Who is in Charge Here? Liability Considerations for Decentralized Exchange Platforms

Patomak Global Partners fintech experts Ted Serafini, Kristine Johnson, Robert Greene, and Paul Watkins release the first article in a series that examines some of the issues regulators are likely to encounter as activity continues to grow in Decentralized Finance (DeFi), as well as what those operating in the space should consider.

The first paper, “Who Is In Charge Here? Liability Considerations for Decentralized Exchange Platforms” follows, or download as a pdf.

Who Is In Charge Here?

Liability Considerations for Decentralized Exchange Platforms

 By Ted Serafini, Kristine Johnson, Robert Greene, and Paul Watkins

Activity, capital inflows, and total value locked in Decentralized Finance (DeFi) saw a major rise in 2020 that has continued into 2021. DeFi is an umbrella term that broadly refers to financial applications using blockchain technology to offer decentralized alternatives to traditional financial services, geared toward the disintermediation of those services. The DeFi ecosystem includes the digital assets, financial smart contracts, protocols, and decentralized applications (DApps) that to-date have been built mostly on Ethereum.

With the growth of DeFi came the popularization of so-called “decentralized exchanges,” or DEXs, a core piece of DeFi infrastructure. In the past year, these platforms have seen trading volumes hit record highs surpassing $160 billion in some months.[1] Trading volume on some has rivaled that of leading centralized crypto trading platforms.[2]

Unlike traditional trading platforms, once the smart contracts for a truly decentralized DEX platform are launched, they do not require a single entity to run or maintain the platform. Indeed, these platforms are simply software run on a public blockchain that can be leveraged by anyone to engage in a “decentralized exchange” of one asset for another asset. However, DEX platforms are not monolith, and can be more or less automated and distributed depending on their design. Below we use the term “DEX” for simplicity, but acknowledge that there are major structural differences between various platforms referred to using this term – indeed, the regulatory and compliance implications of those differences are explored in-depth below.

With the rise of DEXs, nearly every major activity of traditional market infrastructure is being disintermediated: from brokers, to exchanges, and down to the clearance and settlement system. A truly decentralized DEX platform has no sole person or entity responsible for facilitating the trading activity taking place on the platform. Despite regulators’ best efforts to compose rules that are “technology neutral,” the current rules have been developed with legacy infrastructure in mind and today’s rules do not neatly apply to DEXs or other parts of the DeFi ecosystem.

In a series of articles on DeFi, we will begin to unpack some of the issues regulators at the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the U.S. Department of Treasury (Treasury), and elsewhere are likely to encounter as activity continues to grow on these platforms, as well as what those operating in the space should consider.

A threshold question facing regulators is determining who to hold responsible when illegal activity that comes under the purview of its oversight is facilitated through a DEX platform. What has emerged from early SEC, CFTC, and Treasury enforcement actions is that control, compensation, intent, and contributions to and deployment of DEX code are among the key indicia regulators will use to determine liability.

Distinguishing Centralized and Decentralized Exchanges

Cryptocurrency trading platforms operate on a spectrum from fully centralized and custodial, run by corporations, to largely decentralized, where code was written that enables users to transact, but no sole entity controls the listings or takes any direct profit from the trading.

Today, the majority of the trading activity for cryptocurrency has largely taken place on so-called “centralized exchanges” or “custodial exchanges” which have grown to be household names. These entities have been a vital onramp to entering the digital asset space.

In general, these platforms provide a one-stop-shop where users first deposit funds – either fiat currency (via bank transfer or debit/credit card) or cryptocurrency (i.e., the centralized exchange takes custody of user funds) – then users may make trades with those funds, which are kept in accounts with the trading platform, transfer funds to an external cryptocurrency wallet, or withdraw fiat currency to a bank account.[3] Similar to exchanges in the traditional equity market, these “centralized exchanges” are able to achieve speed and efficiency as they maintain an order book and match orders on the customer’s behalf. Notably, retail trading of cryptocurrencies carried out on these platforms does not directly occur on the blockchain; rather, trades are listed as an entry on the exchange’s database.[4]

The term DEX is often used to refer to platforms that do not take custody of customer funds (hence, they are non-custodial) and through which transactions take place peer-to-peer, or peer-to-contract. A fully decentralized DEX platform is simply software code running on an open blockchain network. It is not a business entity like a custodial exchange, but rather, just software being used through the internet.

