
DeFi Regulation: Legal Framework for Decentralized Finance [2026]

How DeFi is regulated in 2026: FATF's owner-operator test, MiCA's fully-decentralised exclusion and the US 2025 shift. What is in scope, what is grey, and who is liable.

Conceptual split between an immutable DeFi protocol and the controllable layers a regulator can reach

Decentralized finance was built to remove intermediaries, and that single design choice is exactly what makes its legal treatment so hard to pin down. There is no DeFi-specific statute anywhere in the world. Instead, regulators apply the rules they already have to the people and entities they can actually identify behind a protocol. This guide maps how that works in 2026 across the three regimes that matter most: the FATF global standard, the EU's MiCA framework, and the shifting United States posture.

DeFi regulation is the body of existing financial law applied to identifiable controllers of a nominally decentralized protocol. No jurisdiction regulates the software itself. Instead, FATF, MiCA and US agencies ask whether a person or entity controls, operates, or profits from the protocol, and if so, treat that party as a regulated VASP or CASP. The code is not the defendant; the controller is.

Is DeFi regulated? The short answer

Yes and no, and the distinction is the whole point. No regulator has passed a law that says "this is how decentralized finance must operate." But the moment a recognizable person or company sits behind a protocol with control or a profit motive, the existing crypto-asset rules attach to that party. The phrase to internalize is "regulate the person, not the protocol."

This is why blanket claims fail in both directions. "DeFi is illegal" is wrong, because genuinely ownerless code is not the object of any current rule. "DeFi is exempt" is equally wrong, because most projects marketed as decentralized still have a controlling team, a foundation, an admin key or a fee-taking front-end that a regulator can reach. The legal framework lives in the gap between those two extremes.

Definition: what "regulating DeFi" actually means

"Regulating DeFi" means asking whether an identifiable person or entity is doing something already regulated through a protocol that calls itself decentralized. The software program itself is not a regulated entity under the FATF Updated Guidance or under MiCA. The regulated object is always a controller: a creator, owner, operator, foundation, or interface provider who maintains control or sufficient influence over the arrangement. If no such party exists, the protocol drifts into a grey zone rather than a clean exemption.

Why there is no DeFi-specific law yet

Lawmakers have repeatedly chosen to stretch existing categories rather than build a new one. The reasoning is practical: a "DeFi law" would have to define decentralization in binding terms, and no legislature has managed to do that. Instead, all three major regimes converge on a version of the same question, which is who actually controls the thing. FATF settled on an owner/operator test in 2021. The EU excluded only "fully decentralised" services from MiCA and ordered a separate review. The US spent 2025 retreating from enforcement while signalling that it will regulate identifiable actors rather than code. None of these is a dedicated DeFi statute, and that is by design. If you want the broader map of how regulators classify crypto activity, see our overview of licensing by activity and business model.

Table showing which layers of a DeFi stack are regulated, grey or excluded, with the source rule for each

FATF: the global "owner/operator" test (2021 Guidance)

The Financial Action Task Force (FATF) is the global anti-money-laundering and counter-terrorist-financing standard-setter, and its rules are the baseline that national AML regulators implement. Its treatment of DeFi sits in the Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs, adopted on 28 October 2021, around paragraphs 67 to 70. That guidance is still the governing DeFi treatment in 2026.

The software itself is not a VASP (para 67)

FATF is explicit that the code is out of scope. As paragraph 67 puts it, a DeFi application, meaning the software program, is not a VASP under the FATF Standards, because the Standards do not apply to underlying software or technology. This is the single most cited line in DeFi regulatory analysis, and it is the foundation of the entire "regulate the person" model. A smart contract cannot hold a license, cannot file a suspicious-transaction report, and cannot be sanctioned, so FATF does not try to make it.

But owners and operators can be

The exemption stops at the code. FATF's guidance states that creators, owners and operators, or other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services. In short, the people behind a protocol inherit the obligations the protocol cannot. The AML, KYC and Travel Rule duties attach to that controller. For the operational side of those duties, see our guide on how to become a licensed VASP and the underlying FATF VASP definition and scope.

The "control or sufficient influence" indicators

FATF gives countries a non-exhaustive set of indicators to find an owner/operator with control or sufficient influence. They are not a checklist where one box settles the matter; they are signals a regulator weighs together:

  • Control or sufficient influence over the assets or over aspects of the service's protocol.
  • An ongoing business relationship with users, even if exercised through a smart contract or other voting protocols, which captures active governance.
  • The ability to set or change the parameters of the protocol.
  • Whether any party profits from the service.

