KOREA CAPITAL MARKET INSTITUTE

In terms of financial investment, 2021 can be characterized by an investment boom in not only virtual assets like Bitcoin and Ethereum but also the DeFi ecosystem built on virtual assets. According to DeFi Pulse, the total value locked in DeFi services jumped up from $26.7 billion as of end-2020 to $97.7 billion as of end-2021, posting a three-fold increase.¹⁾ This is attributable to the greater participation of new investors who first moved to the virtual asset market in 2021 as well as existing investors familiar with virtual assets, many of whom have broadened investment scope to blockchain network-based applications such as DeFi, NFT, etc. Amid the emergence of DeFi, this article analyzes basic principles, differentiating factors and potential risks that DeFi users must understand, and examines global trends of DeFi regulations.   
 
 
DeFi basics
 
DeFi, which is short for Decentralized Finance, refers to financial services that are settled directly on blockchain networks without the involvement of traditional financial institutions such as banks, securities firms, or insurance companies.²⁾ For those who are unfamiliar with the concept, the DeFi definition may be incomprehensible. Thus, this article tries to draw a comparison between established financial services and DeFi to facilitate a better understanding of the concept.
 
First of all, it is necessary to understand the process where a bank provides a deposit service to customers, which can be roughly summarized as: 1) development of financial instruments; 2) product selling; and 3) provision of services. More specifically, a bank initially designs a new deposit product and prepares its terms and conditions³⁾ (the stage of financial instrument development). Then, provides a description of the deposit instrument and sells the instrument (the stage of product selling). Lastly, the bank executes the arrangements as prescribed in the terms and conditions to ultimately provide the deposit service to customers (the stage of service provision). The overall process is carried out within the bank’s system in the order as mentioned above. In cases where problems such as unfair terms, mis-selling, or failure to deliver a service arise from each stage, the bank should take full liability for any legal matters. 
 
On the other hand, the implementation of financial services on DeFi platforms follows the three stages: 1) creation of service protocols; 2) subscription of users; and 3) execution of protocols. In a broader sense, the process is not quite different from the stages of banking services, but a closer look reveals fundamental differences. First, DeFi rarely puts a limit on who can create service protocols. Those who intend to provide traditional deposit services are required to establish a financial institution and satisfy certain requirements concerning human resources and physical facilities. On DeFi platforms, however, any person including even an individual can easily develop a wide range of financial instruments such as a deposit product by creating DeFi service-specific protocols without having to raise capital or set up a computer system.⁴⁾ Such development is possible in that a blockchain network (e.g. Ethereum) serves as a form of platform that connects users in respect of various contracts. Also, any person can create a service protocol on their own terms (the stage of service protocol creation), and users who agree on the serviceprotocol can subscribe to the service without having to obtain the developer’s permission or go through a separate sales process (the stage of user subscription).5) An additional difference is the fact that the entity responsible for executing service protocols is the blockchain network, not the developer. Multiple nodes designed to create and maintain a blockchain independently implement service protocols based on programming codes, make a comparison with and verify the results derived from each node, and finally register a single result on the blockchain. Consequently, service protocols are executed and DeFi services are provided to users (the stage of protocol execution).
 
In short, blockchain networks play a role as a platform for the development, subscription and implementation of DeFi services, which distinguishes DeFi from existing financial instruments. Any person can develop a new financial product by applying self-described protocols and can freely subscribe to financial instruments developed by other users. DeFi is also different from established financial services in that once registered on a blockchain network, a DeFi service is mechanically implemented without variation as long as the underlying network is sustained. 
  
  
Differentiating factors and risks of DeFi
  
DeFi can be described as a new financial service completely different from traditional services. On DeFi platforms, it is possible to develop financial services without operating an office with employees or building a computer system, while service users can cut down huge sums of costs that they used to pay to traditional financial institutions.⁶⁾ Furthermore, the DeFi ecosystem allows active interactions between services, thereby facilitating a wide range of creative, integrated services. This feature stems from the accessibility of DeFi services that participants can freely utilize without permission. In other words, DeFi platforms enable asset management service developers to come up with new services by freely incorporating or tapping into other DeFi services on the same network, including deposits, loans, investment instruments, or swap products.  
  
However,itisalsonoteworthythatDeFiposesmaterialrisks,thegreatestofwhichis potential damages incurred from cybersecurity incidents. DeFi-related cybersecurity incidents have been steadily reported, resulting in significant losses. As illustrated in Table below, the top 10 DeFi cybersecurity incidents for 2021 led to damages worth as much as $1.6 billion in total. These incidents occur when hackers target vulnerabilities inherent in service programming codes or steal access to an administrator’s account. It is extremely difficult to recover the amount of damages incurred from cybersecurity incidents, mainly due to lack of recovery rules, insufficient social infrastructure and anonymity of blockchain networks, which requires extra caution.     
  

