Discussion Paper No. 1 of 2022 - Policy Considerations for Decentralised Finance

DISCUSSION PAPER NO. 1 OF 2022 13 April 2022 POLICY CONSIDERATIONS FOR DECENTRALISED FINANCE

CONTENTS CONTENTS ........................................................................................................................................ 2 INTRODUCTION .................................................................................................................................. 3 Why are we issuing this paper?........................................................................................3 Who should read this paper?............................................................................................3 How to provide comments ................................................................................................4 What happens next?.........................................................................................................4 Comments to be addressed to:.........................................................................................4 BACKGROUND .................................................................................................................................... 5 Key terms and typologies .................................................................................................5 Risks arising from DeFi.....................................................................................................8 POTENTIAL MEDIUM-TERM TRENDS............................................................................................. 10 Sustained growth in DeFi................................................................................................11 Changing market composition ........................................................................................12 Regulatory intervention likely in the medium term...........................................................13 Anonymous DeFi becomes increasingly untenable.........................................................13 Defi – alternative views on regulation .............................................................................15 FSRA’S HIGH LEVEL POLICY POSITIONS...................................................................................... 16 DeFi does not change the nature of financial services....................................................16 Equivalent risk, equivalent rules .....................................................................................16 No anonymous participants ............................................................................................18 Governance of DeFi protocols ........................................................................................18 ILLUSTRATIVE REGULATORY FRAMEWORK................................................................................ 19 Recognised and Approved DeFi protocols......................................................................19 DeFi governance tokens.................................................................................................21 Approved DeFi controller................................................................................................21 CONCLUSION .................................................................................................................................... 22

3 DISCUSSION PAPER NO. 1 OF 2022 INTRODUCTION Why are we issuing this paper?

1. The Financial Services Regulatory Authority (“FSRA“) of Abu Dhabi Global Market (“ADGM“) is issuing this discussion paper to seek comments on policy considerations for Decentralized Finance (“DeFi”).
2. DeFi is a new way of delivering financial services through automated software protocols. It is closely aligned with digital assets and blockchain technology, which provide both technological and conceptual infrastructure. DeFi protocols currently offer several financial services that are analogous to traditional financial services (“TradFi”).
3. While DeFi has had strong growth in both value and users since 2020, it remains largely unregulated and anonymous. This poses potential risks in the areas of market conduct, anti-money laundering and countering the financing of terrorism (jointly “AML/CFT”) and financial stability. At this point, there is no international consensus on whether or how DeFi should be regulated.
4. This discussion paper serves as a starting point for a dialogue on how DeFi may be eventually regulated and is not in itself guidance for financial institutions. It contains the following sections: • background that sets out the current state of DeFi, defining key terms and setting out the risks associated with DeFi; • the FSRA’s view on the likely medium-term direction of DeFi (i.e. over the next five to ten years); • high level policy positions on how the FSRA might consider regulating DeFi; and • a description of what a future regulatory framework for DeFi might look like.
5. Unless otherwise defined, capitalised terms used in this paper have the meanings attributed to such terms in the FSRA Glossary Rulebook (“GLO”). Who should read this paper?
6. This discussion paper should be of particular interest to all entities engaging in digital asset related activities, including financial institutions that are considering offering DeFi services to their customers.

4 DISCUSSION PAPER NO. 1 OF 2022 How to provide comments 7. All comments should be made in writing and sent to the address or the email address specified below. If sending your comments by email, please use the discussion paper number in the subject line. If relevant, please identify the organisation you represent when providing your comments. The FSRA does not intend to publish comments and should this position change, we will reach out to you to obtain your consent prior to any such publication. What happens next? 8. The deadline for providing comments on the discussion paper is 30 June 2022. Following this period, the FSRA will review the comments and decide the appropriate channels for continuing the dialogue on DeFi. Comments to be addressed to: Discussion Paper No. 1 of 2022 Financial Services Regulatory Authority Abu Dhabi Global Market Square Al Maryah Island PO Box 111999 Abu Dhabi, UAE Email: consultation@adgm.com

