Home /Regulation

? DeFi & Regulation

DeFi exists in a regulatory gray zone. Protocols are global, permissionless, and often governed by DAOs - but the people who build and use them are subject to local laws. Understanding the evolving regulatory landscape is critical for anyone building or investing in DeFi.

? Key Regulatory Bodies

SEC
Securities regulator. Claims most tokens are securities under Howey test. Enforces via lawsuits.
CFTC
Commodities regulator. Views BTC and ETH as commodities. Oversees derivatives/futures markets.
EU (MiCA)
Markets in Crypto-Assets regulation. Comprehensive framework for stablecoins, exchanges, and token issuers.

The Central Question: Security or Commodity?

The Howey Test asks: is it an investment of money, in a common enterprise, with expectation of profits, derived from the efforts of others? If yes -> security (SEC jurisdiction). If no -> commodity (CFTC). Most DeFi tokens exist in a gray zone where the answer depends on the token's level of decentralization, utility, and how it was distributed.

FIT21's approach: Tokens can transition from security -> commodity as they become "sufficiently decentralized." This creates a pathway for DeFi projects to eventually fall under the lighter-touch CFTC regime.
Live

FIT21 Act

The Financial Innovation and Technology for the 21st Century Act - how it classifies digital assets and splits SEC/CFTC jurisdiction

How DeFi regulation actually works

DeFi regulation is best understood as a layered overlap of three legal systems that were each built before public blockchains existed: securities law (who can sell what kind of investment to whom), commodities and derivatives law (who can run a futures or perpetuals market), and money-transmission and anti-money-laundering law (who can move customer funds and what records they must keep). A single protocol like Aave or Uniswap can simultaneously trigger all three depending on which user is interacting with which feature, which jurisdiction they sit in, and whether the activity touches a centralized intermediary. There is no single global crypto regulator - each country applies its own pre-existing rules to a borderless system, which is why protocol developers, front-end operators, and users frequently sit in different regulatory boxes for the same on-chain transaction. This page is informational, not legal advice.

In the United States the central question has historically been the Howey Test: an arrangement is a security if it involves an investment of money in a common enterprise with an expectation of profits derived from the efforts of others. Bitcoin clearly is not - there is no promoter to rely on - and the SEC and CFTC have publicly accepted that ETH is not a security at the spot level since 2018. Almost every other token sits in a contested zone, and the SEC's 2023 enforcement wave against Coinbase, Binance, and Kraken pushed the agency's view that listed trading of those tokens itself is securities activity. The 2025 dismissals (Coinbase case dropped with prejudice in February 2025, the Wells notice against Uniswap Labs withdrawn) ended specific cases without overturning the underlying legal framework, leaving the next administration's market-structure bill - most likely modelled on FIT21 - to decide the contested middle.

The European Union has moved further along the rule-writing path. MiCA (Regulation EU 2023/1114) became fully applicable on 30 December 2024, with stablecoin chapters live from 30 June 2024. MiCA defines three token categories - asset-referenced tokens, e-money tokens, and 'other' crypto-assets - and licenses every crypto-asset service provider operating in the EU. Tether USDT was delisted from EU venues at year-end 2024 because it had not obtained an e-money-token authorisation, while Circle USDC had. Outside the U.S. and EU, Singapore's Payment Services Act and Hong Kong's VASP regime focus on licensing centralized intermediaries, while jurisdictions like the Marshall Islands, Cayman, and the BVI have built specialist legal wrappers (DAO LLCs, foundations) so on-chain governance can be conducted by an entity that can hold contracts, employ people, and respond to subpoenas.

