Author: Natalie Linhart

ConsenSys Responds to The UK Treasury’s Consultation on Crypto Assets and DeFi

https://consensys.net/blog/news/consensys-responds-to-the-uk-treasurys-consultation-on-crypto-assets-and-defi/

ConsenSys Software Inc respectfully submits this letter in response to HM Treasury’s consultation and call for evidence concerning crypto assets published February 2023. Below, we respond to certain questions pertaining to “decentralized finance” (DeFi) and “other crypto assets.” We are encouraged that the Treasury is taking the step of consulting with the crypto ecosystem on these novel and complex issues, and we welcome the opportunity to discuss with policymakers across government about the innovation in the programmable blockchain ecosystem.

We view this comment letter as an invitation to converse further regarding the ongoing development of Ethereum and other programmable blockchain ecosystems. We hope to engage with you in greater depth on the summarized points set forth below. We appreciate the opportunity to collaborate with you on the important task of bolstering innovation while mitigating the risks that new technologies may present. You may contact us at [email protected] at your convenience.   

1. Background on ConsenSys Software Inc and its Flagship Offering, MetaMask

ConsenSys was founded in 2016 after the launch of the Ethereum protocol with the goal of facilitating decentralization through the development of blockchain-based computing platforms. We believe that, through decentralized networks like Ethereum, people can innovate and achieve like never before. We have dedicated our personnel, product offerings, and resources to help drive this evolution.

ConsenSys is a leading Ethereum software company. We enable developers, enterprises, and people worldwide to build next-generation applications, launch modern financial infrastructure, and access the decentralized web. Ethereum is the largest programmable blockchain in the world, leading in developer community, user activity, and business adoption. On this trusted, open-source foundation, people around the world are building the digital economies and online communities of tomorrow. Our software suite, which includes MetaMask, Infura, Quorum, Truffle, and Diligence, is used by millions and supports billions of blockchain calls. 

MetaMask specifically is one of the most broadly used unhosted wallets in the world by both web3 developers and users. It is open-source software that can be downloaded from the Apple or Google app stores and run locally as either a mobile application or a browser extension. The software is maintained by a development team at ConsenSys and also supported by a global community of developers and designers who wish to democratize access to the decentralized web.

2. Blockchain Networks are Programming Platforms

We applaud the Treasury for endeavoring to learn about blockchain systems before reaching conclusions on the risks they may present and what, if anything, public policy can do about it. Those efforts are particularly important because, in other jurisdictions, the focus of the regulatory conversation has unfortunately been off the mark. We hope that this comment process results in the Treasury engaging in policy discussions from the baseline that blockchain networks are in fact entirely new computer programming platforms.

Programmable blockchains like Ethereum allow anyone to write and publish code that is accessible to anyone else in so long as they have access to the blockchain network and the ability to compose and transmit on-chain transactions. In recent years, the increase in blockchain software development, as reflected in the number of developers committed on platforms such as Github to solve particular programming problems, has been notable. According to one analysis published in early 2023, over 23,000 monthly active developers were working on blockchain programming projects. While these numbers may be small compared with the global developer community writ large, the trend of developers expressing their interest in and becoming proficient at blockchain software development is unmistakable.  

With respect to the UK’s developer footprint, it has in recent years been less than 10% of the blockchain developer community. The UK can and should want to change that to drive more software development in this new space if it intends to be a crypto hub.  

That dovetails with ConsenSys’s efforts to bolster migration of developers into the space through our software platforms that permit developers to innovate new tools that can be shared with an increasingly broad user base. While the ConsenSys offering MetaMask is recognized as the world’s most popular Ethereum self-hosted wallet, few recognize that it is as much a developer platform as it is a client-side key management solution. The clearest expression of this is the release of MetaMask Flask, which is an experimental MetaMask application that allows developers to create new features that can be tested and refined before offering to the public more broadly. The first feature offered through Flask is the Snaps system, which allows developers to create their own programs that expand the functionality of the wallet. ConsenSys is not alone in working to bolster developer engagement and productivity. Examples abound of a thriving developer ecosystem where brilliant minds from all over the globe are tackling the novel problems presented by a nascent technology.  

It is from this perspective that the Treasury should consider regulatory issues around blockchain protocols. While considerable attention to date, both regulatory and otherwise, has focused on the price of digital tokens in fiat currencies and the speculation often attendant in their issuance and secondary market trading, sound regulation will only be realized when the technological functionality of nascent blockchain networks is the focus of the inquiry. 

3. Responses to Specific Questions Concerning DeFi

Do you agree with the assessment of the challenges of regulating DeFi? Are there any additional challenges HM Treasury should consider?

We generally agree with the assessment and applaud the decision to carefully scrutinize risks attendant to DeFi before prescribing a regulatory framework. Below, we list some additional regulatory challenges for your consideration. Cumulatively, these complex and distinct challenges mean that regulating DeFi requires a bespoke approach that might serve as policy leadership across the globe.

Underlying the question of regulating DeFi is the distinction between the investment and technology sides of the crypto ecosystem. The investment side looks very much like traditional finance. There, digital assets are largely just new assets to invest in with the hope that they increase in value when compared with the pound, the dollar, or the Euro.  

The technology side, on the other hand, is the part of the ecosystem that is trying to make these global, permissionless distributed ledger systems actually useful for a variety of activities, including financial and commercial transactions. This side looks very different from traditional finance, as its functioning is determined by cutting edge computer programming and network building. For a deeper discussion of this dichotomy in the crypto ecosystem, read here. It is the technology side that introduces novel risks which we should be careful to understand before we apply regulations. In some instances, public policy may not be the best answer for certain risks.  Rather, the technology itself must evolve to address certain consumer protection, security, and other issues.   

The risks in traditional finance are well established. They include conflicted insider actors, potential abuse of power, and information asymmetries. The key insight about regulating DeFi is how and the extent to which these traditional risks are inherently mitigated by DeFi structures, and to what extent new meaningful risks arise from the technology itself. Regulatory authorities are not traditionally experienced with addressing many of these purely technical risks, so novel approaches should properly be considered.  

Applications, not Protocols

To be effective in mitigating risk and to avoid unduly chilling innovation, these novel approaches must focus on specific applications of blockchain technology and not the composition and functionality of the blockchain itself. By regulating the blockchain system itself rather than applications, we inevitably diminish any efficiencies or new capabilities that blockchain has to offer. Regulating applications offered to the public, on the other hand, takes a more precise approach to mitigating risks such offerings may present. 

