Decentralised Exchanges are Unregulated, or are they?
The answer is: it depends (i.e. the lawyers’ most favourite response). Before we delve into the depths of regulation, let’s set the stage, because, as with all things crypto, it is not always so clear cut.
A. What is a decentralised cryptocurrency exchange (DEX)?
A DEX is an exchange that facilitates online cryptocurrency transactions without the need for an intermediary — a concept that squares quite nicely with the very idea behind cryptocurrencies and decentralisation.
In the case of a DEX, the intermediary is replaced by automated means of processing like smart contracts or relayers, while buyers and sellers (typically) keep custody of their assets.
So, in essence, the DEX is just a trading venue that exists online (no brick and mortar offices). More precisely, the DEX is a piece of self-executing code that facilitates peer-to-peer transactions (even though the line is not always clear: liquidity pools, for example, are sometimes also referred to as DEXs).
A DEX settles orders on-chain. In simple terms, this means that all transactions are fully executed and are verifiable using blockchain explorers, for example, Etherscan.
These decentralised exchanges facilitate crypto-to-crypto exchange transactions and even though one might read that fiat-to-crypto transactions are also possible on DEXs, I remain a bit sceptical about the degree of decentralisation in this scenario.
B. So are DEXs regulated?
In their purest form, DEXs might manage to stay outside the regulatory perimeter, but in practice, this is highly unlikely to be the case. Why? Because regulators around the world want to make sure that they are doing their job, which might include protecting consumers and preventing illicit activities like money laundering and financing of terrorism.
Quite often, regulators adopt a “same activities, same rules” approach. This means that they would treat decentralised exchanges in the same way as they treat centralised ones, as both pose the same risks. And (I hope) we can all agree that centralised exchanges are already regulated to a substantial degree (or otherwise the article would become unnecessarily long and difficult to read).
So, while with centralised exchanges it should generally be evident which company is responsible for the exchange’s operations (even though finding a real company name and details in a centralised cryptocurrency exchange’s terms and conditions might prove an impossible task even for a seasoned compliance officer), this is not the case with DEXs. Regulators therefore have to come up with certain types of tests to identify who is behind a specific DEX and hence, who is responsible for compliance with the applicable regulations.
Let’s examine a few examples:
The regulators in the United States of America are amongst the pioneers in pursuing supposedly decentralised activities.
A notable example, dating back to 2018, is EtherDelta, where the U.S. Securities and Exchange Commission (SEC) went after the developer and deployer of decentrally operated code, namely the owner and operator of a supposedly decentralised exchange called EtherDelta.
As stated by the SEC, “EtherDelta provided a marketplace for bringing together buyers and sellers for digital asset securities through the combined use of an order book, a website that displayed orders, and a “smart contract” run on the Ethereum blockchain.”
While EtherDelta had certain elements of decentralisation, especially the smart contract part, one of its fatal flaws was that the order book was maintained on a centralised server. This, in addition to the fact that the owner was able to set and collect the fees, was sufficient to bring this arrangement within the scope of US securities laws according to the SEC (please note the case was settled, so it never reached a court).
As the chief of the SEC’s cyber unit told Forbes at the time: “using any blockchain to create an exchange without central operations doesn’t remove the original creator’s responsibility. […] The focus is not on the label you put on something or the technology you’re using, the focus is on the function, and what the platform is doing. Whether it’s decentralised or not, whether it’s on a smart contract or not, what matters is it’s an exchange.”
Fast forward to the present: in January this year, the SEC arguably continued its efforts to regulate DEXs by publishing a proposal for a new rule that would amend the scope of US securities laws. The proposal expands the definition of a securities exchange and, if adopted, has the potential to bring many DEXs within the regulatory perimeter. If some DEXs felt safe after EtherDelta because they did not have centralised order books, they would most certainly have to reconsider this stance, as this would no longer be a valid excuse.
The securities regulators’ interest in the area was confirmed once again with IOSCO’s Decentralized Finance Report (published recently, in March 2022), which states: “Most DeFi protocols [including DEXs] rely on centralization in one or more areas, and there are protocols that have a hidden centralized authority and are decentralized in name only.” So apparently securities regulators are starting to get it and are going to be focusing more and more on DEXs.
Anti-Money Laundering Laws and Standards
A recent example of how regulators approach DEXs comes from the Financial Action Task Force (FATF), the global standard-setting body promoting effective regulatory measures for combating money laundering and terrorist financing. At the end of October last year, the FATF published revised guidance on cryptocurrencies. This guidance aims at harmonising anti-money laundering standards relating to crypto assets globally, and even though the guidance is non-binding, it is a strong indication of how regulators would approach DEXs. In short, the guidance introduces an owner/operator test whereby creators, owners, operators and other persons that maintain control or sufficient influence over a decentralised arrangement could and should be caught within the scope of anti-money laundering laws.
The guidance makes it clear that regulators will look at the substance over the form and would disregard self-classification and marketing terms like “decentralised”, “dApp”, “DAO” or “DEX” whenever they can find a centralised party with sufficient control. Of course, regulators would also look for who is benefiting from a specific arrangement (and not just control) and if you think about it, it makes sense — to illustrate, for a potential exchange user to find that a DEX even exists, there would probably be an associated web page promoting it. So, someone must have registered the respective domain name and must be paying the hosting fees, and they are probably doing this because they expect returns in the form of profit from fees collected by the DEX (unless they are working pro bono).
Actually, collecting fees would be a very strong indication of the presence of an owner or operator of the arrangement, and that person or persons (in the case of a DAO, for example) could easily be considered responsible for compliance with the anti-money laundering and countering the financing of terrorism laws — let’s not forget that law itself is based on the principle that the person who takes the benefit must bear the burden.
Further, if it is still not clear after EtherDelta, the FATF guidance reiterates the idea that if you are running a trading platform that you control and you automate its processes through the use of smart contracts, that is not decentralisation, it is automation (similar to how banks automate the cash withdrawal process through automated teller machines, but you wouldn’t see them characterise it as a dATM or a dBanking service).
Considering that the FATF standards are applied worldwide and to the vast majority of tokens and crypto assets (and not just security tokens), this guidance would have a huge global impact on DEXs as they would have to implement robust compliance programs, and most importantly, start implementing know-your-customer procedures, which DEXs are notorious for lacking and have been trying to avoid since their dawn.
C. So what should I do?
The first step is assessing the degree of decentralisation and your personal involvement in a DEX project. Bearing in mind the above discussion points, you should already know that regulators would look into specific elements of control and influence — if you have keys to administrative accounts, can change parameters of the specific arrangement, have specific voting and governance rights, or similar, you could be considered as having control over the arrangement. Also, if you are profiting from a DEX, this would be a strong indication that you might be on the regulatory hook. Of course, an experienced lawyer could be invaluable in helping you navigate through this.
As a next step, if the DEX is actually not that decentralised, it is wise to obtain proper legal advice and secure the necessary regulatory permits, registrations and licences, and most importantly, implement a robust compliance program. At this stage, companies like Sekuritance could be extremely helpful, as you would be able to obtain a packaged deal encompassing RegTech that could help with your KYC needs, as well as in conducting on-chain analysis.
Actually, my personal opinion is that regardless of the level of decentralisation, DEXs should be looking into ways to implement KYC procedures, prevent money laundering patterns and screen against sanctions (a topic that became quite important over the past month with the sanctions against Russia). This could be achieved in a number of ways, for example by calling external oracles (e.g. through APIs) that can certify that they hold KYC data for a certain wallet address, by building rules around transaction monitoring and suspicious activity patterns into the smart contract itself, etc.
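As an added illustration of the two approaches just mentioned (it is not code from the article or from Sekuritance), the following Solidity module gates trades on an attestation from an external KYC oracle and enforces a rolling 24-hour per-wallet volume cap inside the contract itself. The `IKycOracle` interface, the contract and parameter names, and the single-DEX caller model are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical interface for a KYC provider's on-chain oracle: it only attests
// that it holds verified KYC data for a wallet; no personal data goes on-chain.
interface IKycOracle {
    function isVerified(address wallet) external view returns (bool);
}
// Compliance module that a DEX settlement contract calls before executing a trade.
contract ComplianceGuard {
    IKycOracle public immutable kycOracle;
    address public immutable dex;            // only this contract may record trades
    uint256 public immutable reportAbove;    // single trades above this are flagged via event
    uint256 public immutable dailyLimit;     // per-wallet cap per rolling 24h window
    struct Window { uint256 start; uint256 volume; }
    mapping(address => Window) private windows;

    event TradeRecorded(address indexed from, address indexed to, uint256 amount);
    event LargeTrade(address indexed wallet, uint256 amount);
    error NotDex();
    error NotVerified(address wallet);
    // Revert data, not an event: everything emitted in a reverting call is discarded,
    // so a blocked trade can only be reported through the error itself.
    error LimitExceeded(address wallet, uint256 attempted, uint256 alreadyTraded);

    constructor(IKycOracle oracle, address dex_, uint256 reportAbove_, uint256 dailyLimit_) {
        kycOracle = oracle; dex = dex_; reportAbove = reportAbove_; dailyLimit = dailyLimit_;
    }

    // Reverts unless both counterparties are KYC-verified and stay under their daily cap.
    function checkAndRecord(address from, address to, uint256 amount) external {
        if (msg.sender != dex) revert NotDex();
        if (!kycOracle.isVerified(from)) revert NotVerified(from);
        if (!kycOracle.isVerified(to)) revert NotVerified(to);
        _account(from, amount);
        _account(to, amount);
        emit TradeRecorded(from, to, amount);
    }

    function _account(address wallet, uint256 amount) private {
        Window storage w = windows[wallet];
        if (block.timestamp >= w.start + 1 days) {          // open a fresh 24h window
            w.start = block.timestamp;
            w.volume = 0;
        }
        if (w.volume + amount > dailyLimit) revert LimitExceeded(wallet, amount, w.volume);
        w.volume += amount;
        if (amount > reportAbove) emit LargeTrade(wallet, amount);  // flagged but allowed
    }
}
```

The DEX contract would call `checkAndRecord` at the start of its swap function; the `LargeTrade` events give an off-chain monitoring process a feed for suspicious-activity review, while the oracle dependency means the KYC data itself never touches the chain.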
D. Seems like a lot of hassle. Should I really care about it that much? It’s just a DEX.
Well, actually yes, everyone involved with the operation of a DEX should do their own due diligence. If you get this wrong and take a stance that a DEX is completely unregulated, you could easily find yourself breaching a plethora of local and international rules and regulations like: securities laws, anti-money laundering and countering the financing of terrorism regulations / financial sanctions, privacy laws, laws banning or prohibiting trading from within or to customers based in specific jurisdictions, as well as your own tax obligations. Let’s not forget also criminal law — people don’t realise that they are subject to the criminal laws of their place of permanent residence, as well as the place where they were born (nationality-based extraterritoriality) — and those laws most probably prohibit facilitating money laundering. So, if you are not implementing measures aimed at preventing money laundering (including because you have a company in a less-regulated jurisdiction that does not require implementing such measures), you might still be facilitating money laundering and you could still get into trouble for this.
In this regard, just registering a shell company in an offshore jurisdiction is not as helpful as some might lead you to believe. If you don’t trust me, check the Money Market case in the US where the SEC went after the owners of a Cayman Islands company for offering, among others, unregistered sales of securities using smart contracts and DeFi technology.
To conclude this on a more positive note, I am a firm believer in innovation and the technological advancements that could transform our lives, but this does not mean that DEXs should be left completely outside of the regulatory perimeter — for one because there are many cases of fraud and rug pulls. Some people would say that DEXs’ competitive advantage compared to their centralised counterparts is that they are not conducting know-your-customer procedures, but should non-compliance with the law be your sole competitive advantage — I think not.
Head of Legal
The Sekuritance RegTech platform provides a single platform for every eGRC need, including end-to-end AML/CTF, CECL, FCPA, vendor management, beneficiary onboarding, investor check, card processing MFA checks, blockchain wallet checks, cyber-risk assessments, and other RegTech or Business Process Management requirements.