Where CeFi outshines DeFi: Lawyers’ perspective on asset protection

The crypto market’s growing pains are salient in the legal realm, where things that work for traditional institutions prove inapplicable. Centralized finance (CeFi) frameworks are gradually shifting to the same level of detail as conventional banking. Their rivals, however, seem to present an impossible conundrum for lawmakers and significant risks for users.

Proponents of decentralized finance (DeFi) deem it “unregulatable” by nature. Authorities need a central body to impose rules on, not a swarm of validating and coordinating nodes, as the argument goes. While enthusiasts may think DeFi embodies the fundamental principle of crypto — decentralization — in its purest form, the experience of regulated CeFi companies highlights significant benefits.

In the words of Aleksandra Shelepova, CoinLoan’s Head of Legal, “when it comes to asset protection and regulatory oversight, CeFi is leading the charge.” This article lays out the main differences pertaining to regulation and some of the crucial issues to address for the sufficient protection of users’ rights and assets.

Transparency: transparent financial technologies vs. nodes

Along with centralized management, CeFi platforms offer something DeFi does not — a legal entity as a subject of law with all related consequences. As Aleksandra puts it, “The size of assets held in CeFi must be well-documented and tangible in the eyes of the law.” For CoinLoan, the status of a regulated financial institution we’ve had since March 21, 2018, currently comes with mandatory external and internal audits as well as in-house financial and behavior analytics.

Comparison of CeFi and DeFi. Adapted from LeewayHertz

Meanwhile, DeFi fails to provide complete asset transparency, and the beneficiaries who operate and gain profit from these platforms may be hidden from the public, any audits, and regulators’ view. CeFi has an advantage due to the top-down approach to regulation: companies follow the rules set by state authorities, the regulatory requirements that level the playing field, and protect consumers’ and investors’ rights in their jurisdiction.

While Bitcoin was once hailed as a monetary system beyond the reach of authorities, leaving services unsupervised could put users’ funds in peril. Aleksandra explains, “Regulations that come from the top after consultations with market participants leave little to no room for manipulation. They prevent abuses that could put clients’ assets at stake or infringe upon their rights in any way. The input from regulated businesses here is crucial, as they have first-hand knowledge of actual and potential weaknesses in crypto processes.”

CoinLoan's experience

CoinLoan chose to set its headquarters in Estonia for a simple reason — it was one of the most crypto-friendly locations at the time of the company’s establishment. CoinLoan’s status as a regulated financial institution licensed under Estonia Financial Authority prescribes a certain level of transparency and accountability, including KYC checks. DeFi, on the contrary, can provide complete quasi-anonymity with internal opaqueness as a tradeoff.

Operating within the legal field requires that platforms comply with applicable regulations in all their activities and operations. CoinLoan lawyer Anna Voblikova elaborates, “At the very least, they are to meet the obligations defined by the legal capacity of a legal entity with due regard to the industry specifics. Most prominently, this concerns licensing, monitoring, audits, and AML issues.”

Once a CeFi platform is incorporated, its users become entitled to the protection guaranteed by the current state. This protection includes the right to sue and the right to file complaints and receive a fair response within the legally binding time frames. All interactions with users must be based on clear-cut and unequivocal terms and conditions, privacy and AML policies, claim procedures, and so on.

Flip side of growth

DeFi’s exponential growth presents another problem. In 2020, Total Value Locked (TVL), a gauge of transaction value, saw 14x growth. The following year, it more than quadrupled, peaking at a whopping $112.07 billion.

Number of unique addresses that bought or sold a DeFi asset worldwide between December 2017 and July 4, 2022. Source: Statista

Unlike CoinLoan’s fixed functionality — Instant Loan, Interest Account, and Wallet, each accompanied by detailed terms and conditions — DeFi is highly fluid and may be based on individual and equivocal procedures. The speed at which new products and services for network participants emerge makes it all the more challenging for regulators to keep up.

Inherent risks of DeFi

The risk of tax fraud, forgery, money laundering, and terrorist financing stems from quasi-anonymous transactions due to the absence of KYC. Unfortunately, the market blew up so fast that even the IRS has not issued any specific guidance, although some general principles apply.

When users lose their funds, they typically have no opportunity to recover them. According to the European Commission, a lack of regulatory transparency poses multiple risks for users, including:

  • Hacking and bugs. One of the downsides of self-custody is a greater responsibility to prevent loss of capital. In 2020, users lost almost $100 million worth of crypto due to bugs, exploits, and hacks. Cybercriminals can inspect the code of a DeFi app and exploit unaddressed bugs.
  • Smart contract exploits. The crucial role of software raises operational risks, as flawed coding can affect the security of smart contracts. Unlike TradFi, where users are punished for breaking the law, the rules of DeFi transactions are encoded in smart contracts. While they cannot be broken, the contracts themselves may be — and have been — manipulated.
  • Pump-and-dump schemes. Anyone can mint scam tokens, list them on a DeFi exchange, leverage social media to inflate their price, and eventually dump them to cash in.
  • Rug pulls. There have been cases when DeFi developers ran away with investors’ funds, “possibly using a deliberately introduced flaw in the code.” For example, developers of the SQUID token defrauded investors by limiting sell orders.
DeFi hacks accounted for the largest share of crypto stolen in 2021. Source: Chainalysis

Convenience of unified regulation

The legal landscape for crypto, including lending and depositing services, is still shifting. Legislative attitudes and the activities associated with them vary around the world, but EU businesses anticipate gradual expansion of the frameworks that resemble the banking sphere.