This application-not-protocol approach would parallel how the web2 internet currently is addressed from a regulatory perspective. There, the internet infrastructure that powers “https” websites is not artificially constrained in order to limit activity or function. Instead, certain activities and services on that internet are directly regulated. Taking such an approach with web3 would lead to more consistent and coherent outcomes, including with respect to how open-source code is handled under the law. Such code, which can be created and deployed from anywhere in the world, may be used to create any variety of blockchain-powered products or services. It should be, and is more practically regulated if, those products or services that pose risks that are regulated, not the purpose-agnostic open source code.   

It is for these reasons we encourage HMT to resist the temptation to prescribe substantive requirements or design features for the functioning of blockchain protocols themselves. Doing so would most certainly create concern among software developers that, by developing and publishing open-source protocol code in a way that can be connected to the UK, they will breach some inconspicuous regulatory rules and be exposed to legal liability. Such concerns would have a chilling effect on developers’ willingness to innovate and develop the public good which is a permissionless blockchain ecosystem in the UK. 

Additional challenges

There are several challenges that we must contend with when considering a DeFi ecosystem that is as safe, secure, and resilient as possible. As a general resource, we would commend to you the report written by Professor Tarik Roukny and commissioned by the European Commission, which identifies some additional features of DeFi that give rise to unique regulatory challenges.  

In addition to these challenges, there is the challenge of off-chain data integrity. While data that is native to a chain can be mathematically proven to be accurate or not, the same cannot be said of data from the real world or external computer systems that has been added to the blockchain data state or used in conjunction with blockchain transactions via a data oracle. Many blockchain applications rely on oracles to feed data that is important for those applications to function as designed. Any instability in or manipulation of such oracles would likely cause the blockchain applications to not function as intended. This oracle risk has not been the focus of a lot of public policy attention or crypto ecosystem attention under the general category of industry best practices. But we agree with Professor Roukny in his assessment that additional measures may need to be introduced to ensure that off-chain data being used on-chain is as safe and reliable as native on-chain data.  

How can the size of the “UK market” for DeFi be evaluated? How many UK-based individuals engage in DeFi protocols? What is the approximate total value locked from UK-based individuals? 

This is a difficult question to answer because DeFi participation on a jurisdiction by jurisdiction basis is generally not readily identifiable. Protocols are globally accessible, and while certain regions may constitute the majority of participation in a particular protocol, there is no reliable method to really know the true size of a particular country’s footprint with respect to a specific protocol, let alone a country’s footprint in DeFi more generally.  

But there are metrics which may shed light on the evolution in the involvement of UK persons in DeFi. The number of active web3 developers is one such metric.  A number of publicly available reports have been released which attempt to analyze the change in the web3 developer community, and some include statistics that show where these developers are geographically. One recent report relied upon self-reported locations of developers and the apparent time zones in which developers operated from to reach conclusions on how developers were spread out across jurisdictions. That report concluded approximately 6% of world-wide developers in 2022 were located in the UK, which was one percentage point less than in 2021 but still larger than any European country with the exception of Germany, which has a comparable number of web3 developers.1

Another metric is the number of unhosted wallets in use in particular jurisdictions. Unlike centralized exchange accounts, which are generally designed to permit a person to buy and hold digital assets as an investment, the purpose of unhosted wallets are to allow the user to interact directly, without an intermediary, with DeFi and other web3 services. Wallet providers may have data about monthly active users of their software, including in what regions those users are located.2 

There are potentially other sources of information on the UK’s DeFi footprint that ecosystem participants may be able to share. For instance, ConsenSys has been conducting a broad market survey of public sentiment about web3 and its use around the world. Some of the findings and conclusions of surveys such as this one might be of use to policymakers, and companies like ConsenSys should carefully consider what information from these surveys would be appropriate to share.  

Do you agree with HM Treasury’s overall approach in seeking the same regulatory outcomes across comparable “DeFi” and “CeFi” activities, but likely through a different set of regulatory tools, and different timelines?

We agree in principle with the approach of seeking the same “regulatory outcomes” across comparable “DeFi” and “CeFi” (centralised finance) activities. We understand regulatory outcomes broadly to concern consumer protection, investor protection, combating illicit finance, and market integrity. These are of course important, and should concern not only regulators but also the crypto ecosystem itself.  

But certain qualifiers are important. First, those regulatory outcomes must be in balance with the need to ensure that innovation, collaboration, and other commercial activities are not unnecessarily stifled or burdened. Unreasonably burdensome regulation will likely catalyze regulatory arbitrage as projects will move to jurisdictions with less onerous regulatory regimes. Ultimately, overly burdensome regulation is self-defeating, as the activity which it seeks to regulate merely moves to other jurisdictions. Because the conduct at issue relies on blockchains, those relocated offerings remain accessible to users the regulatory regime seeks to protect. The result is that the burdensome regime is of very little protection at all.  

In our view, achieving the same regulatory outcome is not possible without understanding and acknowledging that the actual functioning of DeFi is different from that of CeFi, and it is that functioning which will ensure that some risk mitigation measures prove effective and others are unproductive. It is imperative that the underlying technology be properly understood to effectively mitigate specific risks and, as you note in the consultation, to understand how the technology itself functions and is evolving to better avoid risks. 

What indicators should be used to measure and verify “decentralisation” (e.g. the degree of decentralisation of the underlying technology or governance of a DeFi protocol)?

We will focus on one concept of decentralization for both the underlying blockchain protocol and a specific DeFi application. With respect to the blockchain protocol, the number of separately engineered and published software programs that can serve as network clients is an important metric. Currently, Ethereum has at least five clients that are independently maintained. Client diversity ensures that the network is not overly reliant on any one instance of code to ensure transactions are executed properly and nodes are maintaining consensus.  

With respect to DeFi application governance, an often overlooked factor is who implements the decisions made through a DAO (decentralised autonomous organisation) vote. In a simple scenario, and assuming a perfectly decentralized DAO membership, a DAO vote would automatically trigger an on-chain transaction that would effectuate the will of the voting DAO members. But DAO decisions are often more complicated and require independent, off-chain implementation. If a DAO decision can be put to action only through the efforts of one of the DAO members, or of persons who have some operational role they play for the DAO in exchange for compensation, then whether they can be trusted to implement the will of the DAO precisely as the DAO intends may only be determined through an assessment of how easily they could act counter to the DAO’s explicit instructions.  

There have been certain reported instances of the implementers of a DAO decision taking different action. In such instances, decentralisation is plainly belied by a single party asserting control not of the decision but its implementation. Governance arrangements where this level of authority is not properly mitigated should likely not be characterized as decentralized.3 The ecosystem itself is still grappling with the question of what constitutes “sufficient” decentralisation. While considering indicators of decentralisation is a useful exercise, we caution against defining decentralisation in a prescriptive manner in a future regulatory framework. The circumstances of each project needs to be evaluated on a case by case basis, especially as decentralised governance is not a binary state. Most often we talk about a progressive decentralisation, a process in which founding teams hand over control to the community by degrees, over time. The reason behind progressive decentralisation is to enable the community to learn how to govern, slowly opening more sensitive topics to a public vote. Any potential regulation should be flexible enough to allow for a governance framework that changes over the course of the project.

