CARCI
All Topics
GlobalMiCAR Recital 22 · FATF DeFi Guidance (2021) · FSMA 2023

DeFi

Decentralised Finance — Regulatory Treatment

How regulators are approaching DeFi — the conditions under which decentralised protocols acquire regulated obligations, how DAOs and governance token holders are treated, and how CASPs with DeFi exposure manage compliance across permissionless infrastructure.

In force

Under active regulatory development

DeFi

No major regulatory framework has created a comprehensive DeFi-specific regime. Instead, regulators have adopted a functional approach: where a DeFi protocol has an identifiable operator, owner, or controlling person, that person may acquire regulated obligations regardless of the protocol's technical architecture. The EU's MiCAR Recital 22 states that services provided in a 'fully decentralised manner without any intermediary' fall outside its scope — but most DeFi protocols do not satisfy this test in practice.

The FATF's 2021 updated guidance on VASPs takes a similar approach: DeFi protocols with an identifiable owner or operator are VASPs and must comply with FATF AML/CFT standards. The threshold question — whether a protocol has a controlling person — is a fact-specific legal analysis. DAOs present a particular challenge: governance token holders who collectively control protocol parameters may constitute the 'persons' who trigger regulatory obligations, even without a formal legal entity.

Programmable compliance is an emerging concept in DeFi regulation — the embedding of compliance logic (sanctions screening, transfer restrictions, AML flags) into smart contracts at the protocol layer. Several jurisdictions have begun to require or encourage this approach, particularly for stablecoin infrastructure, as a practical mechanism for making permissionless protocols compatible with regulated obligations.

What compliance professionals need to know

"Fully decentralised" exemptions are narrow — most DeFi protocols have identifiable operators, front-end controllers, or governance structures that can trigger regulated obligations
DAOs: governance token holders may collectively constitute the "persons" controlling a protocol — legal analysis required before assuming no regulated entity exists
No universal definition of DeFi — regulators use functional tests (who benefits, who controls, who can modify) rather than technical architecture
Programmable compliance — embedding sanctions screening and transfer restrictions into smart contracts — increasingly required for stablecoin and payment infrastructure
CASP custody obligations can be triggered by smart contract wallets holding client assets even without traditional custodial infrastructure
DeFi regulatory treatment is under active development across all major jurisdictions — early legal analysis and architecture decisions affect future compliance risk significantly

CARCI programmes covering DeFi

Examination-assessed specialist programmes for regulatory and compliance professionals.

MiCAR Specialist

EU Markets in Crypto-Assets Regulation Specialist

$699

80h · Examination included

Enroll

Build specialist knowledge in DeFi

CARCI specialist programmes are examination-assessed and built for regulatory and compliance professionals.

Browse programmes