I. Introduction
Decentralised Finance (DeFi) is an emerging and rapidly developing area at the intersection of blockchain, digital assets, and financial services. In 2020 and 2021, DeFi experienced enormous growth, and temporarily, digital assets worth around $200-220 billion were locked in the system. Even though crypto prices have dropped significantly in the past couple of months, the latest data shows that assets used in DeFi protocols remained more or less stable.
While the future of DeFi is difficult to predict, it is certain that DeFi introduces legal questions that regulators and courts will need to address, and this article will give an overview of some of these challenges. After an introduction to the basics of DeFi, the article will delve into selected private law aspects of DeFi before discussing whether, and how, DeFi should be regulated under Swiss financial market laws.
II. What is DeFi?
Generally speaking, DeFi describes a category of blockchain-based, decentralised applications for financial services. However, a generally accepted definition has not yet emerged – perhaps because DeFi is still in its early development process and the existing DeFi applications cover a wide range of different activities. Typically, the term DeFi is therefore rather defined by certain functional criteria, also distinguishing DeFi from the traditional financial system. In short, the defining elements of DeFi can be summarised as follows:
As indicated by the name, DeFi applications are generally intended to be decentralised. Decentralisation is meant to be the absence of an intermediary required for access to the respective infrastructure or the settlement of any transactions.
In DeFi, the traditional need for financial intermediaries is replaced by novel technologies that allow users to enter into transactions directly with each other via one or more software protocols, known as ‘peer-to-peer’.
When interacting with a DeFi protocol, the users do, however, not transact under their names. Rather, they use an address of the blockchain network that is publicly visible, but can be created anonymously. DeFi users are therefore often described as acting under a pseudonym.
While the lack of intermediaries is a typical element of DeFi, users may choose to use or involve intermediaries for the use or operation of a DeFi application. Hence, in reality, there is often no complete decentralisation in DeFi applications, but rather various degrees of decentralisation.
DeFi applications aim to replicate traditional financial services such as trading, credit lending, or asset management.
The technical infrastructure of DeFi is based on multiple different layers that are built on each other, similarly to building blocks.
The settlement layer consists of the underlying blockchain.
On top of the blockchain, on the asset layer, assets in the form of tokens are issued.
The next layer, the protocol layer, contains the actual smart contracts that are the basis of the specific DeFi use cases.
On top of this, the application layer creates user-friendly applications that are connected to individual DeFi protocols.
Finally, the aggregation layer extends the application layer and allows for user-friendly applications to connect to, and compare, multiple DeFi protocols.
The backbone of all DeFi protocols is smart contracts. Smart contracts are software-based protocols that automatically execute actions according to predefined conditions and rules. Hence, smart contracts allow for the execution of transactions pursuant to a predefined set of rules and make the use of a respective intermediary redundant.
DeFi is further characterised by permissionless access. This means that the system is accessible to everyone: no active recognition or authorisation by an administrator is required for access. Furthermore, blockchain technology is based on the idea of open-source software codes that can be viewed and reviewed by anyone with the necessary know-how.
III. Selected private law considerations
DeFi applications are typically used across various jurisdictions. In the case that any disputes arise in connection with the use of a DeFi protocol, they are therefore likely to have an international dimension. In this case, as a first step, an assessment of the competent court and applicable law will be required:
A. Determination of the competent court
1. Jurisdiction clauses
The use of distributed ledger technology (DLT) does, in principle, not prevent the parties from their right to contractually agree on the place of jurisdiction (or the jurisdiction of an arbitral tribunal), subject to mandatory jurisdiction rules (namely for consumer, employment and insurance contracts). However, in practice, in the case of a DeFi protocol that is based on a public permissionless blockchain, a jurisdiction clause is rarely an option. This is because the mere participation in such a blockchain network can generally not be considered as a declaration of the respective participant to consent to such a jurisdiction clause with all other network participants.
Even if consent to a jurisdictional clause were established, it would need to be ensured that the formal requirements applicable to jurisdictional clauses are complied with. For instance, under the Swiss Private International Law Act (PILA), an arbitration clause must be made in writing or any other form that allows a proof in text form. It is doubtful whether an arbitration clause that does not appear in the form of a separate pop-up window that must be ticked, but has only been included in a smart contract and is thus written in coded language, satisfies these legal requirements.
2. Statutory jurisdiction rules
If there is no valid choice of a jurisdiction or arbitration clause, the competent court is determined by statutory jurisdiction rules. The applicability of these rules depends on the subject matter of the specific dispute.
For instance, in the case of disputes concerning the membership rights represented by a token, the application of the jurisdiction to company law disputes seems to be appropriate. On the other hand, in the case of tokens linked to a contractual claim, the provisions on contractual disputes are likely to be decisive for the determination of the competent courts.
However, even if a statutory jurisdiction rule is applicable, difficulties may arise in determining the specific place of jurisdiction. For example, since transactions with DeFi applications are carried out via the internet, it is often unclear where the contractual place of performance is, which may be relevant for determining the geographically competent court. In any case, these uncertainties can be mitigated by initiating legal actions at the defendant's domicile, which is – in the absence of any mandatory places of jurisdiction – generally a valid place of jurisdiction.
