Catarina, a seasoned legal and regulatory expert, is the Regulatory & Compliance Senior Associate at Notabene. Previously heading legal at Fractal, co-chairing the Identify WG at INATBA, Catarina holds advanced law degrees from Technische Universität Berlin and Universidade Nova de Lisboa.
DeFi operates by executing transactions via blockchain code, eliminating the need for intermediaries in financial services.
Regulatory events in 2022 included a protocol-level sanction action against DeFi platform Tornado Cash by the OFAC.
The FATF's regulatory approach focuses on identifying Virtual Asset Service Providers (VASPs) within the DeFi sector and applying AML and CFT obligations to them.
The EU is considering a shift towards an activity-based regulatory approach for DeFi, which would involve regulating the connections between regulated entities and DeFi platforms, smart contract features, and the project teams behind DeFi applications.
Both the FATF and the EU plan to continuously monitor and assess developments in the DeFi sector.
As the decentralized finance (DeFi) sector continues to gain momentum, global regulatory authorities are grappling with effectively overseeing this new frontier in financial services. The Financial Action Task Force (FATF) and the European Union (EU) are formulating their respective approaches to DeFi regulation, focusing on a broad interpretation of the definitions provided in the FATF’s standards and shifting towards an activity-based regulatory approach. The challenge lies in determining which entities within the DeFi ecosystem qualify as Virtual Asset Service Providers (VASPs) and how to apply Anti-Money Laundering (AML) and Counter Financing of Terrorism (CFT) obligations to them.
DeFi eliminates intermediaries in financial services by executing transactions via code on blockchains. In 2022, DeFi protocols and applications continued their unprecedented growth, with major asset managers offering DeFi exposure to institutional investors. Retail users continued to flock to DeFi, although there were risks along the way- liquidations surpassed $8.7 million on February 23, and DeFi exploits across blockchains worldwide totaled $3.64 billion in 2022, a rise of 47.4% compared to 2021.
Timeline: DeFi Legal & Regulatory Spotlight in 2022
Protocol-level sanction action reared its head in 2022. In August 2022, Tornado Cash, an Ethereum-based mixer, was blacklisted by the Office of Foreign Assets Control (OFAC) for its alleged links to the Lazarus hacker group from North Korea. This incident indicates that DeFi protocols will have to comply with sanctions in the future. Additionally, financial regulators released papers highlighting the challenges surrounding DeFi regulation. Below we highlight relevant DeFi events in 2022:
N.B. Dates accompanied by a clipboard icon 📋 indicate a document that a regulator produced.
June 8, 2021 📋 - DeFi Policy Maker Toolkit | The World Economic Forum takes the stance that “an effective regulatory response to DeFi is likely to involve a combination of existing regulation, retrofitted regulation, and new, bespoke regulation.” (p.21)
January 5, 2022 - Aave Arc, designed to help institutions develop new products and services utilizing digital assets, attracted 30 financial institutions to its whitelist.
April 2, 2022 📋 - European Financial Stability and Integration Review 2022 | The European Commission acknowledged that copying traditional regulatory approaches in a decentralized environment may not be an option. It notes, "Possibly, even more emphasis would need to be put on activity-based regulation as opposed to entity-based one.”
April 4, 2022 - Uniswap user forms a class action lawsuitalleging that Uniswap Labs and its investors are culpable for her losses due to a failure to comply with securities laws.
April 13, 2022 📋 - Policy Considerations for Decentralized Finance| Abu Dhabi Global Market expresses the view that “Given that DeFi does not change the underlying nature of financial services, we believe that similar requirements should be placed on DeFi participants as on TradFi participants. (...) However, we recognise that since DeFi changes how financial services are delivered, we may need to impose different obligations on a DeFi activity to achieve the same outcomes as those obligations placed on a TradFi operator.” (p.16-17)
In this section, we will delve into the general stance of the FATF and the EU towards DeFi, examining whether DeFi is currently regulated and the measures being taken to continuously monitor and assess developments in the sector.
FATF vs. EU: General Stance on DeFi
FATF: The FATF expects countries to determine whether an identifiable person is a VASP within the DeFi arrangement on a case-by-case basis, according to a broad interpretation of the definitions provided in the FATF’s standards.
EU: The European Commission has expressed its view that traditional regulatory approaches may not be a suitable fit for the decentralized environment of DeFi platforms. Instead of relying on entity-based regulation, the Commission is considering a shift toward an activity-based regulatory approach, which may better align with the dynamic and decentralized nature of DeFi.
To implement this approach, the Commission proposes a few access points for DeFi regulation:
regulating the connections between regulated entities and DeFi platforms
regulating the features of smart contracts targeting the project team behind the specific DeFi application, and
utilizing embedded supervision to capitalize on the inherent data transparency offered by public blockchains, making it easier to monitor and oversee DeFi activities.
FATF vs. EU: Is DeFi Regulated?
FATF: According to the FATF, a DeFi software application could not inherently qualify as a VASP. Instead, entities that maintain "control or sufficient influence" over a DeFi protocol should be subject to AML and CFT obligations if they provide or facilitate VASP services. This would apply to entities with an ongoing business relationship with DeFi protocol users, those profiting from the DeFi service, or those with the ability to set or change the parameters of the DeFi protocol.
