Iosco Establishes DeFi Task Force; Cites “Hidden” Risks
Posted by Colin Lambert. Last updated: March 25, 2022
The International Organisation of Securities Commissions (Iosco), the umbrella body for global securities regulators, has published a report into decentralised finance (DeFi), in which it states, “most of the new services which are emerging replicate more traditional financial services and activities, but with weaker regulation and increased risks for investors”.
The report cites leverage, asymmetry and fraud risks to retail investors as a key risk, noting that many DeFi products and systems fail to provide important disclosures. “Although blockchain data and smart contract code is transparent for all to see, understanding this data and code requires technical capability and knowledge,” Iosco states. “Without basic regulatory safeguards, including those that are the purpose of traditional financial services regulation, such as requirements for the disclosure of material information about a product, service or the individuals and underlying entities, investors may not necessarily receive sufficient information to make informed investment decisions.
“Some DeFi products and systems may require certain technical or other expertise that not all investors have and, as a result, may be unsuitable for some investors,” it adds. “There may be hidden informational or technological advantages sophisticated participants have over retail investors that make for an uneven playing field. Even absent fraud or misconduct, investors may lose some, if not all, of their investment due to these asymmetries.”
Of course, it could be argued that asymmetry and leverage risks exist in all markets where retail and institutional traders meet – it seems as though Iosco is keen to establish some sort of working model that can avoid the type of disputes that flare up in all markets – most recently in US equities over payment-for-order-flow (PFOF).
The report also notes that many risks in the DeFi space are analogous to those in traditional financial markets; however, it also highlights risks that are “somewhat unique” to DeFi, including front running (or similar), which can be triggered by miners having the ability to re-order or censor the blockchain. The report states, “Generally, the Ethereum blockchain, upon which most DeFi apps are built, has been vulnerable to front-running as perpetrators have had sufficient time to re-order transactions in a favourable way.”
Iosco also highlights the use of “flash loans” to finance certain strategies, often arbitrage, but observes that these protocols “can facilitate the rapid exploitation of a vulnerability, such as a coding error in a smart contract”, and be used to facilitate manipulative conduct.
The report says that for DeFi protocols to function properly, the participation of certain actors may be required. These can include diverse actors such as validators on the underlying blockchain, arbitrage traders, liquidity providers and oracles. “Although incentive structures exist to promote that participation, mainly through what is coined “tokenomics,” arbitrage opportunities, fees, and other profit-making mechanisms, these structures may fail, causing a protocol ultimately to fail,” the paper states. “In traditional markets, participation by key participants may be supplied or augmented by regulated entities that currently are not acting to support the DeFi ecosystem.
“As a specific example, various DeFi protocols are highly reliant on a few fiat-backed stablecoins as critical sources of liquidity,” it continues. “These protocols are, therefore, highly dependent on the continued viability and existence of these stablecoins. To the extent that there is any event, whether from a regulatory action, issuer default, or some other factor, that impacts the value of the stablecoin, the collateral and liquidity that is the engine for these DeFi protocols would be significantly impaired, potentially resulting in systemic failures of these DeFi protocols.”
DeFi, by its nature, also presents AML/CFT risks, Iosco warns, noting that while some industry participants are beginning to explore the use of tools to combat and comply with these risks, many products and services have no AML/CFT requirements. There are also, obviously, cyber security risks associated with such a market structure, as well as operational risks found in TradFi businesses.
Two primary areas where governance risks arise are the control of administrative keys and the functioning of protocol governance structures. If there is no disclosure of material information about these governance arrangements to potential investors, they are deprived of information that could have a substantial impact on the performance of the product or system, the report says.
Retention by an entity or individual of an administrative key permits the disabling or alteration of a smart contract or protocol. This may present advantages for maintaining the code; however, the retention of an administrative key also poses risks. In some instances, Iosco says, the holder of the administrative key has unilateral control of users’ funds held in a smart contract or protocol. Risks arise, such as key loss or theft, insider theft of crypto-assets held in the smart contract or protocol, and other cybersecurity concerns (such as ransom or hacks from outside parties). There is also the risk that the smart contract or protocol will be disabled or altered unexpectedly by the administrator.
“Certain DeFi products or systems claim to be governed by governance tokens,” the report states. “While in theory governance tokens are intended to grant decision making regarding the protocol and smart contracts to a dispersed community of users, in many products and systems there is highly concentrated voting control and governance token ownership.
“Also, there could be misalignment of incentives as between holders of governance tokens and holders of other tokens issued by the protocol, which ultimately present risks to the protocol,” it adds. “Governance token holders, although having the ability to vote on certain aspects of the protocol, may be incentivised to sell the token on centralised crypto-asset trading platforms for short-term profit taking while holders of other tokens issued by the protocol may be looking for more long-term use of the protocol.”
Iosco also argues that a governance token holder may only hold the governance token through a vote and thereby influence the protocol without any interest in the long-term prospects of the protocol. Equally, if governance token holders have access to information that other users of the protocol do not, risks relating to information asymmetries, such as non-disclosure of material information to investors and insider trading, also arise.
“Certain activities can permit actors to gain a large influence over a protocol,” the report says. “For example, some protocols allow for the delegation of voting rights to others, who could acquire large concentrations of voting rights. Moreover, in many cases governance token holders transfer or delegate their voting rights to concentrated groups or entities, while retaining the economic benefits. This bifurcation may undercut assertions of decentralization. Information about these voting transfers and delegations may not be available to the market and purchasers of governance tokens in secondary market trades. In a technique known as a “Sybil attack,” certain individuals with advanced knowledge of a governance token “airdrop” by a protocol can generate multiple pseudonymous addresses to obtain control over a concentration of airdropped tokens and gain a large influence over a system.”
The report also taps into a popular theme of recent Bank for International Settlements’ reports about the spillover potential of an event in DeFi onto traditional markets; however, it does not really add much to the debate that has not already been outlined.
Overall, the report represents a comprehensive review of the fast-evolving DeFi market from a regulator’s perspective – something that is much needed as the crypto-assets industry generally edges towards some sort of regulatory framework. The report identifies some products and services which are novel to DeFi, but concludes that most of the new services which are emerging replicate more traditional financial services and activities, with weaker regulation and increased risks for investors. “The DeFi market and its participants in many respects have operated to date either outside the scope of existing regulatory frameworks or, in some jurisdictions, in non-compliance with applicable regulations,” Iosco states.
In response to the report, Iosco has also announced the establishment of a new task force. Tuang Lee Lim, assistant managing director (capital markets) of the Monetary Authority of Singapore (MAS), has been named as chair. He says, “The report provides evidence of both the potential opportunities as well as significant risks that DeFi can bring to investors and markets. Iosco’s decision to establish the task force signifies our members’ resolve to take timely and coordinated policy action to appropriately address the risks arising from this fast-growing area. I look forward to working closely with experts and colleagues on the task force in charting its work ahead.”