Statement on DeFi Risks, Regulations, and Opportunities
Nov. 9, 2021
As published in The International Journal of Blockchain Law, Vol. 1, Nov. 2021.
Whether in the news, social media, popular entertainment, and increasingly in people’s portfolios, crypto is now part of the vernacular. But what that term actually encompasses is broad and amorphous and includes everything from tokens, to non-fungible tokens, to Dexes to Decentralized Finance or DeFI. For those readers not already familiar with DeFi, unsurprisingly, definitions also vary. In general, though, it is an effort to replicate functions of our traditional finance systems through the use of blockchain-based smart contracts that are composable, interoperable, and open source. Much of DeFi activity takes place on the Ethereum blockchain, but any blockchain that supports certain types of scripting or coding can be used to develop DeFi applications and platforms.
DeFi presents a panoply of opportunities. However, it also poses important risks and challenges for regulators, investors, and the financial markets. While the potential for profits attracts attention, sometimes overwhelming attention, there is also confusion, often significant, regarding important aspects of this emerging market. Social media questions like “who in the U.S. regulates the DeFi market?” and “Why are regulators involved at all?” abound. These are crucial questions, and the answers are important to lawyers and non-lawyers alike. This article attempts to provide a short background on the current regulatory landscape for DeFi, the role of the United States Securities and Exchange Commission (“SEC”), and highlights two important hurdles that the community should address.
I. Many Investments Share Important Attributes
Many DeFi offerings and products closely resemble products and functions in the traditional financial marketplace. There are decentralized applications, or dApps, running on blockchains, that enable people to obtain an asset or loan upon posting of collateral, much like traditional collateralized loans. Others offer the ability to deposit a digital asset and receive a return. Both types of products offer returns, some directly, and some indirectly by enabling the use of borrowed assets for other DeFi investing opportunities. In addition, there are web-based tools that help users identify, or invest in, the highest-yielding DeFi instruments and venues. Other applications let users earn fees in exchange for supplying liquidity or market making. There are also tokens coded to track the prices of securities trading on registered U.S. national securities exchanges, and then can be traded and used in a variety of other DeFi applications. So while the underlying technology is sometimes unfamiliar, these digital products and activities have close analogs within the SEC’s jurisdiction.
These similarities should come as a surprise to no one, considering finance is in the name. It should also come as a surprise to no one that investing is often at the core of DeFi activity. This movement is not about merely developing new digital asset tokens. Developers have also constructed smart contracts that offer individuals the ability to invest, to lever those investments, to take a variety of derivative positions, and to move assets quickly and easily between various platforms and protocols. And there are projects that show a potential for scalable increased efficiencies in transactions speed, cost, and customization.
These projects are evolving incredibly fast with new and interesting potential. Considering the relative infancy of blockchains that support the scripting needed for sophisticated smart contracts, DeFi development is particularly impressive. But these offerings are not just products, and their users are not merely consumers. DeFi, again, is fundamentally about investing. This investing includes speculative risks taken in pursuit of passive profits from hoped-for token price appreciation, or investments seeking a return in exchange for placing capital at risk or locking it up for another’s benefit.
II. Unregulated Markets Suffer From Structural Limitations
Market participants who raise capital from investors, or provide regulated services or functions to investors, generally take on legal obligations. In what may be an attempt to disclaim those legal obligations, many DeFi promoters disclose broadly that DeFi is risky and investments may result in losses, without providing the details investors need to assess risk likelihood and severity. Others could accurately be characterized as simply advocating a “buyer beware” approach; by participating, investors assume the risk of any and all losses. Given this, many current DeFi participants recommend that new investors exercise caution, and many experts and academics agree there are significant risks.
While DeFi has produced impressive alternative methods of composing, recording, and processing transactions, it has not rewritten all of economics or human nature. Certain truths apply with as much force in DeFi as they do in traditional finance:
- Unless required, there will be projects that do not invest in compliance or adequate internal controls;
- when the potential financial rewards are great enough, some individuals will victimize others, and the likelihood of this occurring tends to increase as the likelihood of getting caught and severity of potential sanctions decrease; and
- absent mandatory disclosure requirements, information asymmetries will likely advantage rich investors and insiders at the expense of the smallest investors and those with the least access to information.