The more of these a team retains, the harder it is to argue the protocol is genuinely ownerless. Admin keys, a fee switch and active governance together make the owner/operator finding almost inevitable.

What FATF says about the truly ownerless case

This is the hardest edge, and it is where the framework runs out of clear answers. FATF concedes it may be challenging in practice to understand where exactly to draw the line with respect to sufficient control and influence. Crucially, FATF does not declare that a genuinely ownerless protocol is safe-harboured. Commentators note that FATF expects countries to look through "decentralization theatre" and may even expect a regulated VASP to sit somewhere in the chain. We do not state here that ownerless equals exempt under FATF, because the precise primary wording for the no-owner-at-all case could not be verified against the source. Treat the fully ownerless scenario as unsettled, not as relief.

How does MiCA apply to DeFi in the EU?

The EU's Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114 (MiCA), became fully applicable on 30 December 2024. MiCA regulates crypto-asset service providers (CASPs), which are identifiable legal persons. It does not create a DeFi regime, and it explicitly carves out one narrow category of decentralized activity. For the full EU picture, see our MiCA crypto-asset regulation guide.

Recital 22: only "fully decentralised" services are excluded

MiCA's exclusion lives in Recital 22, which we can quote directly because it was fetched verbatim from the primary source. It reads: "Where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of this Regulation." The operative words are "fully" and "without any intermediary." This is a narrow, fact-specific carve-out, not a blanket "DeFi is exempt." If a service has a controlling team, a foundation, a front-end operator, or a governance body that operates it, then an intermediary exists and MiCA's CASP regime can apply.

When a DeFi project becomes a CASP

Because MiCA regulates identifiable persons, the question is always whether someone is operating the service. A protocol with a foundation that manages treasury and governance, a company that hosts and monetizes the front-end interface, or a team that can upgrade the contracts is at real risk of being classified as a CASP. The branding is irrelevant. What matters is whether a legal person provides the crypto-asset service in fact. Once that line is crossed, the project needs the relevant CASP authorization in an EU member state.

The pending DeFi review (Article 142 + ESMA/EBA Joint Report)

MiCA did not close the door on a future DeFi regime. Article 142 required the European Commission to report on developments not covered by MiCA, explicitly including DeFi and crypto-asset lending and borrowing, by 30 December 2024, with a legislative proposal "where appropriate." To feed that review, ESMA and the EBA published a Joint Report on recent developments in crypto-assets (Art. 142 of MiCAR) in January 2025. That report treats DeFi as largely outside MiCA's current scope, frames decentralization as a spectrum because most "DeFi" retains centralizing elements such as governance tokens, core developers and foundation control, and concludes that further EU-level rules may be needed. As of mid-2026 this is a report, not law. We say a report exists and further rules may come, not that an EU DeFi law is coming.

How is DeFi regulated in the United States in 2026?

The US posture flipped sharply in 2025, from enforcement-by-litigation toward rulemaking and accommodation. The headline is a thaw, but the underlying securities-versus-commodities question remains unresolved. For the enforcement detail, see our page on the latest SEC crypto enforcement posture.

The SEC enforcement retreat (Feb–Mar 2025)

In February and March 2025 the SEC closed or dropped a wave of crypto matters: Coinbase, Uniswap, ConsenSys, OpenSea, Robinhood and Gemini. The Coinbase case was dismissed with no penalty, and the Uniswap investigation closed in February 2025 with no action. Commentators tie Uniswap's reprieve partly to its non-custodial model, which strengthens the argument that it is not acting as an intermediary. The retreat was administrative, a change in enforcement priorities rather than a change in the statute.

The IRS DeFi broker rule repeal (H.J. Res. 25)

The most durable US change was statutory. The Treasury and IRS rule finalized in December 2024 would have treated DeFi trading front-end service providers as brokers required to file Form 1099-DA reporting customer gross proceeds. Industry argued that non-custodial front-ends cannot collect that data. Congress repealed the rule under the Congressional Review Act through H.J. Res. 25, which President Trump signed into law on 10 April 2025. The vote was 292 to 132 in the House and 70 to 28 in the Senate. The CRA bars the agency from reissuing a substantially similar rule without new legislation, and this was the first crypto bill ever signed into US law.

