IOSCO unveils consultation report on global DeFi regulation

Author(s): Matthew T. Burgoyne, Laure Fouin, Ankita Gupta, Cody Richard, Daniel Mester

Sep 12, 2023

On September 7, 2023, the International Organization of Securities Commissions (IOSCO) published its second report in accordance with its Crypto-Asset Roadmap, Policy Recommendations for Decentralized Finance, this time zeroing in on decentralized finance. The report builds on a prior report in offering nine additional recommendations to assist IOSCO members in developing their own decentralized finance (DeFi) regulatory frameworks. The report further interprets how IOSCO’s Objectives and Principles for Securities Regulation (IOSCO Standards) apply to DeFi participants.

The release of IOSCO's report coincides with heightened regulatory scrutiny of the DeFi sector. Since the beginning of 2023, several entities associated with DeFi protocols have faced legal challenges, including actions initiated by the Commodity Futures Trading Commission against Opyn Inc., ZeroEx Inc., and Deridex Inc., and New York State’s supervisory action against Paxos Trust Company in relation to its stablecoin, BUSD. IOSCO’s organizational mandate is to promote regulatory consistency both between and within member jurisdictions to avoid “regulatory arbitrage”. Unsurprisingly, as between different jurisdictions, IOSCO favours consistency in DeFi regulation due to the cross-border nature of DeFi products, and within individual jurisdictions IOSCO emphasizes regulators should treat DeFi and traditional finance with the “same activity, same risk, same regulatory outcome” approach.

The report is notable in that its recommendations are premised on the idea that, in substance, DeFi does not differ significantly from traditional finance. Guided by this viewpoint, IOSCO aims to extend conventional securities regulation to the DeFi sector, a move that diverges from the preferences of many within the sector.

The recommendations

The report makes nine primary recommendations:

  1. Analyze DeFi products, services, arrangements, and activities: Regulators should first assess what technical knowledge, data, and tools they need to form a holistic and comprehensive understanding of DeFi products, services, arrangements and tools. Regulators must then understand these activities at (i) an enterprise level (i.e., based on substantive economic reality), (ii) a functional level (i.e., by mapping a particular DeFi arrangement to its traditional financial counterpart), and (iii) a technical level (i.e., by analysing the tech stack, including the settlement layer, consensus mechanism, smart contracts, and on-chain and off-chain processes).
  2. Identify responsible persons: Regulators should aim to identify the natural persons and entities responsible for a particular DeFi arrangement; that is, the person(s) who provide or actively facilitate the provision of the product or service. To this end, IOSCO recommends that regulators not rely on labels such as “decentralized”, and instead focus on the persons involved (including developers, foundations, and decentralised autonomous organisations), their roles and relationships in the DeFi arrangement, their level of control over the arrangement, and their financial incentives.
  3. Achieve common standards of regulatory outcomes: Regulators must seek outcomes for investor and customer protection and market integrity that are the same as, or consistent with, those that arise in traditional financial markets. Regulators should consider mapping DeFi products and arrangements to traditional financial markets and assess whether they must bolster applicable frameworks to avoid regulatory arbitrage.
  4. Require identification and addressing of conflicts of interest: Regulators should require providers of DeFi products and services to identify and address conflicts of interest. Conflicts can arise, for example, if a DeFi service provider has a financial interest derived from user or third-party activities, an ownership interest in a related third party, a favorable arrangement with a particular related party, or engages in multiple activities in a vertically integrated manner (e.g., operating a trading platform while simultaneously being a counterparty to transactions with users).
  5. Require identification and addressing of material risks, including operational and technology risks: Regulators should require DeFi providers to establish and maintain risk management frameworks in this regard. Regulators should, in particular, consider risks posed by the use of technology different from that used in traditional financial markets and determine if they can be effectively mitigated. Regulators should hold responsible those with control or sufficient influence over the DeFi product for identifying, managing and mitigating risks. Such persons should be responsible for risk involved with outsourcing to DeFi service providers, such as oracles and cross-chain bridges.
  6. Require clear, accurate and comprehensive disclosures: Regulators should require DeFi providers to accurately disclose to users and investors information material to the products and services offered. Full disclosure helps remedy the information asymmetries inherent in the complex, technologically opaque DeFi markets. Disclosure may take the form of existing traditional financial market disclosure documents, such as prospectuses, and, to the extent possible, should be delivered in plain language.
  7. Enforce applicable laws: Regulators should apply their existing authorizations for inspection, investigation, surveillance and enforcement to DeFi providers. In doing so, regulators should keep in mind the “same activity, same risk, same regulatory outcome” approach. First, however, regulators must assess whether they have the appropriate powers, tools and resources.
  8. Promote cross-border cooperation and information sharing: Regulators should cooperate with authorities in other jurisdictions, given the cross-border nature of DeFi. This may take the form of ad hoc arrangements to deal with urgent matters, as well as ongoing supervisory colleges or networks. Cooperation should include sharing information on emerging risks, registration and authorization information for market participants, and ongoing supervision. Regulators should also use IOSCO’s Multilateral Memorandum of Understanding and Enhanced Multilateral Memorandum of Understanding, which capture information requests relating to DeFi.
  9. Understand and assess interconnections among the DeFi market, the broader crypto-asset market, and traditional financial markets: Stablecoin purchases from centralized exchanges are often on-ramps to DeFi participation and are key to DeFi arrangements, such as liquidity or collateral pools. Traditional financial entities, such as issuers, funds, banks, registered entities and professionals, may provide services to DeFi arrangements. Regulators should consider these interconnections and evaluate how their regulatory touchpoints can be used to collect information and offer investor and market protections.