Accordingly, DeFi participants’ current “buyer beware” approach is not an adequate foundation on which to build reimagined financial markets. Without a common set of conduct expectations, and a functional system to enforce those principles, markets tend toward corruption, marked by fraud, self-dealing, cartel-like activity, and information asymmetries. Over time that reduces investor confidence and investor participation.
Conversely, well-regulated markets tend to flourish, and I think our U.S. capital markets are prime examples. Because of their reliability and shared adherence to minimum standards of disclosure and conduct, our markets are the destination of choice for investors and entities seeking to raise capital. Our securities laws do not merely serve to impose obligations or burdens, they provide a critical market good. They help address the problems noted above, among others, and our markets function better as a result. But, in the brave new DeFi world, to date there has not been broad adoption of regulatory frameworks that deliver important protections in other markets.
III. Who Regulates DeFi?
In the United States, multiple federal authorities likely have jurisdiction over aspects of DeFi, including the Department of Justice, the Financial Criminal Enforcement Network, the Internal Revenue Service, the Commodity Futures Trading Commission, and the SEC. State authorities likely have jurisdiction over aspects as well. In spite of the number of authorities having some jurisdictional interest, DeFi investors generally will not get the same level of compliance and robust disclosure that are the norm in other regulated markets in the U.S. For example, a variety of DeFi participants, activities, and assets fall within the SEC’s jurisdiction as they involve securities and securities-related conduct. But no DeFi participants within the SEC’s jurisdiction have registered with us, though we continue to encourage participants in DeFi to engage with the staff. If investment opportunities are offered completely outside of regulatory oversight, investors and other market participants must understand that these markets are riskier than traditional markets where participants generally play by the same set of rules.
IV. The Role of the SEC
As an SEC Commissioner I have a duty to help ensure that market activity, whether new or old, operates fairly, and offers all investors a level playing field. I would expect this goal to be one DeFi market participants also support.
To do this, the SEC has a variety of tools at its disposal ranging from rulemaking authority, to various exemptive or no action relief, to enforcement actions. Importantly, if DeFi development teams are not sure whether their project is within the SEC’s jurisdiction, they should reach out to our Strategic Hub for Innovation and Financial Technology (“FinHub”), or our other Offices and Divisions, all of which have experts well-versed in issues relating to digital assets. It is my understanding that FinHub has never refused a meeting, and their engagement is meaningful. If a series of meetings is needed, they spend the necessary time. If a project does not fit neatly within our existing framework, before proceeding to market, that project team should come and talk to us. The more the project team can lead that discussion with possible solutions, the better outcomes they can expect. Our staff cannot offer legal advice, but they stand ready to listen to ideas and provide feedback, as developers know their projects better than we ever could. If the project is seemingly constrained by our rules, it is critical for us to get specific ideas about how these new technologies can be integrated into our regulatory regime to ensure the market and investor protections afforded by the federal securities laws, while allowing innovations to flourish.
That being said, for non-compliant projects within our jurisdiction, we do have an effective enforcement mechanism. For example, the SEC recently settled an enforcement action with a purported DeFi platform and its individual promoters. The SEC alleged they failed to register their offering, which raised $30 million, and misled their investors while improperly spending investor money on themselves. To the extent other offerings, projects, or platforms are operating in violation of securities laws, I expect we will continue to bring enforcement actions. But my preferred path is not through enforcement, and I do not consider enforcement inevitable. Broad non-compliance that necessitates numerous enforcement actions is not an efficient way to achieve what I believe are shared goals for DeFi. The more projects that voluntarily comply with regulations, the less frequently the SEC will have to pursue investigations and litigation.
V. Structural Hurdles
I recognize it is not the SEC’s role to prevent all investment losses. It is also not my goal to restrict investor access to fair and appropriate opportunities. But it is my job to demand that investors have equal access to critical information so they can make informed decisions whether to invest and at what price. I am similarly committed to ensuring markets are fair and free from manipulation. Given this, it seems that there are two specific structural problems that the DeFi community needs to address.
