IOSCO Consultation on 2023 DeFi Report
On 7 September 2023, the International Organization of Securities Commissions (IOSCO) released a Consultation Report introducing 9 policy recommendations for decentralised finance (DeFi) (Report). The Report seeks consultation on, and builds further on, the IOSCO DeFi report of 2022, and proposes updated recommendations based on discussions with "academics, data analytics firms, researchers, and technologists", noting that distributed ledger technology-based applications have significantly expanded since the 2022 report.
The Report acknowledges:
DeFi is an important, evolving, and expanding technological innovation. The use of DLT may have the potential to foster financial innovation, increase efficiencies, and improve access to financial products, services, and activities.
However, the word "risk" is mentioned 20 times for each mention of "benefit" in the Report. IOSCO Board Chair Jean-Paul Servais confirmed that the new recommendations complement the Crypto and Digital Assets Recommendations (CDA) released earlier this year by IOSCO:-
Once finalised, the two sets of Recommendations will provide a first clear, interoperable, and globally consistent policy framework for crypto and digital assets, including DeFi.
The paper defines DeFi as:-
Financial products, services, arrangements, and activities that use distributed ledger or blockchain technologies (DLT), including self-executing code referred to as smart contracts.
In discussing DAOs, the Report links DAOs to people, not self-executing code, asserting that:-
DAOs are, at their essence, organizations of humans
In theory, a DAO’s governance rules could be encoded in smart-contracts on the blockchain on which it depends and all on-chain activity associated with a DAO could be immutably recorded on the blockchain, providing transparency to observers. In practice, however, DAOs rely critically on input from human actors for their operation, including through activities that occur off-chain.
The 9 policy recommendations follow a ‘lifecycle’ approach and are ‘principles-based’ and ‘outcomes-focused’ and include:
1. Regulators are encouraged to analyse DeFi at the functional, technical, economic reality and enterprise levels for a holistic understanding.
2. Identifying responsible persons - Regulators should look beyond decentralisation and identify natural persons and entities involved in the DeFi arrangement that could be subject to the applicable regulatory framework, including, for example, founders and developers, issuers and holders of governance tokens, and custodians.
3. Achieving common standards of regulatory outcomes - Regulators should avoid regulatory arbitrage between traditional financial markets and DeFi markets.
4. Requiring identification and addressing of conflicts of interest - especially for Responsible Persons.
5. Requiring identification and addressing of material risks, including operational and technology risks.
6. Requiring clear, accurate and comprehensive disclosures - transparency is necessary for investor protection and market integrity.
7. Enforcing applicable laws - this will include obtaining appropriate crypto-asset and blockchain data, tools and expertise to conduct investigatory and enforcement activities.
8. Promoting cross-border cooperation and information sharing.
9. Understanding and assessing interconnections among the DeFi market, the broader crypto-asset market, and traditional financial markets.
The Report seeks to 'harmonise' the way crypto-asset markets and securities markets are regulated, following the oft-repeated principle ‘same activity, same risk, same regulatory outcome’.
The approach, particularly when coupled with Recommendation 2, which seeks to find responsible persons, may be met with submissions noting that the operation of self-executing code does not usually involve responsible persons. Given the recent decision in the Uniswap case, there is a risk that courts might recognise the reality of smart contracts in a way which is not consistent with IOSCO's recommendation.
In addition to the recommendations, the Report contains a list of recent crypto-failures, including the Terra USD/Luna Collapse, the FTX Insolvency and the USDC Depeg. These were centralised business failures but are said to have "reportedly" impacted DeFi, with reference to liquidity pools and price action, with the Report noting:-
These events also illustrate how investors may tend to migrate assets from a centralized platform to DeFi when they lose confidence in the centralized platform,
The Report also summarises thefts of assets which have occurred from DeFi protocols, highlighting the risk of smart contract failure which is unique to DeFi. It also includes several graphs from the 2023 Crime Report from Chainalysis but omits data on the total illicit usage (which sits around 0.15% of volume across all crypto-assets), risking that a casual reader will be left with the impression that DeFi is a growing, risky and dangerous area of loss.
IOSCO represents a range of financial regulators around the world and the Report says it represents a ‘significant step forward in achieving regulatory outcomes for investor protection and market integrity’. In light of the coverage of 130 jurisdictions and regulation of over 95% of the world’s securities markets by IOSCO members, once finalised, these recommendations are likely to lead the approach by regulators concerning digital assets around the world.
IOSCO is receiving public comments on the paper until 19 October 2023 via email at DeFiconsultation@iosco.org. Given the nature of the recommendations, it is important that all those involved in DeFi projects ensure that their voices are heard, so that the recommendations can capture the benefits of DeFi while addressing risks in a way that accommodates the risk that DeFi actually poses.