Mapping DeFi activities to the IOSCO standards

The report offers a glimpse of how IOSCO understands DeFi arrangement participants and service providers, in an attempt to bring them into compliance with IOSCO standards.


IOSCO aims to ensure issuers of securities provide full, accurate and timely disclosure of financial results and risks, and treat securityholders fairly. IOSCO suggests the following activities might constitute issuances of securities, thus triggering disclosure requirements: aggregators and decentralized exchanges (DEXs) offering their own crypto-assets or crypto-assets of other issuers, such as governance tokens; lending/borrowing products or services that offer and sell interests in their pools in exchange for crypto-assets or that sell other crypto-assets, such as governance tokens; automated market makers (AMMs) or other liquidity pools that offer and sell interests in the pool of crypto-assets; and issuances of derivatives, such as cross-chain bridges, wrapped tokens, or liquid staking.

Auditors, credit rating agencies or other information service providers

Service providers, such as auditors and credit rating agencies that offer services to DeFi projects, fall under the purview of IOSCO's recommendations. This means that the output generated by these entities is subject to standards related to oversight and independence. Importantly, this extends to "oracles," which provide off-chain pricing information essential for DeFi projects; such information is expected to align with IOSCO standards.

Collective investment vehicles

DeFi activities may also fall within the scope of collective investment schemes, hedge funds and other private investment vehicles, which are caught by the IOSCO standards concerning eligibility, governance, organization and operational conduct. For example, lending and borrowing protocols and AMMs—pools of crypto-assets deposited by holders in exchange for another token representing the interest in the pool—may be considered collective investment schemes.

Market intermediaries, markets, and clearing and settlement

Many DeFi activities fall within the definition of market intermediaries, including exchanges, brokers, dealers, investment advisors, custodians, clearing agencies and transfer agents, which are all the subject of IOSCO standards. For example, aggregators and DEXs facilitate the exchange of crypto-assets, providing functions typical of exchanges. AMMs may be seen to be acting as liquidity providers or market makers, such as brokers and dealers; lending/borrowing products likely involve broker or dealer activity to the extent the crypto-assets in the pool are financial instruments; and both AMMs and lending/borrowing products may act as custodians of crypto-assets, depending upon how the assets are transferred. This custodial function, even when held in smart contracts, also implicates IOSCO standards relating to clearing and settlement, securities depositories, trade repositories, and central counterparties. Further, aggregators, which enable users to seek the most favourable terms across protocols, likely involve exchange, broker or dealer, or investment advisor activity.

Next steps

IOSCO is inviting stakeholder feedback on the report until October 19, 2023, with the goal of finalizing its policy recommendations by year-end. Given that the DeFi Working Group behind this report comprises staff from the Ontario Securities Commission, the Alberta Securities Commission, and Québec’s Autorité des Marchés Financiers, the ultimate policy recommendations are poised to significantly impact the evolution of Canadian securities regulation, particularly as it pertains to a cornerstone of the cryptocurrency industry—decentralization.

We will continue to monitor and provide updates regarding the evolving regulatory landscape.