In Estonia, crypto platforms licensed as financial institutions essentially follow the same rulebooks for account transfers, execution of court decisions, and inheritance as TradFi. The logic of civil and financial legislation can be applied in an analogous way. Here are a few examples.

  • With regard to AML compliance, FATF’s guidelines cover legal jurisdictions, the treatment of cryptoassets, source-of-funds checks, and so on.
  • In terms of taxation, CeFi platforms can generate reports in formats accepted by tax authorities in the clients’ jurisdictions. DeFi, with its complex models like yield farming, presents unique challenges, as taxpayers need third-party software to import their data from the ledger.
  • Situations involving the transfer of asset ownership, such as settling inheritance, are treated by banks and CeFi similarly. CoinLoan follows the same principles as TradFi, requiring (depending on the jurisdiction) a Certificate of Inheritance to prove ownership of the deceased’s assets, the death certificate, and, if applicable, the last will and testament. Access is granted following administrative verification.

Due to the regulatory vacuum, the transfer of assets, like everything else in DeFi, is a gray zone. Emerging solutions — for instance, software that generates and executes an automated last will — operate beyond the scope of national legislation and do not guarantee accurate access transfer on the predetermined date.

State of DeFi regulation

In the UK, HMRC has recently published guidance on the treatment of DeFi. The IRS has not addressed DeFi as a subset of crypto services, despite requiring US citizens to pay taxes on all cryptocurrency transactions. Notice 2014-21 merely provides the general principles applicable to such DeFi transactions as staking, borrowing, and yield farming.

Still, DeFi is under regulators’ lens. A copy of a US draft bill leaked in June 2022 emphasizes user protection and requires any crypto service provider or platform to be legally registered. However, a legal framework has yet to be officially enacted and enforced.

The European Commission’s 2022 report “European Financial Stability and Integration Review 2022” devotes 12 pages to DeFi, acknowledging that “given the absence of regulation, DeFi is acutely prone to conduct risks such as scams and fraud.”

Downside of self-sovereignty

DeFi platforms have no formal leadership that regulators could interact with and no incorporated legal entities, which complicates risk control. In a conventional model, regulators communicate with the management of trading services to keep an eye on their clients and detect suspicious activity. This is true for CeFi and may give crypto companies a say in the regulatory process.

Aside from its constant interaction with the Estonian authorities, CoinLoan has contributed to the amendments to the Estonian AML Act. Aleksandra Shelepova explains, “What we create and apply here is so innovative and interesting that it gets incorporated into the state legislation.”

Future DeFi regulation is inevitable

Crypto regulation, in general, is bound to increase, and it could threaten the future of DeFi if its leaders continue to show the same lack of response. On August 8, 2022, the US Treasury Department’s Office of Foreign Assets Control barred transacting with Tornado Cash addresses in the US — a move that could prove pivotal for the entire DeFi industry. The crypto mixer had become a facilitator of cybercrime, processing over $1.5 billion worth of transactions for illicit actors.

All-encompassing protection is a must

DeFi is a potential vector for three crucial risks that financial regulators must control: illicit activity, fraud, and systemic risk. Meanwhile, CeFi platforms are approaching comprehensive asset protection, as legal professionals see regulators’ intention to set clear rules. The draft for the Markets in Crypto-assets (MiCA) Law of the European Union, expected to come into effect in 2023, strongly focuses on consumer and investor protection.

The need for a tailored approach

A balanced framework should produce all-around protection of consumer and investor rights in crypto, along with deposit insurance and other safeguards enjoyed by clients of TradFi. The CoinLoan legal team considers such measures likely and desirable, but only if they are adequately adapted to digital assets.

Regulations should not simply replicate banking frameworks — cryptocurrencies and conventional assets are just too different. For example, in terms of AML transparency, crypto beats fiat by default. Besides the absence of additional paperwork, crypto transactions are easier to check. Any party can verify the origin of funds in any transaction.

The key takeaway, according to Aleksandra, is that specificity trumps generalization. “In its regulatory approach, CeFi should zoom in on the specifics of crypto. The notion of a one-size-fits-all framework for financial institutions is inherently wrong. Despite identical guarantees for crypto users, the regulation must be precisely tailored to digital assets.

“Currently, crypto regulations are quite odd, awkward, and old-school. As there is no detailed regulation worldwide for the CoinLoan products, we, the lawmakers, are creating it following our vibes.”

CeFi businesses should welcome any opportunity to get involved in the lawmaking process, as CoinLoan has done and continues to do. In the meantime, while DeFi remains unregulated, users should be aware of the magnitude and diversity of risks to their funds and data.