The Risk of Stablecoins

DeFi evolved from cryptocurrencies (or crypto-assets), which were originally launched in 2009 with bitcoin. A cryptocurrency is a digital representation of value that is not centrally issued or administered, but can also be converted to fiat currency. It is powered by blockchain technology, which facilitates the peer-to-peer exchange of this digital representation of value. DeFi is birthing a parallel financial system that has the potential to disrupt traditional finance. At the time of writing, the total value locked into decentralized finance is $105.69 billion USD.Footnote ¹ Transactions facilitated by DeFi include borrowing and lending, savings, investments, derivatives, and insurance. DeFi utilizes digital tokens, such as cryptocurrencies, for all transactions in the ecosystem. One of its potential benefits is that it can facilitate inclusion of diverse participants in the financial system by enabling users to access financial services without having to fulfill onerous requirements, as is currently the case in traditional finance.

Yet DeFi presents several challenges that are of key concern to regulators—one of which is the use of stablecoins. Stablecoins are a type of crypto-asset that are designed to maintain a stable market price. They were introduced as a stabilizing mechanism in response to the huge volatility that characterized crypto-assets such as bitcoin. Stablecoins have their value pegged to the price of other assets. Most of them are currently pegged to the U.S. dollar but some are pegged to the price of other crypto-assets or commodities, such as silver or gold. By being pegged to real-world assets, these coins avoid the significant volatility that characterizes crypto-assets in general.

There are three main types of stablecoins—centralized or fiat-backed, crypto-backed, and algorithmic stablecoins. Centralized or fiat-backed stablecoins are issued and controlled by private companies, and their issuers are expected to actually hold the assets against which their coin is pegged (e.g., the U.S. dollar). This model is the basis of most stablecoins. Prominent examples include Tether, USD Coin, Binance USD, and Paxos Standard, where each token should ideally be backed on a 1:1 ratio of stablecoin to fiat currency held in a bank account. Crypto-backed stablecoins are pegged to other cryptocurrencies instead of fiat or commodities. The peg of these coins is maintained through overcollateralization and other stability mechanisms. A prominent example is DAI, the stablecoin minted in the MakerDAO ecosystem (a decentralized autonomous organization). Algorithmic stablecoins use algorithms to control the supply of tokens in order to keep the price fixed at a set level. The goal of these coins is to maintain a stable value by algorithmically expanding and contracting their circulating supply in response to market behavior.

Yet stablecoins face risks that threaten their ability to guarantee the stability of DeFi loans. For example, there has been significant volatility in the value of crypto-backed stablecoins such as DAI, which has become a backbone of the DeFi ecosystem, as seen on March 12, 2020 (“Black Thursday”) when crypto-assets plummeted by 50 percent at the start of the pandemic. This occurred as investors in all asset classes, including the traditional “safe haven” assets like gold, frantically sought to convert their assets to cash. Investors in crypto-assets also followed suit. As a result, there was a sudden drop in collateral valuation which in turn triggered the automatic liquidation of borrowers’ accounts as many MakerDAO loans became undercollateralized.

In addition, issuers of fiat-backed stablecoins, which are significantly used in the DeFi space, are not required to back each token held in a bank account on a 1:1 ratio of dollars to tokens, and this carries financial stability risk. The three largest stablecoin issuers on the market confirmed this in recent detailed reports—Tether in March 2021,Footnote ² Paxos in July 2021,Footnote ³ and Circle in August 2021.Footnote ⁴ On close assessment, these assets are backed by debt of one kind or another including loans to a public or private institution, U.S. Treasuries, commercial paper, and corporate bonds. If there were to be a run on the crypto-assets where a large number of holders want to cash out, there would not be sufficient dollars in the bank for holders to convert their stablecoins into physical dollars. This could result in a significant amount of sell pressure on the assets that these stablecoin issuers are holding, which could in turn result in a downturn in the stock market. While this may not be an immediate risk, it is a potential one given the rate of growth of fiat-backed stablecoins.