5 DISCUSSION PAPER NO. 1 OF 2022 BACKGROUND

1. DeFi is a new way of delivering financial services through automated software protocols. Instead of engaging an intermediary financial institution, DeFi uses distributed ledger technology (“DLT”) to enable users to access financial services directly, by interacting with smart contracts on the blockchain. This decentralization of the delivery of financial services has the potential to make some financial services more efficient by reducing intermediation costs.
2. One key potential benefit for DeFi users may be the ability to tailor financial transactions to their needs more cheaply than through TradFi. As software, DeFi protocols can automatically interoperate with each other (also known as “composability”) such that if a transaction using one protocol is successful, its output can be used as an input to another protocol. This lets DeFi users conduct multiple sequential transactions with the assurance that they will only complete if all transactions in the chain are successful. Achieving an equivalent level of assurance in TradFi could be both difficult and expensive, as multiple intermediaries may need to coordinate, both to execute such transactions as well as to potentially unwind them.
3. DeFi has had strong growth in both value and users over the past two years. Between 1 January 2020 and 31 December 2021, the estimated total value locked (“TVL”)1 in DeFi protocols grew from about US$630 million to approximately US$238 billion. Over the same period, the estimated number of unique addresses 2 using DeFi protocols grew from about 90,000 to about 4.2 million.
4. However, the use of DeFi remains relatively small compared to TradFi and digital assets in general. The total market capitalisation for and number of owners of digital assets was estimated as US$1.7 trillion3 and 295 million4 respectively as at 31 December 2021: this suggests that there may be significant headroom for DeFi to grow. Key terms and typologies
5. Given that DeFi is a new space, the same term could be used by different persons to mean different things. To facilitate constructive discussion and reduce potential 1 TVL is the total value of all assets deposited in DeFi protocols. It is a useful metric for measuring the size of the DeFi market because it displays the amount that DeFi users are willing to put at risk. (Source: https://defillama.com/) 2 Unique addresses are a useful metric for measuring active participation in DeFi. They are a proxy for total number of users, although individual users may have more than one address. (Source: https://dune.xyz/queries/2972/5739) 3 Market capitalisation includes all assets tracked on https://coinmarketcap.com 4https://assets.ctfassets.net/hfgyig42jimx/5i8TeN1QYJDjn82pSuZB5S/85c7c9393f3ee67e456ec780f9bf11e3/Cryptodotcom_Crypto _Market_Sizing_Jan2022.pdf

6 DISCUSSION PAPER NO. 1 OF 2022 confusion over terminology, we set out a list of key terms below, to provide readers with a common frame of reference. • DeFi protocol – a distributed application running on a public blockchain that automates the provision of financial services. Most DeFi protocols are smart contracts5 on an Ethereum blockchain but DeFi protocols also operate on other blockchains. • DeFi utility token – a token used by the DeFi protocol solely to operate the provision of financial services. Utility tokens are automatically minted and burnt as part of the operation of the DeFi protocol. These tokens are currently not considered to be Virtual Assets under the FSRA’s regulatory framework. • DeFi governance token – a token used to denote a stake in the DeFi protocol is analogous to the ownership of a share in a company. A governance token is tradable and may be a digital security or Virtual Asset. Governance tokens may also be used by the DeFi protocol to operate the provision of financial services in the same way as a utility token. o We distinguish between utility and governance tokens because it is possible to invest in or trade governance tokens without using the DeFi protocol. This is analogous to TradFi firms, where it is possible to trade or hold shares in a financial institution without using that financial institution’s services. • DeFi controller – the natural or legal person(s) who exercises significant control, whether directly or indirectly, over the direction and maintenance of the DeFi protocol. o A common industry perception is that DeFi protocols can run autonomously on the blockchain for an indefinite period without human intervention. However, DeFi protocols will be subject to software bugs and changes in the external environment. This means that DeFi protocols will over time cease to be relevant or function unless they have a DeFi controller that can update the software underlying the protocol. o Determining which person is a DeFi controller is not a straightforward task because of the wide range of governance models used by DeFi protocols. Depending on the governance model, that determination could be based on one or more of the following: 5 Smart contracts are software designed to be executed on the blockchain.

7 DISCUSSION PAPER NO. 1 OF 2022 (i) the share of DeFi governance tokens held by a person (similar to a significant shareholder); (ii) the share of code underlying the DeFi protocol contributed by a person; or (iii) the amount of control over the DeFi protocol’s administration key(s)6 . • DeFi activity – The act of providing financial services through one or more DeFi protocols. A DeFi activity can be carried out either by a DeFi controller (i.e. offered directly by the controller) or by an intermediary (i.e. a firm that offers access to a DeFi protocol). Additionally, composability could mean that a single activity could involve the use of multiple DeFi protocols. • DeFi users – Persons consuming the financial services provided by the DeFi activity. • DeFi participants – Participants include DeFi controllers, intermediaries and DeFi users. 6. We also set out a typology of assets and financial services that can be provided by DeFi protocols: • “Stablecoins” – this includes algorithmic “stablecoins” that do not rely on a centralized custodian to manage the backing assets. There are relatively few DeFi “stablecoins” at present; centralized “stablecoins” are widely adopted. • Credit – this is more akin to securities borrowing/lending than traditional credit. DeFi Participants can borrow digital assets if they put up collateral for the loan (typically they put in more collateral than the amount being borrowed); the main purpose of taking out such a loan is typically either to short the borrowed digital asset or get exposure to it without needing to buy the specific asset. • Markets – some decentralized exchanges (“DEXes”) maintain an order book like a traditional market for securities/derivatives. However, other types of DEXes do not match buy and sell orders, but instead automatically calculate the price of a digital asset based on the ratio of available liquidity for that asset. Liquidity is provided by the users of the DEX, who will lock away their assets in the DEX in return for a yield. 6 An administration key controls what changes can be made to a smart contract(s) underlying a DeFi protocol. The governance mechanisms for using these keys differs from protocol to protocol.

