DeFi Is Like Nothing Regulators Have Seen Before. How Should They Tackle It?

Without middlemen to deputize, the SEC and other regulators will have to rethink their approach to enforcement. A lot could go wrong.

Oct 19, 2021 at 2:57 p.m. UTC
Updated May 11, 2023 at 4:57 p.m. UTC

The cryptocurrency industry is going through a period of intense growing pains. Like a lanky tween, it is running faster and jumping higher than ever before, thanks to major milestones such as bitcoin adoption in El Salvador, a continuing surge in non-fungible token (NFT) interest and ever more involvement from established players like Visa.

But, again like an ambitious adolescent, the newly empowered crypto sector is also bumping awkwardly into the constraints imposed by society. Gary Gensler’s Securities and Exchange Commission seems determined to be crypto’s strict disciplinarian, laying down the law about curfews, hemlines and exchange-traded funds. For nearly a decade, crypto regulation was absent or scattershot. The trade-off for crypto’s adulthood will be much stricter oversight by the graybeards who make the rules.

This feature story is part of CoinDesk’s Policy Week, a forum for discussing how regulators are reckoning with crypto (and vice versa).

The metaphor of crypto-as-teenager, though, breaks down on one front: decentralized finance (DeFi). In functional terms, DeFi protocols are venues for trading or lending crypto tokens and derivatives. But unlike a conventional crypto exchange like Coinbase or Kraken, DeFi protocols exist across a swarm of validating and coordinating nodes rather than as a single portal and matching engine run by an incorporated legal entity.

Furthermore, at least in theory, a DeFi protocol can exist without the formal leadership with which regulators would normally interact. This is a particular challenge for regulators because many existing DeFi systems are designed without any requirement that users reveal their identities. Again, that’s a stark contrast with entities like Coinbase and Kraken, which have comprehensive “know your customer” processes.

This matters because DeFi is a potential vector for all three of the key risks that financial regulators are tasked with controlling. One is criminal activity, including money laundering, tax evasion and terrorist financing (though these activities already appear very limited across crypto systems). The second is fraud, which was on major display with a series of fake or deceptive token sales during the 2017 initial coin offering (ICO) boom – facilitated by early iterations of DeFi. The third target is systemic risk. DeFi and crypto still probably aren’t large or influential enough to trigger broader financial contagion in the event of a major market collapse or system failure, but you no longer have to engage in wild speculation to foresee that level of influence in the future.

Traditionally, regulators rely immensely on the people running trading services to control those risks by monitoring their customers and suspicious activity on their platforms. The leaders of traditional financial services themselves sometimes become the linchpin of enforcement – the responsible arm the SEC twists to get what it wants.

Without those pressure points, things will get tricky. “It’s going to be very difficult to regulate DeFi. Much harder than crypto,” says Katherine Kirkpatrick, co-chair of the financial services practice at King & Spalding. “The ultimate question, beyond how to regulate, is how do you enforce the rules? How do you make someone accountable for breaking the rules? It doesn’t make sense to regulate if you have no enforcement mechanism.”

In other words, trying to regulate DeFi is a bit like trying to parent a super-powered 14-year-old who can fly, teleport and turn invisible at will.

Should DeFi be Regulated?

Of course, that demands a question: If you had a kid like that, would you want to lay down the law at all? When something new appears in the world, should we immediately start building fences around it, or give it the space to see just how powerful it is?

Premature or misguided regulation could certainly stifle innovation and growth in DeFi. “If you try to regulate the technology itself rather than activity, you’re going to wind up having unintended consequences,” says Duane Pozza, formerly assistant director in the Division of Financial Practices at the Federal Trade Commission and now a partner at the law firm Wiley Rein. That could lead to “crushing the technology and probably not even stopping the [unlawful] activity.”

For better or for worse, though, regulators usually don’t think like that. “If they think something is enabling mass money laundering,” says Pozza, “they’re not going to sit on their hands.”

Despite the risk of misguided overreach, though, there are good reasons to want a regulatory framework for DeFi. Above all, it would make the fundamental advantages of the technology accessible to many more participants, particularly public companies and regulated institutions. That’s especially true now that the idea of private blockchains created by large banks has mostly fizzled out, according to Michael Shaulov, CEO and cofounder of Fireblocks, a DeFi custody and infrastructure provider.

“In the last 10 years, most financial institutions recognized that blockchain and DLT is the future,” says Shaulov, referring to distributed ledger technology. “Now they have quite a few good use cases, but what they all want to do is disintermediate. Uniswap is something that replaces for them the Nasdaq [market].”

Shaulov says he has frequent conversations with large players interested in DeFi, but the current U.S. regulatory landscape is a barrier. Using DeFi in its current state could expose banks like JPMorgan to money laundering or fraud risk.

That’s a major reason the DeFi platform Swarm Markets made the unusual decision to move from a largely unregulated jurisdiction to one with more oversight. The platform launched in the United States in 2018, but the ambiguity of the rules there soon became a constraint.

“The effective tone [of U.S. regulator statements] was, ‘We don’t know, and because we don’t know, we’re not going to make a ruling,’” according to Philipp Pieper, Swarm Markets’ co-founder. “It stated very clearly no one was willing to risk the current structure of the market.”

In mid-2018, Swarm started looking at alternatives, including other lightly regulated domiciles like Malta and Cyprus. “It was clear that wasn’t where things were going to happen,” Pieper chuckles.

