The Regulatory Position on DeFi in 2026: More Settled Than It Looks
DeFi regulation is often characterised as an unsettled and evolving area. This framing is partially accurate but misleading in its practical implications. The core legal question, whether a given DeFi protocol or its operators are carrying on regulated activities that require authorisation, is answered by existing legislation, not by legislation that is yet to be written. The FCA's DeFi position has become progressively clearer through published guidance, supervisory letters, and enforcement action. It is not settled law, but it is considerably more predictable than the "evolving" framing suggests.
This piece sets out where the regulatory perimeter currently sits for DeFi protocols operating in or accessible from the UK and EU, the specific factors that determine whether a protocol team faces regulatory exposure, and the compliance measures that are now considered baseline expectations for professionally operated DeFi infrastructure.
Regulators do not regulate protocols. They regulate persons. The question for any DeFi team is not whether the protocol is regulated; it is whether any identified person or entity involved in the protocol's development, operation, or promotion is carrying on a regulated activity without authorisation, or is failing to comply with obligations that apply to them regardless of authorisation.
The FCA's Current Position
The FCA published Discussion Paper DP23/4 in November 2023, setting out its thinking on DeFi regulation. The DP identified a spectrum of decentralisation, from "fully decentralised" protocols at one end, where no identified person exercises control, to "decentralised in name only" at the other, where a founding team retains substantial control through admin keys, governance tokens, or upgrade mechanisms.
The FCA's position, reflected in subsequent supervisory letters and Dear CEO correspondence, is that protocols at the centralised end of the spectrum will be treated as regulated businesses regardless of their technical architecture. The central test is not whether the protocol runs on a blockchain; it is whether identifiable persons exercise control over the protocol in a way that amounts to carrying on a regulated activity.
The activities that typically trigger the regulatory perimeter
- Operating an exchange or trading venue: a protocol that facilitates the exchange of cryptoassets between users may be operating a multilateral trading facility or an organised trading facility under UK MiFID II, depending on its structure. Automated market maker (AMM) designs have been scrutinised under this framework.
- Providing custody: a protocol that takes custody of user assets, including where a smart contract holds assets on behalf of users, may require authorisation as a custodian. Admin key holders who can access or freeze those assets are particularly exposed.
- Providing investment advice or portfolio management: automated rebalancing strategies, yield optimisation products, and protocol-native investment strategies have all attracted regulatory analysis. Where the protocol's function is economically equivalent to discretionary portfolio management, regulatory characterisation follows.
- Issuing tokens that are securities: governance tokens with economic rights (revenue share, buybacks) and tokens that function as investments rather than utility instruments may be specified investments under FSMA 2000 or financial instruments under MiFID II. Classification is fact-specific and requires formal legal analysis.
MiCA and DeFi: Fully Decentralised Is Exempt, But the Bar Is High
MiCA Recital 22 states that MiCA should not apply to crypto-asset services provided in a fully decentralised manner without any intermediary. Article 4(3) confirms that MiCA does not apply to crypto-assets that are unique and not fungible, and to services provided in a fully decentralised manner. This exemption is real, but the bar for "fully decentralised" is higher than most protocol teams assume.
ESMA has published guidance indicating that a protocol is not fully decentralised if any of the following are present: admin keys or upgrade mechanisms controlled by identified persons; a foundation or entity that funds core development and exercises influence over the protocol's direction; governance token voting that is dominated by the founding team or investors; or a front-end interface operated by an identified company that routes user traffic to the protocol.
The front-end problem
The distinction between the protocol (smart contracts running on-chain) and the front-end (the web application through which users access the protocol) is increasingly important. ESMA and the FCA have both indicated that operating a front-end to a DeFi protocol constitutes providing a crypto-asset service within the meaning of MiCA and FSMA respectively, even where the underlying smart contracts are not controlled by the front-end operator.