Which parts of the DeFi value chain are most suitable for establishing “regulatory hooks” (in addition to those already surfaced through the FCA-hosted cryptoasset sprint in May 2022)?

As an initial matter, participants in DeFi are most often also active in CeFi and engage with a number of centralized parties. As a result, an important element of any regulatory scheme seeking to reduce risks in DeFi would be to regulate CeFi service providers such as exchanges, custodians, and fiat on/off ramps. Traditional regulations and traditional enforcement are applicable here, such as obligations relating to KYC, AML, segregation and safeguarding client assets. Blockchain analytics tools that can tie DeFi activity to CeFi accounts are proving to be a powerful investigative tool, which in turn meaningfully disincentives illicit activity.  

Focusing on DeFi more specifically, the degree of control that certain persons exercise over an application or protocol should be an important criterion for any regulatory scheme. Circumstances such as a party’s retention of administrative private keys that would enable that party to access or redirect collateral locked in the protocol, or otherwise interfere with the automated operation of the smart contracts, may present risks that might be mitigated by a regulatory scheme, the precise nature of which would be determined in part on the nature of the activity the smart contract in question is facilitating. Regulation here should be balanced so as not to stifle innovation and to bolster efforts to progressively decentralize as described above.

The consultation raised the option for regulating DeFi by defining a set of DeFi-specific activities, such as “establishing or operating a protocol,” as regulated activities under The Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (“RAO”) or the Designated Activities Regime (“DAR”). This approach would be problematic in our view. First, the general activity of “establishing or operating a protocol” is not specific enough to address actual risks that some protocols but not others may present. A better approach would be to distinguish among different types of protocols based on their functions, such as lending, exchange, and liquidity aggregation, before prescribing regulatory burdens. 

Second, the activity “establishing a protocol” might inadvertently bring into its scope the activity of developing software that is not subsequently controlled by that developer. We strongly support HMT’s comment in the consultation that “the objective is not to regulate the activity of developing software”, and any indication that the UK is intent on regulating software development would negatively impact the UK’s efforts to encourage blockchain development within its borders. It is self-evident that protocols can be developed anywhere in the world, and any burdens the UK would impose on such development in its jurisdiction would have predictable impact on the desire for developers to work in the UK.

Third, if this approach is taken, the scope of “operating a protocol” should clearly exclude ordinary holders of governance tokens. Deeming ordinary holders, including those with de minimis holdings, as operators on an equal level with parties that have far greater direct or indirect control would severely discourage participation in voting and governance, thereby undermining the very aims of decentralized governance. A better approach would be to focus on those with administrative keys or other powers that enable them to interfere with the running of the protocol.

Finally, the consultation noted that interface providers and other actors facilitating consumer access to DeFi (e.g. aggregators and other consumer “front ends”) could be another viable hook. It was suggested that such entities conduct regular, independent code audits and IT security tests, as well as standards around information disclosures requiring clear, non-technical descriptions of the services provided and associated risks, third party service provider oversight, and governance standards covering best practices around voting and review periods and vesting schedules are complied with. 

We urge caution here. First, not all “front ends” are the same. Many are merely interfaces that permit simple reading of and writing to the blockchain using coding language that is open source and easily replicated in new offerings. Regulating these sorts of offerings would be akin to regulating the Google Chrome browser because it is used to interact with banking websites. Second, in some situations, front-end providers are not in a position to bear the burden of all suggested regulations, including because their software offering has not been monetized in a manner that would permit it to bear an expansive compliance burden. They should not be expected to have the financial resources, the expertise, or the appropriate presence or access to perform an oversight function. Third, there is a material difference between front-ends that provide a user with better information and those that facilitate new transactions for the user that would not be otherwise available to the user without the front-end. Regulating information collection, curation, and presentation does not serve the interest of consumer protection, in part because it would strongly disincentivize such information-related services.    

What other approaches could be used to establish a regulatory framework for DeFi, beyond those referenced in this paper?

DeFi-native tooling should be fully understood and deployed to appropriately manage risk. At a high level, examples include using decentralized identification, attestations, analytics and the use of smart contracts. The use of smart contracts to automate and self-execute along pre-agreed parameters is already something that the DeFi ecosystem utilizes. For example, if one wishes to borrow on a DeFi protocol, the borrower needs to deposit sufficient collateral. The transaction will not be effected without this step. Further, the smart contracts at play in this protocol measure the posted collateral so that collateral calls and liquidations are automated. 

Finally, DAOs are presenting interesting and novel governance and structural features. It is necessary, as the consultation recognises, to wait for clarity of the legal structure of DAOs from the Law Commission. That said, tooling such as gated communities, automated governance and decision making, quadratic voting (which seeks to solve for the power participants with majority holdings exert on governance), could be deployed to manage risk in a DeFi-native manner regardless of the legal status of a DAO itself to the extent implementing such tools outside a DAO is possible. 

What other best practices exist today within DeFi organisations and infrastructures that should be formalised into industry standards or regulatory obligations?

Many players in the programmable blockchain space already follow industry standards and best practices. We describe some of these below. The success of these standards and practices is in part due to the fact that they are industry-led, which ensures they are kept up-to-date and can dynamically respond to technological developments. They are developed by groups of responsible players that are incentivised to make the space safer and more accessible for everyone, to drive user adoption. Industry players are aware that compliance with best practices not only increases the likelihood of success of their project, but also increases the confidence of the general public in the blockchain space as a whole by reducing the likelihood of negative events relating to bugs and exploits. Given these inherent incentives and the nascent state of the programmable blockchain technology, we encourage authorities to carefully evaluate the costs and potential benefits of any measures that would hard wire industry best practices or standards into regulation.

Best practices with respect to software development include having a third-party code audit conducted before the software is released. ConsenSys specialises in this type of service through its Diligence offering. Diligence maintains a suite of blockchain security analysis tools and pairs up that service with in-person review of smart contract code by a qualified code auditor. Many players make the results of an audit publicly available, demonstrating how the issues found have been remedied, and have the code re-audited if applicable.

