What Awaits DeFi? Peering Through the CFTC's Regulatory Lens
We analyze the CFTC's recent crackdown on DeFi platforms and explore insights into these regulatory actions, court reasoning, and the future implications for DeFi.
In 2008, the United States faced a seismic shift in its financial foundations with the collapse of Lehman Brothers, an event that presaged the Great Recession. The government's response, increasing financial scrutiny through a series of legislative measures, was a natural reflex to restore trust, emphasizing systemic stability, though it inadvertently moved concepts like anonymity and privacy to the background.
In the midst of this regulatory recalibration, a silent revolution was brewing: Bitcoin's emergence in 2009, which subtly hinted at a financial future where transparency and privacy could coexist free from the complex web of intermediaries and the red tape that characterizes traditional financial systems. The subsequent rise of Ethereum and its decentralized finance (DeFi) model crystallized this vision, offering a new world where financial empowerment and privacy are not mutually exclusive.
Now, after more than a decade of crypto's maturation, much remains in a grey area. The recent actions taken by federal agencies like the Commodity Futures Trading Commission (CFTC) suggest that access to DeFi for Americans might be limited and development closely monitored. As we delve deeper into these federal actions, we must consider their implications for DeFi's promise of financial sovereignty and what it means for the future of digital finance.
CFTC’s Recent Enforcement Actions
The CFTC took decisive action against three DeFi platforms (Opyn, Inc., ZeroEx Inc., and Deridex, Inc.), with settlements announced in September. These US-based firms were found to be in violation of commodities regulations for providing platforms that facilitated illegal digital asset derivatives trading.
The Commodity Exchange Act (CEA) prohibits the offering or facilitation of leveraged, margined, or derivative swaps to US retail consumers (essentially, individuals who are not “eligible contract participants”) unless the offering entity is registered as a Swap Execution Facility (SEF), Designated Contract Market (DCM), or Futures Commission Merchant (FCM). Both Deridex and Opyn have been specifically charged with failing to register in the required capacities and with neglecting to implement a customer identification program, while all three companies stand accused of engaging in illegal leveraged and margined retail commodity transactions in digital assets. The entities neither admitted nor denied the allegations, but agreed to pay penalties.
The CFTC's Director of Enforcement, Ian McGinley, emphasized the agency's stance with a pointed statement:
“Somewhere along the way, DeFi operators got the idea that unlawful transactions become lawful when facilitated by smart contracts. They do not. The DeFi space may be novel, complex, and evolving, but the Division of Enforcement will continue to evolve with it and aggressively pursue those who operate unregistered platforms that allow US persons to trade digital asset derivatives.”
As we peel back the layers of these enforcement actions, we'll explore their broader implications for the future of DeFi and the regulatory landscape that shapes it. With a lot to unpack, let’s dive in.
Blame Game
A common theme seen in the recent enforcement actions by the CFTC is the sharpened focus on DevCos and other key persons, holding them liable for the activities that involve either (i) digital assets created by third parties, as seen with 0x’s case, or (ii) transactions that arise not just from front-end interfaces but also from DEXs and block explorers, as seen in Opyn’s case.
0x’s case is particularly telling, as it signifies the CFTC's intention to foray into territory traditionally outside its purview: spot trades. Despite the actual tokens being issued by third parties, the CFTC contends that 0x, by deploying its protocol and operating the Matcha interface, effectively “facilitated” these transactions and provided a means for users to obtain financing or leverage.
Opyn’s case adds another layer to this. The Opyn Protocol was accessible to US users in three ways: through Opyn’s front-end interface (its website), through decentralized exchanges (DEXs) or through a block explorer like Etherscan. While Opyn could control access to its website, regulating user access through DEXs or blockchain explorers is far more complex and may even be technically impossible. These avenues allow users to interact directly with the smart contracts on the blockchain, potentially rendering any front-end restrictions Opyn might put in place ineffective. This raises critical questions for regulators: How can Opyn—or any DeFi protocol—enforce user restrictions when the smart contracts are open to interaction by anyone? Do applications and protocols need to be regulated differently?
Additionally, Opyn's initial efforts to implement geo-blocking were deemed insufficient by the CFTC, which is not much of a surprise given their similar stance in the BitMEX case. However, the CFTC's acknowledgment of Opyn's additional, though unspecified, steps to block US users adds to the ambiguity, leaving a haze of uncertainty about what constitutes sufficient measures for a platform to be considered fully offshore. This uncertainty not only leaves developers and industry participants in a state of conjecture but also subjects them to incalculable legal risks.
The recent Uniswap v. Risley decision clarified that developers are not automatically responsible for the actions of third parties. Judge Failla made a distinction between the foundational smart contracts of the exchange and the additional contracts by token issuers for liquidity pools, leading to the conclusion that Uniswap was not liable for third-party activities. While the ruling was definitely a win for devs, US commodities law casts a wider net compared to securities law. With its wide-ranging provisions on preventing facilitation and access to such transactions, the CEA could be interpreted to extend liability further, placing devs squarely in the sights of CFTC's enforcement.
