorities to have the required resources “at all.”
A lawyer with a hedge fund focused on crypto assets stated that, overall, when it comes to a regulatory framework for DeFi, with regard to the ability of DeFi companies to raise money from VC investors, “there needs to be some sort of regulatory clarity to mitigate fraud, to mitigate rug pulls, to have sensible liquidity requirements, things of that nature.”
The participant stressed that:
If you don’t have regulatory clarity, companies aren’t able to raise money, they’re not able to execute, people are wary to invest in those companies and even use the protocols. Now, every time I have conversations with people who are not in the industry, they’re getting a lot of bad news; they’re concerned. I think from a framework perspective, the environment that we’re working in right now is sending a lot of talent and capital overseas. We want to facilitate that growth and development onshore here in the United States and a sensible framework would allow us to do that.
A General Partner with a VC fund investing in blockchain technology responded that, to raise money from VC investors, in general, “regulatory certainty would be extremely helpful; the regulators are massively behind. I don’t see it happening for the next decade-plus that there will be a global regulatory standard.”
The participant mentioned that VC investors “would already be happy with basic rules in the U.S.: Are tokens securities or commodities?; How do we deal with the exchange of tokens to fiat at on- and off-ramps?; How do we regulate decentralized exchanges?; What is the basic governance around DAOs?”
The participant went on to say that when it comes to regulation, “we’re at layer zero while DeFi is layer 10, the regulator is asleep at the wheel, and the topic has become politicized, there seems to be a lack of knowledge with regulators; all this leads to innovation getting pushed offshore.”
e. Summary: Differences and Common Ground among the Interviewees.
aa. The Regulatory Perspective.
Embedded supervision is a concept that could be used in numerous ways. The regulators that participated in this study agreed that it is important to stay open to new technology in the industry as well as when it comes to regulatory technology. While the regulators agreed that embedded supervision can play an important role in scenarios of “true” DeFi, i.e., fully decentralized systems, such systems have not appeared on the regulatory radar yet. Consequently, the regulators do not see an immediate need to implement embedded regulatory instruments. DeFi does not currently have the economic significance that would justify an increased deployment of resources on DeFi regulation; therefore, there are not sufficient resources available to gather the know-how, manpower, and infrastructure to work with embedded supervisory instruments on a broad scale. While regulatory oracles would be a particularly intriguing concept, according to the participants, monitoring open ledgers is already quite effective, which reduces the immediate need for an embedded monitoring tool. The same is true for embedded enforcement tools because, so far, most DeFi business models have some centralized angle to them that allows regulators to enforce actions without an embedded tool. This may change in the future if “true,” full decentralization appears in the market.
bb. The Industry Perspective & Other Expert Views.
Industry participants are slightly ambivalent about embedded supervision. While some think that it could be a helpful tool as part of a comprehensive regulatory framework – and everybody agreed that such a clearly defined framework is critically important – others do not see clear benefits of it or are even worried about the regulator taking on a more active role in a blockchain system. With some of the foundational ideas behind DeFi in mind, especially permissionlessness and privacy, bringing the regulator this close to a DeFi system seems contradictory to some participants. Instead of embedding regulatory tools, one could think about a self-regulatory approach that has DeFi providers build in tools like killswitches that they operate themselves when asked to do so by the regulator instead of giving the regulator direct access.
cc. The Investor Perspective.
When it comes to VC investors, the interviews revealed that regulatory clarity is highly valued from an investor’s perspective. Embedded supervision can be one part of a transparent regulatory framework, and investors generally approve of the idea. Overall, it seems that the technical details of regulation are only relevant from an investor’s perspective insofar as they support the most important goals: regulatory clarity and legal certainty for potential portfolio companies.
dd. Common Ground.
A lack of clarity regarding the regulatory rules that apply to DeFi is detrimental to everyone involved and hinders innovation. In order to give DeFi a chance to prove its worth in the market, it is crucial to define clear regulatory rules that allow DeFi businesses to operate without uncertainty and the risk of being shut down. Embedded supervision could be a piece of the future regulatory framework for DeFi, in particular, when it comes to regulatory oracles that ensure reliable and secure data feeds. Since current DeFi business models are mostly still somewhat centralized, there is no pressing need for the regulator to implement resource-intensive new tools as long as the traditional tools suffice for regulatory purposes. Still, it is critical for the industry to know what tools apply to DeFi in the first place. Furthermore, all participants agreed that identification will play a central role for DeFi regulation, which is also true for embedded supervision. While there are several promising tools for identity management in DeFi, the one common standard has not been defined yet, neither by the market nor by law.
ee. Differences.