The Know-Your-Customer Challenge

A second challenge of DeFi is its link with significant amounts of money laundering largely because users of DeFi protocols or decentralized applications are not required to fulfill anti-money laundering (AML) and know-your-customer (KYC) requirements. AML is an umbrella term for the range of regulatory processes that firms must have in place to prevent money laundering, while KYC is a component of AML that allows an institution to confirm and thereby verify the authenticity of their customers. To do this, customers of a financial service are required to submit their identification documentation before they begin transacting with/through the financial institution, such as by opening an account and engaging in investment activities. DeFi only requires that customers hold some crypto-assets in a private wallet in order for them to interact with decentralized applications. This gives access to anyone to use decentralized applications to transact anonymously in the DeFi space without fulfilling KYC. It is, as such, easy for users to transfer funds for all sorts of illicit activities.

U.S. regulators have attempted to address this issue through the U.S. Infrastructure Investment and Jobs Act (2021).Footnote ⁵ This Act requires cryptocurrency brokers to collect KYC on their clients and customers for tax purposes. Because the U.S. Internal Revenue Service (IRS) has indicated it will not go after miners, validators, or developers of cryptocurrency blockchains, it is not clear who exactly is covered by this provision. The Act also requires all cryptocurrency transactions valued at over $10,000 to be reported to the IRS and requires the collection of KYC from the counterparties involved in those transactions. Yet this provision remains unclear and could be deemed inapplicable to certain cryptocurrency transactions such as smart contracts where there is no third party involved. In addition, if the IRS does not go after cryptocurrency blockchain developers, who then in the context of DeFi would be required to fulfill KYC?

While this Act has significant implications for DeFi, its enforceability remains questionable as it raises critical questions relating to the governance framework of decentralized (autonomous) organizations and whether such organizations can be regulated. These organizations run strictly through programming codes/protocols and are the mechanisms through which DeFi operates. For these organizations to be fully decentralized, they need to be entirely operated and governed by a programming code/protocol without any influence from a central body such as a software developer. Thus, the question remains as to who would be regulated for the activities occurring within such organizations that are governed strictly by a programming code.

The governance framework of the DeFi protocol relates, among other things, to mechanisms through which decisions are made for the operation of the protocol. Software developers who design DeFi protocols are companies that would usually be registered to operate as companies. Whether or not they are going to be treated as financial intermediaries, and therefore regulated as such, would depend on the degree to which decentralization of the operation of the DeFi protocols they develop has been achieved or if they still maintain sufficient control of the operation and management of the protocol to be responsible for activities occurring on it. Some DeFi protocols have achieved high degrees of decentralization and operate globally, with users able to transact on them without software developer involvements. These protocols could originally be designed as permissionless and open-source protocols where anyone can connect to the network and participate in its modification, and hence reference to it as “decentralized” (an example of this is the bitcoin network). They could also be originally designed to be permissioned (where only designated parties can interact and participate in improving the code) with a plan to move to a permissionless network. This would mean it starts out as a partially decentralized network (distributed across known parties) with plans to move to a fully decentralized network (across unknown parties).

To be sufficiently decentralized, the DeFi protocol would usually need to be run by a group of governance token holders of the particular DeFi protocol. If they have sufficient holdings of the governance token to either create proposals to make changes to the protocol or enough tokens to vote on a proposal, they are the ones who really control the protocol's operations.Footnote ⁶ However, the tricky question is determining the point of decentralization, on the spectrum of decentralization, achieved by the protocol from the day it was launched into the world. If the developer still holds on to the administrative keys to the protocol, which allows the developer to shut the protocol down or make changes to it as an administrator, the protocol is not likely to be deemed decentralized from the company that created it.Footnote ⁷ However, once developers get to a certain point where the company has handed over the administrative keys to the governance framework and can no longer make changes without the vote of holders of the governance tokens, this indicates that the protocol is closer to decentralization on the decentralization spectrum.

If a DeFi protocol has achieved a high degree of decentralization, it becomes very challenging to hold anyone accountable for failures and errors from the operation of the protocol. If it has not and the DeFi protocol developers still maintain some control over the operation of the protocol, they are likely to still be deemed as having some responsibility when something goes wrong and would also be responsible for ensuring the protocol adopts a robust framework for KYC.Footnote ⁸

Regulating DeFi

The regulation of DeFi generally falls under the broad heading of the regulation of digital assets, or crypto-assets. Current approaches to regulating crypto-assets remain fragmented globally with countries adopting different regulatory approaches, ranging from a total absence of regulation to a total ban on crypto-asset transactions. Due to the global nature of crypto-asset transactions and, in particular, DeFi transactions, there is a strong need for a robust global regulatory framework for the prevention of financial crime such as money laundering and terrorism financing; international financial instability; and risks to investors globally.Footnote ⁹