One example of industry-led initiatives in respect of smart contract auditing is the EEA EthTrust Working Group, which is part of the Enterprise Ethereum Alliance (EEA). The EEA brings together representatives from leading technological companies, smart contract auditors, financial institutions, consultancies, academic researchers, public authorities and others. The EEA EthTrust Working Group works on a technical standard for security review of smart contracts, with a first version published in August 2022.  The group is currently working on an updated version. The group has developed the EEA EthTrust Certification, which confirms that a smart contract has been reviewed and found not to have a defined set of security vulnerabilities. To grant the EEA EthTrust Certification, an auditor provides a conformance claim that the tested code meets the requirements of the specified security level for which it is certified. The Certification is available at three security levels, with each providing successively stronger assurance that a smart contract does not have specific security vulnerabilities. The optional Recommended Good Practices, if correctly implemented, further enhance the security of smart contracts. 

In addition, the EEA DRAMA Working Group was formed with the goal to develop and promote the use of common assessment criteria for risks involved in the use of DeFi protocols, to encourage mainstream acceptance and enterprise adoption. They have produced a survey on how the industry sees various risks in the area of DeFi in terms of importance. The ongoing results of that survey, alongside the group’s own expertise, is used to develop a discussion paper on the risks associated with DeFi that is intended to describe best practices for both risk assessment and mitigation. The paper is currently in an internal drafting phase and will be made available for public comment in the coming months.

Is there merit in regulating mining and validation activities in the UK? What would be the main regulatory outcomes beyond sustainability objectives?

No, directly regulating the validation of blocks in a permissionless, global blockchain network is not advisable because it will not serve desirable outcomes. Before we get into details of why that is the case, we wanted to note that our response will be limited to the validation of blocks on a blockchain employing a proof of stake consensus mechanism.

First, validators in any jurisdiction must abide by the protocol specifications that apply globally.  Should a particular jurisdiction institute requirements on validators that cause them to run code that is inconsistent with these specifications, then those validators are removed from the network.  The controls that they institute would thus not be able to impact any network activity, which presumably is what the controls were intended to affect in the first place. After those nodes are excluded from the network, other network participants would continue operating as if those nodes never existed in the first place.  

Second, even if such nodes did not get removed from the network, then any transactions that this cohort of validators would not process could be freely processed by any other validator that did not implement the same controls, presumably because it was located in another jurisdiction. Again, because the controls the particular jurisdiction enforced on its validators were not imposed network-wide, they do not have a meaningful effect on network activity.   

Third, it would be very hard to police such validator regulations in no small part because, through the simple use of widely available VPNs, one cannot tell a validator’s location of operations. Validators running in the regulated jurisdiction could avoid implementing regulations, and the regulating agency would have little ability to identify the noncompliance.    

Fourth, an attempt to regulate how the protocol-layer of the blockchain ecosystem works would be construed as a heavy-handed, antagonistic regulatory step that would undoubtedly chill industry interest in participating in the space from that jurisdiction. It would be directly at odds with any goal to become a globally-recognized leader in blockchain technology.   

As explained below, validation is a technical activity that, in itself, does not carry the risks that financial regulation traditionally seeks to address. We recognize that reducing money laundering is an important regulatory objective. But an attempt to mitigate illicit finance through direct regulation of validation would not create benefits that outweigh its costs, and would create a situation where all transactions, including those submitted by UK residents, would be largely if not entirely processed by validators in other jurisdictions. For more on proof of stake consensus in the Ethereum ecosystem, read here.

What do you think the most appropriate regulatory hooks for layer 1 staking activity would be (e.g. the staking pools or the validators themselves)?

As discussed above, validators run software that performs a critical data integrity function for the network that is purpose agnostic. They are therefore an inappropriate hook for financial regulation, and would also be a counterproductive tool because regulation would only serve to push blockchain infrastructure like validators into foreign jurisdictions where it would still be accessible to the jurisdiction’s users.

We note HMT’s suggestion in the consultation that some staking arrangements may qualify as a collective investment scheme (CIS). Staking offerings should not be classified as a CIS, unless the offering goes beyond the provision of technical activities and involves the exercise of discretionary managerial activities.

We include the definition of CIS at section 235 of FSMA below for reference:

“(235) In this Part “collective investment scheme” means any arrangements with respect to property of any description, including money, the purpose or effect of which is to enable persons taking part in the arrangements (whether by becoming owners of the property or any part of it or otherwise) to participate in or receive profits or income arising from the acquisition, holding, management or disposal of the property or sums paid out of such profits or income.

(2) The arrangements must be such that the persons who are to participate (“participants”) do not have day-to-day control over the management of the property, whether or not they have the right to be consulted or to give directions.

(3) The arrangements must also have either or both of the following characteristics—

  1. the contributions of the participants and the profits or income out of which payments are to be made to them are pooled;
  2. the property is managed as a whole by or on behalf of the operator of the scheme.”

This definition is widely drawn and is intended to cover a broad variety of schemes beyond traditional investment funds. Staking models that pool customers’ staked assets may be interpreted as satisfying the requirement at section 235(3)(a) of FSMA, but we think that interpretation is not correct.  

The requirement for profits or income to arise “from the acquisition, holding, management or disposal of the property” provides an important basis for excluding staking offerings from the scope of CIS. Staking does not involve an acquisition or disposal of property, and staking rewards do not arise from merely “holding” staked assets, even in custodial staking models. In our view, providing staking services cannot properly be described as “management” of staked assets either, unless the activities of the service provider are more akin to those of an asset manager than running software with predetermined functionalities. 

Management of assets implies an exercise of managerial efforts and discretion. This must be distinguished from services providing merely technical/administrative support with validation activities without a scope to exercise discretion or deviate from the predetermined constraints of the software. For example, the purely technical/administrative type of services automatically distributes any staking rewards generated by the protocol directly to stakers (minus a predetermined service fee). In the case of smart contract-facilitated liquid staking in particular, there is no scope for human discretion as the functionalities of the software suite are determined by smart contracts. 

This view is shared by James Burnie, Partner at law firm gunnercooke, in his article “What’s at stake? The legal treatment of staking” published in the October 2022 edition of the Butterworths Journal of International Banking & Financial Law and available here. We support Burnie’s analysis of CIS in the context of staking, and it is worth reproducing part of this analysis here. According to Burnie:

The breadth of the CIS definition is the biggest single hinderance to validator staking in the UK. It is also UK-specific and pre-dates the concept of proof-of-stake by 10 years. The question is therefore whether it is appropriate for validator staking arrangements potentially to fall within the definition of a CIS.

One principal purpose of the CIS regime is to regulate those arrangements which involve the exercise by managers of investment management decisions in respect of pooled assets aimed at generating wealth. In contrast, validators undertake valuable work (validation) and are rewarded for that work. Their decision making is limited to compliance (or otherwise) with specified, open-source and verifiable protocol rules. Validators do have discretion to engage in MEV related activities but this discretion could be limited through sub-contracting block-builders, contract or other technical MEV mitigation techniques. Where validator discretion is limited in a precise, transparent and openly verifiable way, it is not clear that the “management” element of validator staking poses the same (or equivalent) risk to investors as “management” in the sense of an investment management decision aimed at generating wealth.