SEC and CFTC harmonization (Sept 2025)

In September 2025 the SEC and CFTC moved toward a coordinated posture. They issued a joint staff statement on 2 September 2025 indicating that registered exchanges are not prohibited from facilitating certain spot crypto trading, followed by the Atkins–Pham joint statement on 5 September 2025 launching a harmonization initiative and a roundtable on 29 September 2025 covering 24/7 markets, perpetuals, innovation exemptions and DeFi. Reporting on the joint guidance states that "most crypto assets are not themselves securities." We present that phrasing as reported through legal secondaries rather than confirmed verbatim against the primary, because the source page could not be fetched directly.

The proposed "innovation exemption"

SEC Chair Paul Atkins directed staff to craft a conditional innovation exemption that would let firms launch on-chain products such as DeFi, staking and tokenization under disclosure conditions while permanent rules are written, with rulemaking targeted for late 2025 or the first quarter of 2026. Atkins framed self-custody as a foundational American value. As of mid-2026 the innovation exemption is proposed and in progress, not adopted. The timeline slipped around the 2025 government shutdown. Do not treat it as live relief.

What is regulated and what is not in DeFi

This is the deliverable most readers come for: a layer-by-layer map of what current rules can reach and what they cannot. The pattern is consistent. Code is out. Identifiable controllers are in. Custodial front-ends are usually in. Genuinely ownerless protocols and passive DAO voters sit in unsettled grey zones.

The six layers of a DeFi stack, mapped to scope

| Layer | Regulated? | Under what |
|---|---|---|
| Smart-contract code / protocol itself | No | FATF para 67; MiCA Recital 22 ("no intermediary") |
| Controlling team / foundation / operator (admin keys, fee-take, active governance) | Yes, treated as VASP/CASP | FATF owner/operator test; MiCA CASP regime |
| Custodial front-end / interface operator | Likely yes | Same; depends on custody and control |
| Genuinely ownerless, non-custodial, immutable protocol | Largely outside (grey) | MiCA excludes "fully decentralised"; FATF strains to find a controller |
| Governance-token holders / passive DAO voters | Unsettled | Grey zone |
| Tax info-reporting on DeFi front-ends (US) | No (repealed Apr 2025) | H.J. Res. 25 |

Read down the middle column and the model is obvious: the more control and custody a party holds, the more clearly it is regulated. The layers nobody can point a finger at are the layers that fall into grey space, not into exemption.

Comparison of FATF, MiCA, US Howey and FIT21 definitions of sufficient decentralization

The four definitions of "sufficient decentralization"

Everybody in this debate invokes "sufficient decentralization," and nobody has defined it in binding law. That is the single biggest source of uncertainty for builders, because the same protocol can be "decentralized enough" under one regime and not under another. Four different, non-harmonized tests are circulating, and they answer the same question in incompatible ways.

| Framework | The decentralization test | What it asks |
|---|---|---|
| FATF | "Control or sufficient influence" | Is there an owner/operator who controls assets, parameters, the user relationship, or profits? |
| MiCA (Recital 22) | "Fully decentralised, no intermediary" | Is there literally no intermediary, or does a foundation/front-end/operator exist? |
| US Howey/Hinman legacy | Reliance on a managerial team | Do buyers expect profit from the efforts of an identifiable promoter or team? |
| FIT21-style framework | Functional decentralization test | Is the network mature and functional enough that no controlling group remains? |

Why nobody has defined it in binding law

Each test was written for a different purpose: AML for FATF, market conduct for MiCA, securities law for Howey, and a proposed market-structure regime for FIT21. They overlap at the edges but never align, so a protocol can pass one and fail another. The practical takeaway is that "we are sufficiently decentralized" is not a portable defence. It must be argued separately under each regime where the protocol touches users, and the analysis is intensely fact-specific.

DeFi grey zones: DAOs, front-ends and governance tokens

Beyond the clear layers, three areas are genuinely unsettled. The honest answer here is that the law is still forming, and anyone who tells you these questions are resolved is overstating the case.

Are DAOs legally liable?

They can be. There is no global rule, but some US courts and regulators have treated a DAO as a general partnership, which would expose token-holders to joint-and-several liability. The CFTC's Ooki DAO matter, which resulted in a default judgment in 2023, is the most cited example, where the DAO was found to be a "person" and held liable. We treat the Ooki specifics as illustrative rather than re-verified against the primary court record. On the protective side, a handful of US states, including Wyoming with its DAO LLC and DUNA wrappers, plus Vermont, Tennessee and the Marshall Islands, offer DAO legal-entity wrappers that can cap liability. Whether a DAO is a regulated operator turns on how active its governance is.