8 DISCUSSION PAPER NO. 1 OF 2022 • Derivatives – this is similar to issuing a traditional derivative but also includes prediction markets for non-financial events. • Insurance – this is similar to traditional insurance, except that it tends to focus on risks specific to DeFi such as the risk of a hack or of a failure of a smart contract. • Asset Management – this is more akin to a robo-advisor in that the protocol can automatically recommend allocations for the user. Users can also select the specific assets they want to invest in. • Staking – in staking, a user agrees to lock their digital assets into the smart contract underlying the DeFi protocol and over time will receive a return (typically a percentage of the locked assets). The locked assets are often used as part of a liquidity pool for loans or exchange, but can also be used for other purposes such as operating a consensus mechanism for a blockchain. Depending on the specifics of the DeFi protocol, this could be similar to a collective investment fund such as a money market fund or a repurchase agreement. o While the DeFi industry compares staking to deposits, this would not be the case under the FSRA’s legal framework as Virtual Assets are not Money7 . Further, no systemic depositor protections exist for staking, as opposed to deposit insurance, and depositor preference in insolvency proceedings in TradFi. ISSUES FOR CONSIDERATION

1. The FSRA invites comments on the key terms and typologies set out above. Risks arising from DeFi
2. Like TradFi, the use of DeFi, poses risks to its users and the financial system, some of which are unique to DeFi. Unlike TradFi however, where those risks are mitigated through a regulatory framework, DeFi is largely unregulated at present. Certain risks, such as those relating to AML/CFT, may currently have regulatory requirements imposed through broader national AML/CFT legislation: while the impact of DeFi risks at present may be small, they are likely to grow as DeFi becomes more widely adopted. 7 Defined in GLO as “any form of money, including banknotes, coins, cheques, electronic money and any other non-cash form, such as payable orders”

9 DISCUSSION PAPER NO. 1 OF 2022 International perspectives 8. Several international organisations have issued reports on the risks posed by DeFi. • March 2022 – the International Organisation of Securities Commissions issued a report providing an overview of the DeFi market. The report noted that DeFi appears to present many similar risks to investors, market integrity and financial stability as do other financial services and products and that it also poses specific and unique risks and challenges for regulators to consider. • February 2022 - the Financial Stability Board issued a report on the risks posed by crypto-assets8 that noted that DeFi has the potential to increase risks to financial stability, in the absence of appropriate regulation and market oversight (e.g. concentration risk in terms of protocols and technology used). Additionally, DeFi could fail to provide the market integrity, investor protection or transparency that can be seen in regulated TradFi markets. • January 2022 - the Organisation for Economic Cooperation and Development (“OECD”) issued a report on DeFi and its policy implications9 that identified DeFi’s decentralised nature as a key risk for policy makers because it may be incompatible with existing regulatory frameworks that mitigates the risks of financial services. • June 2021 - the World Economic Forum (“WEF”) issued a “toolkit” for policymakers10 that enumerated the categories of risk associated with DeFi such as financial, technical and operational risks and described the risks specific to DeFi. Anonymity 9. A common underlying driver of these risks is the anonymity of DeFi participants. Similar to Virtual Assets, anonymity heightens DeFi’s AML/CFT risks by making it harder for authorities to detect illicit activity. At the same time, anonymity can heighten risks to market conduct and investor protection. For example, “rug pulls” are a type of fraud where a DeFi development team unexpectedly abandons a project and absconds with customers’ assets. Given this anonymity, the same malicious team can conduct several “rug pulls” without being detected. 8 https://www.fsb.org/wp-content/uploads/P160222.pdf 9 https://www.oecd.org/daf/fin/financial-markets/Why-Decentralised-Finance-DeFi-Matters-and-the-Policy-Implications.pdf 10 https://www3.weforum.org/docs/WEF_DeFi_Policy_Maker_Toolkit_2021.pdf

10 DISCUSSION PAPER NO. 1 OF 2022 Financial stability 10. While DeFi does not currently pose serious risks to financial stability, this may change over time. The likelihood of an activity posing a risk to financial stability is proportionate to: (i) the amount of value at risk; (ii) the number of participants involved in the activity; and (iii) the speed at which shocks may be propagated. 11. While DeFi’s value at risk and number of participants is currently limited, this is likely to change over time as that number grows. However, while DeFi’s automated nature could cause shocks to propagate more rapidly than TradFi, it also offers an opportunity to put systematic curbs in place to limit the spread of such shocks. AML/CFT 12. While a growing consensus is forming on the need to address AML/CFT risks arising through DeFi, it remains largely unregulated. There is as yet no global consensus on how, or indeed whether, other aspects of DeFi should be regulated. Without more clarity on a regulatory position, the risks posed by DeFi could continue to grow without being addressed. “Decentralisation illusion” 13. One regulatory challenge is the perception that DeFi is decentralised and so cannot be effectively regulated. Further investigation suggests that this perception may not be accurate. The Bank for International Settlements (“BIS”) has suggested that there is a “decentralisation illusion” surrounding DeFi and that in practice, key points of centralisation exist around the decision making and protocol maintenance processes. The FATF has also noted that DeFi creators, owners or operators could fall under the definition of a Virtual Asset Service Provider (“VASP”) given that they can exercise significant control over a DeFi protocol or virtual asset. This suggests that regulating DeFi is indeed possible, as there may be a central person or persons that can indeed be subject to regulation and supervision. POTENTIAL MEDIUM-TERM TRENDS 14. This section sets out the FSRA’s view on potential medium-term trends for DeFi, i.e. over the next five to ten years. These trends are not predictions of what will happen, but informed judgements based on our observation of underlying drivers and

