Decentralized finance, known as DeFi, is a new use of blockchain technology that is growing rapidly, with over $237 billion in value locked up in DeFi projects as of January 2022. Regulators are aware of this phenomenon and are beginning to act to regulate it. In this article, we briefly review the fundamentals and risks of DeFi before presenting the regulatory context.
The fundamentals of DeFi
DeFi is a set of alternative financial systems based on the blockchain that allows for more advanced financial operations than the simple transfer of value, such as currency exchange, lending or borrowing, in a decentralized manner, i.e., directly between peers, without going through a financial intermediary (a centralized exchange, for example).
Schematically, a protocol called a DApp (for decentralized application), such as Uniswap or Aave, is developed as open source code on a public blockchain such as Ethereum. This protocol is powered by smart contracts, i.e., contracts that execute automatically when certain conditions are met. For example, on the Uniswap DApp, it is possible to swap one cryptocurrency in the Ethereum ecosystem for another, thanks to the smart contracts designed to perform this operation automatically.
Users are incentivized to provide liquidity, as they receive a portion of the transaction fees. As for lending and borrowing, smart contracts allow those who want to lend their funds to make them available to borrowers, and borrowers to directly borrow the money made available by securing the loan with collateral (or not). Exchange and interest rates are determined by supply and demand and arbitraged across the DApps.
The great particularity of DeFi protocols is that there is no centralized institution in charge of verifying and carrying out the transactions. All transactions are performed on the blockchain and are irreversible. Smart contracts replace the intermediary role of centralized financial institutions. The code of DeFi applications is open source, which allows users to verify the protocols, build on them and make copies.
The risks of DeFi
Blockchain gives more power to the individual. But with more power comes more responsibility. The risks of DeFi are of several kinds:
Technological risks. DeFi protocols depend on the blockchains on which they are built, and blockchains can experience attacks (known as “51% attacks”), bugs and network congestion problems that slow down transactions, making them more costly or even impossible. The DeFi protocols themselves are also the target of cyberattacks, such as the exploitation of a protocol-specific bug. Some attacks are at the intersection of technology and finance. These attacks are carried out through “flash loans”: loans of tokens without collateral that can then be used to influence the price of the tokens and make a profit, before the loan is quickly repaid.

Financial risks. The cryptocurrency market is very volatile and a rapid price drop can occur. Liquidity can run out if everyone withdraws their cryptocurrencies from liquidity pools at the same time (a “bank run” scenario). Some malicious developers of DeFi protocols build “back doors” into their smart contracts that allow them to appropriate the tokens locked in those contracts and thus steal from users (this phenomenon is called a “rug pull”).
Regulatory risks. Regulatory risks are even greater because the reach of DeFi is global, peer-to-peer transactions are generally anonymous, and most often there are no identified intermediaries. As we will see below, two topics are particularly important for the regulator: the fight against money laundering and terrorist financing, on the one hand, and consumer protection, on the other.
The FATF “test”: Truly decentralized?
On Oct. 28, 2021, the Financial Action Task Force (FATF) issued its latest guidance on digital assets. This international organization sought to define rules for identifying responsible actors in DeFi projects by proposing a test to determine whether DeFi operators should be subject to the Virtual Asset Service Provider or “VASP” regime. This regime imposes, among other things, Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) obligations.

The FATF had initially considered, last March, that if the decentralized application (the DApp) is not a VASP, the entities “involved” in the application may be, which is the case when “the entities engage as a business to facilitate or conduct activities” on the DApp.
The new FATF guidance drops the term “facilitate” and instead adopts a more functional “owner/operator” criterion, whereby “creators, owners, and operators … who retain control or influence” over the DApp may be VASPs even though the project may appear decentralized.
FATF, under the new “owner/operator” test, states that indicia of control include exercising control over the project or maintaining an ongoing relationship with users.
The test is this:
- Does a person or entity have control over the assets or the protocol itself?
- Does a person or entity have “a commercial relationship between it and customers, even if exercised through a smart contract”?
- Does a person or entity profit from the service provided to customers?
- Are there other indications of an owner/operator?
FATF makes clear that a state must interpret the test broadly. It adds:
“Owners/operators should undertake ML/TF [money laundering and terrorist financing] risk assessments prior to the launch or use of the software or platform and take appropriate measures to manage and mitigate these risks in an ongoing and forward-looking manner.”
The FATF even states that, if there is no “owner/operator,” states may require a regulated VASP to be “involved” in DeFi project-related activities… Only if a DeFi project is completely decentralized, i.e., fully automated and outside the control of an owner/operator, is it not a VASP under the latest FATF guidance.