Classifying staking arrangements as CIS would restrict access to staking for UK users who do not meet the conditions for participating in a CIS. This would go against the aim of democratising access to securing proof of stake networks. It would also burden staking providers with compliance costs, likely resulting in concentration of larger players at the expense of smaller providers. This would undermine the aim of ensuring the security of proof of stake blockchains through a vast, decentralised network of validators. As Burnie notes:

Validator staking involves the provision of valuable and important work for blockchain systems. Pooled validator staking arrangements potentially allow retail participants to contribute to the provision of this work and share in the rewards generated. This provides retail investors with an opportunity for exposure to a different type of risk than deposit accounts or schemes involving the investment of their assets. Pooled validator staking arrangements help to protect retail users through the reduction of technical/error risk and the reduction of concentration of penalty and slashing risk through the use of multiple validators.

Validator staking is a fundamental part of blockchain ecosystems and, if the UK is to become a global crypto-hub, it will be important to incentivise validators to use the jurisdiction of England and Wales. One option which could facilitate this is to introduce a new specific exemption to the CIS definition to allow for validator staking. Such an exemption could help to clarify and mitigate the types of risk that users take under a pooled validator staking arrangement, while incentivising validators – as some of the most important DeFi ecosystem participants – to base part or all of their operations in the UK.

We agree with this analysis and would encourage HMT to consider the above suggestion for an exemption to the CSI definition for validation activities. 

Respectfully submitted,

CONSENSYS SOFTWARE INC.

by/ 

Natalie Linhart

Shehram Khattak

Bill Hughes

30 April 2023

Footnotes
  1. It should be noted that analysis of web3 participation is not necessarily intended as synonymous with DeFi participation. Both terms are defined in varying manner, and both are often used synonymously, but we conceptualize DeFi as being one component of the web3 ecosystem. Analyses of web3 participation by users and developers should thus be understood as potentially being one step removed from analyses of DeFi specifically.
  2. This data, however, may not paint a completely accurate picture of DeFi participation. Just because a UK person may have an unhosted wallet does not necessarily mean they are using DeFi protocols, although there is some degree of correlation that could be relied upon to get some sense of DeFi usage. Additionally, wallet provider data will be impacted greatly by their collection method. Usage metrics are generally only collected if the wallet holder has specifically opted into sharing such information. Many users do not opt into sharing product-improving data, which is and absolutely should be their right.
  3. This does not mean to suggest that decentralised organisations need to operate without any human involvement. When the concept of decentralised autonomous organisations emerged in 2014, the main idea was to run organisations in a fully automated, human-independent manner. It was a response to the failures of the centralised systems, the lack of trust in powerful leaders and corporations, and the disappointment in existing governance mechanisms. Today, organisations are realising the need for a level of reliability and structure that is inspired by what some would consider “traditional”. The governance mechanisms currently used in the biggest DeFi protocols try to marry the openness and lack of centralisation with frameworks that make participants accountable. To achieve this, protocols introduce guilds or subDAOs that are responsible for management of different areas, including marketing, treasury, community growth, and grants. To become part of those groups, members of a DAO need to present their expertise by participating in the general community activities before being approved for the guilds. The more sensitive the topics the more walled the access to the guilds.

ConsenSys Comments on FSB’s DeFi Report and the FSB Recommendations on Cryptoassets

https://consensys.net/blog/news/consensys-comments-on-fsbs-defi-report-and-the-fsb-recommendations-on-cryptoassets/

On 16 February 2023, the Financial Stability Board (FSB) published a report assessing the vulnerabilities of decentralized finance and its interlinkages with traditional finance. The report also outlines plans for monitoring the evolution of decentralized finance (DeFi).

We welcome FSB’s work in analyzing the type and quantum of DeFi-specific risks. Following the publication of FSB’s proposed recommendations for the regulation of crypto-asset activities in October 2022, ConsenSys and other industry players pointed out that these recommendations should not apply equally to centralized finance (CeFi) and DeFi due to the different risks pertinent to each. In our view, the principle of “same activity, same risk, same regulation”, proposed by FSB in its October report, could lead to rules that are not fit-for-purpose and may be impossible to implement by DeFi players in practice. A better approach would be to focus on regulatory outcomes, which can be achieved not only through top-down regulation but also through self-regulation and technical innovation as this nascent ecosystem matures. Focusing on regulatory outcomes is also the approach that the UK has proposed.

In light of the findings in its recent DeFi report, the FSB plans to explore whether the recommendations published in October “need to be enhanced acknowledging DeFi-specific risks”. While this is a step in the right direction, in our view the recommendations should not be merely enhanced, but in some cases need to be fundamentally redrafted to make them suitable for DeFi. ConsenSys’ full response to the proposed recommendations is reproduced below. 

ConsenSys Software Inc. respectfully submits this letter in response to the Financial Stability Board’s (FSB) consultation on the proposed framework for the international regulation of crypto-asset activities, dated 11 October 2022. Our response covers questions 6, 7, 8 and 10 of the consultation. 

ConsenSys is the leading Ethereum software company. We enable developers, enterprises, and people worldwide to build next-generation applications, launch modern financial infrastructure, and access the decentralised web. Our software suite, composed of MetaMask, Infura, Quorum, Truffle, Codefi, and Diligence, is used by millions and supports billions of blockchain calls. Ethereum is the largest programmable blockchain in the world, leading in developer community, user activity, and business adoption. On this trusted, open source foundation, people around the world are building the digital economies and online communities of tomorrow.

As the FSB works on formulating its proposed recommendations, we encourage policymakers in all jurisdictions to pay attention to the innovation in the programmable blockchain ecosystem. This ecosystem not only offers the opportunity for economic growth but also the potential to make the internet more open, egalitarian, private, and secure.

We view this comment letter as an invitation to converse further regarding the ongoing development of Ethereum and other programmable blockchain ecosystems. We hope to engage with you in greater depth on the summarised points set forth below. We appreciate the opportunity to collaborate with you on the important task of bolstering innovation while mitigating the risks that new technologies may present. You may contact us at [email protected] at your convenience.  

ConsenSys’ response

Should there be a more granular differentiation within the recommendations between different types of intermediaries or service providers in light of the risks they pose? If so, please explain. (Question 10)

We strongly support a more granular differentiation between different types of intermediaries and service providers in light of the risks they pose. In our view, the differentiation should be done on the basis of (i) the type of risks posed, and (ii) the amount or severity of risks posed. In respect of both points, a distinction should be drawn between what is commonly referred to as Centralised Finance (CeFi) and Decentralised Finance (DeFi). The Consultative Document does not seem to make this distinction. 

