Regulation of DeFi, dApps and Non-Custodial Wallets: Per Aspera ad Astra
- nick78ru
- Oct 10, 2023
I. INTRODUCTION
Decentralized finance (DeFi) is a rapidly growing financial ecosystem that is built on blockchain technology. Modern DeFi platforms allow users to lend, borrow, trade, and earn interest on cryptocurrencies without the need for intermediaries such as banks or exchanges. Together with non-custodial wallets and with the use of dApps, they create a competitive alternative to the established financial system. As such, the growth of DeFi, dApps and non-custodial wallets has attracted the attention of regulators around the world. Regulators are concerned about the risks associated with these technologies, such as the potential for fraud, money laundering, and tax evasion.
In this article, we will discuss recent legal and regulatory developments surrounding DeFi, dApps and non-custodial wallets, and explore the different approaches that regulators have taken in regulating them.
II. THE IMPORTANCE OF DEFI, DAPPS AND NON-CUSTODIAL WALLETS
The importance of DeFi, dApps and non-custodial wallets cannot be overstated. They are the infrastructural and financial pillars and foundation of the ecosystem, and are what makes it so competitive against the traditional finance system. Working in concert, they offer a number of advantages over the traditional financial system, including:
· Decentralization: They offer users more control over their finances. With DeFi, users can lend, borrow, and trade cryptocurrencies without having to go through a bank or other financial institution. This gives users more control over their finances and allows them to access financial services that they may not otherwise have access to. DeFi is not subject to the control of any single entity, which makes it more resistant to fraud and censorship.
· Transparency: They are more transparent and secure. DeFi transactions are recorded on a blockchain, which is a public ledger that is transparent and secure. This makes it more difficult for fraud or theft to occur and easier to track and audit.
· Cost-effectiveness: They are open to everyone. DeFi is open to anyone with an internet connection, regardless of their location or financial status. This makes it a more inclusive financial system. DeFi transactions are often much cheaper than traditional financial transactions.
Because of their importance to the entire ecosystem, DeFi, dApps and non-custodial wallets have always been in regulators’ crosshairs. However, until recently, all we saw in terms of relevant regulations was various agency advisories. As it was clear that regulations would come sooner rather than later, it is no surprise that the regulatory landscape has been changing drastically in recent years, with various jurisdictions grappling with their own ways to regulate the new technology. While some jurisdictions are attempting to pursue regulation by collaboration with the industry, others, like the United States, have seemingly set out to eradicate DeFi via regulation by enforcement. Let’s explore some of these approaches in more detail.
III. REGULATORY LANDSCAPE FOR DEFI AND DAPPS
A. UNITED STATES
In the US, the regulators have been waging their war on crypto as a whole and DeFi specifically. The Securities and Exchange Commission (SEC) has taken the position that many DeFi products are securities, and therefore subject to its regulation. The SEC has also brought enforcement actions against DeFi projects that it believes have violated securities laws. The Commodity Futures Trading Commission (CFTC) has also taken an active role in regulating DeFi. The CFTC has jurisdiction over derivatives, and some DeFi products could be considered derivatives. The CFTC has issued guidance on how it will regulate DeFi, and it has also brought enforcement actions against DeFi projects that it believes have violated commodities laws. The Financial Crimes Enforcement Network (FinCEN) has also been involved in regulating DeFi. FinCEN is responsible for enforcing anti-money laundering (AML) laws, and some DeFi products could be used for money laundering. FinCEN has issued guidance on how it will regulate DeFi, and it has also brought enforcement actions against DeFi projects that it believes have violated AML laws. We have covered some of these considerations and risks, as well as CEX-related SEC litigations, in the previous article. It is time to dive into the most recent developments that specifically affect DeFi and dApps.
