Demystifying DeFi in MiCAR
RegCORE Client Alert | EU Digital Single Market
QuickTake
The EU’s Markets in Crypto-Assets Regulation (MiCAR)Available (here) in the consolidated text form dated as of 9 January 2024 and in the original version (here) which is relevant for reviewing the Recitals.Show Footnote, which becomes fully operational from 31 December 2024, is designed to regulate crypto-asset issuers (CAIs) and crypto-asset service providers (CASPs). MiCAR is not designed, at least not in its current form, to regulate nor supervise decentralised finance (DeFi). This is the case even if distributed ledger technology (DLT) and blockchains are decentralised in nature. However even with DLT, much of CASPs providing exchange, trading, custody and administration services relating to crypto-assets have a degree of centralisation in mind, notably in terms of contracts and contact points (i.e. intermediaries). CASPs when providing services falling under MiCAR or under the traditional financial services regime, chiefly the Markets in Financial Instruments Directive (MiFID II), as amended and supplemented, are required to comply with authorisation conditions and conduct of business as well as disclosure and transparency conditions.
In contrast to the above, Recital 22 of MiCAR clarifies that those crypto-asset services, which are provided in a “completely decentralised manner and thus without an intermediary” may not fall within MiCAR’s scope. Equally, the Recital also clarifies that “crypto-assets that are not issued by an identifiable issuer” are exempted from MiCAR. The end of that Recital however states that CASPs providing services in respect of DeFi issued crypto-assets are however in scope of MiCAR. Accordingly, and as discussed in this Client Alert, it is important to delineate the degree of decentralisation and who is doing what with respect for whom in order to distinguish with when DeFin is really inside or outside (i.e. exempted) from MiCAR’s regulatory and supervisory perimeter or not. MiFID II (currently) does not have a corresponding principle as set out in Recital 22 MiCAR.
The above is important as not every business model labelled as DeFi is sufficiently decentralised. This issue was also explored by a report titled “Remaining regulatory challenges in digital finance and crypto-assets after MiCA” (the ECON DeFi 2023 Report)Available here.Show Footnote, which was commissioned by the European Parliament’s Committee on Economic and Monetary Affairs (ECON) to assess the need for further EU financial regulation concerning DeFi following the implementation of MiCAR and the revision of the Transfer of Funds Regulation (TFR). These considerations are likely to be important for both digital asset natives and traditional financial services firms entering the EU’s digital Single Market and MiCAR as the newest addition to the Single Rulebook ahead of any further amendments to MiCAR which may aim to demystify DeFi in MiCAR’s scope of application further.
Key considerations applicable to DeFi
DeFi, while not defined at law, includes a broad range of commercial activities, services and products that are DLT-related. These typically include DeFi “applications” that facilitate decentralised exchanges (DEX) and/or other forms of trade, payments, staking or lending, yield farming, portfolio application as well as insurance. Such activity is conducted on a peer-to-peer basis i.e., without a regulated intermediary (i.e. in the absence of a CASP) or orchestrated using open protocols from decentralised autonomous organisations (or undertakings in MiCAR) (DAOs), which are equally excluded from much of MiCAR (and large parts of the TFR and thus financial crime compliance (such as anti-money laundering (AML) and know your customer (KYC) requirements) unless they are recognised as a legal entity where they meet certain criteria based on their structure and objectives and may be treated as an association or cooperative.
With increases in investment and trade volume, DeFi apps are continuously developing and redrawing how business is conducted on-chain as well as considerations that carry over off-chain. DeFi Apps’ accessibility and user-friendliness are equally adopting and with greater adoption certain barriers, notably (over-)collateralisation, which limits their use cases, may ease. DeFi does offer a number of efficiency catalysts with the potential to shorten transaction settlement and risk as well as drive innovation as the technologies and protocols used are modular, interoperable and open source thus increasing competition and choice. Yet for now, as introduced above, Recital 22 of MiCAR states (our emphasis in bold and clarifications in square brackets):
“This Regulation [MiCAR] should [read as “must”] apply to natural and legal persons and certain other undertakings and to the crypto-asset services and activities performed, provided or controlled, directly or indirectly, by them, including when part of such activities or services is performed in a decentralised manner. Where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should [read as “may”] not fall within the scope of this Regulation. This Regulation covers the rights and obligations of issuers of crypto-assets, offerors, persons seeking admission to trading of crypto-assets and crypto-asset service providers. Where crypto-assets have no identifiable issuer, they should [read as “may”] not fall within the scope of Title II, III or IV of this Regulation. Crypto-asset service providers providing services in respect of such crypto-assets should, however, be covered by this Regulation.”