Accordingly, by using DEXs, users can maintain custody of their assets at all times and, instead of users sending their orders to an intermediary which executes trades on their behalf, DEXs utilize self-executing smart contracts to facilitate trading and orders are sent to an underlying blockchain network.[5] Since there is no central intermediary acting as part of the transaction, there may be no entity collecting Know Your Customer (KYC) information and no anti-money laundering (AML) protocols in place. Truly decentralized DEX platforms can only facilate orders using tokens on particular open source blockchains, and thus do not enable fiat on and off-ramps, which eliminates a major touchpoint to the regulated financial system and means that users can only trade crypto-to-crypto pairs and cannot use fiat currency for trading.

Unlike centralized exchanges that act as a gatekeeper for what tokens can list, most DEXs are designed such that technological parameters govern what tokens can list (e.g. tokens must be ERC-20 compliant to be traded using an Ethereum-based platform). Broadly, DEXs have the following characteristics: i) non-custodial; ii) permissionless; iii) on-chain settlement; and iv) the use of liquidity pools or order books (whether on-chain or off).

An important design consideration for DEX platforms—with liability and regulatory implications—is whether a platform facilitates trading with an order book or automated market maker (AMM).

Order Book DEXs. Just like centralized exchanges, many DEX models make use of order books and bids and asks to facilitate trades. For some order book DEXs, all of this activity occurs on the blockchain. While this is the most transparent option, with the current state of most blockchains, it may not be very practical, as it is expensive and time consuming to update order book pricing due to the relatively high costs of running smart contracts (i.e., Ethereum gas fees). For this reason, some DEXs in this category maintain off-chain order books and settle trades on-chain. While off-chain order books improve speed and efficiency, they also pose the most obvious regulatory considerations. Off-chain order books must be maintained somewhere, which could range from a centralized entity completely controlling the order book, to a model where a decentralized network of third-party participants connect makers and takers.

Automated Market Maker (AMM) DEXs. The innovation that has helped enable the recent growth of DEXs lies in the AMM model. Rather than maintaining an order book, the AMM model employs a liquidity pool reserve-based model that holds a pool of assets that traders can access.[6] Essentially, liquidity providers, or users that voluntarily commit their tokens to form a trading pair (e.g., ETH-USDC), receive benefits incentivizing them to stake their tokens, and traders buy and sell against that liquidity. An algorithmic pricing formula is embedded in the smart contract, and a purchaser receives the requested token nearly instantaneously from the liquidity pool. [7] In this way, these trades are peer-to-contract rather than peer-to-peer, as the exchange’s smart contract acts as a counterparty.[8] In return, liquidity providers receive benefits that vary by platform. Platforms commonly offer a small percentage such as 0.3% of the value of the trades, while some offer interest or interoperable tokens with the ability to earn rewards elsewhere in the DeFi ecosystem.

The AMM model enables a more decentralized exchange where there is no central administrator of the pool. Everything is maintained by the smart contract and anyone may be able to list a token for exchange or be a liquidity provider. To participate in the decentralized exchange enabled by such a software platform, a potential buyer or seller can utilize a decentralized application, or “DApp.” A functional user interface that serves as a portal to the underlying smart contract, a DApp simply refers to an application built on a decentralized network that combines a smart contract and a frontend user interface that is easy for users to interact with.[9] DApps may be hosted by the original DEX smart contract developer, or instead, may be hosted on decentralized file storage solutions.[10] Decentralized exchanges of this nature present important questions about who would be liable for violations of statutes and regulations.