(I) Differentiation based on the type of risks posed

There are different types of risks pertaining to DeFi and CeFi, as discussed in the recently published report commissioned by the European Commission and written by Prof. Tarik Roukny. In his report, Roukny identifies distinct features of DeFi and how it differs from traditional finance. CeFi (as this term is often used to identify centralised crypto exchanges, custodians, and centralised trading platforms, among others) has many of the features of traditional finance mentioned below, with the key feature being the existence of a centralised intermediary. Roukny identifies the following unique features of DeFi:

  • “Universal access: No single entity has authority to bar entry of any participant. This applies to all sides of a financial service including users, developers, validators, etc. Traditional financial services which require screening of customers or licensing of service providers.
  • Transparent and deterministic rules: Contracts and infrastructures supporting DeFi solutions are coded in public and autonomous scripts (i.e. smart contracts). This feature contrasts with traditional finance where contracts can be private and rules subject to arbitrary decisions.
  • Non-custodial services: Holders of crypto-assets in a DeFi process have full control over the treatment of their assets once they are associated with holders’ public addresses. This feature contrasts with the traditional use of custodial services by financial intermediaries to manage their clients’ portfolios.
  • Interoperable and composable protocols: DeFi protocols can be combined and interfaced at will to generate new solutions. The capacity to freely interoperate digital services and seamlessly interface protocols is intrinsic to the open and public nature of DeFi protocols. This feature is inherited from the legacy of open source systems in computer science. As such, there is no direct mirror of such a dynamic in the traditional financial system.”

These differences mean that the risks present in traditional finance and CeFi may not be present in DeFi, which may make rules that would be appropriate for the former unsuitable for DeFi. On the other hand, DeFi poses distinct risks that rules modelled on traditional financial regulation may not adequately address. We discuss below some of FSB’s recommendations that may need to be adapted.

Same activity, same risk, same regulation (recommendation 2)

The “same activity, same risk, same regulation” approach must be applied carefully. We caution against applying the same rules to CeFi and DeFi activities that are, at first sight, similar, but function differently and pose different risks to markets, consumers and financial stability. For example, trading through an account with a centralised exchange is very different from connecting a self-custodial wallet to and exchanging assets through an automated market maker (AMM). The former involves risks relating to human error, mismanagement or wrongdoing by representatives of the centralised exchange (such as fraud, theft, loss of assets, conflicts of interest). These risks are less relevant, if at all, to trading through an AMM. This is partly thanks to decentralised governance, as discussed below.

Governance framework (recommendation 4)

In respect of recommendation 4, we caution against advising authorities to “require compliance with rules and regulations for effective governance irrespective of the structures of activities and technology used to conduct the crypto-asset activities”. The emergence of new structures means that regulations should be expanded to cover them, rather than restricting them through regulation that is not adapted to such structures. 

Having “clear and direct lines of responsibility and accountability, clear definition of the roles and responsibilities of the management body and the decision-making process” is a step in the right direction, however it needs to be understood that the traditional ‘one position-one person’ or the “leadership body” do not exist in decentralised projects. While we acknowledge that some projects are ‘decentralised in name only’, we disagree with the suggestion that decentralisation is only ‘useful’ as a way to frustrate the identification of a responsible entity or for regulatory arbitrage. If done properly, decentralised projects have greater transparency and more dynamic adaptation to poorly performing members compared to centralised entities. As a matter of fact, the nature of governance has been evolving for much longer, due to the pressure of globalisation, digital environments, and technological specialisation moving to systems much more distributed, horizontal, and ultimately – decentralised. 

Indeed, when the concept of decentralised autonomous organisations emerged in 2014, the main idea was to run organisations in a fully automated, human-independent manner. It was a response to the failures of the centralised systems, the lack of trust in very powerful leaders and corporations, and the disappointment in the existing governance mechanisms. While, initially, the proponents of DAOs and distributed ledgers were very libertarian, advocating for no governance, today organisations are realising the need for a level of reliability and structure that is inspired by what some would consider “traditional”. The governance mechanisms currently used in the biggest DeFi protocols try to marry the openness and lack of centralisation with frameworks that make participants accountable. To achieve this, protocols introduce guilds or subDAOs that are responsible for management of different areas – marketing, treasury, community growth, grants, etc. To become part of those groups, members of a DAO need to present their expertise by participating in the general community activities before being approved for the guilds. The more sensitive the topics the more walled the access to the guilds.

One of the biggest benefits of decentralised governance, from a regulatory perspective, is the transparency of decision making. Each protocol has a defined proposal process which has to be followed by anyone who wants to suggest an improvement. The discussion is kept public, through forums and mailing lists, so that at any point in time the reasons for making the decision are retractable. For lower impact votes, tools like snapshot.org are utilised. Members of the organisation have to connect their self-custodial wallet to prove they have voting rights, and votes are recorded on the platform. For high impact votes, usually there are a few stages of making a decision – first “temperature checks” using a snapshot, then (provided there is a clear agreement in phase 1) using on-chain voting tools. These record every vote on the distributed ledger, making that entry immutable, transparent and visible to everyone. This process has the potential to provide better auditability than traditional organisational structure with boards of directors making decisions behind closed doors. 

The decisions are rarely immediately executed for two main reasons. One, it gives an opportunity to people who disagree with the decision to leave the protocol (sell their governance tokens and leave the community). Two, it prevents attacks whereby a malicious actor manipulates the community to make a bad decision and uses the time pressure to implement that decision. Decentralised governance is characterised by a great degree of caution and planning for the worst case scenario. 

Next, decentralised governance is not a binary state. Most often we talk about a progressive decentralisation. To quote a paper by one of the leading researchers in the industry “[it is] a process in which founding teams relinquish control by degrees, over time. Doing so step-by-step allows teams to focus and creates a path toward regulatory compliance, including issuing tokens that hopefully will not run afoul of securities regulations”. The reason behind progressive decentralisation is to enable the community to learn how to do governance, slowly opening more sensitive topics to a public vote. Any potential regulation should be flexible enough to allow for a governance framework that changes over the course of the project.

Moreover, decentralised governance may encourage longevity and successful continuance of a project. The evolution of a protocol is driven by many people, so it is not reliant on a single founder or a small leadership group, and allows for a flow of contributors in and out. This also brings greater diversity of voices and gives an opportunity for newcomers to spot bad behaviour or poor governance design. From a regulatory perspective, this brings challenges in terms of identifying who is “in the community”, but long term it brings better outcomes for participants and introduces an extra level of control. 