A. Lack of Transparency
First, although transactions often are recorded on a public blockchain, in important ways, DeFi investing is not transparent. I am concerned that this lack of transparency contributes to a two tier market in which professional investors and insiders reap outsized returns while retail investors take more risks, get worse pricing, and are less likely to succeed over time. Much of DeFi is funded by venture capital and other professional investors. It is unclear to me how well known this is in the DeFi retail investor community, but the underlying funding deals often grant professional investors equity, options, advisory roles, access to project team management, formal or informal say on governance and operations, anti-dilution rights, and the ability to distribute controlling interests to allies, among other benefits. Rarely are these arrangements disclosed, but they can have a significant impact on investment values and outcomes. Retail investors are already operating at a significant disadvantage to professional investors in DeFi, and this information imbalance exacerbates the problem.
Some contend that DeFi is, in fact, more egalitarian and transparent because much of the activity is based on code that is publicly available. However, only a relatively small group of people can actually read and understand that code, and even highly-qualified experts miss flaws or hazards. Currently the quality of that code can vary drastically, and has a significant impact on investment outcomes and security. If DeFi has ambitions of reaching a broad investing pool, it should not assume a significant portion of that population can or wants to run their own testnet to understand the risks associated with the code on which their investment prospects rely. It is not reasonable to build a financial system that demands investors also be sophisticated interpreters of complex code.
Put simply, if a retail investor has $2,000 to invest in a risky programmable asset, it is not cost effective for that investor to hire experts to audit the code to ensure it will behave as advertised. Instead, retail investors must rely on information available through marketing, advertising, word of mouth, and social media. Professional investors, on the other hand, can afford to hire technical experts, engineers, economists, and others, before making an investment decision. While this professional advantage exists historically in our financial markets, DeFi exacerbates it. DeFi removes intermediaries that perform important gatekeeping functions and operates outside the existing investor and market protection regime. That can leave retail investors without access to professional financial advisors or other intermediaries who help screen potential investments for quality and legitimacy. These provide meaningful fraud reduction and risk assessment assistance in traditional finance, but there are limited substitutes in DeFi.
A second foundational challenge for DeFi is that these markets are vulnerable to difficult to detect manipulation. DeFi transactions occur on a blockchain, and each transaction is recorded, immutable, and available for all to see. But that visibility extends only down to a certain identifier. Because of pseudonymity, the blockchain displays the blockchain address that sent or received assets, but not the identity of the person who controls it.
Without an efficient method for determining the actual identity of traders, or owners of smart contracts, it is very difficult to know if asset prices and trading volumes reflect organic interest or are the product of manipulative trading by, for example, one person using bots to operate multiple wallets, or a group of people trading collusively. There are specific U.S. securities laws prohibiting trading for the purpose of giving the false appearance of market activity or to manipulate the price of a security, because successful investing depends on reliable information and market integrity. Pseudonymity makes it much easier to conceal manipulative activity and almost impossible for an investor to distinguish an individual engaging in manipulative trading from normal organic trading activity. In DeFi, because markets often turn on asset price, trading volumes, and momentum, investors are vulnerable to losses due to manipulative trading that makes those signals unreliable. To the extent transactions occur off public blockchains, it is even more difficult to assess whether trading is legitimate.
I recognize that in some ways DeFi is synonymous with pseudonymous. The use of alphanumeric strings that obscure real world identity was a core feature of Bitcoin and has been present in essentially all blockchains that have followed. But in the U.S., investors have long been comfortable with a compromise in which they give up some limited degree of privacy by sharing their identity with the entity through which they trade securities. In return, they benefit from regulated markets that are more fair, orderly, and efficient, with less manipulation and fraud.
In moving to DeFi, I suspect most retail investors are not doing so because they seek greater privacy; they are seeking better returns than they believe they can find from other investments. While some in DeFi believe in absolute financial privacy, I expect that projects that solve for pseudonymity are more likely to succeed, because investors can then be comfortable that asset prices reflect actual interest from real investors, not prices pumped by hidden manipulators. Projects that address this problem are also more likely to be able to comply with SEC regulations and other legal obligations, including requirements around anti-money laundering and countering the financing of terrorism imposed by the Bank Secrecy Act.