Front-ends and interfaces: the exposed surface

The hosted web app is the most centralized and easiest-to-reach pressure point in the stack. Both the repealed IRS broker rule and the OFAC Tornado Cash sanctions episode targeted this layer rather than the contracts beneath it. A front-end operator that takes fees, screens users, or routes orders looks much more like a regulated intermediary than the underlying smart contracts do. This is why many teams separate the immutable protocol from a geofenced or compliance-gated interface. If your project surfaces DEX regulation questions, the interface is where they land first.

Are governance tokens regulated?

Unsettled. A governance token might be a security under a US Howey analysis, a MiCA crypto-asset, or a mere utility and voting instrument, depending on the facts. The decisive factor is often how the governance actually works. Active fee-switch governance can be evidence of an ongoing business relationship under FATF, pulling holders toward intermediary status, while passive voting probably does not. The label on the token matters far less than what holders can actually do with it.

What DeFi regulation means for founders and builders

If you are building, the framework above translates into a few hard principles. This is general information, not legal advice, and DeFi classification is intensely fact-specific. Get jurisdiction-specific counsel before launch.

Decentralization is a defence, not a magic word

Both FATF and MiCA look at who actually controls the protocol. Admin keys, upgrade keys, a fee switch you can flip, a foundation that runs governance, or a custodial front-end can each make you a regulated VASP or CASP regardless of how you describe the project. Calling something decentralized does not make it so in the eyes of a regulator who can see the control you retain.

Custody is the bright line

Non-custodial design, where users keep their own keys, is the strongest single argument for not being an intermediary. It underpinned Uniswap's US reprieve and the logic behind repealing the DeFi broker rule. The moment your system takes custody of user assets, the analysis shifts hard toward regulated-intermediary status, and the Travel Rule for VASPs and related AML duties come into play.

Do you need a license to launch a DeFi protocol?

If there is any controlling entity, custody, or a fee-taking front-end, you likely need a VASP or CASP authorization somewhere you operate. A purely ownerless, non-custodial, immutable protocol is the only scenario that plausibly sits outside current rules, and even that is a grey zone rather than a guarantee. For the operational path, see how to become a licensed VASP and, for issuers, stablecoin issuer licensing. For the broader context, our global crypto licensing guide sets out the worldwide picture.

DeFi regulation timeline (2021–2026)

A dated changelog of the developments that built the current framework:

  • Oct 2021: FATF adopts the Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs. Its owner/operator treatment of DeFi (paras 67–70) is still governing in 2026.
  • 30 Dec 2024: MiCA becomes fully applicable. The Commission's Article 142 report on DeFi and crypto lending was due by this date.
  • Jan 2025: ESMA and the EBA publish the Article 142 Joint Report, treating DeFi as largely outside MiCA and suggesting further EU rules may be needed.
  • Feb–Mar 2025: The SEC drops or closes Coinbase, Uniswap, ConsenSys, OpenSea, Robinhood and Gemini matters.
  • 10 Apr 2025: President Trump signs H.J. Res. 25, repealing the IRS DeFi broker rule. House 292–132, Senate 70–28. First crypto law in US history.
  • Sept 2025: SEC and CFTC issue joint statements (2 and 5 Sept) and launch a harmonization initiative plus a 29 Sept roundtable covering DeFi.
  • 2025–Q1 2026: The SEC "innovation exemption" for on-chain products is in progress, proposed but not adopted.

DeFi regulation vs DeFi compliance: what is the difference?

These two terms are often used interchangeably, and conflating them causes expensive mistakes. Regulation is the legal framework, meaning who regulates what, which is the subject of this page. Compliance is the operational program you build once a controller has been identified, covering AML, KYC and Travel Rule procedures, transaction monitoring, reporting and governance. Regulation tells you whether you are in scope. Compliance is what you do about it. Once you know a controller exists and which regime applies, the operational steps live on a separate page, how to navigate DeFi compliance.

From our practice

In our advisory work the recurring pattern is consistent: founders ask whether their protocol is "regulated," when the question regulators actually ask is who controls it. The teams that get into trouble are rarely the ones with the most decentralized code. They are the ones who kept an admin key, a fee switch and a hosted front-end while telling the market the project was fully decentralized. Our standard first step is a control-mapping exercise, identifying every party that can change parameters, hold custody, or take a fee, because that map, not the marketing, determines which authorization is needed and where.