11 DISCUSSION PAPER NO. 1 OF 2022 engagement with industry stakeholders. We will continue to update these views in light of potential changes to underlying drivers or the environment11 . 15. In summary, we expect that the market for financial services and products offered through DeFi is likely to continue to grow in terms of both assets and users in the medium term, and that this growth will drive a fundamental shift in how DeFi is used and accessed. Sustained growth in DeFi 16. We anticipate that such growth will have two main drivers: • Automation / Cost: we believe that interest in DeFi will be sustained because it has the potential to more efficiently and transparently automate the delivery of linked financial services by financial institutions compared to other technologies. Linked financial services lets customers seamlessly access multiple financial services in a single transaction12. At present, accessing linked financial services across multiple financial institutions is costly and often requires manual processes. Using DeFi, financial institutions can more easily link their offerings with those from other financial institutions at a lower cost, creating an opportunity to access more customers. • Returns: we expect that the potential for generating investment returns, albeit volatile, will continue to attract investors over the medium term. As such, we expect more institutional investors to start exploring the use of DeFi, thereby growing the market. For example, institutional investors may start increasingly using automated asset management protocols to allocate their investments in different digital assets or investing in successful DeFi protocols by purchasing DeFi governance tokens. 17. Despite the presence of these drivers the FSRA does not expect the current high rates of growth of the DeFi market to be sustained in the medium term. We are of the view that the initial high rates of growth have been driven by the potential for high returns and that, as familiarity with DeFi grows, growth rates will level off. Much of the potential for high returns has been driven both by the experimental nature of DeFi, as new business models for delivering financial services could offer outsized returns, as well as by the heightened volatility in digital asset prices over the period of the pandemic, which offered market opportunities. Further, as DeFi users start to identify 11 For example, the recent US Executive Order (https://www.whitehouse.gov/briefing-room/presidential￾actions/2022/03/09/executive-order-on-ensuring-responsible-development-of-digital-assets/) could fundamentally change features of the DeFi environment. Depending on its design features, a widely adopted central bank digital currency (“CBDC”) issued by the US Federal Reserve could speed up the mainstreaming of DeFi while posing existential risks to existing “stablecoins”. 12 For example, a broker may offer its clients the ability to keep their monies in a money market fund. When the client wishes to buy stocks, units will be automatically redeemed for cash which in turn will be used to purchase the stocks.

12 DISCUSSION PAPER NO. 1 OF 2022 which business models are actually viable, we anticipate further consolidation amongst DeFi protocols. Changing market composition 18. Given the drivers identified above, we expect that the composition of DeFi users will change over the medium term. Based on industry views13, current DeFi users can be broadly categorised either as “well-informed”, i.e. those who have a deep understanding of the technology underpinning DeFi and its risks, or as “yield￾prioritising”, i.e. those who are attracted to DeFi by the promise of outsized returns without necessarily having a full understanding of the risks involved. If market composition stays static, the size of the DeFi market will remain small as well￾informed users will always be limited and over time yield prioritising users will misjudge risk, suffer losses and subsequently exit the market. 19. However, we expect that the potential for returns and cost savings through automation will continue to make DeFi an appealing proposition that fosters wider adoption. We therefore expect to see DeFi protocols pivot to become more accessible to a broader middle group of users that are risk conscious but who may not be willing or able to invest the time or effort to fully understand the technology underlying DeFi. Access to this broader user base may accelerate the wider acceptance of DeFi protocols in the marketplace. 20. In particular, we expect to see the rise of TradFi firms engaging in DeFi activities on behalf of their clients, similar to the rise of centralised exchanges for Virtual Assets, which have helped less well-informed investors access Virtual Assets without requiring such investors to acquire deep expertise. TradFi firms, who will have the time, resources and skills to acquire expertise in DeFi can identify and employ DeFi protocols that are appropriate for their clients. 21. Furthermore, we expect that TradFi firms will see an opportunity to integrate DeFi activities into their existing products and services. In particular, we expect TradFi firms to start taking advantage of DeFi’s composability by creating linked financial services. For example, instead of holding their customers’ monies in money market funds or margin accounts, a TradFi broker might convert their customers’ fiat monies into digital assets which in turn could be staked in a DeFi protocol to earn ongoing returns. When the customer executes a trade, the TradFi broker could automatically withdraw the necessary digital assets from staking and convert them to fiat for trade settlement. 13 https://cointelegraph.com/news/a-million-down-a-billion-to-go-how-does-defi-reach-mass-adoption

