The Ethereum Enterprise Alliance has written an extensive guide on DeFi risks: https://entethalliance.org/specs/drafts/defi-risks/20230116/#sec-compliance-risks. Below is a screenshot of the section on legal & compliance risks, which I think is worth mentioning because it's a great example of the views that many have in the crypto space. This section is considerably lighter than that of accounting, even though accounting and tax risks are rarely the reasons why projects shut down or don't get off the ground. So far as I know, no one has gone to jail for having poor accounting controls, but you can go to jail for violating sanctions laws (and some crypto developers have).

This is a great guide. It's such a great guide, that I think it's worth offering some constructive criticism, and also more perspective on what the guide says. This is also a great opportunity to address some misconceptions and ideas about law that I think cause people to have an incorrect view about what laws are and how they apply. Below is a section-by-section analysis.

The risks inherent in DeFi are compounded by a general absence of clear regulatory frameworks.

Should law be specific? This is a great philosophical debate, with centuries of scholarship behind it. The civil law and common law traditions of the world offer one lens on this debate. But it's certainly not true that risks are higher when there is no clear regulatory framework. Many systems operate just fine without such frameworks. What people are thinking of when they say things like this is something like the securities regulatory system or tax codes, or other highly prescriptive systems with detailed rules. The vast majority of the economy is not burdened by any such system and instead relies on general legal principles that can be applied to any specific circumstances.

What the guide says here is what many people have said about law in the crypto space, but it's not necessary to have a specific and complex regulatory framework in order for something to be orderly and well-regulated. Some countries (like the UK) don't even have codified systems for what counts as a crime! (Canada and the US do.) When almost nothing else has a detailed and specific regulatory framework, why demand one for crypto? Would it really be better? In many ways it would probably be worse, because flexible rules have proven to be an excellent system for governing. This is the heart of the common law system.

The decentralized nature of DeFi can make it difficult to regulate any single entity, and it also makes it difficult to identify responsible parties or enforce regulatory actions.

I wouldn't characterize this as a legal risk per se, because the difficulty of enforcing a law is a separate issue from whether or not it exists. This statement might even be seen as encouraging unlawful behaviour! If someone were to go to a lawyer and ask whether they can rob a bank, the answer is an obvious no. It would be strange if the lawyer started asking how fast the would-be robbers can run. Just because you get away with something doesn't make it legal.

It is true that these novel systems can pose more difficult questions for lawyers. But advising on enforcement challenges is usually not the proper role of a lawyer. And pointing to enforcement difficulty is a bit of a lazy answer, because the more interesting work is figuring out the likely legal status given how the system operates.

The absence of mandatory or standard disclosure requirements in DeFi applications exacerbates these risks.

There are hardly any legal systems that mandate specific disclosures. I think what they have in mind is maybe labelling laws for product warnings, or perhaps they want to know what disclaimer to paste at the bottom of something to make it legal. A lot of people in the crypto space want to know what magic text to append to something that lets them do something they wouldn't otherwise be allowed to do. This is almost never the case. And there's hardly any legal regime that mandates product labelling but doesn't require registration or other rules to be followed. I can't think of any laws like that in Canada.

Disclosure rules that are mandated by law are usually at a principled level, not at the level of specific wording. In other cases, they're driven indirectly by lawyers recommending language about disclaimers. But these have to be carefully thought through, and they're regularly updated as bad things happen.

In some cases, DeFi companies could band together to form their own standard language about disclaiming risks, but why bother? Standards emerge over time as people copy from one another. In most industries there is no cooperation on what standard disclosures should look like, and practices will usually vary.

Tokens considered as securities, rather than as utilities, are generally subject to different and stricter regulatory frameworks.

There's a common misconception embedded in this statement. There is no rule in any country that says that if something is a utility then laws don't apply. This is something that was somewhat invented by people in the crypto industry, and originally by lawyers who wanted to position their clients' products as being outside of securities law. But there's no utility token exception. Something either is a security or it isn't. Domino's doesn't sell utility pizzas, they just sell pizzas. They don't have disclaimers that the pizzas aren't securities. It would be strange if they did. The conclusion about whether something is a security or not does not depend on finding it to be a utility, and I usually steer my clients away from language like this. Referring to something as a utility only makes sense to crypto people as a way of saying that it isn't a security, but in that case, why call it that at all? It shows that the person turned their mind to this issue and was concerned about it. That's not good from a legal positioning perspective.

Furthermore, it's not so much that securities rules are stricter as that they are different. Profoundly different. So much so that, for almost every token, if it's a security that's the end of the line and development shouldn't continue. Many projects have found this out too late and had to close. More than a few other projects decided that, rather than close, they could lean into the utility label. But this doesn't save them; what matters is the substance of the product. Very few projects are capable of entering the world of (nationally or subnationally regulated) securities markets, which differ all over the world.

...engaging in trade with entities that are subject to local sanctions regimes such as OFAC.

OFAC is America-specific. It's important, but it would be helpful to also point out that sanctions in general are a big issue. Sanctions laws are expanding rapidly, all over the world, and carry tremendous penalties. Even individual software developers have been imprisoned on this basis (e.g. Tornado Cash). There are also export bans, such as the one that many countries place on North Korea, which are another issue. In Canada, all trade with North Korea, at all, is blocked unless someone obtains a permit (which won't be granted!). A former Ethereum Foundation researcher was arrested for violating these types of legal restrictions involving North Korea. The EEA probably knows about these rules, but if not, they could do users of the guide a service by adding more detail, because AML doesn't quite capture the full scope of obligations in this area about who people are allowed to do business with in many countries. Even worse, sanctions laws and AML laws vary by country. In some cases there are sanctions laws designed to try to prevent the application of other countries' sanctions laws! Anyone attempting to implement KYC as the solution to sanctions isn't considering the full scope of what sanctions cover.

Other Issues

The EEA's section on legal and compliance is very short. Lawyers regularly write blog posts much longer than this! There are a lot of other risks to consider. I hope the EEA bulks up their guide to give DeFi projects more information because laws are one of the most existential risks to a project, and often a serious concern for the founders.