My respect for innovation does not lessen my commitment to help ensure all our financial markets are sustainable and offer average investors a fair chance of success. DeFi is a shared opportunity and challenge. Some DeFi projects fit neatly within our jurisdiction, and others may struggle to comply with the rules as currently applied. It is not enough to just say it is too hard to regulate or to say it is too hard to comply with regulations.
It is a positive sign that many projects say they want to operate within DeFi in a compliant way. I credit their sincerity on this point, and hope they commit resources to collaborating with the SEC staff in the same spirit. For DeFi’s problems, finding compliant solutions is something best accomplished together. Reimagining our markets without appropriate investor protections and mechanisms to support market integrity would be a missed opportunity, at best, and could result in significant harm, at worst. In conceiving a new financial system, I believe developers have an obligation to optimize for more than profitability, speed of deployment, and innovation. Whatever comes next, it should be a system in which all investors have access to actionable, material data, and it should be a system that reduces the potential for manipulative conduct. Such a system should lead capital to flow efficiently to the most promising projects, rather than being diverted by mere hype or false claims. It should also be designed to advance markets that are interconnected, but with sufficient safeguards to withstand significant shocks, including the potential for rapid deleveraging. In decentralized networks with diffuse control and disparate interests, regulations serve to create shared incentives aligned to benefit the entire system and ensure fair opportunities for its least powerful participants.
My staff and I have been actively engaged in helpful discussions with DeFi experts and my door remains open. I can’t promise an easy or quick process, unfortunately, but I can assure you of good faith consideration and a true desire to help promote responsible innovation.
 I am deeply grateful to my colleagues Robert Cobbs, Kathleen Gallagher, Micah Hauptman, Claire O’Sullivan, and Gosia Spangenberg, whose hard work made this submission possible. I would like to particularly thank my colleague David Hirsch, who has been instrumental not only to this submission, but also provides valuable support to my office’s overall approach to digital assets. We are also grateful to a variety of industry experts and attorneys who generously shared their time and ideas, and helped deepen my understanding of these questions. And finally, thanks to Dr. Matthias Artzt, Sandra Ro, and all the editors of The International Journal of Blockchain Law. The views I express herein are my own and do not necessarily reflect the views of the Commission, my fellow Commissioners, or the SEC Staff.
 Composable refers to the ability to link smart contracts and build on existing modular code, which leads some to refer to DeFi applications as money Legos. See Quantstamp Labs, DeFi’s Composability: More Possibility, More Risk, (last visited Nov. 8, 2021). The term interoperable describes the ability to use DeFi protocols and applications across platforms and smart contracts. See Fabian Schär, Decentralized Finance: On Blockchain and Smart Contract-Based Financial Markets, Fed. Res. Bank St. Louis Rev. 153 (Feb. 5. 2021).
 In addition to the securities law issues addressed in this article, regulators have also raised concerns about DeFi projects’ failures to comply with rules relating to anti-money laundering, combating the financing of terrorism, tax compliance, the Commodity Exchange Act, and other issues. While not the primary focus of this article, I share some of those same concerns.
 The DeFi market overall has grown dramatically. DeFi today has more than $101 billion in total value locked, representing rapid expansion since September 2020 when that figure stood at $19.5 billion. See Marketforces Africa, DeFi Market Soared 335% to $85 Billion, (last visited Nov. 8, 2021).
 See Schär, supra note 3, at 164.
 Id. at 165.
 Id. at 162.
 I listened to a recent podcast in which a young developer acknowledged that humans as a species are attracted to high returns, but are also bad at considering risk in choosing where to invest and at what price. He also said that people were mortgaging their homes to free up funds with which to invest in DeFi, and that he was concerned the outcome could be scary. Without reference to this specific person, it seems like common knowledge that some retail investors are taking on huge exposure in DeFi without understanding the risk or having the ability to price for it. Developers should build systems that are compliant with important regulatory and policy frameworks so that investors have all material information, including about the potential risks, and are protected from misconduct that puts them at a disadvantage.