13 DISCUSSION PAPER NO. 1 OF 2022 Regulatory intervention likely in the medium term 22. Before market composition changes can occur, however, we believe that significant regulatory intervention will need to take place. While the current risks posed by DeFi remain relatively low, representing a tiny amount of value at risk14 in comparison to the global financial system, these risks will increase as DeFi becomes more widely adopted. In the medium term, we expect that these risks will become unacceptable to the global regulatory community, especially given recent interventions in the related digital asset space, and that further regulatory intervention will occur. Such intervention is likely to fundamentally reshape how DeFi participants interact with each other. 23. Recent statements by standard-setting bodies suggest that intervention is likely to occur in the medium term. While the FATF’s revised guidance on virtual assets15 does not make specific recommendations on DeFi, it notes that DeFi arrangements could fall under the definition of a VASP and that countries should consider, where appropriate, taking mitigating actions against the risks posed by DeFi. The BIS research paper from December 2021 examining the risks posed by DeFi16 suggests that the growth of DeFi could pose financial stability concerns as well as other risks and that a potential entry point for policymakers to mitigate such risks could be the governance structures for DeFi. While no definite recommendations have yet been issued, such statements suggest that standard-setting bodies are laying the foundations for regulatory intervention. 24. The likelihood of intervention grows in proportion to the growth of DeFi. Even though DeFi’s share of assets and users is relatively small, it could become systemically important if current rates of growth are sustained while remaining largely unregulated. In this regard, the discussion surrounding DeFi is similar to the post-financial crisis discussion on non-bank financial intermediation, also known as “shadow banking”, where the exposure of those institutions could have become a source of systemic risk. Anonymous DeFi becomes increasingly untenable 25. We believe that preserving the anonymity of DeFi participants will increasingly become untenable in the medium term. We expect that this will be driven both by regulatory intervention as well as market demand for transparency. 14 For example, total worldwide bank assets alone was US$100,860 billion (https://stats.bis.org/statx/srs/table/b1?m=S) in September 2021 compared to the DeFi TVL of approximately US$238 billion in December 2021. 15 https://www.fatf-gafi.org/media/fatf/documents/recommendations/Updated-Guidance-VA-VASP.pdf 16 https://www.bis.org/publ/qtrpdf/r_qt2112b.pdf

14 DISCUSSION PAPER NO. 1 OF 2022 26. Based on guidance issued by FATF, we consider that addressing AML/CFT and sanctions-related risks will be a priority area for jurisdictions when considering interventions for the oversight of DeFi. This is because AML/CFT risks in this context are better understood compared to other risks such as prudential, conduct, operational or financial stability risks. The FATF has carefully considered the risks posed by virtual assets and proposed several interventions to mitigate those risks. Non-financial authorities have also taken action to disrupt terrorist financing that employs virtual assets17 and we expect further action to be taken to address the use of virtual assets to evade financial sanctions18 . Given the close relationship between DeFi and virtual assets, we expect that a similar policy position is likely to be adopted for DeFi. 27. Ensuring that DeFi participants are able to provide accurate and validated identities is likely to be the key element in any such intervention because anonymity heightens the risk that DeFi will be abused for AML/CFT purposes or allow sanction restrictions to be circumvented. We expect that one channel for such intervention to take place will be through TradFi firms who may wish to intermediate DeFi services. Such firms will only be able to work with DeFi protocols if they can maintain compliance with their regulatory obligations and so we expect a greater push to find such solutions. Indeed, some DeFi controllers have already started exploring permissioned DeFi solutions that require all DeFi users to be identified and screened for eligibility so that they can tap on institutional flows19 . 28. We also expect DeFi users to start pressuring DeFi controllers to identify themselves, as the current state where those controllers can remain anonymous facilitates the perpetration of fraud. Malicious actors can continue to mislead DeFi users by starting new fraudulent schemes, which has already occurred in the DeFi space20 . 29. While the anonymity of DeFi participants is not likely to remain tenable, we believe that pseudonymity could be a potential solution that balances privacy against the risks of AML/CFT. In such a scenario, a DeFi participant would be able to use DeFi services without revealing their identity, instead providing a unique identifier that can be reliably used to obtain the accurate and validated identity of the participant. To some extent, this is beginning to happen in the digital asset space as firms start associating wallet identifiers with individuals who have undergone know-your￾customer (“KYC”) and customer due diligence (“CDD”) checks. Applying similar 17 https://www.justice.gov/opa/pr/global-disruption-three-terror-finance-cyber-enabled-campaigns 18 https://ec.europa.eu/commission/presscorner/detail/en/ip_22_1649 19 https://cointelegraph.com/news/aave-launches-its-permissioned-pool-aave-arc-with-30-institutions-set-to-join 20 For example, in January 2022 an anonymous founder of Wonderland, a DeFi protocol that claimed to offer a “stablecoin”, was unmasked as a convicted criminal and the founder of a fraudulent and defunct Canadian cryptocurrency exchange. https://www.coindesk.com/markets/2022/01/27/wonderland-rattled-after-cofounder-tied-to-alleged-quadrigacx-190m-exit-scam/

