In the evolving landscape of decentralized finance (DeFi), ensuring market integrity and safeguarding investor protection have become paramount. In this endeavor, the International Organization of Securities Commissions (IOSCO) has taken a proactive stance by publishing the Consultation Report – a pivotal step toward shaping the future of DeFi.
At CoinDCX, we recognize and wholeheartedly embrace IOSCO’s commitment to refining policy recommendations in the realm of decentralized finance. The Consultation Report, aptly titled “Policy Recommendations for Decentralized Finance,” reflects IOSCO’s dedication to fostering compliant markets while embracing the innovative spirit of DeFi. We are not just witnesses to these efforts; we are active participants, eagerly contributing our insights to this vital discourse.
Our Comments on the document are as follows:
Application of the “Same Activity, Same Risk, Same Outcome” Principle
We appreciate that the IOSCO recommendations recognize the value of responsible innovation. They also suggest the application of the “same activity, same risk, same regulatory outcome” approach to financial markets, regardless of the technology that may be used to deliver financial products and services.
It is pertinent to note that the “same activity, same risk, same regulatory outcome” principle should not be interpreted so as to justify the application of exactly the same form of regulation in all cases to achieve the same regulatory outcome. Instead, it encourages one to assess whether an arrangement constitutes the same activity and poses the same risk as another arrangement.
If the outcome of such assessment is affirmative, in such cases, according to the principle, the same regulation should be made applicable. The principle therefore discourages the blanket application of any singular form of regulation unless the activities conducted and the risk they pose are the same. We believe the IOSCO recommendations’ approach to maintaining technological neutrality is well-intentioned and noble. We also agree with its objective of seeking regulatory outcomes such as investor protection and market integrity from DeFi, consistent with TradFi. That said, such an approach should not imply the imposition of a singular form of regulation on both DeFi and TradFi. It should not exclude the application of a differentiated regulatory approach, should the technology play a fundamental role in altering the underlying activity or the risk profile of the arrangement.
DeFi and TradFi have Vastly Different Risk Profiles
A key aspect of the IOSCO recommendations is an emphasis on drawing parallels between the DeFi and the TradFi ecosystem. This is specifically fundamental to recommendations 1 and 3. The report describes the common products and services offered in the DeFi markets, demonstrating that they do not materially differ from products and services offered in TradFi markets.
The report concludes that DeFi products present “the same risks, along with additional risks due to the way they are offered”. We accept that the products and offerings of DeFi are often similar to those under TradFi. However, the risk profile of the former is vastly different from that of the latter.
TradFi is built around an “intermediated” model, where retail and institutional customers go through intermediaries (banks, insurers, asset managers, brokers, exchanges, custodians, etc.) to execute the four basic financial activities: payments, borrowing/lending, investing, and insurance. 1 In contrast, DeFi is made up of software protocols that provide a number of disintermediated products and services. These software protocols typically consist of a collection of smart contracts deployed to a decentralized blockchain. Users can interact with these protocols directly, without intermediaries and the rules that govern DeFi protocols are written in and enforced through computer code. 2 The smart contracts in DeFi are immutable and controlled via on-chain governance. Notably, the parameters (what is deemed to be acceptable collateral or the actual interest rate or yield paid) in DeFi agreements can be set by the community, but not the core risk parameters, which are programmatically embedded inside the protocol.
Fundamental features of DeFi that contribute to this difference and act as prerequisites that render a protocol a DeFi protocol are:
- Decentralized: There is no one definition for decentralization in the context of blockchains. The concept, however, typically alludes to the absence of a single point of failure, and a single decision-maker/ controller, resulting in a decentralized, community-driven structure. DeFi protocols achieve decentralization by relying on distributed ledger technology powered by crypto. We acknowledge that the IOSCO recommendations contain specific inputs on “purported decentralization”. We respond to those claims in this comment letter.
- Open sourced: As noted previously, DeFi is built with smart contracts and programmable code, replacing intermediaries’ role in underwriting, executing, and managing the risk of financial transactions prevalent in TradFi. Notably, these codes are all open-sourced and hence the element of subjectivity that is prevalent in TradFi is not a factor in DeFi.
- Immutable and Automated: The smart contracts in DeFi are immutable and controlled via on-chain governance. Their application is also automated, and the parameters for action or inaction are clearly laid out. There is thus no scope for intervention. No single entity can unilaterally alter the execution of a transaction, nor can it unilaterally change the execution of the protocol. Every change must be approved by the community and reflected on the Blockchain.
- Permissionless: DeFi protocols have no subjective barriers to entry. They are open to all and permissionless in that sense.
- Self-custody: Another core element of DeFi that sets it apart from TradFi or CeFi is that the underlying financial assets in the model are necessarily controlled by the user. The user thus maintains custody over it.
Given the absence of intermediaries and the use of blockchain, DeFi is also considerably more transparent than TradFi. Generally, anyone can inspect and audit the public blockchain ledgers upon which many DeFi protocols are built, and the ledgers reflect both the smart contracts that govern the protocol’s operations as well as a record of the price and quantity of each transaction, entered into on a given platform.
We, therefore, believe that drawing comparisons between TradFi and DeFi may be a good starting point for understanding the ecosystem, but it should not inform the regulatory framework governing DeFi.
The Need to Define Prerequisites of DeFi, set Minimum Requirements for Decentralization, and Identify Global Best Practices:
As noted previously, decentralization is the absence of a single point of failure, and a single decision-maker/ controller, resulting in a decentralized, community-driven structure. It is a fundamental feature of DeFi. The IOSCO recommendations encourage regulators to reject labels and rather rely on their own assessment of DeFi arrangements.
We wholeheartedly agree with this recommendation. Given that the industry is still developing, several projects often incorrectly label themselves as DeFi arrangements, while in reality, they are fairly centralized. The Celsius project is a prime example. Learnings from its 2022 meltdown make a strong case for regulators and users to refrain from purely trusting labels.
Instead, assessing the arrangement at (i) an enterprise level (i.e., based on the factual and substantive economic reality), (ii) a functional level, and (iii) a technical level, as suggested in the IOSCO recommendations, is critical. That said, we believe that the IOSCO recommendations appear to dismiss the possibility that certain DeFi projects are indeed decentralized. As noted previously, fundamental minimum prerequisites for a protocol to qualify as a DeFi protocol are (i) decentralized; (ii) open-sourced; (iii) immutable and automated; (iv) permissionless; and (v) self-custodial. We recommend that IOSCO, in consultation with the industry, should lay out clear criteria for the identification of such DeFi protocols.
These criteria should encompass the aforementioned five features. The primary objective here is to create a standardized and clear roadmap that enables regional regulators to distinguish DeFi protocols from other protocols.
This is imperative in light of the vastly different risk profile of DeFi. Given that decentralization is a core component here, it is also critical for multilateral standard-setting bodies such as IOSCO to drive the alignment of all stakeholders on the definition of decentralization. Decentralization must not be viewed as a binary and cannot be measured in absolutes. It is a spectrum representing different levels of distribution of power and control within a network.
It encompasses a range of architectural designs, governance models, and decision-making processes that determine the degree of decentralization achieved. Therefore, in a DeFi protocol, decentralization should be viewed from several different perspectives and must be tested holistically against the backdrop of the use case and value proposition of the product in question.
Factors that may influence the determination of whether a protocol is truly decentralized and hence under the ambit of DeFi may include a) how they achieve consensus; b) whether a centralized entity or group of individuals can significantly influence governance decisions; c) whether a centralized entity or group of individuals can control prices; and d) whether a centralized entity or group of individuals can restrict one’s access to the DeFi protocol. There is thus a pressing need for the IOSCO recommendations to provide minimum conditions that must be satisfied for a protocol to be deemed decentralized.
Besides decentralization, protocols should also be required to satisfy the other four criteria stated above to be deemed a DeFi protocol. In order to streamline this process, we propose that the IOSCO, in consultation with the industry, should also certify protocols as true DeFi protocols, relying on actual periodical assessments and not just on labels. This will further empower users to easily set apart true DeFi protocols from other projects. Lastly, the IOSCO should also conduct the activity of identifying global best practices and encouraging their adoption by both new and existing protocols. These best practices may relate to areas such as cyber security, smart contract auditing, etc.
Our Concerns with the Concept of “Responsible Person”:
Recommendation 2 of the IOSCO recommendations encourages regulators to identify “Responsible Persons” behind DeFi protocols. Notably, there is no clear definition of the phrase. It is said to include those that “maintain control or sufficient influence” over a particular DeFi arrangement or activity.
Regulators have been advised to consider factors such as design and maintenance control; financial and economic control; and formal and legal control. More specifically, the recommendations state that persons such as founders and developers of DeFi protocols and those issuing governance tokens.
We understand that the objective of this recommendation is to identify the subject of regulatory action. We agree with this objective and recognize its importance. We also agree with IOSCO’s approach of rejecting labels upfront and conducting an inquiry of its own. However, we believe that an inquiry to identify whether a protocol is a DeFi protocol, as mentioned in the previous sections of this document, should be a necessary first step.
If a protocol is deemed to be a DeFi protocol – that is to say, it is sufficiently decentralized, open-sourced, immutable and automated, permissionless, and does not take custody of its users’ assets – deeming a developer or founder a “Responsible Person” is counter-intuitive and will stifle innovation.
In such cases, all the information is already available, and any disclosure mandates, for example, that may be imposed on a “Responsible Person” will be of no consequence. DeFi protocols are fundamentally different from TradFi, and the application of traditional regulatory principles, such as the identification of a “Responsible Person,” is not recommended for the DeFi ecosystem.
Instead, a more tailored approach is necessary. Notably, we are not proposing that there should be no regulation on the DeFi ecosystem at large. We are merely proposing that the regulation in question be proportionate to the risk that DeFi poses, and it should not curtail innovation.
Given that DeFi protocols form the infrastructure layer of the DeFi ecosystem, they are comparable to HTTPS or SMTP protocols in the existing digital ecosystem. Placing mandates on founders of such protocols will reap no benefit and will only serve to disincentivize innovation. As an alternative, there are several consumer-facing elements to DeFi that enable users to access DeFi products and protocols. We suggest that this is a fair point for regulatory interference. In such cases, we believe identification of a “responsible person” and placing compliance on them may be beneficial.
Regulations Should Account for the Nascency of the Ecosystem:
The recommendations identify certain risks associated with DeFi protocols. These include potential conflicts of interest, operational risks, and technical risks. We believe that many of these risks exist primarily due to the nascency of the ecosystem.
For instance, DeFi’s reliance on oracles has been identified as a key operational and technical risk in the IOSCO recommendations. Unfortunately, oracle manipulation attacks have occurred in the past. However, there is constant innovation in this space to address such concerns.
For instance, many DeFi projects are adopting multiple oracle providers to ensure a diverse and reliable source of data. This approach reduces the reliance on a single data source or entity and enhances the integrity of the information being fed into smart contracts.
Some projects are developing decentralized oracle networks that rely on crowd-sourcing or consensus mechanisms to validate data. These networks aim to eliminate the need for a single point of failure by utilizing a distributed network of participants who contribute, verify, and aggregate data.
This way, trust is distributed across a wider network, enhancing the security and reliability of the information being used by DeFi protocols. DeFi projects are also exploring the use of crypto-economic incentives to motivate participants in the oracle network to provide accurate data.
By introducing rewards and penalties based on the correctness of the data reported, these projects encourage participants to behave honestly and align their interests with the security of the system. Further, some DeFi protocols are exploring cross-chain solutions that leverage multiple blockchains to verify and validate data before it’s transmitted to the main DeFi platform.
This approach ensures that information is sourced from different networks, reducing the risk of manipulation. We believe that many of the identified challenges can be addressed if this ecosystem is permitted to evolve. We recommend that the IOSCO recognizes the nascency of this space and encourages innovation. We thus propose the inclusion of sandboxing provisions. These provisions can allow the ecosystem to grow and develop in a controlled fashion.
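As an added illustration of the multiple-oracle-provider approach described above (example code written for this page, not taken from IOSCO, CoinDCX or any protocol): a consumer of several price feeds can take the median of fresh reports, flag providers that deviate from it, and refuse to return a price when too few independent sources agree. The provider labels, thresholds and sample reports are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

class OracleError(Exception):
    """Raised when no trustworthy price can be produced (fail closed)."""

@dataclass(frozen=True)
class Report:
    provider: str    # hypothetical provider label
    price: float
    timestamp: int   # unix seconds

def aggregate_price(reports, now, max_age=60, max_deviation=0.02, quorum=3):
    """Return (price, outlier_providers) or raise OracleError.

    All thresholds are illustrative assumptions, not values from any protocol.
    """
    # Keep only the newest sane report per provider, so one provider
    # cannot gain weight by submitting many reports.
    latest = {}
    for r in reports:
        if r.price <= 0 or r.timestamp > now or now - r.timestamp > max_age:
            continue  # malformed, future-dated or stale
        prev = latest.get(r.provider)
        if prev is None or r.timestamp > prev.timestamp:
            latest[r.provider] = r
    fresh = list(latest.values())
    if len(fresh) < quorum:
        raise OracleError("too few fresh, independent reports")

    # The median tolerates a minority of bad feeds; anything far from it
    # is flagged rather than averaged in.
    mid = median(r.price for r in fresh)
    agreeing = [r for r in fresh if abs(r.price - mid) / mid <= max_deviation]
    outliers = sorted(r.provider for r in fresh if r not in agreeing)
    if len(agreeing) < quorum:
        raise OracleError("providers disagree beyond tolerance")
    return median(r.price for r in agreeing), outliers

# Constructed sample data: provider D reports a manipulated price, E is stale.
NOW = 1_700_000_000
SAMPLE = [
    Report("A", 2000.0, NOW - 10),
    Report("B", 2003.0, NOW - 5),
    Report("C", 1998.0, NOW - 20),
    Report("D", 3500.0, NOW - 3),
    Report("E", 2001.0, NOW - 600),
]

if __name__ == "__main__":
    print(aggregate_price(SAMPLE, NOW))
```

Failing closed when the quorum is not met means a split or starved feed set halts price-dependent actions instead of passing a manipulated value into a smart contract.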
Addressing Concerns Around Data Collection and Monitoring the Ecosystem:
The IOSCO recommendations document also identifies challenges in collecting data pertaining to the DeFi ecosystem. These challenges include difficulty in aggregating and analyzing data on distributed ledgers; features such as pseudonymity, the cross-border nature, and the development of privacy-enhancing technologies; a large number of off-chain transactions; lack of reporting, etc.
As noted previously, this technology is still at a nascent stage. Despite that, since transparency and auditability constitute its core ethos, DeFi is much easier to monitor than other traditional systems, including TradFi. This space, by design, offers publicly available and verifiable data. In parallel, advanced tools are being developed to increase efficiency in this process of analysing such data and monitoring the space. There are now a wide variety of private platforms offering publicly available aggregated data on DeFi. An illustrative list of these platforms includes CoinMarketCap, DefiLlama, Dune, DeFiprime, Chainalysis, Coinfirm, Elliptic blockchain analytics, etc.
We acknowledge that the pseudonymous nature of this space presents unique challenges to traceability, which may potentially be augmented by the development of privacy-enhancing technologies. However, at the outset, it is important to recognize that the overwhelming majority of flows on crypto trading platforms are for legitimate purposes.
Further, as the ecosystem continues to develop, effective tools to capture bad-faith actors have also emerged, and successful enforcement action has been undertaken, as in the case of Hydra. A key tool will be leveraging centralized crypto-asset service providers and other access points into the ecosystem. This issue, along with issues relating to the lack of consistent reporting, is surmountable with clear, effective policies and industry cooperation.
We at CoinDCX have always endeavored to go above and beyond the minimum standard to run a safe and wholly compliant enterprise. We conduct ourselves so as to provide a positive example, both to other players in the ecosystem, and the government, with the overarching objective of developing trust between key stakeholders.
Aside from domestic regulations, we follow global best practices and deploy significant resources to work with global leaders to ensure our processes are of the highest standard. At the same time, we are, and always have been, willing to update our processes based on any new information or mandate received from the relevant authorities and are always more than happy to engage in transparent conversation.
We strongly believe that constructive dialogue and outreach will play a pivotal role in addressing the policy challenges in this complex and dynamic space. We appreciate the opportunity to provide comments on the IOSCO recommendations and will be happy to shed further light on any of the views expressed in this letter.
If you have any questions or need further clarification on our submissions, please feel free to reach out to us.