Finally, as FSB points out and as evident from recent events, there have been projects that claimed to have decentralised, autonomous governance, but in practice were run by a small group of publicly known “leaders” that had a disproportionate influence over the project. Insufficient decentralisation made wrongdoing easier to conduct and cover up; in contrast, a properly auditable track of votes, decisions and a community driven model could have prevented malicious actions.

The industry is still grappling with the question of what constitutes “sufficient” decentralisation. The insufficient decentralisation that we observe today comes from numbers – there are not enough members in decentralised projects who actively participate in the governance. A project is not decentralised when it has a 10 or 20 people committee that participates in each vote. It is only when we reach numbers in the 100’s that the promise of decentralisation is delivered. One of the reasons for lack of participation is lack of clarity as to the potential legal liability of people participating in governance votes.

In this respect, we would like to note the approach taken by the European Union (EU) in the Markets in Crypto-Assets Regulation (MiCA). According to Recital 12(a), MiCA “applies to natural, legal persons and other undertakings and the activities and services performed, provided or controlled, directly or indirectly, by them, including when part of such activity or services is performed in a decentralised way.” Based on our interpretation, MiCA will apply if there is a clearly identifiable party, which could be the case for projects that are “decentralised in name only”, but will not apply to projects that are in fact decentralised. The implementation and enforcement of MiCA will be key to providing guidance on the scope of its application. National competent authorities should assess the level of decentralisation on a case by case basis and take a proportionate approach to enforcement, so as not to discourage people from participating in governance voting.

Effective risk management framework (recommendation 5)

The above discussion is also relevant to recommendation 5. An effective risk management framework enhances user confidence, and many DeFi protocols already have some form of risk management in place. However, we caution against overly prescriptive rules requiring a specific form of framework modelled on risks pertinent to centralised entities. These risks typically relate to the existence of insider actors, potential abuse of power, and information asymmetries, all of which are less present (if at all) in DeFi.

On the other hand, given the non-custodial nature of DeFi projects, users have fewer avenues to recover lost funds in case of a technical failure of the protocol compared to claiming losses against a centralised entity. A risk management framework for DeFi should therefore focus on reducing risks of hacks and bugs. Best practices with respect to software development, already applied by responsible actors in the space, include having a third party code audit conducted before the software is released. ConsenSys specialises in this type of service through its Diligence offering. Diligence maintains a suite of blockchain security analysis tools and pairs up that service with in-person review of smart contract code by a qualified code auditor. This service has been increasingly popular among smart contract developers who wish to avoid vulnerabilities, employ mitigation best practices, model possible threats, and test their software before it is published. The Diligence team has worked on projects for many of the most notable names in the blockchain developer community, such as Uniswap and Aave. Industry-led solutions like software auditing will play an important role in keeping blockchain network users safe from hacks and bugs.

DeFi projects should also analyse their interdependencies with third-party actors, such as oracles. In this respect, we encourage FSB to consider Prof. Roukny’s suggestions for supporting a stable and efficient development of oracle services.

Data and disclosures (recommendations 6 and 7)

As explained above, one of the advantages of open source programmable software is transparency – the ability to see what is happening in real time on the blockchain network. However, we acknowledge that only technically-proficient parties are able to analyse on-chain data in a way that would be useful for auditing and monitoring purposes. We would encourage the FSB and the relevant national authorities to not only look at top-down regulatory initiatives, but also cooperate with the industry to find ways to leverage the potential of blockchain data in a way that would enhance transparency of activities conducted on blockchain networks.

Similarly, while open source code that underpins DeFi protocols or other blockchain applications can in theory be read and verified by anyone, in practice few users have the technical capabilities to do so. FSB’s proposal to make available information about the functionality and risks of software “in an understandable manner for the intended audiences” would enhance user confidence and enable users to make informed decisions. 

(II) Differentiation based on the magnitude/severity of risks posed

We support FSB’s emphasis on applying the recommendations proportionately to the risk, size, complexity and systemic importance of the given service provider. To adhere to this principle, we encourage a more granular differentiation between the different types of service providers both during the legislative process and during implementation.

The programmable blockchain ecosystem is characterised by a large number of individual developers, or small groups of developers, innovating and spinning out new projects quickly. Programmable blockchains like Ethereum allow anyone to write and publish code that is accessible to anyone else in so long as they have access to the blockchain network and the ability to compose and transmit on-chain transactions. In recent years, the increase in blockchain software development, as reflected in the number of developers committed on platforms such as Github to solve particular programming problems, has been notable. According to one analysis published at the end of 2021, over 18,000 monthly active developers were working on blockchain programming projects, with over 34,000 new developers migrating to the blockchain ecosystem in 2021.

This trend is also something that ConsenSys is working hard to bolster by offering software platforms that permit developers to innovate new tools that can be shared with an increasingly broad user base. While the ConsenSys offering MetaMask is recognized as the world’s most popular Ethereum self-hosted wallet, few recognize that it is as much a developer platform as it is a client-side key management solution. The clearest expression of this is the release of MetaMask Flask, which is an experimental MetaMask application that allows developers to create new features that can be tested and refined before offering to the public more broadly. The first feature offered through Flask is the Snaps system, which allows developers to create their own programs that expand the functionality of the wallet. ConsenSys is not alone in working to bolster developer engagement and productivity. Examples abound of a thriving developer ecosystem where brilliant minds from all over the globe are tackling the novel problems presented by a nascent technology.

Products and services that result from this innovative process must not be constrained by burdensome compliance requirements that smaller projects might not have the resources to comply with. This could lead to crowding out smaller players and strengthening the position of established centralised entities, at the expense of innovation. 

The crypto industry as a whole has suffered intense market stress over the past six months. The collapse of numerous centralised players has fleshed out the risks associated with lack of supervision over centralised issuers and providers of crypto asset services. These risks are already well understood and defined in FSB’s consultative document. Further, authorities already have experience with regulating centralised players and financial intermediaries in traditional finance.

In contrast, as demonstrated in our response, risks relating to programmable blockchain and DeFi are novel, less understood, and cannot be addressed by a ‘one size fits all’ regulatory approach. In our view, the most effective way to safeguard financial stability and protect users would be to focus, as the first step, on the risks posed by centralised issuers and providers of crypto asset services (including players that are ‘decentralised in name only’). The EU has rightly included a carve out for decentralised projects in MiCA, and has rightly recognised the need to examine the programmable blockchain ecosystem in more detail before consulting on potential regulation affecting it. We encourage FSB and national authorities to follow the same approach.

Finally, we note DeFi is currently a fraction of CeFi in terms of its size and interconnectedness to the traditional financial system. These two factors alone suggest that authorities should prioritise addressing financial stability risks posed by CeFi.