1. Treasury and IRS Proposed Regulations of Crypto Tax Reporting
The IRS first provided guidance on digital assets in 2014, when it issued Notice 2014-21, classifying cryptocurrency as property for U.S. federal income tax purposes. In 2019, the IRS released Revenue Ruling 2019-24, elaborating on questions related to the tax treatment of hard forks. In July 2023, the IRS clarified its stance on the taxation of staking cryptocurrency rewards in Revenue Ruling 2013-14. Since 2019 the IRS website has also listed some Frequently Asked Questions on cryptocurrency transactions. Recently, the IRS released proposed regulations on tax reporting requirements for brokers of digital assets. The rule would require a broad range of entities, including wallet software providers and DeFi protocols, to collect and report user information such as name, home address, and wallet address for any user transactions. The rule has been met with widespread criticism from the industry with the obvious and expected arguments being made that it is overly broad and burdensome, and that it would stifle innovation in the DeFi space.
a) Potential Impact
As proposed, the rule would have a far-reaching effect across the DeFi sector, rendering it just shy of inoperable for US founders and users alike. Here are some specific examples of how the rule would impact different entities:
· Wallet software providers: Wallet software providers are companies that develop and distribute software that allows users to store and manage their cryptocurrency. The proposed regulations would require wallet software providers to collect and report user information for any transactions that occur through their software, even if the wallet software provider does not have access to this information. This would be a significant compliance burden for wallet software providers, and it would also be a privacy violation for users.
· DeFi protocols: The proposed regulations would require DeFi protocols to collect and report user information for any transactions that occur on their platform, even if the DeFi protocol does not have access to this information. This too would place a massive burden on DeFi protocols, and it would also be a privacy no-no for users who embrace DeFi specifically for its decentralization and anonymity.
· Digital asset exchanges: Digital asset exchanges are platforms that allow users to buy, sell, and trade cryptocurrency. The proposed rule would not require digital asset exchanges to collect and report user information for transactions that occur on their platform. However, the rule would require digital asset exchanges to collect and report user information for transactions that occur off-exchange, such as peer-to-peer transactions. This would be a significant burden for digital asset exchanges, and it would also be a privacy violation for users.
b) Proposed Regulations’ Flaws
Whether on purpose or for lack of understanding, the proposed regulations are highly flawed in the following ways as presented:
· The definition of “broker” is too broad. The present rule defines a broker as “any person that in the ordinary course of a trade or business stands ready to effect sales to be made by others.” The suggested regulations would see the definition of “effect” revised to include anyone providing services that facilitate sales of digital assets and who would typically know or be in a position to know the identity of the parties involved. This change is deliberately meant to brand as a broker, in blanket fashion, anyone who is in a position to obtain relevant information for tax compliance purposes, such as non-custodial wallet software providers, DeFi protocols and various tools and dApps, including ... Etherscan!
· The rule is burdensome. The collection and reporting of user information would be a significant burden for many entities, especially small businesses and startups. For many of them, this will drive the choice of either leaving the US market or potentially ceasing to exist.
· The rule would stifle innovation in the DeFi space. DeFi protocols are designed to be permissionless and decentralized, and the rule would require these protocols to collect and report user information, which would undermine their core principles.
On a brighter note, these regulations are only at the proposal stage and may get revised and amended along the way. By way of example, the definition of “broker” could and should be tailored to make the reporting requirements less burdensome and more selective in who they apply to. The regulations should also exempt DeFi protocols from the reporting requirements. In addition, the rule should be delayed until there is more clarity on how, and by whom, it would be implemented and enforced.
The proposed regulations are currently open for public comment. The Treasury Department and the IRS will then review the comments and make any necessary changes to the rule. The rule is expected to go into effect in 2025, for tax season 2026. In the meantime, the crypto industry is urging Congress to intervene and fix the rule. Senator Ron Wyden and Senator Mike Crapo, the leaders of the Senate Finance Committee, have requested information from the Treasury Department and the IRS on crypto tax issues. This is an opportunity for Congress to weigh in on the rule and to make sure that it is fair and balanced. The crypto industry is also working to educate policymakers about the potential risks and benefits of the rule. The industry is also developing compliance tools and best practices to help entities comply with the rule, if it is finalized in its current form. The future of these regulations will be highly debated and, likely, litigated. However, as proposed, the regulations would all but expel DeFi from the US shores.
2. The CFTC's Enforcement Actions Against DeFi
On September 7, 2023, the Commodity Futures Trading Commission (CFTC) announced three controversial enforcement actions against DeFi protocols: ZeroEx Labs, Opyn and Deridex. These actions have significant implications for the future of DeFi in the United States.
