DeFi – Risks, Regulations, and What’s to Come

October 27, 2021


Crypto-assets [1], which are forms of digital currency that operate on a decentralized network, are known to be theoretically immune to government interference and manipulation, as these digital assets operate on systems that are “decentralized”. This concept of decentralized control is antithetical to traditional financial systems, which rely on the use of centralized intermediaries. Unlike traditional currency, crypto-assets can be transferred from peer to peer, without the need to be relinquished to an intermediary party, such as a bank or a government.


Decentralized finance, or “DeFi” for short, operates through the use of “smart contracts” – computer code that can be built into blockchain technology to facilitate, verify, or negotiate a contractual agreement. This code is “open source”, which means that it can later be accessed by all blockchain users for both review and audit.

Decentralized Applications

DeFi uses decentralized applications, also known as “DApps”, where users are provided with their own crypto-asset wallet, which they can then use to buy, sell, or trade crypto-assets. Existing DApps can be combined or integrated to build new DApps, or provide additional functionality to already existing DApps. Regardless of the technology or platform used, DeFi systems are designed to remove the intermediaries between transacting parties.

Non-Fungible Tokens

Non-fungible tokens (“NFTs”) are unique and non-interchangeable units of data that are stored using blockchain technology. NFTs can be bought and sold like any other piece of property, but have no tangible form of their own. NFTs can be anything digital such as artwork, digital collectibles, music, and items in video games. In some cases, NFTs are fetching huge prices in auctions due to hype amongst investors. However, on a more practical level, NFTs can contribute to the growth of DeFi in the long term as they offer a unique way for storing value, while DeFi offers the infrastructure for unlocking this value.

DeFi has the potential to democratize banking and finance (especially for the “unbanked” of the world), create liquidity for crypto-assets, and expand the potential use of blockchain technology.



The presence of cyber security threats and hackers has the potential to compromise the functionality of the complete blockchain platform given that the public blockchain infrastructure is not infallible. In the event that hackers find a vulnerability in a smart contract or other aspects of a DeFi service, there is typically no counterparty or intermediary to reimburse investors who have been victims of an attack. Consequently, investors who have been defrauded will not have the same legal recourse as traditional fraud victims. In addition, if funds happen to be mistakenly transferred, there is typically no regulator or intermediary involved who can reverse the error, as there is under the traditional financial system.


To date, much of the guidance provided by regulators on digital assets has focused on areas such as initial coin offerings, and not necessarily on DeFi. As a result, there is a lack of clear, direct, streamlined guidance from regulators when it comes to cryptocurrency. This ambiguity has the potential to implicate a host of issues ranging from anti-money laundering (“AML”) to consumer protection, and obstructs the ability to understand the application of relevant AML and know-your-customer (“KYC”) regimes, which are important in order to meet requirements imposed as a matter of law or as a means to manage regulatory and commercial risks. It also opens the door for potential multi-jurisdictional issues associated with resolving disputes that may arise as between users, or between users and the developers of a DApp, as well as incongruent applications of consumer rights laws depending on the jurisdiction of the relevant user of the DApp.

While in theory, crypto-assets, such as Bitcoin, can be used all over the world, most vendors are not set up to accept them, and many DeFi services operate outside of regulatory structures that exist around more traditional financial products. The regulatory frameworks and securities laws that may apply to any digital tokens issued as part of the operation of a DApp, to transactions taking place in relation to crypto-assets via a DApp, and/or to the nature of activities being undertaken through the DApp are yet to be fully understood. It also should be noted that there is substantial uncertainty with respect to the personal tax implications of any capital gains made as a result of activities on DeFi DApps.


The crypto market is extremely risky, as well as speculative. The market risks are idiosyncratic as crypto-assets trade only on demand and are often heavily influenced by unexpected outside factors such as social media. Because of crypto’s innately volatile character, unexpected changes in market sentiment can lead to sharp and sudden moves in price from hundreds to thousands of dollars, causing associated liquidity risks. This can lead to catastrophic “bank runs”, significantly reducing the value of crypto-asset tokens. An October 2021 International Monetary Fund report stated that out of more than 16,000 crypto-asset tokens that have been listed on exchanges, only 9,000 exist today. Sophisticated investors are not immune from this volatility and the inherent associated risks.

Why DeFi might not be where it ought to be?


As mentioned, a defining feature of DeFi is that it is supposed to be void of intermediaries. In reality, however, this digital ecosystem may not be as “intermediary-less” as claimed by proponents. For example, to effect the interchange of a digital currency/asset for another asset, the use of a crypto-asset trading platform (“CTP”) is required. Thus, CTPs can be said to be the intermediary that brings both buyers and sellers of crypto-currency together. Additionally, there is often a significant service fee associated with the use of a CTP, which is usually higher than service fees associated with traditional finance transactions of a similar nature.


Similar to CTPs, a self-executing smart contract that is entered on a blockchain is perceived to be intermediary-less. Take the example of a contingent convertible bond (a “CCB”), a fixed-income instrument that is convertible into equity if a pre-specified trigger event occurs. Theoretically, the terms of a CCB could be translated into computer code as a smart contract. The smart contract would then be recorded on some type of distributed ledger, and the contract’s code would work to automatically make interest payments from the issuer to the holder. The payments would be made in some form of virtual currency, and if the holder wished to trade the smart CCB, the distributed ledger would be updated to reflect the new holder of the smart CCB. The code would then automatically order that interest payments be made to the new holder, while the smart contract would check the information sources to determine whether a trigger event has occurred. Upon receiving information that a trigger event has occurred, the distributed ledger would immediately reflect that the holder no longer has any ownership interest in the smart CCB, but instead has an ownership interest in the equity of the issuer. By design, humans would have no real opportunity to interrupt the performance of a conversion. However, coders are still needed to write the underlying code and parties need to maintain the ledger in which the code operates.