Key concepts

Howey Test and the security-versus-commodity question
The Howey Test (SEC v. W.J. Howey Co., 1946) is the four-prong U.S. test for an investment contract: investment of money, common enterprise, expectation of profits, derived from the efforts of others. The SEC has used it to argue that most fundraising token sales - and increasingly the secondary trading of governance tokens - are unregistered securities offerings. FIT21's 'sufficiently decentralized' test is an attempt to write a bright-line statutory exit ramp from Howey: once a token's network is decentralized enough, the asset becomes a 'digital commodity' under CFTC jurisdiction.
MiCA and the EU stablecoin regime
MiCA imposes reserve, redemption, and governance requirements on stablecoin issuers (Titles III-IV, applicable since 30 June 2024) and licenses crypto-asset service providers (CASPs) for everything from custody to operation of a trading platform (Title V, applicable since 30 December 2024). The 18-month transitional regime for legacy CASPs ends 1 July 2026. The EU Travel Rule (TFR Regulation 2023/1113), live since 30 December 2024, requires sender and beneficiary identifiers on every crypto transfer above ?1,000 between CASPs and on every transfer involving a self-hosted wallet above the same threshold.
OFAC sanctions and the Tornado Cash precedent
OFAC, a unit of the U.S. Treasury, can designate addresses as Specially Designated Nationals (SDN); transacting with an SDN is a strict-liability offence for U.S. persons. Treasury's August 2022 designation of Tornado Cash addresses was the first time immutable smart contracts were sanctioned. The Fifth Circuit ruled in Van Loon v. Treasury (November 2024) that immutable contracts are not 'property' OFAC can sanction, and Treasury delisted the addresses on 21 March 2025. The criminal cases against developers Roman Storm and Alexey Pertsev proceeded separately - Pertsev was convicted in the Netherlands in May 2024 - establishing that publishing privacy-tool code can still create personal criminal exposure even if the underlying contracts are not sanctioned.
SEC enforcement era (2023-2024)
Between February 2023 and June 2023 the SEC sued Kraken (settled $30M, U.S. staking shut down), Coinbase, Binance, and Binance.US, and issued Wells notices to Robinhood Crypto, Uniswap Labs, and Consensys. The legal theory was that staking-as-a-service products and a list of named tokens (SOL, ADA, MATIC, FIL, SAND, AXS, CHZ, FLOW, ICP, NEAR, VGX, DASH, NEXO, ALGO, BNB, BUSD, MANA, ATOM, COTI) traded on those exchanges were unregistered securities. The 2025 dismissals ended the specific cases but left the legal theory undecided - the next administration's market-structure bill will likely overwrite Howey for digital assets entirely.
FIT21 and U.S. market-structure legislation
The Financial Innovation and Technology for the 21st Century Act (H.R. 4763) passed the U.S. House on 22 May 2024 by a 279-136 vote, with 71 Democrats joining the Republican majority. It creates a 'digital commodity' category for tokens whose networks pass a decentralization test, moves spot regulation of those tokens from the SEC to the CFTC, and gives issuers a clear path to register under SEC rules during the 'restricted' phase. As of April 2026 it is not law - the Senate is the bottleneck - but every subsequent crypto bill (Lummis-Gillibrand, Responsible Financial Innovation Act, the Senate Banking Committee market-structure draft) is written against the FIT21 template.
DAO legal wrappers and front-end liability
The CFTC's Ooki DAO order (September 2022, $250K plus operating injunction) treated the DAO itself as an unincorporated association whose token holders were jointly liable for operating an unregistered futures venue. The lasting industry response is to wrap on-chain governance in a real-world legal entity - Cayman foundation companies, Swiss associations (Verein), Marshall Islands DAO LLCs (under the 2022 amendment to the Non-Profit Entities Act), or Wyoming DAO LLCs. The wrapper provides a counterparty that can hold IP, sign contracts, employ contributors, and respond to regulatory enquiries, which is now table stakes for any DAO with treasury or front-end operations.

Why DeFi regulation matters right now

As of April 2026, the regulatory direction has flipped from 'enforcement-first' to 'rulemaking-first' in both the U.S. and the EU. The SEC under acting chair Mark Uyeda dismissed or stayed the Coinbase, Binance, and Robinhood actions in early 2025, withdrew the Uniswap Wells notice, and rescinded SAB 121 (which had effectively blocked banks from custodying crypto). MiCA's CASP authorisation deadline of 1 July 2026 is the binding gate for every European exchange and stablecoin issuer, and IRS Form 1099-DA broker reporting and EU DAC8 reporting both come online for tax year 2026. The practical consequence is that compliance work has shifted from defending lawsuits to filing for licences, and protocols building today are designing for a near-term world where U.S. exchanges and EU CASPs operate inside a clear (if restrictive) box.

For builders, the operational lessons are concrete. Front-end operators need OFAC screening on the relayer (every sanctioned-address withdrawal that reaches a U.S. front-end is a strict-liability problem) and a real legal wrapper around the entity that operates the site. Token issuers need a defensible decentralization narrative - token distribution, governance live-ness, code immutability - because the FIT21-style 'digital commodity' transition only happens once concentration is below ~20%. Stablecoin issuers serving the EU need an e-money-token or asset-referenced-token authorisation, full reserve attestations, and one-to-one redemption rights. None of this stops the protocol from being permissionless on-chain - it shapes which interfaces can lawfully serve which users, which is where the real regulatory perimeter now sits.