The European Securities and Markets Authority (ESMA) in its “2nd Package” Consultation Paper from 5 October 2023Available here.Show Footnote noted at para. 108 that (our emphasis added in bold):
“Finally, regarding DEXs, ESMA acknowledges Recital 22 of MiCA that ‘(…) Where crypto-asset services are provided in a fully decentralised manner without any intermediary’ should fall outside the scope of MiCA but also notes that the exact scope of this exemption remains uncertain. ESMA considers that an assessment of each system should be made on a case-by-case basis considering the features of the system. In this context, ESMA considers it useful to clarify how pre-trade transparency should apply to such protocols. This is without prejudice to any possible clarification that can be published in the future regarding the scope of the exemption for fully decentralised systems.”
Market participants in the DeFi ecosystem operate using various decentralisation models and differing degrees of decentralisation some freely mix both centralised and (partially) decentralised offerings as well as differing degrees of disintermediation. MiCAR nor (currently available – ESMA or other) supervisory guidance fails to define what constitutes “partial” or “full” decentralisation nor centralisation. Instead ESMA advocates looking at substance over form and taking a case-by-case assessment – in some ways this preserves (supervisory flexibility) but also pushes the problem and any resolution thereto further down the road (or indeed the chain). Nevertheless, it follows that were control or centralisation applies (not necessarily outweighs) then full decentralisation will no longer be deemed to be given and MiCAR may well apply.
With that in mind it also is important to distinguish the define use of decentralisation from that of disintermediation. Disintermediation is not a precondition for decentralisation as decentralisation involves the distribution of control and decision-making whereas disintermediation focuses on the removal of intermediaries (such as CASPs or DAOs that are recognised as a legal entity). In many decentralised systems, disintermediation may materialise as a side-effect given the absence of a need for central intermediary. However, Recital 22 of MiCAR (in its current drafting) confuses decentralisation and disintermediation by excluding crypto-asset services only if they are fully decentralised and intermediary-free. With less centralised infrastructure, decentralisation can eliminate intermediaries. As sections of the financial services value chain decentralise, re-concentration may occur in less regulated and transparent areas of the value chain. Certain systemically important crypto intermediaries (SICIs) are essential to many DeFi ecosystems, their operation and sustainability, proving that complete disintermediation is not always possible or desired.
Looking at market realities, decentralisation of DeFi apps typically means that independent network members or algorithmic governance oversee the running of transactions in the DeFi background and overall DeFi structure or “DeFi Stack”. Each stack layer relates to the technical interaction of several protocols an services where each layer of protocols may be contingent on the previous one thereby creating an independent financial ecosystem relying on multiple layers of applications to achieve clearing, settlement and asset safeguarding i.e., custody. Protocols’ application and aggregation can have differing elements and can provide and/or operate as a decentralisation component to a DeFi application. As an example, governance tokens (i.e. under MiCAR these may be categorised as utility tokens) can be issued at the asset layer but such governance tokens can be used for decentralised management in the DeFi protocol, including such as proposal creation and voting thereupon which may have differing degrees of control.
However, not all decentralised services are “true” DeFi business models nor fully disintermediated (even where they may be marketed as such i.e., there is an illusion of decentralisation). In some cases, a firm that administers a smart contract on a blockchain that runs a “decentralised” trading platform may be deemed to be the platform’s operator including for MiCAR’s purposes. Whether a firm or person earns trading fees or other benefits from DeFi exchange participants is another indicator. The specifics of each instance will therefore need to be assessed on the degree of decentralisation versus components of centralisation. In the case of the latter, it should be noted that every layer in DeFi also has some embedded operational centralisation. One such aspect is that the protocol layer can have an admin key that allows its owners (typically developers) to amend smart contracts and thus exert some form of control.
After considering all the contributing elements across the different stack layers, if the service is only partially decentralised, a conceivably identifiable initiator or operator (i.e., intermediary and/or issuer) may still be subject to MiCAR. In other words, a DeFi protocol’s decentralisation under MiCAR depends on the existence of identifiable natural and legal people or other undertakings that “control” (partially) decentralised DeFi services. Thus, the legislator makes this person/undertaking accountable for DeFi acts later to avoid legal confusion. However, at which DeFi layer these “intermediaries” should act to partially concentrate power in a DeFi project is yet unknown in the absence of supervisory guidance.