It is regrettable that a principle of neutrality of blockchain networks has not been established, similar to the principle of neutrality of networks and technical intermediaries of the internet (established by the European directive on electronic commerce more than 20 years ago).
Indeed, the purely technical developers of DeFi solutions often have no practical means of performing the checks imposed by AML/CFT procedures within the design of current DApps. The new FATF guidance will likely require DApp developers to put Know Your Customer (KYC) portals in place before users can use the DApps.
Application of securities law?
We are all familiar with the legal debate that has become classic when it comes to qualifying a token: Is it a utility token, now subject to the regulation of digital assets (ICOs and VASPs), or is it a security token that is likely to be governed by financial law?
We know that the approach is very different in the United States, where the Securities and Exchange Commission (by applying the famous “Howey Test”) qualifies as securities tokens that would be seen as digital assets in Europe. Their approach is, therefore, more severe, and this will certainly result in more prosecutions of “owners” of DeFi platforms in the U.S. than in Europe.
Thus, if DeFi services do not involve digital assets, but tokenized financial securities as defined by the European Markets in Financial Instruments Directive (MiFID Directive), the rules for investment services providers (ISPs) will have to be applied. In Europe, this will be a rare case as the tokens traded would have to be actual financial securities (company shares, debt or investment fund units).
However, national regulations are likely to apply. For example, in France, it will be necessary to determine whether the regulation on intermediaries in various goods (Article L551-1 et seq. of the Monetary Code) applies to liquidity pools.
Indeed, pools allow clients to acquire rights over intangible assets and hold out the prospect of a financial return. In theory, it can no longer be ruled out that the Autorité des marchés financiers (AMF) decides to apply this regime. As a consequence, an information document would have to be approved by the AMF before any marketing.
However, in practice, there is not one person who proposes the investment, but a multitude of users of the DApp who bring their liquidity in a smart contract coded in open source. This brings us back to the test proposed by the FATF: Is there an “owner” of the platform who can be held accountable for compliance with the regulations?
The MiCA regulation
On November 24, the European Council decided its position on the “Regulation on Cryptoasset Markets” (MiCA), before submitting it to the European Parliament. It is expected that this fundamental text for the cryptosphere will be adopted by the end of 2022 (if all goes well…).
The draft EU regulation is based on a centralized approach by identifying a provider responsible for operations for each service, which does not work for a decentralized exchange platform (like Uniswap) or a decentralized stablecoin.
We should think about a legal system that takes into account the automated and decentralized nature of blockchain-based systems, so as not to impose obligations on operators who have no material means of complying with them, and so as not to hinder innovation by removing the very driver of progress: decentralization.
Europe has already shown itself capable of subtle arbitration in matters of technological regulation if we refer in particular to the proposal for a European Union regulation on artificial intelligence. This approach could serve as a source of inspiration.
Regardless of the balance chosen by the regulator, investors should become as informed as possible and pay attention to the technological, financial and compliance risks before undertaking a DeFi transaction.
As for DeFi application developers and service providers in this field, they must remain attentive to regulatory developments and cultivate a culture of transparency in their operations to anticipate regulatory risk as much as possible.
This article was co-authored by Thibault Verbiest and Jérémy Fluxman.
This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.
The views, thoughts and opinions expressed here are the authors’ alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Thibault Verbiest, an attorney in Paris and Brussels since 1993, is a partner with Metalaw, where he heads the department dedicated to fintech, digital banking and crypto finance. He is the co-author of several books, including the first book on blockchain in French. He acts as an expert with the European Blockchain Observatory and Forum and the World Bank. Thibault is also an entrepreneur, as he co-founded CopyrightCoins and Parabolic Digital. In 2020, he became chairman of the IOUR Foundation, a public utility foundation aimed at promoting the adoption of a new internet, merging TCP/IP and blockchain.
Jérémy Fluxman has been an associate at international law firms in Paris and Luxembourg in the fields of private equity and investment funds, as well as at a Monaco law firm since 2017. He holds a master II in international business law and is currently an associate at the Metalaw firm in Paris, France where he advises on fintech, blockchain and crypto-finance.