There were more parallels than differences in perception between regulators and the industry when it comes to embedded supervision. The main difference between regulators and industry is likely that some business representatives and other experts are concerned about the regulator taking on a more active role in DeFi systems while the regulators generally do not see a “philosophical” issue with that; if they do, more so for resource reasons and reasons of dealing with additional responsibilities than for reasons of DeFi philosophy.
IV. Summary of the Results.
Regulating DeFi is a highly complex problem. Fully decentralized financial infrastructure, running without any intermediary entities, is still very rare; it is nevertheless highly relevant because it cannot be reliably regulated by instruments developed for the traditional financial system, which is based on intermediaries. There are numerous open questions and difficult aspects that need to be addressed when thinking about DeFi regulation generally and embedded supervision specifically. Several points became quite clear when discussing the research questions with the interviewees.
(1) All the interviews I conducted had in common that the stakeholders acknowledge the complexity of DeFi regulation and agree that there needs to be transparent, legally certain, and effective regulation of DeFi in order for it to become successful in mainstream finance in the future. Finding such a regulatory approach is, according to most interviewees, an important prerequisite for DeFi to be accepted by governments in the long term. In order to find the right regulatory approach, the industry and the regulators will have to cooperate, and be willing to compromise. It is unlikely that any extreme position – full privacy, no regulatory liability at all vs. full governmental control over decentralized infrastructure – will lead to the success of DeFi in the long run.
(2) The interviewees agreed that there are certain risks specific to DeFi. By nature, from a regulator’s perspective, the lack of an intermediary entity makes (“true”) DeFi risky because it is hard or sometimes even impossible to identify parties that could be approached for the purpose of requesting information or enforcing regulatory actions. Emphasis was also put on technological/cyber risks, meaning that there can be outside attacks like hacks on a decentralized financial infrastructure which can lead to a total loss of customers’ assets in the system. This is more problematic than it is in a centralized scenario because, in the case of DeFi, there is no intermediary who could reimburse customers if the security breach was caused by the negligent behavior of the intermediary. This makes it rather risky for customers to use DeFi solutions. Another risk category that was stressed is the risk of criminal activity and abuse of DeFi for the purposes of money laundering and financing of illegal activities. The lack of an intermediary entity that could enforce the anti-money laundering obligations that traditional banks or exchanges have to fulfill makes it easier for users to abuse the system for illegal activities and harder for authorities to identify people using a DeFi platform. Another risk category that was mentioned is the concentration risk of a relatively small group of people controlling a large number of certain assets like specific tokens. This concentration of power and influence allows certain players to move the market disproportionately and thwarts the idea of decentralization. Finally, it was mentioned that there is a lack of transparency when it comes to reserves; since many digital assets are not backed by fixed reserves, it remains risky to invest in such products.
(3) The variety of risks related to DeFi suggests that embedded supervision is most likely not the magic solution to all problems created by decentralization and disintermediation in the financial sector. All interviewees agreed that an embedded approach can be a helpful piece of the puzzle of a regulatory framework for DeFi, but it is not suitable to mitigate all the risks and issues created by decentralization by itself. Embedded supervision is rather to be understood as part of a complex combination of numerous regulatory instruments. This can include new regulations regarding the software that underlies decentralized financial infrastructure (“protocols”) and regarding oracles, regulatory audits and certification of protocols, targeting identifiable people or entities involved in the creation of DeFi business models such as programmers or foundations, and more. Combining those different instruments with an embedded supervisory approach seems like the most promising and likely route that future regulation of DeFi will take.
(4) When it comes to the technical feasibility of embedded regulatory instruments, the opinions of the interviewees are aligned, but there are two components that need to be differentiated. While there is agreement that it is possible from a technical perspective to build embedded instruments allowing regulators to monitor, intervene in, and feed data into a decentralized financial infrastructure in real time, the participants also agreed that, at this point, the regulatory authorities lack the resources, manpower, and technical know-how to operate such systems. Therefore, while embedded supervision may be a promising approach in the future, using it requires a commitment of resources and training for the regulators – as well as the willingness of the regulators to take a more active role in regulation and, thereby, more responsibility.
