European Union states continue to take significant steps towards improving crypto assets regulation.
Regulation of operations with crypto assets at the EU level is extremely important for participants in the crypto market. As of today, different countries of the European Union have different rules and approaches to the regulation of operations with crypto assets. The EU sees a clear need for harmonising international rules to combat money laundering and terrorist financing.
After two years of negotiations, the European Council and Parliament introduced new crypto legislation in June 2022 that ensures traceability of crypto-assets and, for the first time, offers a regulatory framework for digital asset businesses. The document that has been prepared and (almost) adopted is known as the Markets in Crypto Assets Regulation (MiCA). It will define a unified legal field of activity and regulate the operations of various players in the cryptocurrency market (crypto exchanges, issuers of crypto assets, crypto service providers, etc.). The new MiCA rules are expected to take effect in 2024, following final agreement in February 2023.
However, the long procedure of coordination and adoption of regulatory documents, and the rapid development of new areas in the crypto-asset market, have led to a situation in which the document already needs some improvement before it has even taken effect.
MiCA Rules: overview
The MiCA rules establish the creation of a public register for non-supervised and non-compliant crypto asset service providers, without which EU providers would not be allowed to trade. The MiCA framework covers crypto assets that are not yet regulated by other EU financial legislation. Under the new MiCA rules, crypto service providers will be liable in case of loss of investors’ assets and will be subject to European rules on market abuse, including market manipulation and insider trading. Lawmakers have hailed MiCA rules as the world’s first comprehensive regime for crypto assets.
For stablecoins, the rules set out strict requirements for creation, authorisation, and reserve management, including EU oversight of significant stablecoins that are of systemic importance. Crypto Asset Service Providers (CASPs) must also be authorised in the EU, and they should be able to provide their services throughout the Union using an EU passport. As a result, MiCA rules provide legal certainty for market participants and encourage innovation in the single market, with a new EU passport for cryptocurrency service providers.
The MiCA rules don’t cover some emergent developments in the crypto space, such as non-fungible tokens and decentralised finance (DeFi) projects. In this blog we want to focus on a new area of the crypto-assets market that is not yet regulated by legal norms, namely DeFi.
What is DeFi?
Decentralised finance has brought a new and rapid stage in the development of the crypto market. There is no single definition of DeFi. Decentralised finance imitates many traditional financial transactions and services (such as lending, exchanges, saving, investing, sending remittances and insurance), but with one key difference – DeFi transactions are carried out in the absence of any intermediaries. All DeFi services are created using smart contracts on various blockchains. The peculiarity of DeFi operations is the absence of any national borders and the possibility for almost any person (with internet access and minimal computer knowledge) to download one or several DeFi crypto wallets for free and start using DeFi opportunities.
The DeFi market is developing rapidly. We have been observing its active development for only 2 years – starting in the second half of 2020 (Figure 1). DeFi market capitalization and volumes are tiny compared to traditional financial markets. However, the growth potential of the DeFi market is significantly greater than the potential of traditional finance markets. Even in 2022, a difficult year for global financial markets, the DeFi market demonstrated a certain stability and significant development potential.
Figure 1. Total Value Locked (USD) in DeFi Applications
(Source: BanklessTimes, 2022, https://www.banklesstimes.com/defi-statistics)
2022’s ‘Crypto winter’, in which there were multiple significant drops in the value of various DeFi assets and bankruptcy for many DeFi market projects (such as Terra [involving Luna and their stablecoin UST], Celsius Network, 3 Arrows Capital, Babel Finance, Voyager Digital, BlockFi etc.) did not reduce the popularity of the DeFi industry. The number of users of this industry is constantly growing (to more than 5 million people so far), and new projects are appearing. The amount of funds on the market is still estimated at tens of billions of US dollars.
Two years ago the majority of all DeFi operations were carried out on the Ethereum blockchain, but in the last two years alone we have seen the creation and development of thousands of projects on various blockchains. There are already more than one hundred (see Figure 2).
Figure 2. The Value Locked (USD) in different DeFi Blockchains (%)
(Source: https://defillama.com, 2022)
Thanks to the DeFi market, users have the opportunity (in addition to the trade of various cryptocurrencies) to carry out financial operations such as yield farming, crypto staking, margin trading and liquidity mining on different distributed ledger platforms. However, it is worth noting that the implementation of all DeFi transactions involves many risks that cannot be eliminated or compensated. None of the users is immune from mistakes. Most of the users are inexperienced (or less experienced), so errors in DeFi transactions are quite common.
A significant problem area in DeFi is smart contracts. Many projects are created quickly and their smart contracts are not properly audited, so there is a significant possibility of errors in smart contract codes. Fraudsters often use these errors and steal all the funds. 90% of lost funds in DeFi were related to bug exploits. The almost complete anonymity of DeFi transaction participants makes them vulnerable to cyberattacks, hacks, and scams. In case of theft of their funds, it is impossible not only to return the lost funds but often even to prove the fact of theft. There is no consumer protection on the anonymous market.