Then in 2019, Germany passed new rules clarifying regulation of a variety of crypto-assets, including tokenized securities. Swarm Markets chose to relocate to Germany because that clarity gave it a firm platform for growth, while maintaining the key advantages of DeFi for institutions, including self-custody, decentralized liquidity provision and transparency.

“Controlling my own assets … and choosing whatever custody provider I see fit, that’s a huge differentiator versus putting a couple hundred thousand into a centralized exchange,” says Timo Lehes, managing director at Swarm Markets. Swarm users can also contribute to a liquidity pool and earn fees or yield much as through other DeFi protocols.

Finally, the transparency of a system that records orders to a public blockchain improves market fairness by making manipulation easier to spot. Running a regulated centralized exchange “involves all these questions about how you create an unbiased system,” says Pieper. But “all of that is answered very cleanly if you build transparently, and show all that to the regulator. Our [regulatory] application documents got thinner and thinner.”

Know your customer

Of course, there is a trade-off here and one that will understandably raise the ire of crypto purists. “The result of being a licensed outfit is that we have to do an extensive amount of customer due diligence,” says Pieper. “KYC [know your customer], AML [anti-money laundering] and chain analytics. From a customer perspective, it’s no different from what you get today on a centralized exchange.”

By the same token, Swarm Markets has a degree of centralized control built into its system. “If we’re forced by regulators [we can] suspend a user. It could follow that basically funds are frozen, but it’s not that we can then take control of those funds.”

Customer oversight also impacts flows between DeFi protocols and pools, which could soon involve a sharp divide between “clean” and “dirty” operations. Funds from a platform with weak KYC likely won’t be free to flow into regulated and “whitelisted” pools like Swarm Markets’ because it would re-introduce the counterparty risk institutions want to avoid.

It’s an undeniably bitter pill. However, DeFi and crypto technologies also promise a variety of advancements to the KYC process that could make it more palatable. For instance, zero-knowledge proofs could be used to provide verification of a trader’s eligibility without revealing their identity to a regulated DeFi protocol. Under such a regime, traders could remain completely anonymous unless and until law enforcement subpoenaed their identity records from a protocol, substantially preserving user anonymity.

A related idea is “portable” KYC, which could allow a clearance from one trading venue to be used on another; that could include getting cleared by a centralized exchange like Coinbase and then using that credential elsewhere, possibly with an NFT housed in the KYC’d wallet. Both innovations, though, would require significant regulatory reform to enact.


Is a DAO a person?

The return of some sort of end-user KYC may be inevitable for any workable DeFi regulation. But on other frontiers, there are strikingly new questions that deserve innovative regulatory approaches.

Biggest among these is the question of how regulators should approach truly decentralized systems. In principle, DeFi systems have bootstrapping mechanisms that rhyme with Bitcoin’s, with protocols that distribute native tokens in exchange for liquidity deposits. That means a system can have basic rules written by one developer or a small team and potentially grow to the size of a major hedge fund or beyond. In theory this could also include decentralized governance by the user community, making such platforms a species of decentralized autonomous organization (DAO).

To be clear, not all DeFi systems are as decentralized as advertised. But some truly do seem to be exactly what they say: asset markets run by a distributed community rather than a middleman. SushiSwap, which arose from a fork of the more centrally run Uniswap, was one example that sources placed on the more authentically decentralized end of the scale.

On one level, this isn’t as complex to regulate as it might sound, according to Stephen Palley, a partner specializing in crypto at the law firm Anderson Kill.

“Lawyers invented robots,” he says. “The corporation is a legal fiction – it has personhood under the law. We have a very robust series of laws that explain what that means.”

That means a DAO, like a corporation, could be the target of legal or regulatory judgments, even if it had no formal leaders.

“We’re starting to see that – who’s responsible for decisions made by an AI? Is it a software developer, is it code?” asks Palley. “For it to be a code, you have to recognize legal personhood for software. It sounds goofy and science-fictiony, but it’s not too far over the horizon.”

That leaves the question of enforcement a bit up in the air, since there’s no clear mechanism for a national regulator to force decisions onto an effectively stateless entity. But the variety of on- and off-ramps to any crypto system could become chokepoints for enforcement. At an extreme, a government could make it illegal for citizens to transact with a rogue DAO.

The state I’m in

The unhappy truth is that such hypothetical extremes will likely become reality if DeFi continues to grow. Regulators exist to regulate and have little stomach for powerful entities floating beyond their oversight. The modern state’s monopoly on violence as the endpoint of law enforcement will likely find some way to control your access to protocols living in the cloud.

There will undoubtedly be plenty of committed crypto-anarchists willing to test the resolve of regulators. For operators of DeFi systems, there will always be jurisdictions beyond the reach of tough regulation, and it seems plausible that small-time users who take sufficient privacy precautions will continue to take the risk of using them.

Even if they get pushed to the margins, such “pure” DeFi systems will continue to have social value as borderlands of innovation and privacy. In the broader sweep of history, they will be testing grounds for new forms of digital statelessness.

But for those interested in building on DeFi and leveraging most of its advantages to improve the financial system, there will be trade-offs even in the best-case scenario. That may not sound like much fun, but growing up rarely is.


David Z. Morris

David Z. Morris was CoinDesk's Chief Insights Columnist. He holds Bitcoin, Ethereum, and small amounts of other crypto assets.