(5) In conclusion, all interviewees agreed that DeFi is a promising approach to finance that has the potential for mainstream commercial success. In order to have a chance to scale, DeFi needs a clear regulatory framework which will ideally be built by regulators and industry cooperating and defining rules that balance the different interests involved. The more decentralized a system gets and the less effective traditional financial regulatory approaches aiming at intermediaries and “gatekeepers” are, the more we will have to rely on innovative regulatory instruments, likely based on technology. Embedded supervision can be one of those instruments, but it seems that its time has not come just yet for mainstream application.
E. Policy Suggestions for the Future of DeFi Regulation
Using the insights gained in the study, I suggest the following ideas for an approach to DeFi regulation with a particular focus on embedded supervision:
It is critical to develop a comprehensive regulatory framework that acknowledges that decentralized solutions have their place in the financial industry of the future;
Transparency regarding the regulatory framework is crucial for DeFi businesses and a lack thereof may drive innovative ideas to jurisdictions that provide more certainty regarding regulatory rules that need to be followed by a DeFi business;
In order to achieve clear regulation, it must first be clearly defined what truly decentralized financial infrastructure is; not everything that seems decentralized at first truly is;
The question of identification and digital identity is essential for DeFi regulation and should be answered before engaging in discussions on details of the regulatory framework for DeFi;
Regulation can address different types of parties/entities: It seems crucial to regulate oracles to ensure reliable dataflows in DeFi; coders responsible for creating a software protocol underlying a decentralized infrastructure could be targeted by regulators if they can be linked to a protocol, it is reasonable to assume that they were responsible for deploying it, and they can still manipulate it; this might, however, make it less attractive for coders to work on such software and thereby slow down innovation in the DeFi space;
The regulatory framework will have to be made up of several instruments that each address different issues that come with DeFi, including disintermediation, inter-jurisdiction trading, pseudonymity and identification, transaction speed, the immutability of transactions, and more;
Embedded supervision can be one piece of this regulatory framework and could be used in specific use cases that make supervision particularly difficult due to pseudonymity, lack of data reliability, lack of enforcement abilities due to disintermediation, and potentially other cases; this concept will likely gain in relevance once more “truly” decentralized business models appear in the market;
While there is not one “magic” solution to regulating DeFi, defining a comprehensive regulatory framework and using embedded supervision to tackle specific issues in combination with additional instruments seems like a promising way to go forward with global DeFi regulation.
F. Summary and Concluding Thoughts
The financial industry is complex and so is the regulatory framework that surrounds it. This framework has grown over decades: as financial instruments became more advanced, regulators had to find new ways to mitigate risks and protect financial stability. During all this time, the financial system has been marked by intermediaries, gatekeepers who were a convenient and suitable regulatory target. Blockchain technology, based on cryptographic methods and game theory, led to the creation of DeFi – a concept that could, in its purest form, lead to full disintermediation and thereby invalidate the current regulatory approach. While legal frameworks can be bent in the face of a changing world to fit the new reality, this only works to a certain extent. With DeFi, we might witness a level of disruption that cannot suitably be captured by – only – applying old rules in a modified way.
This study showed that relevant stakeholders and experts in DeFi agree that this new type of finance is too relevant and powerful to ignore it. While no one can predict the future, there are good chances that DeFi is here to stay, and it might even rise to mainstream commercial success. With that in mind, it seems critical to find a practical, fair, transparent, and workable solution for DeFi regulation. This cannot be achieved by applying or slightly amending traditional regulatory instruments alone; while some of them could be applied to DeFi or at least serve as inspiration for new regulatory instruments, there will likely have to be new ideas when it comes to regulating fully decentralized systems. This can include embedded regulatory instruments, self-regulation, auditing and certification of code, and regulation of oracles, to name a few. We will also have to find ways to define a trustworthy and practical way to deal with identity in the digital space without disregarding the desire for privacy many people have.
Most importantly, this study showed how important communication is: The industry and the regulators need to talk to each other instead of talking about each other. As far as the participants in this study go, both sides seemed very aware of this fact and very open to engaging in the discussion. It is not often that a potentially revolutionary technology is created; DeFi might be one of them and good and reliable regulation can be a decisive factor when it comes to the business decision of picking a location to operate from. Against this background, all involved stakeholders should be interested in creating the best possible regulatory framework – and do it swiftly.