Frequently asked questions

Is the content on this page legal advice?
No. Nothing on this page is legal, tax, or investment advice - it is an explanatory overview written for builders and users who want to understand the regulatory landscape that surrounds DeFi. Rules vary by jurisdiction, change frequently, and apply differently to a developer, a liquidity provider, an exchange, and a passive token holder. For any decision with real money or real exposure attached, talk to a lawyer admitted in the jurisdiction where you live or operate.
What did MiCA actually change in the EU and when did each piece go live?
MiCA - the Markets in Crypto-Assets Regulation, EU 2023/1114 - is the EU's first comprehensive crypto framework. Its stablecoin chapters (Titles III and IV, covering asset-referenced tokens and e-money tokens) became applicable on 30 June 2024, which is why USDT was delisted from EU venues like Coinbase and Crypto.com on 31 December 2024 - Tether had not yet obtained an e-money-token authorisation while Circle's USDC had. The remainder of MiCA - covering crypto-asset service providers, market abuse, and white-paper requirements for non-stablecoin tokens - became applicable on 30 December 2024, with an 18-month transitional regime that ends 1 July 2026. As of April 2026, the major venues operating in the EU all hold or are pending CASP authorisation under MiCA.
Why was Tornado Cash sanctioned and what changed legally afterwards?
On 8 August 2022 the U.S. Treasury's Office of Foreign Assets Control (OFAC) added the Tornado Cash smart-contract addresses to the Specially Designated Nationals (SDN) list, alleging that the mixer had laundered more than $7B since 2019, including $455M tied to North Korea's Lazarus Group. Two developers - Alexey Pertsev and Roman Storm - were arrested. Pertsev was convicted in the Netherlands in May 2024 and sentenced to 64 months. The Fifth Circuit Court of Appeals ruled in November 2024 (Van Loon v. Treasury) that immutable smart contracts are not 'property' OFAC can sanction, and Treasury formally delisted the addresses on 21 March 2025. The episode is the canonical reference for the question of whether publishing open-source code is a regulated activity.
What did the SEC actually allege against Coinbase, Binance, Kraken, and Uniswap, and where did each case land?
The SEC under Chair Gary Gensler filed a wave of actions in 2023 alleging that staking-as-a-service products and a list of named tokens were unregistered securities. Kraken settled its staking case in February 2023 for $30M and shut down U.S. staking. Coinbase was sued in June 2023 over staking and listed tokens; Binance was sued the day before. After the 2024 election the SEC under acting chair Mark Uyeda dropped or stayed many of these actions in 2025: the Coinbase case was dismissed with prejudice in February 2025, the Binance case was paused, and the Wells notice against Uniswap Labs was withdrawn. The lasting outcome was less the legal theory than the chilling effect - most U.S. exchanges now pre-screen listings against the Howey test and avoid 'staking-as-a-service' branding entirely.
How does FIT21 split jurisdiction between the SEC and CFTC?
The Financial Innovation and Technology for the 21st Century Act - passed by the U.S. House on 22 May 2024 by a 279-136 vote and re-introduced in the Senate in 2025 - proposes a 'sufficiently decentralized' test: digital assets associated with networks that pass the test transition from SEC jurisdiction (as 'restricted digital assets') to CFTC jurisdiction (as 'digital commodities'). The test asks roughly whether no single party owns more than 20% of the token or governance and whether the protocol's code has not been materially modified by an issuer in the last 12 months. The SEC keeps jurisdiction over fundraising, the CFTC over secondary spot markets and derivatives. As of April 2026, FIT21 is not law but is the template every U.S. crypto-market-structure bill is now drafted against.
Are DeFi front-ends and DAOs treated differently from the protocol itself?
Increasingly yes. Regulators have started to attack the user-facing surface - the website, the relayer, the front-end - even when the underlying smart contracts are immutable and globally accessible. The CFTC's $250K settlement with Ooki DAO (September 2022) treated the DAO itself as an unincorporated association liable for operating an illegal derivatives exchange. Uniswap Labs received a Wells notice in April 2024 over the Uniswap front-end (later withdrawn in 2025). The SEC's 2023 actions framed Coinbase Wallet's swap routing as broker-dealer activity. The legal direction is that protocol immutability is not a shield for the people running the front-end, and many DAOs have responded by wrapping voting in Cayman foundations, Swiss associations, or Marshall Islands DAO LLCs to put a regulated legal wrapper around the on-chain governance.
As of April 2026, what is the actual compliance burden on a DeFi user?
For a self-custody wallet holding tokens, the binding obligations in the U.S. and most of the EU are tax reporting (every disposal is a taxable event) and OFAC screening (do not knowingly transact with sanctioned addresses, including the cluster around the Lazarus Group, the now-delisted Tornado Cash addresses, and any newly designated mixer). For users of centralized venues - Coinbase, Kraken, Binance non-U.S. - KYC, transaction monitoring, and increasingly the EU Travel Rule (transfers > ?1,000 carry sender/receiver identifiers) apply. The 1099-DA broker reporting regime kicks in for U.S. crypto brokers in tax year 2026, and EU DAC8 requires CASP-to-tax-authority reporting starting 2026 as well. None of this is legal advice - confirm specifics with a tax adviser in your jurisdiction.