It should be noted that according to MiCAR crypto-assets that are designated as “financial instruments” and thus which become subject to “traditional financial services” legislative, regulatory and supervisory frameworks such as MiFID II. Unlike MiCAR, MiFID II does not exempt decentralised models from regulation and supervision so that Recital 22 may cease to be relevant if the crypto-assets in question of a DeFi protocol are “financial instruments”.
Key considerations from the ECON DeFi 2023 Report
A number of these considerations have been explored by ESMA but more so by the ECON DeFi 2023 Report which stated that:
“‘Decentralized Finance’ (DeFi) is neither a legal nor technical term. Common usage incorporates one or more elements of: (i) decentralization; (ii) DLT, with blockchain being an element of DLT; (iii) smart contracts; (iv) disintermediation; and (v) open banking. While decentralized systems such as Bitcoin rely on DLT to underpin token-based ecosystems, DLT is not the only way to achieve decentralization. Further, many distributed ledgers operate today with a hierarchical, centralized governance model, limiting access to permissioned participants only. In turn, decentralized does not necessarily mean distributed. Disintermediation is not a prerequisite for decentralization; rather, disintermediation may be one (side) effect of decentralization, given that the establishment costs of centralized infrastructure will be difficult to recoup in a world where services can be provided on a distributed or decentralized basis. In fact, “where parts of the financial services value chain are decentralized, we expect re-concentration in a different (but possibly less regulated, less visible, and less transparent) part of the value chain.” In fact, this has occurred. Many DeFi ecosystems rely on crypto intermediaries that are indispensable for that very ecosystem, called herein “Systemically Important Crypto intermediaries” (SICIs). We understand DeFi to comprise, at its core, what its simple name suggests: the decentralized provision of some type of financial services through a mix of infrastructure, markets, technology, methods, and applications. Decentralized provision of financial services means, in turn, a provision by multiple participants, intermediaries, and end-users spread over multiple jurisdictions, with interactions facilitated, and often enabled in the first place, by technology.”
The ECON DeFi 2023 Report goes on further to elaborate that:
“At the heart of fully decentralised platforms thus lies human cooperation, exercised through the steering of computers and servers. Human cooperation already results in the entity status of a “cooperation” under the private laws of some EU countries, and in most jurisdictions potentially results in joint liability of all contributors of that cooperation. In particular, the mere cooperation of a team of developers or community members that either founded the project or volunteered to keep it afloat suffices in some jurisdictions for entity status. Given that the smart contracts that underlie the functioning of DeFi protocols are coded, put into operation and modified by humans, and humans decide to let them operate on their information technology, the argument that the mere use of smart contracts results in a product that is something different from the result of human cooperation, is inconclusive. If all parts of something involve human cooperation, then the sum of the parts cannot be something else.”
The ECON DeFi 2023 Report paves the way for possible further publication of rulemaking instruments and/or supervisory guidance under MiCAR. This will invariably be required not just for clarity around (de-)centralisation and (dis-)intermediation but a variety of other areas including legal uncertainties regarding property rights, asset separation, and jurisdictional issues, as well as technical complexities and transparency deficits in crypto ecosystems. The ECON DeFi 2023 Report argues that despite the decentralised nature of DeFi, many risks are analogous to those in traditional finance, such as agency risks, conflicts of interest, leverage use, market abuse and concentration risks. Therefore, it advocates for regulation under the principle of “same risks, same rules,” supplemented by “new risks, new rules” to address the unique challenges posed by partial or full decentralisation.