G. Appendices
Questionnaire 1: Fintech Companies: Focus on Commercial Impact
Context explained to the interviewees: How can we ensure that innovation is not suffocated, i.e. business deterred, by rigid regulation of potentially promising DeFi products/systems?
What role does regulation play for your business?
Do you see any specific risks associated with DeFi and if so, what is the biggest risk that needs to be mitigated through regulation?
How did the collapse of FTX affect the relationship with supervisors, investors, and clients? Do you think this event will influence the discussions on the regulation of DeFi even though FTX is a centralized platform? What could be the consequences for regulation? (optional question)
How do you perceive the regulators’/lawmakers’/central banks’ relationship to DeFi?
What is your impression of DeFi startup governance/compliance with regulatory rules?
Where do you see DeFi and the regulatory framework in 5/10 years?
What are potential regulatory approaches for decentralized finance and how effective are they?
In case only programmers involved in the creation of a DeFi system can be identified: Does it seem promising for regulators to target these “creators” in light of the activity of coding? How would this affect innovation? (Example: Tornado Cash) (Frankenstein metaphor: Once created, it lives by itself)
In case only “abstract” entities like foundations can be identified as responsible “intermediaries”: Does it seem promising for regulators to target these entities? How would this affect innovation? (Example: Ethereum Foundation)
Is embedded supervision an effective tool to regulate decentralized financial technology without suffocating innovation? (How can it be achieved that innovation is not suffocated, i.e. business deterred, by rigid regulation?) [Show pp slide: 1. Technical feasibility, 2. Use cases, 3. Privacy and (digital) identity, 4. Safe harbor]
In what ways could embedded supervision/regulation be used? [E.g. real-time monitoring (e.g. Findora: proof of positions in a mutual fund) plus actions based on it (e.g. auditing a specific customer of a broker-dealer), circuit breakers, feeding official data into an exchange, …?] [Introduction on identity: depending on the application, e.g. a payment system, KYC/AML information; how can deanonymization be achieved only with respect to the regulator?]
What specific data could be accessed through an embedded regulatory instrument and how can supervision and user privacy be balanced (e.g. through Zero-Knowledge proof technology)?
What could be feasible ways for regulators to identify users (KYC/AML info? IP addresses? Findora system? …)? Will an embedded regulatory approach eventually require an official “digital identity” for users?
Is it at this point technically feasible to use embedded supervision? If not, what are the missing links, and who can provide them?
How would embedded supervision affect fintech businesses and consumers (creation of trust through a “regulatory seal” or deterrent effect because of breach of anonymity)?
Can a “safe harbor” of embedded supervision incentivize DeFi businesses to become more innovative (less uncertainty/risk of creating new products), VC funds to increase investments in DeFi (less risky investment, more customer engagement), and customers to use a DeFi service (more consumer protection through supervision creates trust but reduces anonymity)?
What is your overall opinion on embedded supervision after this conversation?
Does anybody else from the space whom I should talk to come to mind?
Questionnaire 2: Regulatory Authorities (& lawmakers): Focus on Effectiveness & Feasibility
Context explained to the interviewees: How can we ensure that innovation is not suffocated, i.e. business deterred, by rigid regulation of potentially promising DeFi products/systems?
Do you see any specific risks associated with DeFi and if so, what is the biggest risk that needs to be mitigated through regulation?
How did the collapse of FTX affect your relationship with fintech businesses? Do you think this event will influence the discussions on the regulation of DeFi even though FTX is a centralized platform? What could be the consequences for regulation? (optional question)
How does decentralization challenge regulation/supervision of financial products?
How do you perceive the regulators’/lawmakers’/central banks’ relationship to DeFi?
What is your impression of DeFi startup governance/compliance with regulatory rules?
Where do you see DeFi and the regulatory framework in 5/10 years?
What are potential regulatory approaches for decentralized finance and how effective are they?
