Decentralized Finance (DeFi) is a rapidly growing but nascent industry. It utilizes blockchain technology to add functionality to the next iteration of the Internet–Web3, that empowers consumers and businesses to use financial services in a cost efficient and independent manner, and provides them with an opportunity to participate in a new financial system. If properly developed and deployed, the proliferation of DeFi will lead to greater financial inclusion, consumer participation, and market efficiencies than the legacy financial system. At the time of writing, the total market capitalization of DeFi projects is approximately $42 billion (with an all-time high of approximately $173 billion) while total value locked (TVL) in such projects sits at approximately $38 billion (with an all-time high of approximately $178 billion). While these nominal amounts are not large when compared to total amounts in the global financial system, DeFi’s exponential growth, along with its novel approach to financial services, have caught the eyes and concerns of policymakers around the globe.

The G20, the Financial Stability Board, and other international standards setters, along with central banks, regulators, and finance ministries worldwide are currently studying how DeFi works and its benefits and risks. However, DeFi is often misunderstood both as a concept and as a sector. We at the Crypto Council for Innovation (CCI) prepared this white paper to contribute to the public discourse on DeFi.

As policymakers consider regulatory approaches to DeFi and the challenges to regulating decentralized financial services that have no obvious entities in control, we put forward a regulatory approach to DeFi that mitigates financial safety and soundness concerns, and financial stability risks, while also protecting consumer end-users and fostering innovation. We outline critical elements for an effective DeFi regulatory framework that are feasible, suitable, and proportionate for regulators and DeFi innovators.

CCI’s Key Elements of an Effective DeFi Framework: Summary Points

• A DeFi regulatory approach should adhere to the principle: ‘Same Activity, Different Risks, Different Regulation BUT Same Regulatory Outcome’ (NOT ‘Same Activity, Same Regulatory Outcome’). DeFi may provide services similar to those provided by traditional finance (TradFi), but the risks can be fundamentally different For example, traditional lending activities have credit and liquidity risks, while DeFi lending has novel operational and market risks. Therefore, the longstanding regulatory principle ‘Same activity, Same risk, Same regulation’ does not apply well where the risks are very different. A viable regulatory framework for DeFi should take these differences into account. But both TradFi and DeFi regulatory frameworks should achieve the same regulatory outcomes: safety and soundness of participants, financial stability, and consumer and investor protections.

• Defining DeFi: the term ‘DeFi’ refers to the ecosystem of applications and protocols enabled by blockchain technology that provides digital and open access to financial services without a single intermediary or small group of intermediaries controlling the system offering the financial service. DeFi is a subgroup of a broader category of decentralized services and products. By removing the traditional financial intermediary ‘middlemen,’ DeFi holds the promise of lowering access barriers to financial services, reducing bias and fees that had inhibited participation in traditional financial activities, and enhancing overall individual financial sovereignty and opportunity.

• DeFi digital tech stacks: at the top of the DeFi ecosystem are the end-users who use financial services applications (or ‘apps’) that access DeFi protocols, which in turn are built on top of base layer blockchains—all of which essentially form digital technology stacks. 

• DeFi protocols are public goods that should remain accessible to any business building financial services apps and be exempt from regulatory requirements and obligations if they possess certain features. The base layer blockchain is a public good akin to the Internet, while DeFi protocols are reminiscent of Web1 protocols like HTTP, SMTP, and FTP. These served as public goods, enabling innovators to develop applications and businesses during the early days of the Internet (like AOL, Gmail, and MS Outlook). DeFi protocols should continue to act as public goods, and any regulatory model should acknowledge and encourage this categorization. 

• To be exempt from regulatory requirements, DeFi protocols must exhibit five features, namely: (1) decentralized, (2) open source, (3) autonomous, (4) standardized, and (5) non-discriminatory access and use, to be ‘Public Good Protocols’. DeFi protocols should be encouraged to act as public goods for the global financial ecosystem and meet certain baseline criteria to ensure they are sufficiently safe to act as digital public infrastructure that adds new functionality to the Internet.