The CFTC alleged that ZeroEx Labs violated the Commodity Exchange Act (CEA) by operating a platform that allowed the trading of leveraged tokens, which are a type of derivative. The CFTC also alleged that ZeroEx Labs failed to register as a futures commission merchant (FCM) with the CFTC. The CFTC has charged Opyn and Deridex with failing to register as swap execution facilities (SEFs) or designated contract markets (DCMs), and with failing to operate as registered futures commission merchants (FCMs).
Opyn is a DeFi protocol that allows users to trade options on cryptocurrencies. The CFTC alleges that Opyn developed a blockchain-based trading protocol for its digital asset derivative token, oSQTH, without proper registration. The CFTC also alleges that Opyn violated federal laws by allowing leveraged transactions and failing to implement a required customer identification program. Deridex is a DeFi protocol that allows users to trade perpetual swaps on cryptocurrencies. Perpetual swaps are a type of derivative that is similar to a futures contract but does not have an expiration date. The CFTC alleges that Deridex illegally offered derivatives via perpetual swaps without proper registration. Similarly, in March 2023, the CFTC charged Ooki DAO with violating certain laws by offering margined and leveraged commodities. Ooki DAO agreed to settle the charges without admitting or denying the allegations. Another notable aspect of the Ooki DAO case was that the DAO (and its members) were served with process, that is, formally notified of the action, via Ooki’s online chatbot and Discord.
These latest charges by the CFTC have been so controversial that the CFTC Commissioner Summer K. Mersinger has publicly disagreed with the agency’s enforcement actions against the DeFi projects, advocating for public engagement instead. She emphasized that such actions mark a substantial shift from the CFTC’s previous stance of seeking cooperation with DeFi market players and pointed out that the CFTC’s strategic plan for DeFi was geared towards stakeholder interaction and regulation based on guiding principles.
The charges against ZeroEx, Opyn, and Deridex, as well as past charges and settlement with Ooki DAO, suggest that the CFTC is taking a more aggressive approach to regulating DeFi. While the settlement amounts in the latest 3 actions have been fiscally bearable for large industry players, the cease and desist orders that came with them are concerning. These charges could lead to further crackdowns and have a chilling effect on the development of DeFi in the United States by, inter alia, making it more difficult for DeFi platforms to raise capital. These issues are likely to be the subject of further litigation and debate. However, the CFTC's enforcement actions make it clear that DeFi developers and operators should take steps to ensure preemptive compliance if they wish to develop in and for the US market.
3. Tornado Cash
Tornado Cash is a decentralized application (dApp) that allows users to mix their cryptocurrency transactions, making it more difficult to trace the source and destination of funds. In a controversial turn of rulings, the dApp was sanctioned by OFAC in August of 2022 because of its use by the Lazarus Group, a North Korean hacking group, to launder hundreds of millions of dollars in stolen cryptocurrency. This decision has itself spurred much debate and controversy because it set a precedent of sanctioning a piece of software.
As the matter has been unfolding, on August 23, 2023, the United States Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned Roman Semenov, one of three co-founders of the virtual currency mixer Tornado Cash. The sanctions designation was conducted in coordination with the U.S. Department of Justice (DOJ), which unsealed an indictment against Semenov and a second co-founder of Tornado Cash, Roman Storm. The sanctions designation and indictment are the latest in a series of actions taken by the U.S. government against Tornado and its founders as part of their campaign to crack down on the use of virtual currency to launder money and support illicit activity. A third co-founder of Tornado Cash, Alexey Pertsev, was arrested on related money laundering charges in the Netherlands in August 2022 by Dutch law enforcement authorities. The indictment against Semenov and Storm alleges that they knew that Tornado Cash was being used by the Lazarus Group to launder money, but they continued to develop and promote the dApp. The indictment also alleges that Semenov and Storm failed to take reasonable steps to prevent the dApp from being used for illicit purposes.
These personal sanctions against Semenov and Storm prohibit U.S. persons from engaging in any transactions with them or their assets. The sanctions also make it a crime for U.S. persons to knowingly provide material support to Semenov or Storm. The sanctions also underscore the importance of due diligence for businesses that operate in the virtual currency ecosystem. Businesses that fail to take reasonable steps to prevent their services from being used for illicit purposes could face sanctions themselves.