In case only programmers involved in the creation of a DeFi system can be identified: Does it seem promising for regulators to target these “creators” in light of the activity of coding? How would this affect innovation? (Example: Tornado Cash) (Frankenstein metaphor: Once created, it lives by itself)
In case only “abstract” entities like foundations can be identified as responsible “intermediaries”: Does it seem promising for regulators to target these entities? How would this affect innovation? (Example: Ethereum Foundation)
Is embedded supervision an effective tool to regulate decentralized financial technology without suffocating innovation? (How can it be achieved that innovation is not suffocated, i.e. business deterred, by rigid regulation?) [Show pp slide: 1. Technical feasibility, 2. Use cases, 3. Privacy and (digital) identity, 4. Safe harbor]
In what ways could embedded supervision/regulation be used? [Real-time monitoring (e.g. Findora: proof of positions in a mutual fund) plus actions based on it (e.g. auditing a specific customer of a broker-dealer), circuit breakers, feeding official data into an exchange, …?] [Introduction on identity: depending on the application, e.g. a payment system, KYC/AML information; how can deanonymization be achieved only with respect to the regulator?]
What specific data could be accessed through an embedded regulatory instrument and how can supervision and user privacy be balanced (e.g. through Zero-Knowledge proof technology)?
What could be feasible ways for regulators to identify users (KYC/AML info? IP addresses? Findora system? …)? Will such an embedded regulatory approach eventually require an official “digital identity” for users?
Is it at this point technically feasible to use embedded supervision? If not, what are the missing links, and who can provide them?
Do supervisory authorities have the required technical knowledge to operate embedded supervisory tools yet?
Can a “safe harbor” of embedded supervision incentivize DeFi businesses to become more innovative (less uncertainty/risk of creating new products), VC funds to increase investments in DeFi (less risky investment, more customer engagement), and customers to use a DeFi service (more consumer protection through supervision creates trust but reduces anonymity)?
What is your overall opinion on embedded supervision after this conversation?
Does anybody else from the space whom I should talk to come to mind?
Questionnaire 3: Venture Capital Investors: Focus on Investment Impact
Context explained to the interviewees: How can we ensure that innovation is not suffocated, i.e. business deterred, by rigid regulation of potentially promising DeFi products/systems?
What role does regulation play for your business/your portfolio companies? How do regulation and the regulatory strategies of portfolio companies affect your investment decisions?
Do you see any specific risks associated with DeFi and if so, what is the biggest risk that needs to be mitigated through regulation?
How did the collapse of FTX affect the relationship with supervisors and portfolio companies? Do you think this event will influence the discussions on the regulation of DeFi even though FTX is a centralized platform? What could be the consequences for regulation? (optional question)
What is your impression of DeFi startup governance/compliance with regulatory rules?
Is embedded supervision an effective tool to regulate decentralized financial technology without suffocating innovation? (How can it be achieved that innovation is not suffocated, i.e. business deterred, by rigid regulation?) [Show pp slide: 1. Technical feasibility, 2. Use cases, 3. Privacy and (digital) identity, 4. Safe harbor]
In what ways could embedded supervision/regulation be used? [Real-time monitoring (e.g. Findora: proof of positions in a mutual fund) plus actions based on it (e.g. auditing a specific customer of a broker-dealer), circuit breakers, feeding official data into an exchange, …?] [Introduction on identity: depending on the application, e.g. a payment system, KYC/AML information; how can deanonymization be achieved only with respect to the regulator?]
What specific data could be accessed through an embedded regulatory instrument and how can supervision and user privacy be balanced (e.g. through Zero-Knowledge proof technology)? (optional question)
What could be feasible ways for regulators to identify parties (KYC/AML info? IP addresses? Findora system? …)? Will such an embedded regulatory approach eventually require an official “digital identity” for users? (optional question)
Is it at this point technically feasible to use embedded supervision? If not, what are the missing links, and who can provide them? (optional question)
How would embedded supervision affect fintech businesses and consumers (creation of trust through a “regulatory seal” or deterrent effect because of breach of anonymity)?
How would embedded supervision affect the ability to raise money from VC funds (more promising investment through “regulatory seal”)?
Can a “safe harbor” of embedded supervision incentivize DeFi businesses to become more innovative (less uncertainty/risk of creating new products), VC funds to increase investments in DeFi (less risky investment, more customer engagement), and customers to use a DeFi service (more consumer protection through supervision creates trust but reduces anonymity)?
What is your overall opinion on embedded supervision after this conversation?
Does anybody else from the space whom I should talk to come to mind?