DeFi Regulation: With Rapid Growth, Regulatory Status and Compliance Requirements Remain Unclear

DeFi’s extraordinary growth has been one of cryptocurrency’s biggest stories of 2020. The total value received by DeFi protocols has risen substantially throughout the year, with September’s total tripling month-over-month to more than $26 billion. Despite a slight overall dip in October, the weekly figures reveal that activity is picking up again now at the end of the month.

However, questions abound as to how DeFi platforms should be treated under the Bank Secrecy Act, securities laws, and other regulations pertaining to compliance and safety. DeFi platforms can theoretically run autonomously without human intervention and generally never take custody of funds, leading some to argue that they can’t be regulated. However, many DeFi platforms are, in fact, centralized enough that the teams behind them can block risky transactions and take other actions against potential criminal activity, suggesting that they can be regulated like other cryptocurrency platforms.

Below, we’ll discuss DeFi’s growth to date and some of the questions around decentralized platforms’ regulatory obligations.

Breaking down DeFi and its explosive growth

DeFi stands for decentralized finance, and most DeFi platforms fall into the category of decentralized applications (dApps or DeFi applications) built on top of smart contract-enriched blockchains — primarily the Ethereum network. dApps can fulfill specific financial service functions governed by underlying smart contracts, meaning they can execute transactions — trades, loans, etc. — automatically when specific conditions are met. Most dApps build liquidity by crowdsourcing funds from users who believe in the project’s mission, and from there can put those funds to productive use as governed by the protocol. Without the need for centralized infrastructure or human governance, dApps can enable users to execute financial transactions with lower fees than other fintech applications or financial institutions.

Decentralized exchanges (DEXs) are the most popular type of dApp, as we see in the chart below breaking down DeFi’s growth by platform. DEXs allow users to buy, sell, and swap different tokens built on a specific blockchain (again, primarily Ethereum) directly between one another’s wallets for greater privacy and security.

Most DeFi growth this year can be attributed to four platforms: Uniswap (both its first and second versions), Kyber, Curve Finance, and 1inch Exchange. All five are DEXs, with 1inch Exchange being an aggregator that gives users access to a variety of assets across several different DEXs.

The chart above shows the total value received in 2020 by DeFi platforms broken down by average transfer size. The data suggests that most individuals sending funds to DeFi platforms are retail users, as the vast majority of transfers are under $10,000 worth of cryptocurrency. However, professionals drive the DeFi market, with most of the value sent to platforms coming in transfers above $10,000, and 47% of the total coming from transfers above $100,000.

Finally, in the chart below, we see funds sent to DeFi platforms from illicit sources throughout 2020.

The data shows that DeFi platforms have less exposure to illicit activity than the cryptocurrency ecosystem as a whole. In our 2020 Crypto Crime Report, we found that 1.1% of all cryptocurrency transaction volume was received or sent by an address associated with illicit activity. Overall in 2020, just 0.05% of all funds received by DeFi platforms came from addresses associated with criminal activity, and 0.07% of all funds sent by DeFi platforms went to such addresses.

What are the regulatory responsibilities of DeFi platforms?

Most cryptocurrency platforms take custody of users’ funds and have teams in place to internally manage funds that have been deposited, maintain order books, and address problems that arise for customers, much like a conventional financial institution. But DeFi platforms are, at least in theory, governed by self-executing blockchain code, meaning they can run on their own without any team or company maintaining them. They don’t generally take custody of users’ funds at any point, instead routing them between individual wallets based on the platform’s underlying protocol. And since they don’t behave as an active intermediary in the same way other cryptocurrency platforms do, some argue that DeFi platforms aren’t subject to the same regulations as conventional money services businesses, such as the Bank Secrecy Act, U.S. securities laws, and other compliance requirements.

Of course, even operating under the premise that DeFi platforms are truly decentralized in this way, there would likely still be questions regulators need to clear up. Who audits a DeFi platform’s code? Who deals with vulnerabilities? Who helps victims of DeFi-related scams and other forms of financial crime? That’s why others have argued that regulatory agencies would likely explore other means of enforcing the law on DeFi platforms, regardless of whether or not they’re associated with a formal company.

But, as cryptocurrency researcher Ryan Selkis points out in a recent newsletter, the argument is moot at the moment, because most DeFi platforms do currently have core teams behind them capable of updating protocols to freeze user funds or block transactions if need be. This became most evident in the aftermath of the KuCoin hack in September, when cybercriminals attempted to launder stolen funds by swapping them on DEXs like Uniswap and Kyber. The teams behind those projects froze some of the digital assets controlled by the hackers, showing that the platforms are not as decentralized as some narratives would suggest.

Ultimately, regulators will determine how to enforce existing DeFi regulations on platforms, or, if necessary, create new ones to protect the integrity of the financial system. Given the fact that the biggest DeFi platforms have the ability to do things such as freeze funds, and have demonstrated their willingness to do so in cases of egregious cybercrime (such as the KuCoin hack), DeFi teams have the ability to be proactive in taking preventative action and cooperating with law enforcement in situations that call for it.

DeFi teams that implement transaction monitoring, know your customer (KYC), and anti-money laundering (AML) protocols, as well as traditional compliance programs, will likely be in a much better position when DeFi regulations are put into place.