Capital markets Legal and IP News Opinion

France’s prudential regulator advances work on certification of smart contracts


As part of a speech earlier this week, the First Deputy Governor of the Banque de France, Denis Beau, revealed that the ACPR is working with the industry to certify smart contracts. The Autorité de Contrôle Prudentiel et de Résolution, ACPR, is the prudential regulatory arm of the central bank.

“Work is continuing in 2024 with stakeholders on one of the ACPR’s key proposals, namely the mandatory certification of smart contracts prior to their use,” he said. Mr Beau noted that early French crypto-asset regulations had heavily influenced the MiCA regulations.

Last April the ACPR shared some proposals on the possibility of regulating DeFi. They fell into three buckets:

  • Security standards for private DLTs and public blockchains
  • Certifying smart contracts
  • Regulating DeFi entry points such as websites.

We covered the issues in some detail at the time.

ACPR smart contract certification

Some of the more widely used smart contracts are already audited. However, the ACPR has more in mind than just auditing. At a big picture level, it suggested that the conventional regulatory construct of targeting intermediaries and service providers won’t always work for DeFi. Instead, regulators should consider oversight of the product, which is smart contracts in the case of blockchain.

Hence, for regulatory compliance, all smart contracts would need to be certified. Most consultation respondents supported the concept of certifying smart contracts, but there was a range of views on how they might be certified, which was covered in the response summary. There was also some debate about what sort of changes would require a re-certification and concerns that this would disincentivize smart contract updates. The composability of smart contracts – where one smart contract is dependent on another – is a major challenge for certification.

The ACPR’s comments clearly indicate that it wants to encourage innovation while protecting consumers. In the consultation response, the ACPR stated that if a smart contract could not be certified, its use should be blocked because it likely poses risks.

However, Ledger Insights is based in Europe, and we have concerns about the potential impact on innovation. We might reconsider our European base if we were blocked from using all uncertified smart contracts. Here’s why.

Smart contract certification – a damper on EU innovation?

There will be different types of uncertified smart contracts. The two important ones are those that have failed certification and those that have not bothered to try. Blocking the former is less of an issue, as they are probably risky. However, innovators building in other jurisdictions will likely only be willing to incur the cost of an EU certification once they have reached sufficient scale.

Hence, if EU access to these uncertified smart contracts are blocked, then individuals and companies within the EU won’t be able to see or experiment with these new and potentially innovative smart contracts.

This is similar to when the EU’s data protection GDPR legislation first came into force. EU residents couldn’t reach a fair number of U.S. websites. Except for smart contracts, certification costs will be considerably more than adding a GDPR plugin to a website.

This is our biggest reservation.

At the same time, we also envisage that it’s not only innovative developers who won’t bother to certify their smart contracts. Dodgy developers won’t attempt certification either.

Additionally, there’s the issue of fragmentation. Web3 is the next generation of the web. An open web is far more scalable than a fragmented web.

Constructive suggestions?

One possible solution is to require wallet providers and crypto exchanges to provide warnings. That’s not dissimilar to what happens if you visit a virus-infected website. A failed certification could be a blocker or at least a very visual red warning requiring acknowledgment of the danger. However, a smart contract that has yet to apply for certification will get an amber alert, allowing knowledgeable users to proceed. This is similar to when a website security certificate is out of date. The web browser message dissuades most users from visiting the web page, but knowledgeable users can proceed.

One of the downsides of the EU’s ever-more-complex regulatory landscape is that when startups choose a jurisdiction, they want to focus on product not regulation. In some realms, the European Union is already an innovation laggard. If this sort of certification doesn’t have a light enough touch, it could push the EU further behind.