Because the transparency and immutability of computer code are meant to replace trust between players, decentralised finance is also, and perhaps above all, a disintermediated finance. DeFi has garnered significant interest both in the public debate and from supervisors, as much for its current state as for what it could become in the future: the "tokenisation" of finance, and the benefits that blockchain technologies could bring to the activities of many economic sectors.

This discussion paper provides a brief description of the DeFi ecosystem, its main use cases, its promises, but also its limitations. Among these limitations, this paper highlights the high level of concentration that characterises the DeFi ecosystem, as well as the fact that governance of its applications is sometimes highly centralised, which constitutes the first risk factor to be considered. In this respect, it seems that the term "decentralised finance" misrepresents the reality of DeFi and that it is more appropriate to speak of “disintermediated finance”.

On a broader level, this paper offers a description of the risks that are specific to this disintermediated finance, schematically distinguishing the three main layers that make it up: the blockchain infrastructure, the "services" application layer, and the mechanisms allowing users to access these services. Some of the risks associated with disintermediated finance are closely linked to the specific (and indeed attractive) features of the technologies used. Thus, the solutions sought to improve the performance of blockchains (their "scaling up") are the same ones that can weaken consensus mechanisms (layer 1 solutions) or create new security problems (layer 2 solutions). Similarly, at the level of the application layer, the transparency of computer code, the composability of smart contracts and their reliance on blockchain oracles are all advantages of disintermediated finance that are also factors of its vulnerability. User access to these services raises more traditional issues for a financial sector supervisor: the high volatility and complexity of the products, together with unregulated or lightly regulated access to them, expose users to high risks of capital loss and may threaten the internal stability of the ecosystem, although for the time being they do not pose a threat to the stability of the financial system.

In view of these risks, this discussion paper puts forward a number of regulatory options, some of which are complementary and others alternatives to one another. The main idea developed in this paper is that the regulation of disintermediated finance cannot simply replicate the frameworks that currently govern traditional finance. On the contrary, regulation must take into account the specific features of DeFi. Moreover, such regulation should not be conceived as a monolithic block, but rather as a combination of traditional financial regulation and regulation inspired by other economic sectors.

Among the proposals made, a first set aims to strengthen the security of blockchain infrastructures. To this end, this paper explores two main potential organisational arrangements. In the first, the infrastructure would continue to rely on public blockchains but, before being cleared for use, these blockchains would need to be "certified" against minimum security standards (certification of the computer code, a minimum number of validators, a cap on the concentration of validation capacity). In the second arrangement, financial functions would be transferred to private blockchains in order to guarantee appropriate governance and security levels; these functions would then be managed by trusted private or public players, although this could limit the innovation capabilities of disintermediated finance.

With regard to the application layer, this paper proposes to strengthen the security of smart contracts through a certification mechanism covering the security of the computer code, the nature of the service provided and its governance. Certification would either be encouraged, or made de facto mandatory by prohibiting interaction with non-certified smart contracts. It would be obtained following an auditing process performed by a human expert, by the use of formal methods, or by a combination of the two. Such certification would include a software composition analysis component: certification of a smart contract would thus require the prior certification of all the components it calls. Certification would also follow three fundamental rules: it could be withdrawn at any time; it would only be granted for a limited period, in order to take into account developments in IT security knowledge and techniques; and it would have to be renewed after any significant change to the computer code. Lastly, should smart contracts in the future have a certain number of regulatory requirements embedded directly in their code, certification could include checks to ensure that the legal provisions concerned are correctly translated into code.
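As an added illustration (not code from the discussion paper or from any regulator), the following Python sketch shows what the composition requirement and the three certification rules amount to when enforced mechanically: a registry of certificates, each bound to the hash of the bytecode that was audited, and a transitive walk over the call graph of a contract before any interaction with it is allowed. The contract names, hashes and dates are constructed for the example; the registry and call graph are hypothetical data structures, not those of any real certification scheme.

```python
"""Toy certification checker for composable smart contracts (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Certification:
    """One certificate, issued for a specific bytecode hash."""
    code_hash: str          # hash of the bytecode the audit or formal proof covered
    valid_until: date       # rule 2: granted for a limited period only
    revoked: bool = False   # rule 1: withdrawable at any time


@dataclass(frozen=True)
class Contract:
    """A deployed contract and the external components it calls (composability)."""
    code_hash: str                 # hash of the bytecode currently deployed
    calls: tuple[str, ...] = ()    # names of the contracts it invokes


def certification_status(
    name: str,
    contracts: dict[str, Contract],
    registry: dict[str, Certification],
    today: date,
    _in_progress: frozenset[str] = frozenset(),
) -> tuple[bool, str]:
    """Return (ok, reason) for `name`, walking its call graph transitively.

    A contract is usable only if it, and every component it calls, holds a
    non-revoked, unexpired certificate issued for the exact bytecode deployed.
    """
    if name in _in_progress:
        # Call cycle (A calls B, B calls A): an outer frame is already checking
        # this contract, so do not recurse into it a second time.
        return True, f"{name}: check in progress (cycle)"
    contract = contracts.get(name)
    if contract is None:
        return False, f"{name}: unknown contract"
    cert = registry.get(name)
    if cert is None:
        return False, f"{name}: not certified"
    if cert.revoked:
        return False, f"{name}: certification withdrawn"
    if today > cert.valid_until:
        return False, f"{name}: certification expired on {cert.valid_until.isoformat()}"
    if cert.code_hash != contract.code_hash:
        # Rule 3: any change to the deployed code invalidates the certificate.
        return False, f"{name}: deployed code differs from certified code"
    # Software-composition step: every called component must itself pass.
    for dep in contract.calls:
        ok, reason = certification_status(
            dep, contracts, registry, today, _in_progress | {name}
        )
        if not ok:
            return False, f"{name} -> {reason}"
    return True, f"{name}: certified"


def may_interact(
    name: str, contracts: dict[str, Contract], registry: dict[str, Certification], today: date
) -> bool:
    """Gate used by a front end or intermediary before routing a user to `name`."""
    return certification_status(name, contracts, registry, today)[0]


# Constructed sample data: hypothetical names, hashes and dates.
CONTRACTS = {
    "lending_pool": Contract("h-pool-v2", calls=("price_oracle", "token_vault")),
    "price_oracle": Contract("h-oracle-v1"),
    "token_vault": Contract("h-vault-v1", calls=("math_lib",)),
    "math_lib": Contract("h-math-v1"),
    "swap_router": Contract("h-router-v3", calls=("math_lib",)),  # redeployed after audit
}
REGISTRY = {
    "lending_pool": Certification("h-pool-v2", date(2026, 1, 1)),
    "price_oracle": Certification("h-oracle-v1", date(2026, 1, 1)),
    "token_vault": Certification("h-vault-v1", date(2026, 1, 1)),
    "math_lib": Certification("h-math-v1", date(2025, 6, 30)),      # expires mid-2025
    "swap_router": Certification("h-router-v2", date(2026, 1, 1)),  # issued for v2 bytecode
}
EARLY = date(2025, 3, 1)   # before math_lib's certificate lapses
LATE = date(2025, 9, 1)    # after it lapses

if __name__ == "__main__":
    for day in (EARLY, LATE):
        for contract_name in CONTRACTS:
            ok, reason = certification_status(contract_name, CONTRACTS, REGISTRY, day)
            print(day, "OK " if ok else "REJECT", reason)
```

Two behaviours are worth noting. The lapse of a single shared dependency (`math_lib`) makes every contract that transitively calls it unusable on the later date, which is the software-composition rule in action, and a certificate issued for an earlier version of the code (`swap_router`) is rejected even though it is neither revoked nor expired, which is the renewal-after-change rule. The cycle guard is there because composable contracts can legitimately call each other in a loop.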

Finally, this paper proposes an improved framework for the provision of services and for user access to them. On the provision of services, this paper explores the possibility of creating a legal status for certain service providers through a form of recentralisation: players exercising effective control over sensitive services could be required to incorporate, thereby becoming subject to supervision. As an alternative, players exercising effective control over services could be brought directly within the scope of supervision. Assigning a legal status to "decentralised autonomous organisations" (DAOs), which would, where necessary, allow supervision, also appears to be a promising avenue; in this regard, this discussion paper refers to the ongoing work of the Legal High Committee for the Paris Financial Centre (HCJP).

On user access, this paper envisages a strengthened control framework for the supervision of intermediaries that facilitate users' access to DeFi services. Only a minority of users have the skills needed to interact directly with DeFi applications; while it would prove difficult to regulate the access of these expert users, it is essential to regulate that of the majority. In this respect, intermediaries can play an essential role in risk prevention, by preventing investors (especially retail investors) from interacting with fraudulent or dangerous protocols (duty of care) or from taking excessive risks (duty of advice). In return, the risk-taking of intermediaries must itself be regulated by the supervisory authorities in order to limit failures and contagion effects. To this end, this paper proposes, as a first step, explicitly extending the provisions of the European MiCA Regulation to decentralised financial intermediaries. To prevent the regulation from giving rise to unequal treatment, this extension of scope would apply to all players that facilitate users' access to DeFi services, and any "decentralised" interfaces should also be included in such a framework. Secondly, it is proposed that access to financial products be made contingent on the customer's level of financial literacy and risk appetite, both of which should be objectively assessed.

This discussion paper is intended to contribute to ongoing discussions, especially at European level, in the wake of the MiCA Regulation, which provides for a report to be drawn up within 18 months of its entry into force assessing, among other things, the merits of, and the procedures for, a European regulation of disintermediated finance.

Updated on the 28th of February 2025