OFAC's 2022 enforcement action against Tornado Cash, and the subsequent EU equivalent, was directed in part at front-end operators and interface developers, not just the smart contracts themselves. Protocol teams that operate or control the primary user-facing interface for their protocol have significantly less regulatory distance than those whose protocol is accessible only through third-party interfaces.
AML Obligations in DeFi: Where They Apply and to Whom
AML obligations under the MLRs 2017 and MiCA/AMLD6 apply to persons providing crypto-asset services, not to smart contracts. Where a DeFi protocol has identified operators who are providing services to users, those operators may be obliged entities under the AML framework. Where the protocol is genuinely fully decentralised, there is no person to whom AML obligations can attach.
In practice, the most exposed parties in a DeFi ecosystem from an AML perspective are: the entity that operates the primary front-end; the foundation that employs core developers and funds protocol development; and any entity that operates fiat on-ramps or off-ramps interfacing with the protocol. Each of these may be an obliged entity regardless of the protocol's decentralisation.
Sanctions: the most immediate risk
Sanctions exposure in DeFi does not require the protocol to be regulated. The Tornado Cash sanctions demonstrate that OFAC and OFSI are willing to designate protocols and their associated persons directly, and that interacting with a designated protocol, regardless of whether the interaction is permissioned, can constitute a sanctions breach.
Protocol teams operating in or accessible from jurisdictions subject to UK or US sanctions must maintain front-end geo-blocking for sanctioned jurisdictions, screen protocol interactions for sanctioned addresses, and document their sanctions risk assessment and mitigation measures. These are not regulatory obligations under AML law; they are legal obligations under sanctions law that apply regardless of regulatory status.
DAO Legal Architecture: The Compliance Dimension
The choice of DAO legal wrapper has compliance implications that often receive less attention than the corporate and tax considerations. From a regulatory compliance standpoint, the key questions are: does the legal wrapper create a regulated entity that requires authorisation; does the governance structure create obligations under SMCR or its equivalent; and does the entity structure clearly define who bears responsibility for AML and sanctions compliance?
Foundation structures (Cayman Foundation Companies, Swiss Vereins) are increasingly preferred for DeFi protocols because they allow community governance without creating a corporate shareholder structure that implies control. However, the foundation's directors and officers remain individually accountable for the foundation's compliance with applicable law. Where the foundation operates in the UK or EU regulatory perimeter, those individuals may face personal regulatory accountability.
What Protocol Teams Should Be Doing Now
- Commission a regulatory perimeter analysis: a formal assessment of whether and how the protocol's activities fall within the UK and EU regulatory perimeter, based on the actual architecture and governance structure, not a generic DeFi analysis
- Assess front-end operator status: if the protocol team operates or materially controls the primary front-end, the regulatory exposure is that of a crypto-asset service provider, not an anonymous protocol developer
- Implement sanctions controls at the front-end: geo-blocking, wallet address screening, and a documented sanctions risk assessment are now considered the minimum baseline for any professionally operated DeFi front-end
- Design governance to reflect actual control: governance tokens that give the founding team effective control of protocol decisions create both regulatory exposure and governance fiction; the architecture should reflect the genuine intended governance model
- Obtain legal opinions in key jurisdictions: token classification opinions, perimeter analysis opinions, and DAO legal structure opinions in the UK, EU, and US provide a documented defence in regulatory proceedings
Regulatory analysis of DeFi infrastructure is significantly easier, and the outcomes significantly better, when conducted before launch than after. A protocol that has been operating for 18 months, generated significant TVL, and built a user base is far harder to restructure for regulatory compliance than one that has been designed with the regulatory position in mind from the outset.
How Arca Compliance Can Help
Arca Compliance advises DeFi protocol teams on regulatory perimeter analysis, financial crime risk assessment, sanctions control frameworks, and front-end compliance design. We work alongside specialist cryptoasset legal partners for formal legal opinions on token classification, DAO legal architecture, and regulatory perimeter opinions across UK, EU, US, and UAE jurisdictions.