Starting 2020, the European Union took important steps intended to boost responsible innovation in the EU’s financial sector, especially for highly innovative digital start-ups, while mitigating any potential risks related to investor protection, money laundering and cyber-crime.1 At the same time, these types of risks do not necessarily and always require external public intervention from the European or national authorities or legislators2 as the majority of risks are tackled through solutions which are generated by the different industries themselves, such as the so called DeFi ecosystem.
Crypto-assets qualifying as “financial instruments” under the Markets in Financial Instruments Directive (MiFID II)3 have previously been subject to EU securities markets legislation.
On 29 June 2023, the Markets in Crypto-Assets Regulation (MiCAR) entered into force. It is applicable to all entities issuing crypto-assets, firms providing services around these crypto-assets, firms operating digital wallets, and cryptocurrency exchanges and consumers of this type of services. But MiCAR which focuses on Centralised Finance (CeFi) excludes new paradigms such as the DeFi (Decentralized Finance) industry and non-fungible tokens (NFT), security tokens, and even cryptoasset finance. The difficulty in identifying a DeFi Labs company as clearly being a crypto-asset service provider (CASP) is one of the reasons that MiCAR is described as not intended to target DeFi.4
Central bank digital currencies (CBDCs) also fall outside the scope of MiCAR and will be regulated under the Proposal of an (EU) Regulation on the establishment of the digital euro, which provides a mandate to the ECB to develop and issue it.5
The financial crisis in 2008 highlighted the harsh reality that even the world’s most established banking systems could fail under certain circumstances.6 The response: cryptocurrency, blockchain technology and everything that followed in the field of DeFi. Although there is no generally accepted definition of DeFi, the European Central Bank generally describes DeFi as part of a peer-to-peer network (built on a public blockchain) where assets represented in the network can be transferred automatically (via so-called smart contracts).7 As a matter of fact, DeFi represent the new financial services where the traditional role of banks as an intermediary is replaced or changed by self-executable software on a blockchain (smart contracts), (e.g., automated lending via Aave).
DeFi has gained more popularity among investors who resist the authority, uniformity and control of centralized exchanges. The DeFi which rely on automated protocols to produce financial services represents a rather young branch of the crypto-economic system. The total amount of value locked (TVL) in DeFi services went from $600 millions in January 1st 2020 to a peak around $315 billions on the 26th of December 2021.8 The rapidly increasing adoption of DeFi by institutional investors, the linkages with traditional financial institutions are growing.9
Among the main services you can manage through DeFi are: trading, insurance, collateralised lending, issuance of tokens, digital payments, financial data, over-the-counter (OTC) trading, asset management, capital raising, etc. We might say that we have a finance triangle which is interconnected and evolves concurrently: traditional finance → CeFi → DeFi.
The question that both the financial markets and the financial regulators have to answer to is: Does an increase of interconnections between DeFi activity and the traditional banking system constitute a noteworthy threat to financial stability and a systemic risk? The benefits are worth the risks?
The great majority of the DeFi applications do not provide new financial products or services per se but simulate within the crypto-asset ecosystem the products and services provided by the traditional financial system while does not rely on a centralised authority and a regulatory intermediary but rather on applications that are designed to use blockchain technology and are called smart contracts. As a technology, blockchain needs an application built on it.
DeFi provides important stimulus through the high generation of revenue which are distributed to those who provide liquidity to the system in the form of “protocol revenue”, transaction fees that are kept by the protocol and token holders, and “supply-side revenue”, fees that are given to the users providing liquidity for the protocols.10 As a consequence, it was a natural step for Société Générale (SocGen) to submit an application for the decentralized finance (DeFi) lending platform to accept on-chain bond tokens issued by the bank as collateral for a stablecoin DAI loan.11 Or J.P. Morgan to be the first global bank to offer a blockchain-based platform for wholesale payments transactions called for Onyx.12 And for Société Générale-FORGE (SG-FORGE), a fully integrated and regulated subsidiary of Société Générale group dedicated to digital assets, to launch on April 20th, 2023, in Paris, the EUR CoinVertible, a digital asset that purports to maintain a stable value (stablecoin). EUR CoinVertible is deployed in Euro denomination on the Ethereum public blockchain.13
The trust is built by the automated code which is governed by immutable predefined rules identified as smart contracts. On the other hand, in October 2021, an update to the lending platform Compound introduced an error that incorrectly distributed rewards worth $90 million. The platform’s founder posted on Twitter that “There are no administrative controls or community tools to disable the [...] distribution” of rewards. In traditional finance, erroneous transfers can be challenged in court.14
At the same time, technical flaws, bugs within the codes or carelessness in the interface of the DeFI platforms can represent a significant danger to the whole framework and have the ability of producing security events such as: re-entrancy attacks, oracle manipulation, gas griefing, transaction order dependence attacks (frontrunning), force-feeding attacks, timestamp dependence, denial of service, integer underflows and overflows, information and function exposure,15 etc. Losses on reserves (assets backing the stablecoins, as stablecoins need to be collateralized with liquid/traditional reserve assets, for convertibility purposes) could trigger a loss of user confidence and prompt large-scale redemption requests, while the liquidation of underlying – usually traditional – assets to cover redemptions requests could have negative fire-sale contagion effects on the financial system.16
As an example, the run on TerraUSD, as the related DeFi protocol Anchor collapsed, and its contagion across cryptoasset markets was similar to confidence runs that have occurred in the traditional financial sector involving banks and money market funds, highlighting the need to understand the risks stablecoins could pose to the financial system as a whole.17
Just like the traditional finance, DeFi environment can suffer panic runs from many different reasons such as: important modifications in the regulation environment or even technological and operational incidents, coding errors to flawed price oracles, market contagion from the price crash of well-known cryptoassets such as Bitcoin and Ether. In the above mentioned TerraUSD episode, other algorithmic stablecoins, such as Neutrino USD and USDD, experienced much deeper deviation from their pegs compared with other stablecoins.18
Also, the anonymity of the DeFi platforms, lack of a centralized governance which allows it to be easily influenced and the interconnections with the crypto-assets environment permits ambiguous interventions and malicious attacks. A good example is represented by the flash loans which do not exist in traditional finance. According to CertiK’s report, a total of $308 million was lost in Q2 2022 due to 27 flash loan attacks.19 In one single attack on Beanstalk, an Ethereum-based stablecoin protocol, an attacker used a flash loan to secure voting right, change the code of the protocol, and then send the loaned funds to their own wallet, creating a loss of $182 million.20
The main point of convergence of DeFi with CeFi is represented by the FIAT conversion from and to crypto assets. Payment providers (such as Visa or Paypal) facilitating acceptance of crypto-assets for payments outside crypto-asset space are more likely to be in fact a “currency conversion” service, in cooperation with an exchange company (e.g. Anchorage acting as a custodian for VISA for crypto-assets). This is why exchanges have been suggested by the industry as the regulatory check points for supervisory and regulatory purposes for the DeFi market, albeit insufficiently covering the activity that takes place within the DeFi space.