 For activity within the SEC’s jurisdiction, compliance with the investor protections of the Securities Act of 1933 and the Securities and Exchange Act of 1934 requires important disclosures.
 There is a great deal of academic research into network effects and how network adoption and engagement benefits the value of networks. I would be interested in research that studies how fraud and other violations of trust within a network impact that network’s value by reducing adoption and engagement, and the potential for this impact to extend to competing networks.
 The U.S. government has dedicated significant resources to providing feedback, supporting innovation, and developing in-house expertise to ensure regulatory approaches are based on an accurate understanding of the technology. For example, the SEC has a FinHub, and a number of other authorities have innovation initiatives that engage with market participants and study the technology.
 See Melanie Waddell, State Securities Regulators Report Tripling of Digital Asset Enforcement Actions, ThinkAdvisor (last visited Nov. 8, 2021).
 At the SEC we have existing laws and rules that guide our approach and are shaped by court interpretations. Rather than proactively labeling every investment vehicle as a security or not a security, we look at specific facts and circumstances and apply the law based on that analysis. We do not have a measuring box like at airports, where if a bag fits inside it can be carried on, and otherwise must be checked. That type of mechanical jurisdictional test might be easier to apply and yield a faster conclusion, but ultimately would require us to revise the test and adapt the rules every time a new type of investment is introduced or changes in form. Considering that we regulate capital markets exceeding $110 trillion, made up of tens of thousands of entities, that type of proactive “define everything” approach is too rigid, and markets are too large, for it to be workable. Our statutes recognize that and provide for a flexible, principles-based approach, but one that also inherently requires a more detailed analysis to determine whether specific conduct or assets are within the SEC’s jurisdiction.
 My responsibility extends to conduct within the SEC’s jurisdiction, and my able colleagues at sibling agencies are responsible for other types of conduct.
 See SEC Strategic Hub for Innovation and Financial Technology (“FinHub”).
 FinHub comprises representatives across the SEC’s Divisions, and so those meetings includes access to a broad range of experts. FinHub is also an important resource to the Commission as it considers policy choices.
 Coming in to speak with SEC staff does not provide amnesty for violative conduct. It is, however, an important path to help projects identify potential SEC regulatory compliance issues, discuss possible solutions, and develop a plan to operate legally. To the extent a project team has already been operating outside of compliance, working with staff to prevent future violations may also position it to more quickly and inexpensively resolve any potential enforcement action for related past violations. Our Division of Enforcement considers cooperation when determining what remedies to recommend for violative conduct and we have agreed to settle multiple cases with reduced or no penalties in response to self-reporting violations, including in the digital assets space. See, e.g., In the Matter of Gladius Networks, Order Instituting Cease and Desist Proceedings, Securities Act Release No. 10608 (Feb. 20, 2019).
 See In the Matter of Blockchain Credit Partners d/b/a DeFi Money Market, Gregory Keough, and Derek Acree, Order Instituting Cease and Desist Proceedings, Securities Act Release No. 10961 (Aug. 6, 2021).
 I recognize that DeFi has experienced significant asset price appreciation, and that is part of what motivated me to write this. The impacts of the information disparities or market conduct on retail investors may not be easy to see until the next DeFi market downturn or crisis.
 Joel Khalil, Investing in DeFi is Seriously Risky But Maybe It Doesn’t Have to Be, Techradar.com (last visited Nov. 8, 2021) (describing “[h]igh transaction fees, market volatility and security incidents linked with vulnerabilities in smart contracts” as risks that are more pronounced for retail investors).
 Kevin Werbach, Finance 3.0: DeFi, Dapps, and the Promise of Decentralized Disruption, The Reboot (last visited Nov. 8, 2021).
 See 15 U.S.C. § 78i (2018).
 In a recent speech I requested input from digital assets market participants. See Caroline Crenshaw, Commissioner, Sec. & Exch. Comm’n, Digital Asset Securities – Common Goals and a Bridge to Better Outcomes (Oct. 12, 2021). Unfortunately, that has not yet yielded much of a response from a community that often says it lacks necessary guidance from the SEC, among others. My door remains open, and I welcome your ideas. I’ve created a dedicated mailbox for this purpose: email@example.com.