  To foster Public Good Protocols, DeFi protocols should be encouraged to possess these critical characteristics, which would therefore exempt them from financial regulation:

1. 1. Decentralized: This paper puts forth two critical tests to determine a protocol’s decentralized status. First, no single person or the managerial efforts of a specific or limited group of persons can (i) control or fundamentally alter a protocol’s purpose or code; (ii) control user funds or assets; (iii) reverse transactions; or (iv) restrict access to the protocol. Second, a decentralized protocol must be built on a public and permissionless blockchain to help ensure the protocol’s decentralized and non-discriminatory nature. For the purposes of this paper, base layer blockchains are assumed to be public and permissionless.

   2. Open source: The protocol’s software should be open source, enabling the public to view, contribute to and learn from the protocol’s technology. This avoids vendor lock-in, helps to quickly identify and fix errors, and fosters network effects through community engagement.

   3. Autonomous: The protocol’s smart contracts should be self-executing, meaning the rules and actions are predetermined. The autonomous nature of the protocol’s smart contracts ensures the protocol’s credible neutrality (i.e., that the protocol will not discriminate against individuals or types of transactions).

   4. Standardized: Protocols should use existing technical standards and/or take steps to maximize their potential composability and interoperability.

   5. Non-discriminatory access and use: Protocols should allow users to freely access and use the system as a form of public good. As mentioned under the ‘decentralized’ characteristic above, protocols should be built on public, unbiased and non-discriminatory blockchains (i.e., permissionless).

Benefits of Public Good Protocols

• Financial applications built on Public Good Protocols can leverage the open, neutral, and decentralized nature of the protocol technology to offer new and low-cost financial services that will form a critical part of the next iteration of the Internet (i.e., Web3)—one that mitigates many of the risks in the TradFi system through increased transparency, innovative forms of governance, and enhanced security.
  
  We outline some of DeFi’s benefits in this paper, including:

1. 1. Reducing counterparty risks. The intra-transaction composability of smart contracts allows multiple actions to be executed within a single transaction. This feature reduces the reliance and trust needed for numerous parties to effectively facilitate custody, escrow, clearing, and settlement. In addition, the self-custodial nature of Public Good Protocols empowers the end-user to utilize a broader set of customizable services through programmable smart contracts.

   2. Improving financial inclusion and access. Historically, marginalized communities have faced various forms of exclusion from the traditional financial system, limiting their access to basic financial services and opportunities to grow wealth. DeFi’s inherent qualities, such as unbiased permissionlessness, composability, and self-custody, also support greater access to financial services while reducing rent-seeking intermediaries. DeFi can also help promote growth and efficiencies in emerging markets and mitigate access challenges in disruptive regimes.

   3. Increased transparency. The visibility of on-chain transactions also provides a rich data source for real-time risk management while reducing information asymmetries. As a consequence of this transparency and decentralization, public blockchains act as a public good in the form of financial infrastructure by providing neutral, independent, and immutable transaction records, while DeFi protocols act as another public good in the financial infrastructure by providing accessible and unbiased operations.

   4. Improving security and resilience. DeFi has fewer points of failure relative to Centralized Finance (CeFi)/TradFi alternatives. Distribution of information reduces the likelihood of unilateral changes to the ledger by a single entity. It also reduces the likelihood of a systemic failure of the blockchain. Furthermore, self-custody eliminates counterparty risk exposure to third-party custodians.

   5. Provide participatory stakeholder governance. DeFi protocols can allow participants to participate in the protocol’s governance. For example, many decentralized protocols utilize Decentralized Autonomous Organizations (DAOs) to assist with operations and protocol improvements. They allow members to participate directly in the governance of the blockchain. Persons or parties can become members of DAOs by acquiring governance tokens of the protocol or blockchain. This vehicle provides end-users access to participate in the governance process. DAOs are also subject to the decentralization test and should not be controlled by any single member or through the managerial efforts of a small group of members. 

Risks in Public Good Protocols

• DeFi activities may be similar to those in TradFi, but the risks associated with them can be fundamentally different. The decentralized design of Public Good Protocols may eliminate or significantly reduce traditional financial risks, such as counterparty, credit, and custodial risks, as well as human error, bias, and even corruption/embezzlement, while introducing other risks. Key DeFi risks are often operational, relating to flaws in the design, governance, or interconnections in the decentralized system. Some of these key risks fall into the following categories:

1. 1. Illicit finance/anti-money laundering (AML) risks. Illicit actors have been found to use DeFi services for purposes of money laundering and transferring illicit proceeds. However, the visibility of DeFi transactions enables public tracking of on-chain activity, helping financial authorities to investigate and mitigate laundering. Note: this paper does not explore in-depth how illicit finance regulation should be applied to DeFi. CCI plans to explore illicit finance regulation of DeFi in a companion paper in coming months.