However, the FATF recognizes that identifying entities with control or substantial influence over a DeFi arrangement can be challenging, and in some cases, a VASP might not even exist. They recommend that countries assess the risks posed by these activities and adopt appropriate risk mitigation measures.  This could include requiring regulated VASPs to be involved in the activities of the DeFi arrangement if deemed necessary. The FATF also clarifies that holding governance tokens of a DeFi protocol does not automatically qualify someone as a VASP, unless they can control or substantially influence the protocol’s governance.
EU: Under MiCA, crypto-asset services that are fully decentralized without any intermediary do not fall within the regulation’s scope. However, if there are natural, legal persons or other undertakings that provide or control, directly or indirectly, a regulated activity or service (i.e., service of exchange of crypto-assets for other crypto-assets or the operation of a trading platform for crypto-assets), even if the service or activity is performed in a decentralized way, it would be subject to the MiCA’s scope. 
FATF vs. EU: Continuous DeFi Monitoring and Assessment
FATF: In its Targeted Update, the FATF acknowledges that DeFi markets have grown significantly from 2021 to 2022 and promises to “continue to monitor developments in DeFi, particularly the emergence of truly decentralized DeFi entities, and to facilitate dialogue on common AML/CFT implementation challenges, risk assessment, and good practices.” 
EU: After consulting with the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA), the European Commission plans to deliver a series of reports to the European Parliament and Council on the latest crypto-asset developments. These reports, particularly concerning areas not yet covered by existing regulations, may inform potential new legislation.
Report on the latest developments in crypto-assets, expected by December 30, 2024, is due to include “an assessment of the development of decentralised-finance in markets in crypto-assets and of the appropriate regulatory treatment of decentralised crypto-asset systems without an issuer or crypto-asset service provider, including an assessment of the necessity and feasibility of regulating decentralised finance.” 
Reports on the application of this Regulation, expected by June 30, 2027,shall include “an assessment of the development of decentralised finance in markets in crypto-assets and of the appropriate regulatory treatment of decentralised crypto-asset systems.” 
As the DeFi sector continues to grow and evolve, regulatory authorities around the world are working to develop effective regulatory frameworks that can address the unique challenges posed by decentralized financial systems. The FATF and EU have proposed different approaches to regulating DeFi, with the FATF focusing on identifying VASPs within the DeFi ecosystem and the EU considering an activity-based regulatory approach. Both organizations will continue to monitor the DeFi sector and assess the risks associated with these activities. The rapid growth of the DeFi sector and the increasing interest from institutional and retail investors make it crucial for regulatory authorities to establish clear and effective regulatory frameworks to ensure the sector's continued growth and stability.
 FATF (2021). Updated Guidance for a Risk-based Approach to Virtual Assets and Virtual Asset Service Providers, page 21, paragraph 53.
What is the regulatory status of Decentralized Finance (DeFi) according to the FATF?
FATF states that a DeFi software application isn't inherently a VASP. Instead, entities with "control or sufficient influence" over DeFi, such as those with ongoing business relationships, profiting from DeFi, or having parameter-setting abilities, should adhere to AML and CFT obligations. However, FATF admits pinpointing such entities can be tough, and in certain situations, a VASP might not be present. Holding governance tokens doesn't automatically deem someone a VASP unless they can influence the protocol substantially.
How does the Crypto Travel Rule apply to DeFi?
The Crypto Travel Rule seeks to assess the approaches of FATF and the EU towards DeFi. While FATF's stance revolves around the interpretation of VASP definitions, the EU emphasizes the dynamic and decentralized nature of DeFi, proposing various access points for effective regulation.
What is the European Union's general stance on DeFi, and how does it compare with FATF's position?
The EU believes traditional regulatory approaches might not fit DeFi's decentralized environment; hence, a shift to activity-based regulation is considered. On the other hand, FATF works on a case-by-case basis to determine if an entity within DeFi qualifies as a VASP based on their standards.
Are DeFi-related activities considered Virtual Assets under FATF and EU regulations?
For FATF, DeFi software applications do not inherently qualify as VASPs. It's the entities with significant control or influence that may be considered. EU's perspective is that fully decentralized crypto-asset services fall outside the regulatory scope unless controlled by natural or legal entities.
Why is DeFi regulation important?
DeFi regulation is crucial as the sector experiences rapid growth with increasing interest from investors. Effective regulatory frameworks ensure that the sector can expand safely, minimizing risks while providing clarity and confidence to both retail and institutional investors.
Regulation of DeFi offers multiple benefits: It ensures investor protection, provides clarity for DeFi developers and users, minimizes potential financial risks associated with DeFi exploits, and fosters a more trustworthy and stable environment for the sector's continuous growth.
Why choose Notabene for Crypto Compliance?
Choosing Notabene for Crypto Compliance offers distinct advantages. Notabene boasts the crypto industry's only pre-transaction decision-making platform, proactively identifying high-risk transactions. Their advanced software ensures real-time decisions, sanctions screenings, and wallet identifications. With a respected SOC-2 security certification, they're trusted by over 100 global companies. Operating from New York with a presence in key financial hubs, they're endorsed by giants like Copper, Luno, and Crypto.com. Their SafeTransact platform, tailored for Travel Rule compliance, aligns with global regulations, emphasizing trust in virtual transactions and supporting financial growth with reduced risk.