15 DISCUSSION PAPER NO. 1 OF 2022 principles to the DeFi space could offer an appropriate balance between privacy and risk mitigation. Defi – alternative views on regulation 30. Against the backdrop of growth and heightened regulatory intervention, we anticipate that DeFi controllers will be faced with two potential ways forward. • Embracing regulation: We expect that some DeFi controllers will recognise the opportunity offered by regulatory intervention. They will understand that such actions signal that DeFi has, like digital assets have, become recognised as part of the global financial system. By embracing regulation, they will be able to tap a wider user base and access more liquidity, thereby helping their protocols grow. Such DeFi protocols will become increasingly integrated with TradFi, letting clients of TradFi firms benefit from the efficiency and transparency that DeFi offers. In the short term, these DeFi controllers may face difficulties in adapting to regulation, but will reap the long-term benefits by becoming part of the mainstream financial services industry. • Pushback: We expect that some DeFi controllers will seek to maintain the current largely unregulated and anonymous status quo. In the short term, such controllers are likely to be successful in doing so, but we anticipate that the ongoing and growing concerns over anonymity, fraud and systemic risk will make such pushback increasingly untenable. Indeed, the more successful that controllers are in growing the DeFi space, the larger the risks posed by DeFi will be. This in turn will drive a stronger push towards regulatory intervention. 31. Based on our interaction with the industry, we believe that in the short term most existing DeFi controllers will not willingly embrace regulation. Such an approach could require that they completely change their technological infrastructure and/or business model21 so that they can comply with new obligations. Additionally, much as the cost of acquiring technical knowledge may be prohibitive for some DeFi users, the cost of even acquiring knowledge of how to comply with regulation, let alone complying with such regulation, may be prohibitive for some DeFi controllers. 32. Nonetheless, we are of the view that the potential for growth and transparency will draw new compliant-by-design DeFi controllers into the market and will convince far￾sighted DeFi controllers to make the necessary changes to comply with regulations. Embracing regulation will let such controllers tap the full potential of the global financial system with its massive liquidity and user base. Indeed, we see the initial 21 In particular, DeFi protocols that are architected specifically to support anonymity (such as OnionMixer, a cross-chain anonymous transaction protocol) will likely need to rethink their business model if they are to embrace regulation.

16 DISCUSSION PAPER NO. 1 OF 2022 steps being taken by some DeFi controllers to access institutional flows as an encouraging sign for the future of DeFi. ISSUES FOR CONSIDERATION 2. The FSRA invites comments on its view on potential medium-term trends for DeFi. FSRA’S HIGH LEVEL POLICY POSITIONS 33. Given the nascent state of the DeFi market, international standard-setting bodies and regulatory authorities including the FSRA have not yet established firm views, and thereby policy positions, for appropriate regulatory frameworks. Nevertheless, we believe that it is important to set out our preliminary thinking on DeFi to help the industry understand our approach to balancing innovation while safeguarding the integrity of our financial ecosystem. The interim high-level policy positions below do not bind the FSRA to specific regulatory interventions, but instead serve as a reference point for continued dialogue and discussions with our regulated community and Defi participants on what any future regulatory framework might look like. DeFi does not change the nature of financial services 34. We are of the view that DeFi does not fundamentally change the nature of financial services. The underlying reasons why people consume financial services remains the same, i.e. to make payments, to safeguard their wealth, to hedge risk and to obtain a return. DeFi does not in itself create new reasons to use financial services. 35. However, we are of the view that DeFi may significantly change the way in which financial services are provided. Its automated nature may change how financial services are consumed, through the use of linked financial services, what kinds of firms may provide such financial services and what specific DeFi-related risks may appear. In this regard, the FSRA sees DeFi as no different from other technological advances in financial services such as digitisation or tokenization. Equivalent risk, equivalent rules 36. Given that DeFi does not change the underlying nature of financial services, we believe that similar requirements should be placed on DeFi participants as on TradFi participants. Much like our existing Virtual Asset regulatory framework, DeFi activities and DeFi controllers that are equivalent to TradFi should be subject to equivalently robust regulations and rules22. However, we recognise that since DeFi changes how 22 For example, firms offering insurance through a DeFi protocol would be required to obtain a Financial Services Permission for Effecting Contracts of Insurance, Carrying Out Contracts of Insurance as Principal or Insurance Intermediation (as the case may be) and be subject to similar obligations as a TradFi firm that offers the same type of insurance.

17 DISCUSSION PAPER NO. 1 OF 2022 financial services are delivered, we may need to impose different obligations on a DeFi activity to achieve the same outcomes as those obligations placed on a TradFi operator23 . Regulation and supervision 37. Each DeFi protocol would need to be examined in detail to determine which type or combination of existing regulated activity or activities they most resemble24 . In conducting such examinations, the FSRA would have regard to the various regulatory toolkits proposed by international organisations such as the WEF. 38. Due to DeFi’s composability, a DeFi protocol could use multiple other DeFi protocols to provide its service25 (“composed protocol”). Firms using a composed protocol might not need to obtain a Financial Services Permission (“FSP”) for each of the underlying DeFi protocols, as such activities are effectively being outsourced to the other protocols. However, similar to outsourcing, firms using a composed protocol would need to consider whether the other protocols are sufficiently robust and secure enough for them to be able to meet their regulatory obligations. 39. It is also possible that the services provided by a DeFi protocol may not fall into any existing regulated activity. For example, the DeFi protocol might provide services related to non-fungible tokens (“NFTs”) in a way that might not fall under the regulatory ambit of the FSRA26 . This would require additional scrutiny to understand the business model of the DeFi protocol and determine whether it (i) is captured under an existing regulated activity; (ii) includes elements of both an existing regulated activity as well as activities outside the FSRA’s current regulatory ambit; or (iii) falls entirely outside the FSRA’s current regulatory ambit. 23 This is a long-standing practice amongst regulators. For example, in 1990 the IOSCO Principles for the Oversight of Screen￾Based Trading Systems (https://www.iosco.org/library/pubdocs/pdf/IOSCOPD4.pdf) set out principles for electronic-based trading systems that were equivalent but not identical to those required for open outcry trading systems. 24 For example, a DeFi credit provider that offers staking that automatically converts between multiple digital assets might be simultaneously Operating a Collective Investment Scheme, Providing Custody or Dealing in Investments as Agent, depending on the specifics of the protocol 25 For example, a DeFi protocol might automatically shift its users’ tokens between DeFi governance tokens with the highest available staking yield and use another DeFi protocol to carry out the conversion. 26 For example, the DeFi protocol might provide a means for its users to register ownership of NFTs and pay for them using Virtual Assets. Such an activity may not be captured under the FSRA’s regulatory ambit as the NFTs in question may not constitute Specified Investments or Financial Instruments.