Considering all of the above, several critical aspects remain ambiguous and require clarification by the CFTC to appropriately assign liability. Firstly, the CFTC should define what constitutes both the front-end user interfaces and the actual underlying blockchain protocols and subsequently devise regulatory approaches for each. Secondly, the Commission should evaluate the protocols' characteristics, including the degree of decentralization, whether it is open source, the extent of code modifiability, and whether it is permissionless and censorship-resistant. These factors can help clarify whether a company has substantive control over the protocol or merely contributes to its development and maintenance. For example, if we were to pick just three of these factors to compare the protocols in question, we already have differing circumstances:
This comparison highlights significant differences in the operational structures of the protocols, which should ideally lead to distinct regulatory implications. The 0x protocol exemplifies true decentralization, operating autonomously as self-executing software akin to foundational internet infrastructure. There is a stronger chance for 0x to protect its devs from liability as they do not have substantial control over the protocol. Opyn, however, maintains a degree of centralized control, evidenced by its ability to shut down the protocol, a power that suggests a higher level of responsibility and potential for regulatory action due to its ability to exert substantial influence over the protocol's operations. Deridex's situation is even more pronounced, with its centralized adjustments to smart contract operations indicating a strong level of control and, consequently, a greater likelihood of being held accountable for activities within the protocol. These distinctions are crucial for regulators to consider when determining the extent of a platform's liability and the appropriate regulatory response. A one-size-fits-all enforcement strategy would not be suitable in this context.
Lastly, the CFTC should elucidate the effectiveness and requirements of geofencing strategies for US users: whether methods like geoblocking are sufficient, how to effectively counteract VPN usage, whether these measures should be applied at the interface or the contract level, and whether they are even feasible. As Commissioner Summer K. Mersinger has stated in her strong dissenting statement regarding these enforcement actions, these issues should be addressed through a rulemaking process, which would benefit from the input of customers, market participants, and other stakeholders. Such a process would ensure that rules are clear, transparent, and crafted with public input. Relying solely on enforcement without a full grasp of the technology and unfairly penalizing developers for actions beyond their control could hinder innovation.
More Questions Than Answers?
In her dissent, Commissioner Mersinger pointed out that rather than comprehending these market structures and attempting to regulate them suitably, the current enforcement actions have brought to light new queries that only begin to illustrate the intricacies involved in regulating DEXs, such as:
In instances where a DeFi protocol is crafted with lawful intentions but later utilized by others in violation of the CEA, to what extent should the original developer bear responsibility?
Does the developer of a DeFi protocol face endless liability if their technology is used illegally by others, or does the timing of the illegal use compared to the deployment matter?
Could there be a minimal threshold of unlawful use that must be exceeded before imposing liability on the developer under such circumstances?
Given the level of uncertainty surrounding regulation, DeFi platforms must be proactive in regulatory compliance by adjusting business practices as needed, and potentially restricting US persons' access to avoid enforcement actions. Additionally, they should focus on decentralizing control as much as possible, enhancing transparency in governance and vetting token listings carefully to align with regulatory standards and maintain accountability.
The Road Not (Yet) Taken
The Commission’s past approach, as seen in its 2022-2026 Strategic Plan, shows a clear commitment to “increasing stakeholder engagement and leveraging principles-based regulation,” along with an acknowledgment that “extensive stakeholder engagement” is necessary to address the novel challenges posed by DeFi. This acknowledgment reflects an understanding of the unique challenges DeFi presents. Building on this foundation, the CFTC can adopt a more balanced approach that can include:
Establishing clear distinctions between having control over a protocol and merely contributing to software development. There should be a clear definition of what constitutes front-end user interfaces versus the underlying blockchain protocols, with tailored regulatory approaches for each. This will help in accurately assigning liability.
Assessing the characteristics of protocols, such as the degree of decentralization, open-source nature, code modifiability, permissionless and censorship-resistant features, to determine the extent of a company's control over the protocol.
Establishing clear guidelines for geofencing activities, which can allow protocols to be fully compliant.
Collaborating with DeFi and industry experts through initiatives like LabCFTC or regulatory sandboxes, offering safe harbors to promote innovation without the threat of punitive action. Coinbase International Exchange, for instance, just received regulatory approval from the Bermuda Monetary Authority to offer perpetual crypto futures contracts, a strong example of promoting innovation and customer protection through updating existing regulations.
Engaging in a transparent rulemaking process, with stakeholder participation, to develop clear, understandable regulations that protect consumers while encouraging responsible innovation. This process should aim to provide the legal certainty that market participants need to operate confidently within the DeFi space.
In the end, the definitive resolution to these complex issues will likely come from legislative action by Congress. While current regulations serve the important purpose of safeguarding the public from the inherent risks of leveraged derivatives, they are unable to properly regulate this novel system run on the incredible fluidity of code. However, there has been constructive movement on both sides of Congress, with efforts underway to address the multifaceted challenges confronting the industry. It is our hope that these initiatives will culminate in the introduction of balanced and pragmatic regulations that reconcile the need for consumer protection with innovation.