Last but not least, the above-mentioned anonymity of the DeFi platforms poses significant challenges in regards of the matter of the Source of funds/Source of wealth. Nowadays, SOF checks are limited to FIAT currencies. Where blockchain is involved, important issues are related to the distributed network economy concerning instability, classifications as currency or an asset class, energy-inefficient consensus protocols (like proof of work), anonymity and dark web money laundering concerns.21
There is an immediate need for strong and extensive national regulatory frameworks in accordance with common global standards.
DeFi infrastructure could be provided directly by regulators as a sovereign function, ensuring in this way direct public participation in decentralized financial markets, in addition to traditional forms of regulation and supervision,22 an idea which surfaced in discussions pertaining the central bank digital currencies.23 Such an initiative could be considered the People Bank of China’s plan to introduce a ‘Digital Yuan’, as a response to a private initiative such as Facebook’s Libra. But government development, provision, control or even nationalization of core DeFi infrastructure are in utter contradiction with the claims of decentralization of DeFi and will produce the opposite effect of its professed mission to reduce government control.24
Furthermore, the DeFi ecosystem has to put in place buffers and insurance instruments that presently are used by traditional commercial banking (e.g., prudential regulation, deposit insurance, the safety net represented by central bank standing facilities) according to the principle ”same activity, same risks, same regulation” promoted by the Financial Stability Board.25
Another form of using and regulating DeFi could be the so called RegTech, term which defines the use of technology for regulatory compliance, monitoring, and supervision26 or the idea of not only embedded supervision27 but actually the next step further meaning ”embedded regulation”. This means that public or state regulatory approaches could be erect technically into the design itself of DeFi as part of the authorization requirements based on ex ante guidelines on operational and risk parameters. In this way, the system itself is able and responsible to implement, monitor, and enforce compliance requirements.28 Of course, the authority designing and implementing this RegTech should be the country where the platform or the application is registered or incorporated, thus creating the possibility of reducing the role of financial hubs and, at the same time mitigating the challenges pertaining to the applicable law and jurisdiction of competent authorities and courts.
Despite the advantages of RegTech, we have to consider whether or not an algorithm is better at detecting troublesome signs than a human bank examiner, for instance, depends on the myriad of specific technical choices embedded in its operation.
How DeFi will evolve, remains uncertain and regulating DeFi might prove difficult in the lack of one essential condition: a central entity that controls the DeFi protocols. Also, due to the global nature of DeFi and the scattering of its stakeholders, an internationally coordinated approach is essential to prevent and mitigate the dangers to global financial stability and the systemic risks to the financial markets. Market developments following the entry into force of MiCAR, will generate the need to identify and assess any risks arising from crypto-asset conglomerates, and the DeFi environment.
Therefore, regulatory responses must take a comprehensive and integrated view of the ecosystem to tackle the multiple risks associated with DeFi in general and those resulted from the complicated interconnection between stablecoins (the fuel) and DeFi.
While the future of DeFi remains open, it holds a credible promise for new forms of financial services adapted to a globalized, competitive and digital economy. At the same time, severe threats to consumers, producers and the economy at large accompany this opportunity.29 As a result, it is important for the European Union to promote EU-level knowledge exchange and monitoring of market developments, given that the European legislation in the matter is one of the vanguard and a pioneer in the field of regulating new technologies.
DeFi promotes innovation in financial services especially given the open-source nature of protocols, could be seen as a testing ground for the use of DLTs in financial services and could have some potential to promote financial inclusion depending on the design and transaction governance arrangements and in settling transactions to the underlying DLT or blockchain.30
At the same time, we must regulate in a wise, authentic technology-agnostic and explicit manner the pre-eminence of law over technology, and of human welfare over the materialistic interest of making profit with the minimum effort possible.31 It remains an open question whether a more thorough and vigorous regulation is to prompt a rampant institutional interest and, consequently, an exponential growth of the industry or it would lead to a downfall, should the risks and damages be too important and would prove the business model of DeFi to be invalid. n