18 DISCUSSION PAPER NO. 1 OF 2022 40. Where a DeFi protocol falls outside the FSRA’s current regulatory ambit, the FSRA would need to consider whether to extend its regulatory perimeter to capture such activities or not. No anonymous participants 41. Risks from anonymous DeFi activity arising in the areas of fraud and AML/CFT are not and will not be tolerated in ADGM. Similar to our existing regulatory approach to Virtual Assets, the FSRA will only allow DeFi activities where all DeFi participants have been identified and have undergone the necessary due diligence to ensure compliance with AML/CFT obligations under the AML Rulebook, thereby reducing the risk of DeFi protocols and DeFi users being abused or engaging in money laundering or terrorist financing activities. 42. We recognise that putting the necessary infrastructure and processes in place to securely and accurately transmit identifiable information will pose both technical and conceptual challenges to the industry. In particular, transacting with cross-border participants can become challenging due to differing regulatory requirements, including data protection. Nonetheless, we are of the view that this is a necessary step for DeFi to become more widely adopted. The FSRA will work with stakeholders to determine what types of public infrastructure would be appropriate and implementable. Governance of DeFi protocols 43. DeFi protocols may have new governance models that do not map to those of TradFi firms, which have common governance structures, usually consisting of a board of directors, a senior management team and key appointment holders. While the responsibilities of each role may differ from firm to firm, generally they are well understood (e.g. the role of the Senior Executive Officer vs the role of the Compliance Officer.) This is not the case for DeFi controllers, where roles may be more fluid. For example, a governance model based on voting on specific projects could see the same individual fulfil multiple roles simultaneously on behalf of different areas. While such fluidity lets DeFi protocols rapidly respond to changes in the environment to remain relevant, it may also lead to conflicts of interest amongst Defi controllers and a diffusion of accountability. Controllers 44. We are of the view that individuals who are DeFi controllers and therefore exercise significant control over a DeFi protocol should be treated in a similar way as individuals playing an equivalent role in a TradFi firm, i.e. Approved Persons, and have personal obligations placed upon them. This is necessary to ensure that these individuals, in their capacity as DeFi controllers, are fit for the task and understand and accept that they are accountable for ensuring the safe and sound operation of

19 DISCUSSION PAPER NO. 1 OF 2022 the DeFi protocol. This would include requiring that, amongst other things, such individuals: • observe high standards of integrity and fair dealing; • act with due skill, care and diligence; • observe proper standards of conduct; • deal with the regulator in an open and co-operative manner; • effectively manage and control the areas of the DeFi protocol for which they are responsible; and • ensure that the areas of the DeFi protocol for which they are responsible comply with applicable regulations. 45. The speed at which DeFi protocols may change governance models and at which individuals may change roles poses a challenge. For TradFi firms, the FSRA will typically carefully consider the background of key appointment holders to determine whether they are fit and proper and have the necessary experience to operate a financial institution. However, this same level of scrutiny may not necessarily be possible given the speed at which individuals can switch roles. Additionally, given the relative novelty of DeFi, founders may not always have the necessary experience in operating a DeFi protocol. The FSRA will need to consider how best to overcome this challenge, primarily through leveraging technology. 46. The FSRA recognises that imposing such obligations on DeFi controllers may be particularly challenging where those controllers operate in other jurisdictions. In this regard, the FSRA would have to consider whether to allow potential users access to the DeFi protocol, and if so, whether limits should be placed on such access. ISSUES FOR CONSIDERATION 3. The FSRA invites comments on the high-level policy positions set out above. ILLUSTRATIVE REGULATORY FRAMEWORK 47. In this section, we set out what a regulatory regime based on the above high-level policy positions above might look like. The objective of this illustrative framework would be to provide the industry with examples based on both the future direction and the high-level policy positions, in order to foster clearer dialogue. The FSRA is not bound to implement such a framework, which is for illustrative purposes only Recognised and Approved DeFi protocols 48. As described above, we anticipate that TradFi firms will increasingly seek to engage in DeFi activities so that they can better provide services to their customers so we expect such firms to increasingly represent a growing proportion of the DeFi market. This raises concerns over these firms’ ability to appropriately protect their customers,