   2. Flawed DAO governance risks. Many DAOs suffer from a lack of active participation by all of their members, leading to an uneven distribution of participation. This concentration of voting participation in active but smaller groups of token holders could lead to protocol governance being concentrated in the hands of a few parties. In turn, these few parties could attempt to benefit at the expense of other DAO members. Much of this uncertainty and risk could potentially be mitigated through regulatory standards regarding decentralized governance.

   3. Cybersecurity risks, including smart contracts and oracle vulnerabilities. While discussion of DeFi cybersecurity risks typically focuses on the resiliency of the underlying blockchain, cybercriminals are more likely to exploit the protocol’s smart contract vulnerabilities. However, the majority of smart contract hacks have been hacks of cross-chain bridges, which are often controlled by a single or small group of parties.

      For DeFi protocols, there are three main types of smart contract vulnerabilities: (i) initiating a flash loan to exploit a smart contract vulnerability, allowing them to drain funds within the bounds of the smart contract; (ii) exploiting token bridge signature requirements to steal investment funds, and (iii) taking advantage of a platform’s reliance on a single oracle by conducting leveraged trading to manipulate pricing and exploit pricing errors. Code audits, bounty programs, and decentralized oracles can help mitigate these risks. We also recommend public-private information sharing and analysis centers

   4. Underlying base layer blockchains risks. DeFi protocols are exposed to risks posed by their underlying blockchains, including validator-related risks. For instance, due to the high transparency of Ethereum, validators through the Proof of Stake (PoS) consensus mechanism can front-run blockchain transactions and selectively order them to their benefit (i.e., maximum extractable value (MEV)). Concentrations of power in the validation process could lead to 51% attacks or validator cartels, leading to blockchain alterations to the benefit of those in control. Depending on specific objectives, alternative consensus mechanisms to PoS, such as Delegated Proof of Stake (DPoS) and Proof of History (PoH), may alleviate the outlined risks by increasing decentralization of the consensus mechanism or bolstering the objectivity of transaction ordering.
      

   5. Interconnections with the traditional financial system. As more TradFi institutions and users engage with DeFi, the interconnectedness between the two sectors will grow. Risks stemming from failures in TradFi can spill over into DeFi and vice versa. For example, stablecoins are crucial in DeFi as they provide the main form of value transfer (i.e., payment) in DeFi systems. But when Silicon Valley Bank failed earlier this year, Circle (the issuer of fiat-backed stablecoin USDC) lost access to $3.3 billion in cash reserves held at the bank, leading to a temporary dollar de-peg for one of the most important payments stablecoins used in DeFi.
      

DeFi Policy Recommendations 

In adherence to the principle of ‘Same Activity, Different Risk, Different Regulation but Same Regulatory Outcome,’ this paper proposes a specific regulatory approach: ‘Regulate Businesses, Not Public Good Protocols,’—which places regulatory obligations on the app-operating businesses.

Following this approach, we propose three policy recommendations:

1. Mandatory Disclosure: A standardized disclosure regime for app-operating businesses that includes information about the underlying DeFi protocol.

2. Independent Certification: The establishment of an Independent Certification Regime Organization (ICRO), which certifies DeFi protocols that meet the ICRO’s criteria, including security code audits.

3. Regulatory Safe Harbor: A safe harbor regime for nascent protocols that aim to decentralize.

We believe this ‘Regulate Businesses, Not Public Good Protocols’ approach prioritizes consumer and investor protection and mitigates financial risks without stifling the benefits of these innovative technologies. It provides many of the necessary economic and regulatory incentives to encourage businesses operating DeFi applications to be in compliance with the applicable laws in the jurisdictions where they are providing services and a pathway for Public Good Protocols to develop safely and decentralize through the regulatory safe harbor program. Mandatory disclosure obligations would be the responsibility of the app-operating businesses, and this disclosure regime would be enhanced by a certification regime through which the ICRO independently certifies Public Good Protocols. Importantly, this overall framework will help foster the growth, security, and resilience of Public Good Protocols to serve as the public goods infrastructure for the Web3 ecosystem of the future.