Regulatory and Legal Considerations

Depending on the activity occurring through a DEX, it could be subject to oversight by Treasury, SEC, CFTC, and others. Some of the uncertainty around liability will be addressed as agencies carry out DEX-related enforcement actions, rule revisions, and guidance. Today, there are a few regulatory actions that already provide some insights into how regulators are approaching DEXs and liability.

For example, in the U.S., entities accepting “convertible virtual currency” (which the Internal Revenue Service defined to include bitcoin)[11] from one person for the purpose of transmitting it to another person or location are required to register as money services business (MSB) with Financial Crimes Enforcement Network (FinCEN) and must maintain an AML program. As DEXs are non-custodial platforms, they generally rely on FinCEN’s network access exemption for persons that “provide the delivery, communication, or network access services used by a money transmitter to support money transmission services.”[12] FinCEN has, however, argued in guidance that when DApps do “accept and transmit value,” DApp developers, owners/operators, and investors could be subject to AML obligations.[13]

The Financial Action Task Force (FATF), a global anti-money laundering standard setting body, took a similar stance in its 2021 draft guidance on virtual assets and virtual asset service providers (VASPs), where it attempted to address how certain aspects of DeFi may be subject to VASP requirements. The FATF’s draft guidance provides that while “so-called decentralized exchanges or platforms” (referred to in the guidance as a DApp) are not necessarily a VASP – FATF’s standards do not apply to the underlying software or technology – the “entities involved with the DApp may be VASPs under the FATF definition.”[14] The FATF draft guidance provides that potential VASPs include the “owners/operators” of the DApp, persons that conduct business development for the DApp, and parties that are developing a DApp to provide financial services for profit.[15]

FinCEN’s and FATF’s suggestions align with approaches taken by other regulators, including the SEC and CFTC. In November 2018, the SEC took action against Zachary Coburn, the founder of Ethereum-based DEX platform EtherDelta, for operating an unregistered securities exchange. This was the first regulatory action that addressed the personal legal liability of a developer and deployer of smart contract code. According to the SEC, EtherDelta “provided a marketplace for bringing together buyers and sellers for digital asset securities through the combined use of an order book, a website that displayed orders, and a ‘smart contract’ run on the Ethereum blockchain.”[16]

The order focused on two things: i) that Coburn caused EtherDelta to violate securities law, as he wrote and deployed its smart contract to the Ethereum blockchain, exercised complete control over its operations, and received monetary benefit from order fees; and ii) EtherDelta maintained the order book which resided on its centralized server and not on the ethereum blockchain. At all times, Coburn had sole access to the “administrator account” private key which could alter the smart contract. While this access was limited to changing the permissible fees or address of the fee account, the SEC found it relevant. The SEC did not explicitly state which ERC-20 tokens trading on EtherDelta’s platform were securities, leaving the door open for continued ambiguity. The EtherDelta action demonstrates the challenges with off-chain order books and shows that the SEC (and CFTC) could arguably target both the host of the off-chain order book, and individuals associated with the DEX protocol, despite the fact that neither fit neatly into the currently regulatory framework.

By contrast, a similar case would be harder to make for a platform where fees are paid to liquidity providers rather than to any team members, and no central entity maintains an order book. Determining liability would be further complicated in this example because software development is protected under the First Amendment, unless there is no lawful purpose to the software.[17] Some have argued that if a developer created and released DEX software to the public and is not advocating the illegal use of that software, collecting fees from usage of the software, or maintaining a website for accessing the software, then the software publishing activity is protected under the First Amendment.[18]

Conversely, in 2018 CFTC Commissioner Brian Quintenz stated that the appropriate question for attaching liability is whether “code developers could reasonably foresee, at the time they created the code, that it would likely be used by U.S. persons in a manner violative of CFTC regulations.”[19] He further stated that if smart contract code was “designed to enable the precise type of activity regulated by the CFTC, and no effort was made to preclude its availability to U.S. persons,” a strong case could be made that that the developers aided and abetted CFTC violations.[20] Commissioner Quintenz later argued that the CFTC should bring cases where it can show the intent of a developer was to facilitate illegal activity.[21] He noted several factors that should be considered including “whether code is narrowly designed to enable an unlawful purpose rather than broadly designed for legal activities.”