B. Determination of the applicable law
Similar considerations to the determination of the competent jurisdiction arise with regard to the designation of the applicable law. Under the Swiss PILA, a choice of the governing law among the parties is generally permissible, subject to any applicable mandatory provisions. However, participation in a blockchain network alone can usually not be interpreted as an intention to consent to the choice of law.
If no (valid) choice of law has been made, the applicable law is determined based on the statutory provisions of the PILA or any applicable state treaty. For instance, if the purpose of a DeFi protocol is to resell tokens, it is likely that the law applicable to contracts will be relevant. However, even if the rules, pursuant to which the applicable law shall be determined, are clear, difficulties may arise when applying these rules.
Under the PILA, for example, a contract shall be governed by the law of the jurisdiction with which it is most closely connected. It is thereby assumed that the closest connection exists with the jurisdiction in which the party who must perform the characteristic obligation of the contract resides or has his place of business (article 117 PILA). In the case of DeFi, the test of determining the applicable law based on the closest connection typically does not result in a specific jurisdiction.
In view of these practical difficulties, some scholars propose to assume that there is no close connection to any jurisdiction in blockchain-related transactions. Based on Article 15 of PILA, Swiss law shall therefore apply to all of these transactions. This approach seems to be a very broad interpretation of the Article, but it would be a pragmatic solution, as it would allow Swiss courts to determine the applicable law in a simple and predictable manner.
C. DeFi applications in Swiss substantive private law
If a person suffers damage in connection with the use of a DeFi protocol and Swiss law is applicable, pursuant to the relevant conflict of law rules, it needs to be assessed based on Swiss substantive law and the individual structure of the DeFi application whether the user has a claim for compensation. In principle, Swiss law distinguishes between three categories of claims:
Claims based on contracts:
Contractual claims require that a contract between two parties has been established: that they mutually expressed their intent to enter into an agreement together. The fundamental characteristics of DeFi (namely, pseudonymity, decentralisation, and open access) make it difficult to integrate DeFi applications in these conventional contract law structures.
Typically, there is no specific (natural or legal) person that assumes responsibility for the DeFi protocol (for example, as a platform provider). On the contrary: the persons involved in the preparation or provision of a DeFi application usually explicitly reject any contractual responsibility.
In the case that there is no individually identifiable counterparty to the user of a DeFi application, the existence of a contract is excluded. Even if a specific counterparty could be identified, the existence of a contract would require that both parties mutually declare that they wish to enter into an agreement. While some scholars argue that the participation in a blockchain network results in the creation of a comprehensive system agreement among all network participants, the majority of Swiss legal doctrine (rightly) rejects that approach.
In particular, the use of a DeFi protocol is generally deemed to be an act which, alone, does not qualify as a declaration by the user to enter into an agreement. This applies all the more as most DeFi applications contain a disclaimer that explicitly excludes the conclusion of a contract.
Claims based on tort law:
Under Swiss law, compensation based on tort law for pure financial losses generally requires the violation of a statutory rule, the purpose of which is the protection of the violated right or interest (so called ‘protective norms’).
These protective norms are contained primarily in the Swiss Criminal Code (CC). For instance, in the case of losses due to hacking attacks or other fraudulent activities in relation to a DeFi protocol, potential protective measures could be embezzlement (Article 138 CC) or fraud (Article 146 CC).
Claims based on unjust enrichment:
If a user wishes to reverse a transaction that was executed based on a smart contract, he or she may try to retrieve the transferred assets on the grounds of a claim of unjust enrichment. However, in the area of DeFi, claims of unjust enrichment need to overcome additional hurdles. In particular, transactions that have been executed according to a (non-manipulated) protocol will likely not be classified as unjustified, even if their effects may not have been intended by the user.
IV. Selected regulatory considerations
A. Regulatory classification of DeFi applications de lege lata
DeFi not only creates new challenges in private law, but also in Swiss financial market laws. Swiss financial market regulations are based on the concept that each regulated service is provided by a particular (legal or natural) person. This concept contradicts the core idea of DeFi, which is that, in case of fully decentralised and freely accessible DeFi applications, there is no person that ‘operates’ the protocol.
Rather, a large number of network participants take over this function. These network participants can, however, not be effectively supervised. They are too numerous, change frequently and usually only have a relatively small impact on the functioning of the respective DeFi protocol. In addition, at least some of them are usually located outside the national territory of the respective regulator, which makes it difficult – if not impossible –to supervise them. Finally, individual network participants may not be in a position to exercise control or otherwise influence the services and transactions carried out by a DeFi protocol, as these are executed automatically via smart contracts.
As a result of the decentralised structure of a DeFi protocol, its functionalities can often not be attributed to a specific person. As a consequence, there is no operator of the DeFi protocol that could fall within the scope of Swiss financial market laws and, thus, no licence or other regulatory requirements are triggered by the DeFi protocol.