Thus far, very little has been achieved to put in place a global regulatory regime to tackle the money laundering and financial stability risks associated with DeFi. Efforts have mainly focused on regulating AML/KYC for centralized institutions such as cryptocurrency exchanges and wallet providers through the Financial Actions Task Force, which is the global watchdog against money laundering and terrorism financing. The task force's 2021 recommendations, which constitute international standards on combating money laundering and terrorism financing, provide that crypto-asset service providers know the identities of those transacting on them by collecting personal data on participants for transactions exceeding 1,000 USD/EUR.Footnote ¹⁰ KYC requirements for centralized cryptocurrency exchanges and wallet providers also came into force at the regional level in the European Union in January 2020 through the Fifth Anti-Money Laundering Directive.Footnote ¹¹ This EU directive requires cryptocurrency exchanges and wallet providers operating within the EU to verify the identities of those transacting on them and also to fulfill data-sharing obligations. Yet if DeFi protocols are sufficiently decentralized, KYC requirements cannot be easily built into DeFi protocols as this would require approval from a diffused network of governance token holders who are scattered across the world and who may not be keen for this to happen.

As DeFi grows in popularity, software developers are exploring the concept of creating permissioned protocols to deal with the KYC challenge. This will entail wallets being whitelisted to be able to interact with the protocol. This is currently being implemented for entities wishing to transact in the DeFi space and who are required to fulfil KYC obligations. The software would be exactly the same as the permissionless protocol, which currently powers decentralized finance networks and enables anyone to access it and become part of the network without fulfilling KYC. Thus, there could be a permissioned and a permissionless version of the same protocol with users in the permissioned one all fulfilling KYC/AML requirements and also aware that they are transacting with all parties who have fulfilled KYC/AML obligations. This is currently being applied by Aave (another open source DeFi borrowing and lending protocol) for its corporate clients.Footnote ¹²

Despite the current absence of a global regulatory framework for DeFi, the EU proposed a Markets in Crypto-Asset Regulation in September 2020.Footnote ¹³ This provision focuses specifically on crypto-assets and as such has detailed proposals for the regulation of stablecoins. The proposed regulation seeks to apply standards depending on the “significance” of particular stablecoins. “Significance” would be assessed on the basis of the size of the stablecoin issuer's customer base; the value of tokens issued and also used in individual transactions; the size of the issuer's reserve of assets; and the instrument's interconnectedness with the financial system. Regulatory requirements cover issuance, disclosure, whether issuers would need to hold capital, and whether they need to be authorized/licensed to be able to issue these tokens. The proposed EU framework is a good attempt at addressing the financial stability concerns raised by stablecoins but it is unlikely to be far reaching. Its focus is on the operation of crypto-asset businesses operating within the EU and thus requires authorization by EU regulatory authorities for stablecoins to be traded within the EU. The U.S. President's Working Group on Financial Markets Report and Recommendations on Stablecoins has also recently highlighted some risks and recommendations for regulating stablecoins,Footnote ¹⁴ which is a strong indicator of the approach the U.S. would take in regulating stablecoins in the near future.

Given the global reach of DeFi and the limitation of existing financial instruments to regulate DeFi software protocols, the best approach would be to create global standards for building regulatory compliant DeFi protocols with a special focus on stablecoins. One option is to require protocols to recognize when a 1:1 ratio is maintained between the stablecoin and the digital dollar (a central bank digital currency). This would necessarily mean that the protocol itself would automatically verify that a 1:1 ratio is maintained with the digital dollar equivalent of cash. This could be useful to avoid reliance on stablecoins that are backed by cash equivalents (including commercial papers and other debt instruments) that are not cash. Another option is to require the exclusive use of algorithmic-backed stablecoins in DeFi as these rely on algorithms to maintain a stable value by expanding and contracting their circulating supply in response to market behavior. This way the stablecoin is able to avoid the exposure that fiat-backed stablecoins have to traditional financial debt instruments. These global approaches are likely to have a wider and more meaningful reach than any regional approach to regulating DeFi.