DeFi and Know Your Customer rules
The availability of operations on the DeFi market, their decentralisation, speed, ease of implementation, the absence of any borders and any restrictions make this market attractive not only for honest participants. Illicit actors have been active participants in the DeFi market from the very beginning. Their purpose is diverse – starting with fraudulent operations aimed at deceiving users and seizing their funds (for example, creating fake crypto assets and trying to sell their tokens, fraudulently obtaining access passwords to crypto wallets, stealing funds from smart contracts in which bugs have been identified etc.) to the implementation of operations related to money laundering and terrorist financing.
DeFi is a new market. Accordingly, the rules and norms of its regulation practically do not exist. A decentralised market also means that KYC (Know Your Customer) and due diligence procedures are either not carried out at all, or are carried out by certain projects at their own discretion (in most cases informally) since there are no regulatory requirements as yet.
For example, let’s compare the possibility of opening an account on a centralised crypto exchange (e.g. Binance, Huobi, Kraken) and a decentralised account (e.g. Metamask, Trust Wallet, Coinbase Wallet). Registering accounts on a centralised exchange and opening a DeFi wallet is equally easy (it takes a few minutes), but there are differences. Usually, most centralised crypto exchanges (especially those registered in the USA and the EU) will allow you to carry out any operations (funding, withdrawal, trading operations, etc.) only after passing the proper KYC procedure. At the same time, going through the KYC procedure in centralised crypto exchanges often is not much different from the same procedure in banks. The client of a crypto exchange is usually identified, although there are many cases of registration of accounts on crypto exchanges with fictitious persons.
The opposite is the case with DeFi crypto wallet registration. In the vast majority of cases, no customer identification procedure is applied. To register, you only need to create a password (preferably a complex one) and remember a seed phrase (a set of 15-20 random words). Usually, this is enough to create a DeFi wallet and carry out any operations. Most wallets don’t even ask for your email or other contact details. One person can create many crypto wallets (the main thing is not to forget the passwords and seed phrases, otherwise access to the funds will be lost completely). With the help of DeFi exchanges (DEXs) or different DeFi platforms, you can carry out almost any operation on the crypto market.
Such opportunities are extremely attractive to criminals, as it is extremely difficult to track transactions from many unverified DeFi wallets. Of course, if you have the wallet address, you can view all the transactions made. This information is public. However, it is extremely difficult to prove who exactly carried out these transactions, especially if criminals use different blockchains, cryptomixers, or open new DeFi wallets every time they carry out transactions.
DeFi regulation: challenges
Regulatory bodies and central banks in many countries of the world (in particular in the USA, the European Union, the UK) have begun to focus their attention on the DeFi market and the potential challenges that decentralised autonomous organisations (DAOs) and anonymous DeFi market participants create for governance and oversight.
Regulatory bodies have made significant progress in creating a legal framework for regulating transactions with crypto assets for centralised intermediaries (e.g. 6AML Directive, Travel Rules, MiCA rules). Increasingly, we see crypto exchanges being penalised for violating AML/CFT legislation. For example, in November 2022, US-based crypto exchange Kraken agreed to pay $362,158 to settle OFAC’s claims of violating sanctions against Iran. Kraken had violated US sanctions by allowing Iranian citizens to be customers of the exchange. In the period from October 2015 to June 2019, such clients conducted transactions worth more than $1.68 million. US sanctions prohibit the export of any American goods, technologies and services to Iran, and particularly digital ones. OFAC found that Kraken misused tools that identify users’ geolocation and IP addresses. This allowed them to bypass the blocking of users from countries that are subject to sanctions. As part of the settlement, crypto exchange Kraken has agreed to invest $100,000 in sanctions compliance tools. They plan to spend this money on training and technical measures to help them more thoroughly check the sanctions rules.
There are already quite a few examples of fines being imposed on centralised crypto market participants. In 2021, the crypto exchange BitMex agreed to pay a $100 million fine to settle charges with the Financial Crimes Enforcement Network (FinCEN). BitMex failed to maintain AML controls and procedures and was found to have facilitated over $209 million in illegal transactions with darknet markets and unregistered money service businesses. The cryptocurrency arm of Robinhood Markets Inc reached a $30 million settlement agreement with the New York Department of Financial Services (NYDFS) after a probe into its cybersecurity and anti-money laundering (AML) practices. It is worth noting that sanctions are mainly applied to those institutions in the crypto assets market that are registered in the USA or the European Union. Typically, most crypto exchanges are registered in countries with liberal crypto market regulation, and sanctions for AML/CFT violations are difficult to apply to them.
