One of the major issues of contention with the introduction of MiCA is whether or not the new EU/EEA regulatory framework for crypto assets includes decentralized finance (DeFi). Companies that see themselves as software companies but that offer services around DeFi must therefore tread carefully.
Mads Ribe is an associated partner and leads EY's focus on Digital Law & AI in Norway. Mads is a leading business lawyer specializing in new technologies such as blockchain, digital assets, and artificial intelligence. He has assisted key players in the Norwegian blockchain community, including growth companies and more established players.
This is what Mads Ribe writes in a recent blog post at kaupr.io. Ribe is a lawyer and associate partner in Ernst & Young Advokatfirma AS.
The EU Markets in Crypto Assets Regulation (MiCA) is due to be implemented in the EU/EEA during 2024, and one of the major issues of contention is whether or not MiCA encompasses decentralized finance (DeFi). ESMA recently made some clarifications, which show that the issue is complex. Norwegian DeFi players, who see themselves as pure software companies, risk having to apply for a license as CASP (“Crypto Asset Service Provider”) under MiCA.
DeFi, or decentralized finance, is basically excluded from MiCA, but this article challenges this perspective and sheds light on the implications the regulation could have for software vendors that provide services into the DeFi market. In effect, MiCA regulates parts of the DeFi industry in a way unknown to today's IT service providers to traditional banking and finance industries, and if so, what implications does it have for the financial sector of the future?
DeFi is a system based on blockchain technology that consists of software designed to carry out financial activities between equal parties or systems, such as the exchange, lending, borrowing, offering, management and tokenization of digital assets. These systems are governed by predetermined coded rules, algorithms, or protocols, which eliminate the need for an intermediary. The DeFi systems are stored and executed on a blockchain managed by a network of independent nodes using a consensus protocol, contributing to greater resilience to system failures. Although there are various degrees of “decentralized”, decentralized here refers to DeFi systems that are not owned or controlled by any single entity or a coordinated group of individuals.
In a DeFi system, users have open and transparent access, and the system works without requiring centralized intermediaries. Smart contracts are code that performs actions without the involvement of third parties and that are enforced by consensus rules and network validation. For example, these contracts can secure an asset until a particular event takes place or certain conditions are met. Control over these assets is programmatically limited and is subject to the logic of the DeFi protocol's smart contract and the underlying blockchain's consensus rules. Public publishing on the blockchain ensures validity and enables public scrutiny.
DeFi services are a form of hybrid financial services, in which coders have in many ways taken over well-paid advisers at financial houses to create complex financial products. In many cases, the relationship between the traditional financial regulation of DeFi services is uncertain because they operate in a kind of grey zone, where some services will be able to fit into the current regulation for financial products and services, while others do not and thus remain unregulated. DeFi includes, among others:
The benefits of DeFi technologies range from operational aspects (e.g. instant settlement) and reduced settlement costs (without costly intermediaries), to seamless collaboration across multiple services and blockchain protocols (e.g., from Bitcoin to the Ethereum blockchain). Beyond these operational efficiencies, DeFi can present regulatory benefits such as increased market transparency, improved market efficiency, and strengthened risk management (e.g., automatic sales encoded into the smart contract where the market value falls below a certain level).
At the moment, services provided in a fully decentralized manner without an intermediary fall outside the scope of MiCA according to. MICA's Pream/Preamble Section 22. It can be difficult to determine whether a DeFi service is “fully decentralized” or not. Intermediaries using DeFi services are likely to require licensing as a crypto-asset service provider or a CASP (Crypto Asset Service Provider) under MiCA. MiCA has a fairly broad definition of what is considered a CASP, and the types of services that fall within its regulation. This can create challenges for DeFi players, who may not even know they are CASPs or offer crypto-asset services according to MiCA.
To determine whether a person/company falls within the MiCA, one must go through two steps:
The European Securities Market Supervisory Authority (ESMA) has recently made some clarifications on how MiCA should be interpreted and applied to DeFi. In a recent consultation document, ESMA provides some guidelines on how to assess whether an individual performs crypto-asset services with continuity and regularity, which is one of the criteria for being a CASP. ESMA also provides some examples of how to deal with situations where a person uses or interacts with decentralized technology (“permissionless DLT”). The essence of a decentralized ecosystem is that no single entity can exert control over the system.
ESMA itself acknowledges that the terminology “fully decentralized” in MICA's proposition/preamble 22 is somewhat unclear: “[...] Where crypto-asset services are provided in a fully decentralized manner without any intermediary should fall outside MICA's scope, but also notes that the exact scope of this exception remains uncertain. ESMA considers that an assessment of each system should be made on an individual basis taking into account the characteristics of the system [...] '.
The central point of this assessment, as also highlighted by ESMA, must be that decentralization is not binary, but must be seen in a spectrum starting from centralization to increasing degrees of decentralization. To get outside of MiCA, there needs to be multi-level decentralization, including the existence of multiple user interface/front-end solutions that give users the ability to connect to the system in an easy way. Access to the smart contracts cannot depend on a single front-end solution driven by one device, as front-end solutions are the main way to access the underlying smart contracts that make up DeFi technology. This has implications for how MiCA and other regulations, such as the Financial Action Task Force (FATF) supervisors relating to crypto assets, are to be interpreted and applied to crypto assets and DeFi services.
The question of where the boundary of “fully decentralized” goes under MiCA is also discussed by other relevant organizations and authorities in Europe. One of these is The Board of the International Organization of Securities Commissions (IOSCO), which in a recent report on DeFi recommends that authorities should identify the “responsible person” behind DeFi applications. The IOSCO report highlights some important considerations in this assessment, including; i) Governance structure — how is decision-making authority distributed? ii) Control and Ownership — how is control and ownership distributed? iii) Network operation — what is the level of decentralization in the operational infrastructure of the network? iv) Transparency and transparency — is the information available and the conditions of competition equal for all stakeholders?
A key question for whether a DeFi protocol or platform falls under MiCA is whether a customer relationship exists between a service provider and a user. Ideally, all elements that could lead to the establishment of a service-customer relationship, such as the collection of fees (with the exception of transaction fees paid to validators/miners), should be minimized or eliminated so that the existence of such a relationship is not present. This would serve as a dual safeguard for a DeFi technology to fall safely within the exception provided under MiCA for “fully decentralized finance”.
This means that companies that provide user interface/front-end solutions and thus connect users to decentralized exchanges/exchangers of crypto-assets for a fee may find themselves in a grey area around whether they should be considered to be a CASP with an impact on the exchange or whether they “only” provide software technology that allows the user to use systems that can be considered fully decentralized. Regardless, such companies will have to deal with money laundering rules, with the potential control and reporting of suspicious transactions, terror financing and current customer measures (KYC/KYT).
Norwegian companies that provide such services or otherwise offer services around decentralized systems must therefore tread carefully. Software companies in DeFi are facing an unpredictable time in the face of implementing MiCA, unless ESMA and/ Norwegian authorities clarify the distinction before MiCA is implemented during 2024.
Kaupr's blog column is open for posts, analysis and debate. Send your article or article idea to morten@kaupr.io.