20 DISCUSSION PAPER NO. 1 OF 2022 particularly where retail customers may be subject to abusive behaviour. In this regard, the FSRA may choose to require that firms, whether TradFi or otherwise, only be allowed to engage in DeFi activities if they use specific DeFi protocols that the FSRA has designated as acceptable. Firms would be required to obtain the appropriate FSP for engaging in the Regulated Activity or Activities that the DeFi protocol is offering. Recognition 49. In assessing whether a DeFi protocol is acceptable, the FSRA would likely weigh up various considerations. These would include, for example, the ability to identify DeFi participants, the track record of the DeFi controller, the level of transparency or explanation on how the DeFi protocol functions and how governance decisions are made, as well as the technology underpinning the DeFi protocol. 50. The FSRA would also likely require that firms engaging in DeFi activities provide additional disclosures to their customers. These would include explaining the risks to customers of engaging in DeFi in clear, easily understandable language as well as disclosing to customers how the firm intends to engage in a DeFi activity (e.g. directly accessing the DeFi protocol or by integrating it within TradFi services). 51. This approach is similar to the FSRA’s current approach to Virtual Assets, where Authorised Persons can only conduct Regulated Activities in relation to “Accepted Virtual Assets”. Recognition of a DeFi protocol would not be considered an endorsement of the protocol but instead signifies that the FSRA understands how the DeFi protocol is related to existing Regulated Activities, considers that the DeFi protocol has met certain minimum requirements and is comfortable that the firm engaging in DeFi activities understands the risks of doing so and has appropriate safeguards in place to protect its clients. Approval 52. The FSRA may also consider whether it is appropriate to approve specific DeFi protocols. Such approved DeFi protocols would be held to a higher standard than recognised DeFi protocols. In particular, the FSRA might require that at least one DeFi controller be based in ADGM or that the DeFi protocol have a longer, demonstrable track record. The FSRA might also create a specific regulatory framework for such approvals (see below). 53. As described above, the key driver for deciding to recognise or approve a DeFi protocol is to protect the interests of clients. Where a firm engages in a DeFi activity using a recognised DeFi protocol, the FSRA may also choose to impose conditions on (including caps on exposure) or prohibit Retail Clients’ exposure to the DeFi activity, to limit the potential impact to such clients should risks events materialise for the DeFi activity. In contrast, Professional Clients’ and Market Counterparties’

21 DISCUSSION PAPER NO. 1 OF 2022 exposure to recognised protocols would generally be more relaxed given that such clients would be better placed to protect themselves. In addition, should the FSRA decide to approve specific DeFi protocols, both Retail and Professional Clients would be allowed to use approved DeFi protocols with few or no conditions on exposure on the basis that these protocols would be held to a higher standard of regulation. DeFi governance tokens 54. In general, the FSRA would likely treat DeFi governance tokens in a manner consistent with the FSRA’s existing regulatory regime for Virtual Assets, as holders of such tokens are not obliged to use the DeFi protocol27 . However, a firm that offers financial services would be considered as engaging in a DeFi activity if it were using a DeFi protocol to do so. Approved DeFi controller 55. Given the challenges around determining which person is a DeFi controller and the wide range of governance models adopted by DeFi protocols, the FSRA recognises the need to explore what may be appropriate best practices and governance structures. For example, the FSRA could consider creating a specific framework for approving DeFi controllers in the ADGM. The objective of such a framework is to ensure that approved DeFi protocols can be appropriately governed to protect investors even if their governance structures are non-traditional. The FSRA could require that at least one DeFi controller be incorporated in ADGM to undertake this Regulated Activity and that personal obligations be placed on individuals identified as DeFi controllers so that they take due care to manage the DeFi protocol in accordance with the applicable regulatory requirements. 56. This framework could be focused around managing the governance of the DeFi protocols controlled by the DeFi controller. The DeFi controller could be obliged to make information accessible to the FSRA and DeFi participants concerning who is allowed to modify the DeFi protocol and under what circumstances and give undertakings that they have taken due care to manage the DeFi protocol. In particular, the DeFi controller may need to demonstrate how it would be able to conduct an orderly exit if the DeFi protocol intends to cease operation, analogous to how a TradFi firm would demonstrate its ability to conduct an orderly winddown. 57. The FSRA would generally expect that under this framework, an approved DeFi controller would also need to seek the appropriate FSP for any DeFi activities it might carry on. Firms that only use a DeFi protocol to operate a DeFi activity and already 27 For example, a firm that acts as a centralised exchange for customers to buy and sell DeFi governance tokens would be treated as a Multilateral Trading Facility and would be required to obtain the appropriate FSP to do so.

22 DISCUSSION PAPER NO. 1 OF 2022 have an FSP for the relevant activity would not be required to seek an FSP under this framework. Such firms may not have any control over the direction or maintenance of the protocol. 58. The framework for controlling approved DeFi protocols is intended to support DeFi controllers that have sought to embrace regulation and are willing to submit themselves to a higher standard, so that their DeFi protocols can be more easily integrated into the global financial system. 59. Separately, the FSRA is unlikely to create an equivalent framework for recognised DeFi protocols. Regulatory concerns would be addressed by the recognition process, limits on client exposures as well as the obligations placed on the firms engaging in the DeFi activity, who would have to obtain the relevant FSP. ISSUES FOR CONSIDERATION 4. The FSRA invites comments on the illustrative regulatory framework set out above. CONCLUSION 60. We expect to see significant developments in the DeFi space in the future. The medium-term trends that the FSRA has identified are subject to disruption and changes in the environment. Nonetheless, on balance we expect that DeFi’s composability and ability to create linked financial services will drive its adoption as part of mainstream financial services. For this to happen, appropriate regulatory frameworks must be considered and developed so that the potential risks posed by DeFi can be effectively mitigated. We therefore seek your input on our high-level policy positions so that we can better refine our understanding of the DeFi space and adjust our approach accordingly.