While noting the progress in the regulation of the centralized crypto market, we also see that the regulation of the DeFi market has been largely ignored. Formally, all DeFi transactions are regulated today by the same rules as all operations with crypto assets through centralised intermediaries. At the same time, the specifics of the DeFi market (anonymity and the absence of intermediaries) are not taken into account. Considering that DeFi transactions are usually anonymous, it is quite difficult to create a legal framework and define the regulation of DeFi transactions. It is difficult to determine to whom to apply sanctions, if the DeFi market projects do not have legal registration at all.
The regulators are faced with a serious problem – the modern system of regulation (i.e. centralised finance) provides for the presence of intermediaries whose activities are regulated and who are required to control their clients’ transactions. The regulation of centralised crypto exchanges followed the same path. In fact, the requirements for the regulation of centralised crypto intermediaries will, in the near future, be identical to the requirements for banks (especially in the area of AML/CFT). Yet, the DeFi market is decentralised and global. Its participants do not interact with any centralised financial institutions. In fact, the DeFi ecosystem is a closed type system and can rarely interact with traditional finance. At the same time, the participants of the DeFi ecosystem are anonymous and do not need to identify themselves.
For regulators, anonymity of transactions is a significant problem. In the case of DeFi transactions, it is practically impossible to block user accounts that have received AML/CFT funds. For example, if such funds were received as a result of an exchange (swap) on decentralised platforms (DEXs), the recipient of the funds does not know from whom they received the funds. Accordingly it is impossible to bring the recipient to justice and there are no legal grounds to block their account. Even if desired, the account holder will not be able to indicate from where they received the questionable funds.
New DeFi regulation approach
Considering the fact that the DeFi market functions without financial intermediaries and anonymously, regulatory bodies need to radically change the approach to building a regulatory framework. MiCA is a progressive document regarding the regulation of the activities of the participants of the centralised crypto market, but the regulation of the DeFi market is practically ignored. Taking into account all the problematic aspects of DeFi market regulation, we believe that promoting the introduction of voluntary standards for DeFi market participants is one of the first steps. A voluntary regulatory framework for DAOs might be a good approach.
The introduction of certain self-regulatory standards for DeFi market participants (dApps developers) is important. Such standards should be introduced primarily for the purpose of protecting market participants, not for regulatory purposes. These might include standards for capital, standards for integrity and openness of operations, standards for the quality and security of smart contracts, and standards in the field of auditing. We have a positive example recently in the field of centralised crypto exchanges, namely the collapse of the FTX crypto exchange. One of the reasons for the collapse was the use of customer funds for risky operations, which undermined trust in centralised exchanges and caused the outflow of funds to DeFi wallets. Other market participants (Binance, KuCoin, OKX, etc.) independently initiated the creation of reserve funds and disclosed information about the formed level of reserves with the possibility of their control by clients.
The introduction of voluntary standards for DeFi software developers and other market participants, the implementation of which would be considered as ‘rules of good tone’ for the market and could contribute to the development of a certain project, would be positive for the development of the DeFi market. Over time, all market participants will be able to follow such voluntary rules, which will reduce the level of fraud in the market and the number of unscrupulous players.
DeFi project developers can independently raise the standards of the DeFi market. Developers can independently include in their software programs the need to undergo KYC and due diligence for their clients, and the possibility of checking compliance with AML/CFT requirements. In addition, the introduction of certain standards in the DeFi market will have a positive effect not only on the developers of DeFi programs, but on all market participants. In the vast majority of cases, a DeFi project will have better development if it conforms to generally accepted industry standards. Bona fide market participants will not worry that their accounts may be blocked or compromised.
Prosecuting the anonymous actors of the DeFi market is difficult, but possible. In our opinion, the developers of DeFi programs can be prosecuted for non-compliance with the requirements of regulatory bodies. Some active DeFi market participants (creators, owners, operators or others who maintain control or sufficient influence in the DeFi arrangements) may fall under the FATF definition of a virtual asset service provider (VASP) where they are providing or actively facilitating VASP services.
In summary, we see the need for the regulatory authorities to comprehensively study the DeFi market and its development potential. Many steps need to be taken to introduce performance standards for many participants of this market. In our opinion, self-regulation of the DeFi market at this stage can be effective. It is important to create prerequisites for the development of self-regulatory standards.
Department of the Treasury (2022) ‘Enforcement Release: November 28, 2022. OFAC Settles with Virtual Currency Exchange Kraken for $362,158.70 Related to Apparent Violations of the Iranian Transactions and Sanctions Regulations’. Available at: https://home.treasury.gov/system/files/126/20221128_kraken.pdf (Accessed: 29 November 2022).
Kyckr (2021) ‘White Paper: AML Fines Report 2021’, 7 November. Available at: https://www.kyckr.com/resourcegated/aml-fines-report-2021 (Accessed: 29 November 2022).
Authors: Bogdan Adamyk and Vladlena Benson, Aston University