In addition to the sanctions against Semenov and Storm, the DOJ also announced the arrest of Roman Storm in the United States. Storm is charged with conspiracy to commit money laundering, conspiracy to operate an unlicensed money transmitting business, and conspiracy to commit sanctions violations. The arrest of Storm is itself a significant development for the ecosystem and a stark reminder that the U.S. government could seek criminal liability for developers and operators even if they have relinquished direct control over the technology and even if its conceptual purpose did not entail criminal use.
4. Uniswap Class Action Litigation
While the above actions from the US regulators may seem like doom and gloom, a pattern of recent court decisions favoring the industry has been building momentum. Just recently, on August 29, 2023, the United States District Court for the Southern District of New York dismissed a securities class action against Uniswap, the popular decentralized exchange (DEX). The decision is a major victory for DeFi and could have implications for the future regulation of the industry.
The plaintiffs in the case alleged that Uniswap was an unregistered securities exchange and broker-dealer because it facilitated the trading of unregistered securities. However, the court found that Uniswap's contracts were merely collateral to the activities of the token issuers, and that the exchange itself did not engage in any securities activities. The court's decision is based on the following key findings:
· Uniswap's contracts are neutral and consistent across all tokens, meaning that they do not themselves determine whether a token is a security.
· The securities violations alleged by the plaintiffs were with the specific token-related contracts developed by the token issuers, not with Uniswap's contracts.
· Uniswap's contracts are more analogous to a user agreement than to a securities exchange.
· Uniswap does not hold or own the assets traded on its platform and does not facilitate the transfer of title to those assets.
The court's decision is a significant victory for DeFi, as it recognizes that DeFi protocols are not securities exchanges and are not subject to the same regulatory requirements. This could have implications for the future regulation of DeFi, as it could make it more difficult for regulators to bring enforcement actions against DeFi protocols. In fact, this decision may have a lasting effect even on the DOJ’s prosecution of the Tornado Cash founders. However, it is important to note that the court's decision is not binding on other courts, and it is possible that other courts could reach different conclusions. Additionally, the decision does not address the question of whether DeFi tokens themselves are securities. This question is still being debated by regulators and courts, and it is likely to be resolved in the coming years. Overall, the court's decision in the Uniswap case is a positive recognition that DeFi protocols are different from traditional securities exchanges, and that they should not be subject to the same regulatory requirements. It is also worth noting that the same federal judge presides over the SEC v. Coinbase lawsuit that we discussed in our previous article covering the CEXs.
B. EUROPEAN UNION
Across the pond, and with the previously discussed MiCA setting in, the European Commission is considering regulations that would require DeFi service providers to comply with certain requirements, such as Know Your Customer (KYC) and Anti-Money Laundering (AML) rules.
1. IOSCO Consultative Report on DeFi Regulation
Recently, in September 2023, the International Organization of Securities Commissions (IOSCO) published a consultative report that aims to address the regulatory treatment of DeFi. The report brings forward nine key policy recommendations that carry weighty implications for securities regulators:
· Adopt a “same activity, same risk, same rules” approach when regulating DeFi products. This means that DeFi products should be regulated in the same way as traditional financial products that pose the same level of risk.
· Push for regulatory convergence on DeFi. The regulators from different jurisdictions are gearing up to work together to develop consistent rules and regulations for DeFi.
· Address potential conflicts of interest. This includes requiring DeFi product providers to manage conflicts of interest, such as those that arise from MEV (miner extractable value).
· Assess and address material risks associated with DeFi. This includes risks such as market manipulation, fraud, and cyber security.
· Introduce clear and precise disclosure requirements for DeFi products. This will help investors to understand the risks and features of DeFi products.
· Enforce broad applicable laws and regulations. This includes laws and regulations that are designed to protect investors, such as anti-money laundering and market abuse laws.
· Recognize the importance of Oracles and cross-chain bridges. These are essential services that DeFi products rely on, and regulators should assess whether they present any risks.
· Emphasize clear disclosure due to DeFi's complexity. DeFi is a complex system, and regulators should require DeFi product providers to provide clear and transparent information to investors.