Frequently asked questions

Is DeFi regulated?

Not by any DeFi-specific law. The code itself is not regulated, but identifiable people or entities who control or profit from a protocol can be regulated as VASPs under FATF or CASPs under MiCA. Regulation means applying existing financial rules to the controller, not to the software.

Is a DeFi protocol a VASP under FATF?

The software itself is not, under FATF's 2021 Guidance paragraph 67. However, creators, owners or operators with "control or sufficient influence" over the arrangement can fall under the FATF definition of a VASP where they provide or actively facilitate VASP services, even if the protocol appears decentralized.

What is FATF's "control or sufficient influence" test?

A set of non-exhaustive indicators used to find an owner/operator behind a DeFi arrangement: control over assets or protocol parameters, an ongoing relationship with users through smart contracts or governance, the ability to change parameters, and whether any party profits. Regulators weigh these signals together rather than as a checklist.

Does MiCA apply to DeFi?

Only partly. MiCA Recital 22 excludes services provided "in a fully decentralised manner without any intermediary." Anything with an operator, foundation or front-end can be classified as a CASP and falls within MiCA's scope. The exclusion is narrow and fact-specific, not a blanket DeFi exemption.

What is MiCA Recital 22?

The recital that excludes fully decentralized, intermediary-less crypto-asset services from MiCA's scope. The operative word is "fully," so the exclusion only applies where no intermediary exists at all. A controlling team, foundation, or front-end operator defeats it and brings the service back into scope.

Is there an EU DeFi law coming?

Possibly. MiCA Article 142 required a European Commission DeFi report, due 30 December 2024, and the ESMA/EBA January 2025 Joint Report suggests further EU rules may be needed. As of mid-2026 no dedicated DeFi regime exists yet. A report exists; specific legislation may follow but is not confirmed.

Did the US repeal the DeFi broker rule?

Yes. President Trump signed H.J. Res. 25 on 10 April 2025, repealing the IRS rule that would have made DeFi front-ends file Form 1099-DA. The vote was 292–132 in the House and 70–28 in the Senate. It was the first crypto bill ever signed into US law.

Are DeFi tokens securities in the US?

Unsettled. 2025 SEC/CFTC joint guidance reportedly states that "most crypto assets are not themselves securities," but that wording comes through legal secondaries. The securities-versus-commodities split between the SEC and CFTC remains unresolved pending market-structure legislation.

Why did the SEC drop the Uniswap case?

The investigation closed in February 2025 with no action. Commentators link the outcome to Uniswap's non-custodial model, which strengthens the argument that it is not an intermediary, and to the SEC's broader 2025 policy shift away from enforcement-by-litigation toward rulemaking.

Are DAOs legally liable?

They can be. Some US rulings have treated a DAO as a general partnership, exposing members to liability, with the CFTC's Ooki DAO matter the most cited example. Legal wrappers such as Wyoming's DAO LLC or DUNA can cap that liability. The risk turns on how active the DAO's governance is.

Are governance tokens regulated?

Unsettled. They may be securities, MiCA crypto-assets, or utility tokens depending on the facts. Active fee-switch governance can pull holders toward intermediary status under FATF, while passive voting probably does not. The decisive factor is what holders can actually do, not the token's label.

Is running a DEX front-end risky?

Yes. The interface is the most reachable layer of the stack. A front-end that takes fees, screens users, or routes orders looks much more like a regulated intermediary than the underlying contracts do. Both the repealed IRS rule and the Tornado Cash sanctions targeted this exposed layer.

Can a fully decentralized protocol avoid all regulation?

A genuinely ownerless, non-custodial, immutable protocol falls outside MiCA and strains FATF's tests, but regulators look through "decentralization theatre." It is a grey zone, not a safe harbour. Any retained control, custody, or fee-taking interface can pull the project back into scope.

Do I need a license to launch a DeFi protocol?

If there is any controlling entity, custody, or a fee-taking front-end, you likely need a VASP or CASP authorization somewhere you operate. Only a truly ownerless, non-custodial protocol plausibly sits outside current rules. Get jurisdiction-specific counsel before launch, because classification is intensely fact-specific.

What is the difference between DeFi regulation and DeFi compliance?

Regulation is the legal framework covered on this page, meaning who regulates what and whether you are in scope. Compliance is the operational AML, KYC and Travel Rule program you build once a controller is identified. Regulation defines the obligation; compliance is how you meet it.