Unfortunately, smart contracts are not able to accommodate parties who wish to negotiate after the smart contract has been written. Additionally, a smart contract may not be able to contemplate every possible scenario to determine whether or not the contract has been fulfilled. Before smart contracts can be relied upon fully, there would likely need to be an intermediary that is able to adjudicate scenarios regarding an event that has not been contemplated in the code, or alternatively, allow for the parties to negotiate further. As an example, one can consider how much worse financial collapses like the subprime mortgage crisis of 2008 would have been if there had been no ability for counterparties to negotiate outside of the default scenarios previously negotiated into contracts.

Whether it is CTPs, coders, or private parties such as adjudicators, it is clear that intermediaries still exist in the DeFi world, in which case, critics of DeFi would argue that such intermediaries need to be regulated.

What regulation exists today?

Canada and the U.S.’s first foray into regulating crypto-assets came by way of implementing KYC, AML, and proceeds of crime/terrorism finance measures for “virtual currency” (e.g. Bitcoin) used in money services. As of July 1, 2020, Canadian dealers of crypto-assets are required to register with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) and comply with enhanced record keeping and identity verification requirements, while also needing to report “suspicious transactions” of more than $10,000.

Currently in Canada, the Canadian Securities Administrators (“CSA”) and the Investment Industry Regulatory Organization of Canada (“IIROC”) have advanced their regulatory jurisdiction over CTPs who either trade crypto-assets that are considered securities or derivatives, or who do not perform an “immediate” delivery of crypto-assets to the purchaser, but rather, retain ownership, control and possession of the crypto-assets. Through CSA Staff Notice 21-327 and two CSA-IIROC Joint Staff Notices 21-329 and 21-330, the CSA and IIROC have asserted that CTPs acting in this custodial nature are subject to securities regulation wherever a user has a contractual right to the delayed delivery of a crypto-asset with the CTPs (this contract creates either a security or a derivative, even if the underlying crypto-asset is not considered a security or derivative). If a CTP maintains an ongoing custodial function (e.g. controlling the internal wallet holding the crypto-assets), it would have to register as an investment dealer with IIROC and be subject to various securities regulations. On September 23, 2021, in Joint Staff Notice 21-330, the CSA and IIROC warned CTPs about making potentially false or misleading advertising and marketing statements, and using “gambling-style contests” to promote excessive trading by retail investors, in violation of securities regulations.

The willingness of Canadian regulators to take action on CTPs is likely a recognition of the fact that the majority of crypto-asset transactions in Canada currently take place on CTPs, rather than through DApps. As a result, the regulations focus on the CTPs as entities, rather than on the inherent crypto-asset itself and other intermediaries. Future regulations may need to consider regulating the different non-traditional intermediaries involved with DeFi as well as figuring out how to regulate DApps.

In China, a recent ban on crypto-assets sent traders flocking from CTPs that could be captured by current regulations (if the entities operated in Canada) to DApps. As traders are responsible for managing their own wallet and private keys when transacting through DApps, there is no involvement of a custodial relationship as there is with CTPs, and therefore DApp platforms would not be captured by securities regulations outlined in the Joint Staff Notices.

With regard to NFTs, the CSA and/or IIROC have yet to comment on this particular asset class.

What regulations can be used in the future?

The central issue with regulating intermediaries involved with crypto-assets is that DeFi purports to remove intermediaries altogether. A traditional regulatory approach fails to capture the new types of intermediaries involved in DeFi.

Regulation could begin first at the innovation process, where governmental authorities could pre-approve the technology and algorithms being proposed by working with and vetting the coders/developers designing the technology. Coders themselves could also be licensed or have to register with a governing body. As these crypto-technologies rely on self-executing financial algorithms, there would need to be checks in place to understand the algorithms and the intended results. By participating in the innovation process, regulators would have a head start as new crypto-technologies are introduced, rather than reacting after the technology has already been brought to market. Once the technology is pre-approved and tested on the market, regulators would be able to monitor the ledgers which host the technology and also continue to test and monitor the underlying algorithm to lessen operational risk.

By working with developers as technology advances, regulators may be able to mandate certain measures in the technology itself such as an “audit trail” to document the decision making process of the algorithm, a “black-box recorder” to capture input data streams, and data storage requirements. Any future Canadian regulatory measures will still likely be stymied by jurisdictional issues. Many CTPs, DApps or coders could operate in foreign jurisdictions with no regulation and would, therefore, be outside the reach of Canadian regulators. Whatever approach is taken, it must also be cross-jurisdictional in nature to be truly effective.

Until governmental authorities get a handle on DeFi and the increasingly complex algorithms underlying crypto-technology, we may see regulators trying to reduce overall systematic risk of crypto-assets on the traditional financial sector by putting restrictions on the types of crypto-assets in which traditional regulated financial institutions, such as banks, may invest. Similar to the limits that were put on these institutions from trading in speculative derivatives after the 2008 U.S. financial crisis, regulators could ensure that institutions only invest in crypto-assets that meet established criteria and are hosted on ledgers which also conform to particular standards.

What does the future hold?

Moving forward, we wait to see what steps Canadian regulators will take with respect to the regulation of DApps, NFTs, and coders of blockchain, which will have to include working across jurisdictions to ensure that parties are not able to easily skirt Canadian regulations. The DeFi world is fast moving and many more regulatory questions will arise as new waves of blockchain technology and crypto-assets are developed.


1. Includes cryptocurrency, utility tokens, security tokens, and non-fungible tokens