Amongst those policy options, the ECON DeFi 2023 Report proposed adopting a broad default ruleThis reads (as proposed) as: “Crypto-assets are deemed transferable securities subject to Annex I Section C(1) of MiFID II, unless the National Competent Authority determines that the crypto-asset is subject to regulation as a financial derivative, a payment service under the payment Services Directive, E-money under the E-money Directive, or an EMT, an ART or other crypto-asset under MiCAR, another regulated service or activity, or is exempted from financial regulation altogether.”Show Footnote classifying all crypto-assets as transferable securities (and thus as “financial instruments” under MiFID II and traditional financial services regulation and supervision) unless exempted (or requalified) by national competent authorities (NCAs), assigning entity status to DAOs, harmonising international private law as to recognition or property rights, negotiability and the need to establish clear rules on court jurisdiction and applicable law (including by amendments to the Rome I and Brussels Regulations), expanding supervisory networks to include crypto-assets (including Non-Fungible Tokens (NFTs) otherwise outside the scope of MiCAR unless an exemption applies) and developing a “Euro Wallet” (albeit a working title name) with embedded compliance features under the EU’s eIDAS FrameworkRegulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, as amended.Show Footnote with embedded compliance as to AML/KYC, licensing, and client solicitation requirements, which allows only compliant (i.e. licensed and supervised actors that pursue AML/KYC checks) to transact with EU clients. Such a Euro Wallet may also provide opportunities to embed sustainability disclosures and provide the foundational infrastructure for the Digital Euro at a later point in time.As the ECON DeFi 2023 Report notes, “If technology is well designed, these Euro Wallets, while ensuring compliance by technical means, would be linked to the users’ identity through the process embedded through eIDASR, yet anonymous vis-à-vis third parties. Since they are provided by public infrastructure and supervised by technical means, these wallets would benefit from a cost advantage compared to private wallet offerings. Over time, these Euro Wallets would crowd out other wallet types that are less supervised.”Show Footnote
While some of these proposals may (currently) seem far-off to fanciful, it should be noted that precisely because such measures are being proposed, some degree of tackling the regulation and supervision of DeFi can be expected as the operationalisation of MiCAR and the TFR’s requirements, notably on the Travel Rule gathers pace.
Key considerations for the market
What is clear from the above it is exceptionally important (both practically and to reassure regulators/supervisors) to periodically:
- Review the categorisation of crypto-assets and their type in particular as to whether they are MiCAR or regulated and supervised under MiFID II and/or other traditional financial services legislative, regulatory and supervisory requirements;
- Review the level of control and centralisation v decentralisation (including illusion of decentralisation) across layers to ascertain a view on the substance over form of a protocol or DeFi application; and
- Assess the nature and type of crypto-asset services that are provided to or in respect of DeFi issued crypto-assets.
A number of regulatory and supervisory authorities, including Germany’s NCA, the BaFin have (repeatedly) warnedIn particular here.Show Footnote on DeFi-specific risks. Such DeFi risks include (but are not limited to) smart contract hacking, misaligned economic incentives that cause protocols to fail (e.g., collateral liquidation fails, called a “exploit”), data protection issues and financial crime compliance issues when contracts are signed with unknown or pseudonymous parties. The same is true in terms of tokenisation of real-world assets using DAOs and DeFi protocols which may facilitate money laundering through conversion and washing of assets.
Ultimately those operating or engaging with DeFi must (periodically) critically assess governance and operational approaches as well as DeFi-specific risks including beyond AML/KYC and TFR compliance. Many DeFi platforms seem decentralised, yet they have consolidated decision-making power or smart contract control, which could make them susceptible to MiCAR or MiFID regulation.
Outlook
While the above should raise awareness of all market participants to proactively embed compliance on DeFi into their value chain, the ECON DeFi 2023 Report along with further reports mandated by MiCAR itself should reinforce that requirement. These further reports include those to be issued pursuant:
- Article 142(1) and (2)(a) MiCAR, the European Commission shall by 30 December 2024, having consulted with ESMA and the European Banking Authority (EBA), present a report to the European Parliament and the Council on the application of MiCAR, accompanied, where appropriate, by a legislative proposal, with “an assessment of the development of decentralised-finance in markets in crypto-assets and of the appropriate regulatory treatment of decentralised crypto-asset systems without an issuer or crypto-asset service provider, including an assessment of the necessity and feasibility of regulating decentralised finance; and
- Article 140(1) and (2)(t) of MiCAR, the European Commission shall by 30 June 2025, having consulted with ESMA and the European Banking Authority, present an interim report and by 30 June 2027 a final report to the European Parliament and the Council on the application of MiCAR, accompanied, where appropriate, by a legislative proposal with “an assessment of the development of decentralised finance in markets in crypto-assets and of the appropriate regulatory treatment of decentralised crypto-asset systems.”
Collectively, these reports will certainly demystify the discussion around decentralisation and may lead to full-scope regulation (for MiCAR and MiFID II purposes) of DeFi. Taking early preparatory action may ease the move to meeting the required degree of compliance so as for DeFi to deliver the potential it very much promises and certainly can provide.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators. We have equally built a proprietary AI-powered offering known as “LORA” – to help clients with their “Legal Obligations and Regulatory Analysis” of their CAI and CASP compliance obligations.
In addition to LORA and in order to assist firms in staying ahead of their compliance obligations we have developed a number of RegTech and SupTech tools for supervised firms. This includes PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.