However, this may not hold true with respect to DeFi applications that are not fully decentralised: those that may be controlled or otherwise influenced by one or more particular persons. In these cases, these persons could be considered to be providing the regulated services of the DeFi application and could therefore be required to obtain a licence or comply with other regulatory requirements under Swiss financial market laws.
B. Potential regulation of DeFi applications de lege ferenda
Since financial market regulations in most jurisdictions have not been designed with a view to decentralised applications, working groups of international policy makers and standard setters are currently assessing approaches for a potential regulation of DeFi. Legislators thereby have a broad range of options: They can either decide that there is no need to specifically regulate DeFi applications (for example, because they are of the view that their national supervisory authorities are not competent or because the rules already in place also apply to DeFi protocols), introduce a new (separate) regulation for DeFi applications or opt for intermediate stages, such as warn lists. Potential approaches to a regulation of DeFi namely include the following:
Licensing requirement for software developers:
DeFi protocols are created by software developers. Even after the deployment of the DeFi protocol on the blockchain, software developers often hold so-called admin keys that allow them to make adjustments to the underlying smart contract. Hence, until a protocol is fully decentralised – in other words, until the community has taken over the functionalities of the software developer – the developer typically has certain control over the DeFi application and could therefore be a possible link for regulators to impose a licensing requirement.
However, in our view, a licensing requirement for the programming and deployment of a DeFi protocol could restrict innovative business ideas and could be difficult to enforce in practice, in particular as software developers often act in groups and under pseudonyms and are located in different jurisdictions that may be outside the territory of a national regulator.
Licensing requirement for providers of DeFi services:
An alternative approach to the regulation of DeFi could be to reserve the provision of certain DeFi services to licensed institutions. The respective activities could then only be carried out if their providers have the necessary licence.
With regard to the specific design of such a licensing requirement, potential options are either to impose a general prohibition to provide certain DeFi services without the respective licence, or to require the providers of interfaces that grant users access to the functionalities of a DeFi protocol to obtain a licence.
Both of these approaches seem relatively straightforward. However, in the case of a general licensing requirement for the providers of certain DeFi applications, the question remains who the actual provider of a DeFi service is, particularly in light of the generally contemplated decentralised structure of DeFi protocols.
In addition, while the licensing requirements for interface providers will be able to regulate the access to DeFi protocols, it will not be able to regulate the functionalities and actual use of these protocols. Hence, such licensing requirement would in our view only provide limited protection for investors.
Blocking of certain DeFi protocols:
Since DeFi protocols require the use of the internet, network blocking could be used by regulators to protect investors from accessing illicit DeFi applications. Network blocks are implemented by redirecting customers to warning and information pages when they attempt to attempt to access certain internet domains.
While the Swiss legislator already applies this approach under the Federal Act on Money Games, networking blocks seem to be less effective in the case of DeFi applications. Due to its decentralised nature, DeFi is not dependent on specific websites and access restrictions could be circumvented relatively easily with the necessary technical know-how.
Voluntary certification of DeFi protocols:
As an alternative to licensing requirements or networking blockings, the certification of DeFi protocols should be considered. In this case, the protocols would be examined for reliability and risks and provided with a ‘quality label’ by either supervisory authorities or private institutions if they meet the respective minimum requirements.
While we believe this approach would likely have a positive impact on Switzerland's reputation as an innovation-friendly crypto nation, it remains unclear whether developers, who are generally reluctant towards governmental actions, would make use of the certification option or whether investors have sufficient trust in the certificates issued by private persons.
The EU has announced that it will introduce Markets in Crypto Assets (MICA) regulations, which will regulate, among others, the issuance of crypto-assets and the provision of crypto-asset services. In short, MICA extends the applicability of some of the existing regulations under the MiFID II, EU Market Abuse Regulation and EU Prospectus Regulation to crypto-assets.
While various aspects of MICA are criticised, such as the lack of a distinction between the different forms of digital assets, we believe, irrespective of its specific form, a (separate) regulation addressing the regulatory challenges of DeFi applications may be helpful for market participants. This is because the existing legal uncertainty may hinder software developers’ or users’ interactions with DeFi applications.
On the other hand, if a DeFi-specific regulation is adopted, it will need to be ensured that the new rules will not be overly restrictive. In particular, they should not be designed to (factually) prevent existing regulated market participants from interactions with DeFi applications (for example, due to high capital adequacy requirements). In addition, the new rules should – to the extent that this is possible – consist of dynamic requirements that may be adjusted in line with the further technological development of DeFi applications.
V. Outlook
Considering the potential risks of DeFi applications and the existing legal uncertainties in private law and financial market regulations, one is left with the impression that despite all the fascination and potential of the new technology there is a need for action by the Swiss legislator. It is therefore to be welcomed that the Swiss Federal Council is undertaking a review of the existing legal framework and analysing whether legislative adjustments are necessary to address the recent development of DeFi protocols.
If the Federal Council comes to the conclusion that new regulations for DeFi applications shall be introduced, we hope that the Swiss legislator will prepare this regulation in close contact with academics and practitioners, as it did in connection with the recently enacted DLT-Act.