· Call for improved transparency on operations, risks, governance, conflicts of interest, and providers' financial conditions. This will help investors to make informed investment decisions.
a) MEV
The report also discusses MEV for the first time. MEV is the value that miners can extract from the Ethereum blockchain by strategically ordering transactions. IOSCO considers MEV to give rise to conflicts of interest, and considers whether a provider of a DeFi service or product should be responsible for identifying, managing and mitigating the impact of MEV strategies used by miners/validators.
b) Impact
The IOSCO report is a first targeted step towards regulating DeFi in the EU. Accordingly, it is bound to have a significant impact on regulators and the industry alike. It provides guidance on how to regulate DeFi, and it also calls for regulatory convergence. This will make it easier for regulators to cooperate and share information, which will help to protect investors. The IOSCO report also has a positive impact on the DeFi industry as it provides clarity on the regulatory landscape and identifies some of the risks that DeFi products pose. This will help the industry to develop more robust products and services.
IV. REGULATORY LANDSCAPE FOR NON-CUSTODIAL WALLETS
Non-custodial wallets are often seen as more secure than custodial wallets, which are managed by a third party. However, non-custodial wallets also present a number of regulatory and legal challenges. For example, it can be difficult to determine who is responsible for complying with anti-money laundering (AML) and know-your-customer (KYC) regulations when users are responsible for their own private keys. Additionally, from regulators’ perspective, non-custodial wallets can be used to facilitate illegal activities, such as money laundering and terrorist financing.
A. UNITED STATES
In the United States, there is no specific regulation for non-custodial wallets. However, we have explored the proposed IRS regulations affecting wallets and wallet providers above. The Financial Crimes Enforcement Network (FinCEN) has also previously issued guidance that non-custodial wallet providers may be considered “financial institutions” under the Bank Secrecy Act (BSA). This means that non-custodial wallet providers may be subject to AML and KYC requirements. Overall, the US has a number of laws and regulations on the books already that could apply to non-custodial wallets. These include:
· The Bank Secrecy Act (BSA): The BSA requires financial institutions to comply with AML and KYC requirements. Non-custodial wallet providers may be considered “financial institutions” under the BSA, depending on the specific facts and circumstances.
· The Commodity Futures Trading Commission (CFTC) Act: The CFTC Act regulates derivatives trading. Non-custodial wallet providers that offer derivatives products may be subject to the CFTC Act.
· The Securities Act of 1933: The Securities Act of 1933 regulates the offer and sale of securities. Non-custodial wallet providers that offer tokens that are considered securities may be subject to the Securities Act of 1933.
B. EUROPEAN UNION
In the European Union, the Markets in Crypto-Assets (MiCA) regulation will regulate a wide range of crypto assets, including non-custodial wallets. The regulation will require non-custodial wallet providers to comply with AML and KYC requirements, and to register with the relevant authorities. The EU has a number of laws and regulations that could further apply to non-custodial wallets. These include:
· The General Data Protection Regulation (GDPR): The GDPR regulates the processing of personal data by organizations in the EU. This could apply to non-custodial wallet providers that collect personal data about their users.
· The Anti-Money Laundering Directive (AMLD): The AMLD is a directive that sets out minimum standards for AML and KYC compliance across the EU. Member states are required to implement the AMLD into their national laws.
V. CONCLUSION
The regulation of DeFi, dApps, and non-custodial wallets is a complex and evolving issue. In the US and EU, the regulators have, as expected, taken a harsh approach to regulating them, citing concerns about investor protection, financial stability, tax evasion and money laundering.
This harsh regulation, particularly the regulation by enforcement carried out by the federal agencies in the US, has been criticized by many bright minds who argue that it stifles innovation and makes it difficult, if not impossible, for startups to operate. However, regulators argue that the harsh regulation is necessary to protect investors and prevent fraud, tax evasion and AML issues. In addition, DeFi, dApps and non-custodial wallet developers and operators should also remain aware of the potential for criminal prosecution under the criminal laws of the United States. The regulations are bound to evolve in the coming years. As blockchain technology becomes more mainstream, regulators will need to find ways to balance the need to protect investors and prevent wrongdoing with the need to not stifle innovation.