Yesterday the International Organization of Securities Commissions (IOSCO), the global standards setter, published its policy recommendations for decentralized finance (DeFi) following a September consultation. One of the key recommendations is to identify the legally responsible person, which might be the members of a DAO.
It’s keen to see the nine recommendations deployed by its members which include familiar regulators around the world such as the CFTC and SEC in the United States, the FCA in the UK, BaFin in Germany, MAS in Singapore and the SFC in Hong Kong.
IOSCO’s position is that the rules applied to traditional finance (TradFi) should be applied to DeFi because the use of technology doesn’t make it fundamentally different.
In some jurisdictions, DeFi will fall under the regulations for securities or other financial instruments. But even where that’s not the case, IOSCO wants to apply securities regulations. That’s if products behave like substitutes for securities.
Identifying responsible persons
One of the trickiest topics is how to identify responsible persons for DeFi, which is one of IOSCO’s nine recommendations. In other words, those responsible people should apply to be regulated.
IOSCO wants regulators to cast a wide net.
“Some industry participants have asserted that if something is decentralized, it is not, or cannot be, regulated,” says the report. IOSCO strongly disagrees.
A decision on who is the responsible person(s) is “based on whether, in fact, they control or sufficiently influence the offer of financial products, provision of financial services, or engagement in financial activities.”
It states that someone with governance or voting rights, or a DAO could be the responsible person. That’s because they make decisions that influence the financial product or service.
“The lack of control by a single person in a DAO should not negate the existence of a regulatory touchpoint,” says the report. It noted that in TradFi general partnerships and joint ventures are subject to regulation.
Whether someone has control or sufficient influence isn’t limited to voting. It could include “those with design and maintenance control; financial and economic control; and formal and legal control, among other things.”
In addition to DAOs, it also mentions foundations and developers as potentially responsible persons.
The sorts of activities that might indicate sufficient influence include “setting or adjusting parameters, controlling user funds or assets, altering transactions, or controlling access or information with respect to the product.”
IOSCO even anticipates developers or DAOs delegating decisions to artificial intelligence (AI). It has an answer there as well – the person using the AI may be the responsible person.
IOSCO’s wide net
While determining the responsible person(s) will depend on each case, it could fall into one of these groups (copied from the report):
- founders and developers;
- issuers of governance/voting tokens;
- holders and/or voters of governance/voting tokens;
- DAOs or participants in DAOs;
- those with administrative rights to smart contracts and/or a protocol (i.e., with the ability to alter the coding or operation of the smart contracts and/or protocol to some degree);
- those who have or take on the responsibility of maintaining/updating a protocol or other aspects of the arrangement, such as access rights;
- those with access to material information about the arrangement to which other participants lack access;
- those who are promoting use of the protocol through, for example, providing a user interface or otherwise facilitating interaction with the protocol, and/or releasing updates to the protocol;
- those with custody (or effective control through an administrative key, voting structure, or otherwise) over user funds or assets, or with the ability to reverse transactions; and
- those who are profiting, for example, through fees paid by users of the protocol.
Although the list doesn’t include venture capital firms, IOSCO explicitly mentioned them in the report.
A paraphrased version of IOSCO’s nine recommendations are:
- Analyze DeFi products, services, activities
- Identify responsible persons
- Achieve common regulatory outcomes (with securities)
- Address conflicts of interest
- Address material risks
- Require comprehensive disclosures
- Enforce applicable laws
- Promote cross border cooperation
- Assess connectedness between DeFi and TradFi
Meanwhile, the latest recommendations follow IOSCO’s recommendations on crypto-assets released last month.