The CFTC took the latter approach when in August 2020, it entered into a consent order of permanent injunction against Edge Financial for providing software that aided and abetted spoofing and use of a manipulative and deceptive scheme under the Commodity Exchange Act.[22] In that case, the CFTC found Edge Financial liable because it developed the software to meet a trader’s requested specifications that enabled spoofing.[23]

Founders and operators of decentralized exchange platforms or DApps of any sort should undertake a full risk assessment to understand how regulators may view the activity being conducted, particularly as it pertains to the U.S. jurisdiction. In the future, the CFTC and other regulators could look to extend secondary liablity to additional actors interacting with DEXs in some way. For example, some argue that the CFTC could find holders of governance tokens that have a “controlling” interest over the direction of a DEX platform, liquidity providers, or even end users of these platforms that directly facilitate or disproportionately facilitate certain behavior liable for unlawful activity.[24] Yet notably, even if a regulator were to bring an enforcement action against any of these entities, it would not necessarily prevent users from interacting with a DEX platform’s underlying software once the code and smart contracts have been deployed.

Conclusion

Accordingly, the concerns of regulators seeking to exert greater oversight in this space are only increasing as DeFi activity grows. For example, in a recent speech, CFTC Commissioner Dan Berkovitz argued that the CFTC “should not permit DeFi to become an unregulated shadow financial market in direct competition with regulated markets” and that the “CFTC, along with other regulators, needs to focus more attention to this growing area of concern and address regulatory violations appropriately.”[25]

As regulators bring more actions in response to activity on these platforms, there will be more data points on liability. Thus far, regulators have pursued enforcement cases where liability is relatively clear due to the level of the defendants’ control, intent, and compensation from the activity they facilitated. It may be, however, that regulators will have more challenges in the future as truly decentralized DEXs that merely provide a platform for exchange—including AMM DEX platforms—facilitate more of the activity that has been done on regulated exchanges. Regulators may, as a result, have to cast a wider net to exert their oversight in this space. In addition to the founders and operators of these platforms, market participants that are interacting with DEX platforms, including providing liquidity to activities that may be facilitating prohibited activity, owning governance tokens and participating in the governance of such platforms, and more, should be aware of the potential regulatory risks involved and take note of future enforcement actions.

Accordingly, for parties seeking to enter or already in this space, regulatory liability should be carefully considered. When assessing liability, the factors that regulators are likely to consider include—does an individual or entity:

i)              maintain the sole interface to the underlying smart contract?

ii)             have sole access to make changes to the conditions or functions of the protocol/does the contract grant any exclusive rights to one party?

iii)           receive or control some monetary interest, such as receiving transaction fees?

iv)           design the program with the intent to facilitate regulated activity?

v)            promote the activity or conduct business development for the activity?

The next article in this series will look more closely at how the CFTC’s existing derivatives regulatory framework may apply to DeFi platforms that enable regulated derivatives contracts.

[1] See Kieran Smith and Aditya Das, Uniswap leads 2021’s best decentralized exchanges (Jan 28, 2021), available at https://bravenewcoin.com/insights/trading-volume-surges-on-decentralized-exchanges.

[2] See The Block, Exchange – Presented by Fireblocks, available at https://www.theblockcrypto.com/data/decentralized-finance/dex-non-custodial.

[3] Centralized exchanges essentially provide escrow services and play a role in transaction flow. They act as a trusted intermediary and custodian of funds. See What Is a Decentralized Exchange (DEX)?, Binance Academy (May 2021), available at https://academy.binance.com/en/articles/what-is-a-decentralized-exchange-dex.