Have the regulatory, supervisory and oversight issues and challenges as they relate to financial stability been identified accurately? Are there other issues that warrant consideration at the international level? (Question 8)

We would like to focus on section 3.4 (Risk management related to wallets and custody services). MetaMask specifically is one of the most broadly used self-custodial wallets in the world by both web3 developers and users. It is open-source software that can be downloaded from the Apple or Google app stores and run locally as either a mobile application or a browser extension. The software is maintained by a development team at ConsenSys and also supported by a global community of developers and designers who wish to democratise access to the decentralised web.   

As FSB points out, the risks relating to use of self-custodial wallets are two fold. First, as FSB notes, “only the users themselves can access or recover their private keys. In general, users are responsible for maintaining their own wallets.” This responsibility carries with it a risk of loss or theft of private keys due to actions on the part of the user. Despite our ongoing commitment to the security of MetaMask users, scammers and other online criminals continue to target users through a variety of schemes. The MetaMask team has extensive educational materials and FAQs drafted to guide MetaMask users through smart and safe use of the wallet.  ConsenSys has also partnered with Phishfort, a third-party anti-phishing solution, so that phishing threats against MetaMask users are identified and taken down.

MetaMask developers and Ethereum developers more broadly recognize these threats and believe it is important to mitigate them not only through vigorous law enforcement but also through technology. For example, Ethereum community developers have since 2016 considered ways to separate the account from the private key, whereby having the latter stolen did not necessarily mean that the former would be also. This concept has been referred to as account abstraction. ConsenSys remains at FSB’s disposal to provide further details on this technology. 

It is widely recognized that the current system, which is entirely dependent on public-private key pairs and is thus highly vulnerable to user predation, faces a real challenge to achieving its aim of scaling to billions of people with ease. The innate incentive for the Ethereum community to improve security should give pause to any well meaning regulator who might otherwise think the sole solution lies with new statutes, regulations, or administrative guidance.  

Scams and phishing attacks can be devastating for affected individuals. However, as each user stores their private keys on their own device and no centralised entity has access to those keys, the effects of scams and phishing schemes tend to be isolated and are unlikely to pose broader financial stability risks.

Second, FSB points out the risk of the wallet software being disrupted by a cyber incident. Security is critical for MetaMask to be a powerful and reliable tool for both developers and users. Its code has been audited by security experts and independent researchers, and the audit reports are publicly available. The MetaMask team at ConsenSys sponsors a bug bounty program that rewards volunteers who report vulnerabilities so they may be patched. We are also investing in novel research and development into new security technologies with applications far beyond our ecosystem, such as LavaMoat. Technical risks relating to the quality of software or a technical product currently are not, and should not be, addressed through regulation. Any potential losses resulting from cyber incidents affecting unhosted wallet software should be resolved between the parties according to the terms and conditions of the software provider. 

Does the report accurately characterise the functions and activities within the crypto ecosystem that pose or may pose financial stability risk? What, if any, functions, or activities are missing or should be assessed differently? Do you agree with the analysis of activity patterns and the associated potential risks? (Questions 6 and 7)

The list of activities is generally complete and accurate. However, we would like to comment on the following aspects of Annex 1 (Essential functions, risks and relevant international standards).

Software developers

We respectfully object to referring to software developers as “service providers” in the consultative document. Further, referring to software development as one of the crypto activities that might need to be regulated alongside activities such as custody or provision of a centralised trading platform is inappropriate. A clear distinction must be drawn between the development of the underlying technology that supports a product or service, and the actual product or service that is offered to the public. The former is typically not regulated in any sector at the moment, as it does not represent inherent risks (subject to limited exceptions, mainly for technologies that have the potential to cause non-financial harm, such as certain weapons). Only when the underlying technology is used to build a product or service that is offered to the public do we need to consider any potential risks relating to such offering. 

For example, the internet infrastructure that powers https websites is not constrained by legal or regulatory rules, while an online marketplace leveraging that infrastructure might be. Similarly, publishing a piece of open-source code that may be used to create blockchain-powered products or services must be distinguished from what is actually offered to and used by the public. A contrary proposition might give rise to concerns among software developers that, by developing and publishing code, they will breach some inconspicuous regulatory rules and be exposed to legal liability. Such concerns would have a chilling effect on developers’ willingness to innovate and develop the blockchain ecosystem.

Unhosted wallets

In respect of the provision of self-custodial wallets, FSB correctly notes that “there is no corollary in traditional finance”. However, we respectfully disagree with FSB’s qualification that self-custodial wallets “have some resemblance to broker dealer, money transmission, [or] depository”. MetaMask is essentially a piece of software that encrypts the private keys leading to the part of the Ethereum blockchain where the owner’s funds are held (an “externally owned account” on the Ethereum blockchain), and temporarily decrypts the private keys when the owner signs a transaction. In other terms, it is a user interface that permits users to access and execute transactions using their account.  

The direct interaction with the blockchain makes use of self-custodial wallet software fundamentally different from a broker, which executes transactions on behalf of a client, or a money transmitter, which takes customers’ funds and sends them on their behalf. A depository institution takes control of and safeguards clients’ funds, and may also be authorised to use clients’ funds for internal purposes such as lending to other clients. A self-custodial wallet is fundamentally different in that only the holder of the private key may access the funds; the software wallet provider has no access to users’ funds.

Staking

In respect of providers of Staking-as-a-Service and Delegated Proof of Stake, we agree with FSB’s assessment that there is “no direct corollary in traditional finance”, but respectfully disagree that these providers “can resemble issuers (e.g., of interests in a pooled vehicle or other investment opportunity)”. In our view, the key difference lies in the way revenue is generated through staking. Staking as a Service or Delegated Staking providers do not issue the tokens constituting staking rewards. The tokens are generated by the protocol during the validation process. Validation entails running code that verifies new transactions do not violate rules of the blockchain protocol and are consistent with its transaction history. 

Custody

The description of “provision of custodial (hosted) wallet and custody services” includes DeFi protocols among “custody service providers” on the basis that they “manage users’ cryptoassets or information about their interests in crypto-assets using smart contracts that pool users’ crypto-assets, typically as part of DeFi protocol offering exchange or lending activities.” Depositing tokens into a smart contract (e.g. a liquidity pool in an AMM) should not necessarily be treated as custody. This would be an undue extension of the concept and against the parties’ expectations. The governance of the protocol would need to be examined on a case by case basis to determine whether there is an individual or entity that retains an “administrative key” to that smart contract, and the potential level of control over users’ assets while they are deposited in the smart contract.

Respectfully Submitted,

CONSENSYS SOFTWARE INC.

by:

Natalie Linhart, William C. Hughes