 
In addition, the risk posed by the entity responsible for DeFi service operation should be considered. The term DeFi refers to decentralized services, but the DeFi services which are currently available are predominantly far from being completely decentralized. In many cases, a service developer is likely to retain the power to change a protocol by setting the admin key function in programming codes used to create the protocol. This function is generally designed to maintain service protocols or upgrade functions and to rapidly respond to any unexpected event such as hacking. But this incomplete decentralization would compromise some benefits of DeFi. DeFi administrators could impose service fees on users for their own benefits. Also, they could abuse the power to make changes to protocols during the operation process, which may put several users at a disadvantage. If a service administrator decides to abandon its DeFi project due to lack of funds, service maintenance could discontinue and lead to malfunction of services, which requires caution. 
  
There is another concern about whether the DeFi protocol’s function of controlling supply and demand would work well even under extreme situations. For instance, a certain amount of liquidity needs to be secured in preparation for a series of sudden deposit withdrawals to ensure the smooth operation of DeFi services such as deposit products and loans. In this respect, some still question whether the function of supply and demand management could be activated even in the face of the abnormal situation called Black Swan.⁷⁾ Additionally, DeFi users should pay attention to the fact that DeFi is heavily exposed to volatility of the virtual asset market and has higher vulnerabilities in terms of consumer protection compared to traditional financial services.
  
  
Global trends of DeFi regulations 
  
Voices demanding DeFi regulations are rising globally due to an array of risk factors embedded in DeFi services. In particular, DeFi services built on stablecoins⁸⁾ are gradually expanding and perform similar functions to traditional financial services, but they are hardly subject to any separate restrictions, which increases the need for establishing the regulatory framework. The US regulators including the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have repeatedly stated that DeFi platforms should be regulated and are considering the introduction of practical regulatory measures.⁹⁾ On top of that, the Financial Action Task Force (FATF) has recently recommended that countries should apply anti-money laundering rules to those who may exert influence over the DeFi service operation.¹⁰⁾   
  
However,itisnotablethatDeFi’snatureandstructurethatquitedifferfromthoseof traditional financial services make it uniquely hard to regulate it under the existing regulatory system. First, it remains unclear as to who should be held liable for regulatory violations. DeFi has no legal person who is entrusted with or keeps in custody the users’ assets, due to its decentralized nature. In addition, the service operation is sometimes undertaken by a community of anonymous developers, rather than by a corporate entity, which gives rise to ambiguity regarding who should take legal responsibility. Second, it is practically impossible to apply the existing rules for financial industries to DeFi services. For instance, regulators may require DeFi services designed for deposit products or loans to comply with the liquidity ratio requirements being currently applied to banks, or try to introduce the existing sales regulations including the principle of suitability and obligation to explain to DeFi platforms. These measures, however, would work against DeFi’s nature, unlikely resulting in feasible regulations. Third, the adoption of relevant rules by a few countries may hardly be effective since DeFi platforms provide cross-border services. In the case of Korea, DeFi services mainly used by virtual asset investors operate predominantly on platforms based in foreign countries, making it difficult to apply domestic rules.     
  
Direct or indirect DeFi regulations that have been suggested can be classified into two categories. The first approach is to identify the entity involved in the DeFi service operation and directly regulate the identified entity. This is desirable in that a potentially problematic DeFi service could be directly subject to regulations. But it is challenging to identify the entity responsible for service operation, and a considerable amount of time is required to formulate effective regulatory policies. The second approach is regulation of the issuance and trading of stablecoins or oversight of business activities conducted by virtual asset exchanges that handle legal tenders. With the aim of controlling the connection between DeFi and legal tenders, this policy is effective in preventing DeFi services from spreading at an excessively rapid pace or being misused as a tool of circumventing the rules applicable to traditional financial services. As international regulators have engaged in intensive discussions about DeFi regulations, Korea’s authorities should take a close look at the global regulatory trend when devising DeFi-related policies.
 

1) Relevant data was compiled during the period from December 30, 2020 at 9 a.m. to December 21, 2021 at 9 a.m. (Korea time).
2) As a technical term, DeFi can be defined as ‘a decentralized financial service based on a blockchain network, which is implemented through smart contracts without the involvement of centralized intermediaries’.
3) The terms and conditions refers to ‘a legal contract drawn up beforehand for entering an agreement with multiple parties’.
4) However, a certain level of knowledge of programming languages is required for service development. Unlike conventional financial instruments of which the terms and conditions is prepared in writing, DeFi services need to formulate service protocols with a programming language adopted by the blockchain network.
5) For more details, see Kwon (2021).
6) Service users need to pay fees for using networks to nodes, which, however, are much smaller than the costs to be paid to traditional financial institutions.
7) The term black swan refers to an event that is beyond what is normally unexpected of a situation.
8) Stablecoins are coins of which value is designed to be pegged to specific fiat money.
9) King & Spalding (2021)
10) FATF (2021)
  
  
References
 
FATF,2021,Updatedguidanceforarisk-basedapproach:Virtualassetsandvirtualassetserviceproviders.
King & Spalding, 2021, Decentralized Finance - Risks, Regulation, And The Road Ahead,  
https://www.jdsupra.com/legalnews/decentralized-finance-risks-regulation-9351911.(Korean)
Kwon, M.K., 2021, Applicability of DeFi Services based on Smart Contracts, KCMI Issue Paper 21-24.