[4] Agostino Capponi and Ruizhe Jia, The Adoption of Blockchain-based Decentralized Exchanges, at 7 (April 16, 2021), available at https://arxiv.org/pdf/2103.08842.pdf.

[5] Id. at 8.

[6] Yuen Lo and Francesca Medda, Uniswap and the rise of the decentralized exchange, at 3 (Nov 3, 2020), available at https://mpra.ub.uni-muenchen.de/103925/1/MPRA_paper_103925.pdf.

[7] For example, a constant product AMM ensures that the reserves in the system before and after the trade adhere to the function x*y=k, where x is the quantity of reserves of asset x, y is the quantity of reserves of asset y, and k is a constant. The constant, k, means that there is a constant balance of assets that determines the price of assets in the pool. Every time asset x is bought, the price goes up as there is less of that asset in the pool; conversely, the price of asset y goes down as there is less of that asset in the pool. The pool stays in constant balance, and the prices of tokens in the pool follow a curve determined by the formula.

[8] Aaron Wright and Gary DeWaal, TAC Virtual Currency Subcommittee Presentation—The Growth and Regulatory Challenges of Decentralized Finance, at 14 (Dec 14, 2020).

[9] See Introduction to DApps (June 11,2021), available at https://ethereum.org/en/developers/docs/dapps/.

[10] Id.

[11] Internal Revenue Service Notice 2014-2, available at https://www.irs.gov/pub/irs-drop/n-14-21.pdf.

[12] “[I]f a CVC trading platform only provides a forum where buyers and sellers of CVC post their bids and offers (with or without automatic matching of counterparties), and the parties themselves settle any matched transactions through an outside venue (either through individual wallets or other wallets not hosted by the trading platform), the trading platform does not qualify as a money transmitter under FinCEN regulations.” FinCen Guidance, Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies at 24 (May 9, 2019), available at https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf

[13] Id. at 18.

[14] FATF, Draft updated Guidance for a risk-based approach to virtual assets and VASPs (March 2021), available at https://www.fatf-gafi.org/media/fatf/documents/recommendations/March%202021%20-%20VA%20Guidance%20update%20-%20Sixth%20draft%20-%20Public%20consultation.pdf.

[15] Id.

[16] Securities and Exchange Commission Press Release, SEC Charges EtherDelta Founder with Operating an Unregistered Exchange (Nov 8, 2018), available at https://www.sec.gov/news/press-release/2018-258.

[17] See Bernstein v. Dep’t of State, 176 F.3d 1132, 1136 (9th Cir.), vacated for rehearing en banc, 192 F.3d 1308 (1999), available at https://globalfreedomofexpression.columbia.edu/cases/bernstein-v-department-of-justice/#:~:text=The%20U.S.%20Court%20of%20Appeals,paper%20and%20its%20source%20code.

[18] See Peter Van Valkenburgh, There’s no such thing as a decentralized exchange, Coin Center (October 3, 2020), available at https://www.coincenter.org/theres-no-such-thing-as-a-decentralized-exchange/

[19] Speech by CFTC Commissioner Brian Quintenz at the 38th Annual GITEX Technology Week Conference (Oct 16, 2018), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/opaquintenz16

[20] Id.

[21] Brian Quintenz, How the CFTC can take a pro-innovation posture while maintaining orderly markets, Coin Center (Feb 12, 2019), available at https://www.coincenter.org/how-the-cftc-can-take-a-pro-innovation-posture-while-maintaining-orderly-markets/

[22] CFTC v. Edge Financial Technology, Case No. 1:18-cv-00619 (Aug 12, 2020), available at https://www.cftc.gov/media/4661/enfedgefinancialconsentorder091420/download

[23] Id. at 8.

[24] Wright and DeWaal, supra note 8, at 49.

[25] Speech by CFTC Commissioner Dan Berkovtiz, Climate Change and Decentralized Finance: New Challenges for the CFTC (June 8, 2021), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/opaberkovitz7.