Highlights:
- To regulate DeFi don’t purely focus on intermediaries
- Although DeFi websites should be considered intermediaries
- Will define who controls some protocols (governance votes, admin keys)
- Treat smart contracts as products that have to be certified as safe
- Specify minimum safety standards for public blockchains.
Last week the Banque De France’s prudential regulator, Autorité de Contrôle Prudentiel et de Résolution, ACPR, published a discussion paper on how decentralized finance (DeFi) might be regulated in a future iteration of Europe’s MiCA regulation. It includes suggesting that certain DeFi protocols incorporate in the EU and web interfaces for DeFi protocols would be considered intermediaries. MakerDAO, the issuer of the DAI stablecoin, would need to incorporate in Europe under MiCA as a stablecoin (electronic money token) issuer.
Europe’s MiCA regulation doesn’t directly cover DeFi and requires a report on how to regulate DeFi within 18 months of MiCAR coming into force. The parliamentary MiCAR vote is a week today. And despite the legislation not covering DeFi, many believe that local regulators will argue that some protocols are not decentralized and attempt enforcement.
In fact, the ACPR makes the same argument about a lack of decentralization and suggests that rather than DeFi, it should be referred to as disintermediated finance. And this is the thrust of its regulatory approach.
A radical approach: treat smart contracts like products
Historically, finance has been regulated based on intermediaries and service providers. The ACPR asserts that DeFi is sufficiently distinctive that this approach is problematic. Instead, it suggests legislation should borrow from other spheres, such as product safety, where a product has to be certified as safe.
“This paper proposes a certification system for smart contracts, which would apply to the product itself, without the need to define a person that would be directly responsible for compliance with this obligation. If no one wants to have a product certified, that product will simply not be distributed.” Hence, the law would be imposed on the smart contract object itself. Regulators could choose to either discourage the use of products that are not certified or prohibit them.
For systemic activities, certification is not enough
The ACPR thinks certifying smart contracts is not enough for some’ sensitive services’, including systemic risks. In these cases that it will look at who controls the DeFi protocol and expect them to incorporate in the EU. Control will likely be determined by the level of governance tokens owned or access to administrative keys.
While MakerDAO did not get a specific mention in this context, a specific proposal would cover stablecoins like the DAI. “If a decentralised service claims to create or use a crypto-asset with an official currency as a reference, this crypto-asset must be an EMT (electronic money token or an equivalent asset) within the meaning of MiCA,” says the report.
Access: Who needs protection?
Rather than trying to outright ban anything, any future legislation should be targeted. The focus is on protecting the general public and institutions, likely the latter being a financial stability risk. The ACPR is not bothered about sophisticated and tech-savvy players who can access DeFi without a web interface. Presumably, they know what they’re doing.
It suggests that consumer access should be based on their financial sophistication based on answering questions to assess their knowledge. Those who don’t understand the products and the associated risks cannot access them. This is similar to how derivatives and other sophisticated financial products work. But there’s the question of how these tests work in a ChatGPT world.
Hence, the ACPR looks at who provides access to the smart contract ‘product’ in order to protect the general public. And the vast majority of users go via centralized exchanges or websites associated with the DeFi protocol. The DeFi activities of exchanges could be easily included in expanded MiCA regulations and it proposes that DeFi website operators be treated as service providers under a future MiCAR.
Minimum standards for public blockchains
The ACPR observes that a key risk is the underlying infrastructure, the blockchain on which the DeFi operates. It sees three potential approaches to address this risk:
- Create minimun standards for public blockchains
- Restrict DeFi to private blockchains operated by regulated entities
- Consider running DeFi on publicly run infrastructure such as Europe’s EBSI
From a regulatory perspective, private blockchains are easier to supervise than smart contracts on a public blockchain. They could fall under a supervisory framework similar to payment rails. However, the ACPR recognizes that private blockchains lack the same degree of composability, and restricting DeFi to private blockchains might inhibit innovation.
For public blockchains, it proposes minimum standards around code design and security, governance, and the validators, including their number and degree of concentration. To enforce caps on validator concentration, it would not allow pseudonymous validators. However, the ACPR is concerned that any validator concentration restrictions might inhibit new blockchains.
DeFi smart contracts must warn their contract users if the number of validators drops below a threshold or becomes more concentrated.
The report also suggests regulators operate archive nodes to recover data in case of an attack.
Harnessing innovation
Meanwhile, the Banque de France is learning to walk the talk. It is participating in a DeFi project (Mariana) with the BIS and central banks of Switzerland and Singapore for using automated market makers (AMM) for foreign exchange trading re cross border payments.
In a recent speech, Deputy Governor Denis Beau gave the nod to this paper and the need for a second generation of legislation. But apart from addressing the risks, he also looked to DeFi for promising and ‘exciting’ innovations.
