It is one of the basic principles of capital and financial markets regulation that the same rules apply to the same business and the same risk. In the age of DeFi, this does not seem to be the case anymore. A second look shows, however, that nothing has changed but that the results have become far more difficult to predict.
To assess whether regulations apply, it is generally necessary to assess (1) whether the activities are regulated and (2) identify the entity/person engaging in such activities.
Until more recently, it has been relatively easy to identify both the regulated activities as well as the relevant actors. For DeFi protocols, the answer is not always that straight forward. In the absence of legal documents, it is often unclear how the services are structured (e.g. lending vs. investing). And even where it is possible to classify the respective activity, it is still necessary to analyze whether the activity is performed by a person (regulated) or a piece of software (unregulated).
This brings us to the question of when a project is sufficiently decentralized.
While there is no general answer to this question, there is a distinct set of factors that must be considered when answering the question. The most important factor is the degree of control the team retains over the project after it is launched. In many cases, the team retains admin rights to fix bugs or to upgrade the protocol. This alone may, however, not be enough to establish a sufficient link between the team and the regulated activity. In fact, a comparison with the traditional financial and capital markets shows that the regulations do not apply to the technology providers but those using the technology, in other words, banks, exchanges, and other financial intermediaries. Nasdaq, for example, is not only a registered exchange in the United States but also a software company providing its matching technology to more than 70 markets globally. This does, however, not make Nasdaq subject to regulations in all these markets. Instead, the regulated entities are those providing the marketplace.
If financial and capital markets regulations are meant to be interpreted technology-neutral as claimed by regulators around the globe, nothing different can apply to DeFi protocols. Just because the smart contracts are publicly available on the blockchain does not justify different results in the case of DeFi.
Something different applies, of course, if the team does not only develop and maintain the smart contract but also engages in the listing of tokens or provides the GUI for interacting with the protocol. In this case, there is a clear link between the regulated activity and the team, and registration becomes necessary.
If the GUI is provided by someone else, it is likely that this person becomes subject to regulation as this person opens the marketplace and facilitates trading, etc.
As can be seen from these examples, it is not always possible to draw a clear line. To avoid the risk of becoming subject to regulation, the best way is still full decentralization. In other words, the team must deploy smart contracts without admin rights or transfer the protocol’s governance to the community. While still untested, it is highly likely that this provides an effective shield against regulations.
The trade-off of this approach may, however, be a lack of institutional investment/usage. It is, therefore, necessary to consider the implications of a fully decentralized strategy holistically and not solely from a regulatory point of view. What works for one project might not necessarily be ideal for others.