LEXR Legal Blog / FinTech & Blockchain

DeFi Regulation: A global framework for assessing when decentralized protocols fall within financial regulations

By Team LEXR

Last Updated 17/03/2026

Executive Summary

Protocol developers and founders face a recurring question: Does my DeFi protocol fall within the scope of financial market regulation and if so, who bears regulatory responsibility? The answer to the first question hinges primarily on one factor: whether an identifiable person or connected group of persons controls the protocol. If no one does, there is no one to whom regulatory obligations could attach.

This article provides a practical framework to answer that question. You will learn:

  • How to distinguish genuine decentralization from “on-chain Centralized Finance (CeFi)”
  • A five-step assessment framework for determining whether a protocol’s activities can be legally attributed to an identifiable operator
  • How the EU, the United States and Switzerland are approaching DeFi regulation

The conclusion: if no person or connected group exercises relevant control over the protocol, it falls outside the personal scope of financial market law. However, the factual assessment of whether control exists requires rigorous analysis.

The Layer Model: Where Centralization Can Hide

On-chain CeFi denotes blockchain-based protocols with material centralization vectors.

DeFi protocols are built in layers, and centralization can occur at any of them. In response to regulatory uncertainty, various frameworks have emerged to provide structured guidance on assessing decentralization in blockchain-based financial infrastructure. Notable examples include the technical framework proposed by Schuler, Cloots, and Schär in their 2024 paper “On DeFi and On-Chain CeFi,” which the Swiss Blockchain Federation’s 2025 circular adapts and extends for purposes of legal classification under Swiss financial market law. These approaches evaluate decentralization across multiple technological levels:

Settlement layer (blockchain): Is the underlying blockchain operated by an identifiable person or closely connected group? For public, permissionless blockchains with distributed node operators such as Ethereum the answer is typically no. For private blockchains or those with a small number of related validators, the blockchain operators themselves may constitute a regulatory anchor point. Most major public blockchains, including Ethereum, are not operated by a closely connected group and therefore do not create a regulatory anchor point at the settlement layer even if they exhibit some technical centralization vectors such as validator concentration.

Asset and protocol layer (smart contracts): This is where legally relevant centralization issues most commonly arise. Do the smart contracts contain permissioned functions (admin keys, upgrade mechanisms, fee switches, pause buttons) that grant someone factual control over user assets or transactions? Are there critical dependencies on centralized external data sources?

Application layer (frontends & block explorers): Frontends and block explorers that visualize data and prepare transactions (but do not execute or transfer such transactions) are typically an optional layer that grants no control over the protocol itself and is not involved in any transaction whatsoever. Therefore, operating a typical frontend does not make the operator the “operator” of the underlying protocol. Nevertheless, as the frontend is often the most visible layer, the operator of the frontend is typically the first person to receive regulatory scrutiny, and there are emerging best practices to mitigate related risks.

The Five-Step Assessment Framework

The following framework is based on the Swiss Blockchain Federation’s 2025 circular, which LEXR co-authored as part of the Federation’s DeFi working group. It provides a structured approach for assessing whether a DeFi protocol has an identifiable operator to whom activities can be legally attributed:

Step 1: Assess blockchain decentralization

Settlement layer: Is the underlying blockchain operated by an identifiable person or closely connected group? For public, permissionless blockchains with distributed node operators such as Ethereum, the answer is typically no. For private blockchains or those with a small number of related validators, the blockchain operators themselves may constitute a regulatory anchor point.

Separately, examine the relationship between the protocol developers and the underlying blockchain. Do persons involved in the protocol exercise any factual or legal control over the blockchain that would allow them to withdraw, block, or materially interfere with user funds? If protocol developers have no ability to influence the blockchain, then centralization at the blockchain does not establish them as operators.

Step 2: Identify permissioned functions

Asset and protocol layer (smart contracts) 1: Review all smart contracts. Are they fully immutable or do any grant special access rights to certain addresses? Examine the protocol for:

  • Upgrade functions (particularly proxy contracts)
  • Pause or freeze mechanisms
  • Blacklisting capabilities
  • Parameter changes such as fee switches beyond narrow bounds

If no permissioned functions exist, the smart contract level does not establish an operator through this vector. Proceed to assess external dependencies.

Step 3: Assess whether permissioned functions are critical

Asset and protocol layer (smart contracts) 2: The question is whether any of the functions grants control that would enable the holder to conduct activities that, if performed by an identifiable person, would fall within the material scope of financial market regulation. This includes control over user funds or control over transaction execution, pricing mechanisms, or other core protocol functions.

A fee switch that adjusts fees within predefined, narrow parameters does not, under this framework, constitute control over core protocol functions. However, broad upgrade functionality that can alter core protocol logic may represent significant control.

Mitigating factors can reduce the level of control effectively exercised:

  • Timelocks that delay changes (industry practice ranges from 2 to 10 days, though no regulatory standard exists)
  • Exit windows allowing users to withdraw before changes take effect
  • Transparent documentation of how and under what conditions functions may be triggered
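As an added illustration of the mitigating factors just listed (not code from the article, LEXR or the Swiss Blockchain Federation circular), the constructed contract below keeps its only permissioned function, a fee switch, inside hard-coded narrow bounds and behind a 7-day timelock that doubles as an exit window; the `governance` address and the fee bounds are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed example of a fee module whose single permissioned function
/// (the fee switch) is bounded and timelocked. No upgrade, pause or
/// blacklist function exists, so Step 2 finds only this one vector.
contract BoundedTimelockedFee {
    uint16 public constant MIN_FEE_BPS = 5;     // assumed hard lower bound: 0.05 %
    uint16 public constant MAX_FEE_BPS = 30;    // assumed hard upper bound: 0.30 %
    uint64 public constant TIMELOCK = 7 days;   // inside the 2-10 day range cited above

    address public immutable governance;        // assumed: a multisig or governor contract
    uint16 public feeBps = 10;

    uint16 public pendingFeeBps;
    uint64 public pendingEffectiveAt;           // 0 means nothing is queued

    event FeeChangeQueued(uint16 newFeeBps, uint64 effectiveAt);
    event FeeChangeApplied(uint16 newFeeBps);

    constructor(address _governance) {
        governance = _governance;
    }

    /// Only queues a change. The pending value is public, so users have the
    /// full TIMELOCK period as an exit window before it takes effect.
    function queueFeeChange(uint16 newFeeBps) external {
        require(msg.sender == governance, "not governance");
        require(newFeeBps >= MIN_FEE_BPS && newFeeBps <= MAX_FEE_BPS, "fee out of bounds");
        pendingFeeBps = newFeeBps;
        pendingEffectiveAt = uint64(block.timestamp) + TIMELOCK;
        emit FeeChangeQueued(newFeeBps, pendingEffectiveAt);
    }

    /// Anyone may apply the change once the delay has elapsed; governance
    /// has no way to shorten or skip the delay.
    function applyFeeChange() external {
        require(pendingEffectiveAt != 0, "nothing queued");
        require(block.timestamp >= pendingEffectiveAt, "timelock active");
        feeBps = pendingFeeBps;
        pendingEffectiveAt = 0;
        emit FeeChangeApplied(feeBps);
    }

    /// Fee computation is pure arithmetic on a parameter that can never leave
    /// [MIN_FEE_BPS, MAX_FEE_BPS], which is the "narrow bounds" argument of Step 3.
    function feeFor(uint256 amount) external view returns (uint256) {
        return amount * feeBps / 10_000;
    }
}
```

Reviewing such a contract for Step 2 means confirming that the bounds and delay are constants rather than further admin-settable parameters, since a settable bound would reopen the control vector.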

Step 4: Identify and assess external dependencies

Asset and protocol layer (smart contracts) 3: Does the protocol rely on off-chain data through oracles? Are there any off-chain commitments such as promises to maintain a stablecoin’s peg? Could a third party manipulate or compromise the protocol through these dependencies?

A centralized oracle providing price information can significantly affect protocol functionality, including triggering liquidations or enabling arbitrage if incorrect data is delivered. However, the question is not whether the oracle creates risk, but whether the oracle operator exercises control over the protocol sufficient to be considered its operator. Generally, oracles provide data inputs rather than control protocol logic, and their influence, while potentially damaging, does not constitute the kind of control that establishes regulatory attribution for the protocol’s activities.

As with permissioned functions, examine whether dependencies grant control sufficient to conduct or influence regulated activities, and not merely whether they create operational risk.

Step 5: Assess who exercises control

Asset and protocol layer (smart contracts) 4: If Steps 2 through 4 reveal permissioned functions or dependencies that grant relevant control, the final question is whether that control is sufficiently decentralized. Consider:

  • Single entity holding admin keys to critical functions = high risk of being the operator
  • Multi-signature arrangement where key holders have close economic, organizational, or personal connections = may constitute a “group” and be treated as one person
  • Governance tokens concentrated in few hands = potential attribution
  • Widely distributed governance with no controlling block = likely no operator

The outcome: If the assessment reveals no person or connected group with relevant control, the protocol would fall outside the personal scope of financial market law as there is no regulatory subject. If an identifiable operator with relevant control exists, the protocol constitutes on-chain CeFi.

International Regulatory Overview and Convergence

The regulatory treatment of DeFi remains an emerging field with significant legal uncertainty. No jurisdiction has enacted comprehensive DeFi-specific legislation, and fundamental questions, such as how to apply laws designed for identifiable intermediaries to systems that may lack them, remain unsettled. Court decisions are sparse, and regulatory guidance is often high-level rather than operationally specific.

Nevertheless, key jurisdictions including Switzerland, the European Union, and the United States have signalled similar directions in their approach (see below). A common principle is emerging: the label “decentralized” does not exempt a system from regulation if, in substance, identifiable parties exercise control or significant influence (COSI). Regulators are increasingly looking through organizational forms and technical architectures to identify responsible persons. Where such persons exist, existing financial market rules apply under the principle of “same activity, same risk, same rules.” However, for ‘fully or sufficiently decentralized’ systems or systems ‘without an identifiable operator’, there is no regulatory subject.

For example, there is broad consensus, even under the very strict previous Gensler SEC, that the Bitcoin blockchain is indeed decentralized and that, e.g., core developers, miners and other persons participating in the operation of the Bitcoin blockchain are not regulated.

International bodies have also provided guidance that aligns with this framework:

IOSCO (International Organization of Securities Commissions) is the global standard-setter for securities regulation, comprising regulatory authorities from over 130 jurisdictions. In December 2023, IOSCO issued nine policy recommendations for DeFi applying the “same activity, same risk, same regulatory outcome” principle. The recommendations focus on identifying “responsible persons” regardless of organizational form or technological implementation, where the term “responsible persons” “includes those that exercise or can exercise control or sufficient influence over a particular financial product, service, or activity”. IOSCO emphasizes that this determination requires rigorous factual analysis rather than acceptance of marketing claims, and provides an extensive list of example indicators that may point to a responsible person.

FATF (Financial Action Task Force) is the inter-governmental body that sets international standards for anti-money laundering (AML) and combating the financing of terrorism (CFT). FATF’s guidance on virtual assets establishes the Virtual Asset Service Provider (VASP) framework that many jurisdictions have adopted. The 2021 guidance states that “creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services.” FATF has indicated that such control may be exercised through a smart contract or voting protocols, and that countries may consider factors such as whether any party profits from the service or has the ability to set or change parameters. FATF continues to monitor developments in this space and has signalled that further guidance specific to DeFi may be forthcoming as the market evolves and regulatory understanding deepens.

These international positions, while not directly binding, shape national regulatory approaches and signal the direction of global convergence. The consistent theme: substance over form, with the critical question being whether an identifiable person exercises sufficient control to be held responsible under applicable law.

Jurisdictional Snapshot: European Union

MiCA (Markets in Crypto-Assets Regulation) became applicable in December 2024.

The key provision: Recital 22, which provides interpretive guidance though is not itself a binding provision, states that crypto-asset services provided “in a fully decentralised manner without any intermediary” should not fall within MiCA’s scope.

The CASP test: Regulation applies to Crypto-Asset Service Providers, defined as legal persons or “undertakings” providing crypto-asset services professionally. Three elements are relevant:

  1. Must be a “person” or “undertaking”. DAOs may qualify as “undertakings” under EU law’s broad functional definition, which focuses on economic activity rather than legal form, though this remains untested in the DeFi context
  2. Must provide services “to clients” (implies a service-provider relationship)
  3. Must act “on a professional basis”

ESMA’s position: There may be “varying degrees” of decentralization, and each system must be assessed on a case-by-case basis. The scope of the “fully decentralized” exemption remains uncertain.

Current state: To date, no enforcement action has established that a protocol meeting the criteria for genuine decentralization falls within MiCA’s scope. The regulatory focus is on identifying where control exists.

Jurisdictional Snapshot: Switzerland

Switzerland has developed one of the clearest frameworks to date.

Key positions from the Swiss Federal Council and DLT Dispatch:

  • The Federal Council’s DLT Dispatch stated that “fully decentralized financial market infrastructures, i.e., financial market infrastructures without a direct operator” fall outside the scope of existing financial market infrastructure legislation.
  • The explanatory report to the revised Anti-Money Laundering Ordinance clarified that smart contracts processing transactions without an “access possibility for the trading platform” do not establish an ongoing business relationship subject to AML obligations.

FINMA’s approach:

  • Case-by-case analysis using substance-over-form and economic assessment
  • Distinguishes projects “without identifiable operators” from those “actually organised and controlled centrally”
  • Technology neutrality: same business, same risks, same rules
  • Mirroring FATF guidance, FINMA’s 2023 annual report identified potential regulatory anchor points—including control via admin keys or governance token majorities, dependencies on oracles, business relationships with end users, and income flows from the application—though without providing detailed guidance on how these factors should be assessed or weighted.

The 2025 Swiss Blockchain Federation Framework provides detailed practical guidance:

  • Multi-step assessment methodology across technological layers
  • High bar for decentralization at every level
  • Clear distinction between “operating” a protocol and conducting “related activities”

The Swiss position is relatively clear: genuine DeFi falls outside financial market law’s personal scope. However, the assessment of what constitutes “genuine” decentralization requires rigorous analysis.

Jurisdictional Snapshot: United States

The United States lacks comprehensive DeFi legislation and has instead relied on enforcement actions to define regulatory boundaries, creating significant uncertainty for market participants. However, efforts are under way with the CLARITY Act to provide clear guidance and, presumably, exemptions for decentralized infrastructures.

Landmark cases:

Uniswap Labs (2024-2025): The SEC issued a Wells notice alleging unregistered exchange and broker activity. The case closed in February 2025 with no enforcement action. While this does not create binding precedent, it may signal that non-custodial protocols face reduced enforcement priority, at least under current SEC leadership.

Ooki DAO (2022-2023): The CFTC obtained a default judgment finding the DAO was an “unincorporated association.” Governance token voters were potentially personally liable. This case raised serious concerns about DAO participant liability.

Tornado Cash (2022-2025): OFAC sanctioned smart contracts directly. The Fifth Circuit held that OFAC exceeded its statutory authority in sanctioning immutable smart contracts, reasoning that such contracts, which cannot be owned or controlled by any person, do not constitute “property” that can be blocked under IEEPA. Sanctions were lifted in March 2025. At the same time, one key developer of Tornado Cash was convicted at first instance of conspiracy to operate an unlicensed money transmitting business (appeal pending).

Key Takeaways for Protocol Developers

Assess control honestly. Map every permissioned function and external dependency. Do not overestimate the degree of decentralization. Common blind spots include: governance token concentration, dependencies on non-decentralized oracles, and upgrade mechanisms controlled by small teams.

Design for decentralization. If you intend to fall outside regulation, you need: immutable or governance-distributed smart contracts, no concentrated token holdings, and no critical single points of failure.

Document the analysis. Maintain clear records of your decentralization assessment. If regulators inquire, you will want to demonstrate: (i) which permissioned functions and dependencies exist, (ii) how you assessed their criticality, (iii) who controls them and what governance mechanisms apply, and (iv) what mitigating factors such as timelocks or exit windows are in place. LEXR offers a DeFi legal audit report.

Monitor all major jurisdictions. Global protocols face global regulatory exposure. A protocol that clearly falls outside Swiss financial market law or MiCA may nonetheless face SEC or CFTC enforcement in the United States, where regulatory boundaries are so far defined through litigation rather than ex ante guidance.

Distinguish the protocol from services built on it. Operating the protocol and building services on top of it are separate questions. Frontend operators, for example, may face distinct regulatory obligations.

What Comes Next

This article addressed when DeFi falls under regulation—the threshold question of whether there is an operator. Future posts in this series will examine specific activities often associated with DeFi protocols: operating frontends, development and deployment, governance participation, staking and validation, running oracles, and providing liquidity.

Each activity raises distinct regulatory questions, independent of whether the underlying protocol has an “operator.”

Do you need clarity on your protocol’s regulatory status? LEXR offers structured decentralization assessments based on the outlined framework, providing documented analysis across all technological layers. Contact us to discuss your protocol.
