Lessons From Recent Regulatory Enforcement Actions Against DeFi Applications and DAOs
The relationship between regulatory know-your-customer (“KYC”) obligations and decentralized finance (“DeFi”) applications is complicated. On one hand, the burgeoning Web3 ecosystem seeks to democratize commerce and increase privacy by placing control over functionality, movement of value, and data in the hands of the user, without any intermediaries. On the other hand, regulators, including the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) and the Commodity Futures Trading Commission (“CFTC”), have signaled a readiness to hold DeFi applications responsible for KYC obligations and accountable for the transactions that flow through them.
Recent enforcement actions against DeFi applications have made it increasingly clear that regulators are treating these applications like traditional financial services providers, disregarding the application’s claimed decentralization, and analogizing decentralized autonomous organizations (“DAOs”) to centralized finance structures.
DeFi Applications and Their DAOs
DeFi is an umbrella term for financial services deployed on, and accessible via, public blockchains. DeFi applications enable users to engage in a range of financial services through “smart contracts,” programs that self-execute transfers of value on the blockchain when pre-established conditions are met. Once a smart contract is deployed, its code generally cannot be altered (unless it was built with an upgrade mechanism). Proponents of DeFi argue that nobody controls the application because it executes automatically according to the user’s instructions, and that the application is therefore merely software residing on a public blockchain such as Ethereum.
DeFi services frequently claim to operate autonomously, without the support of a central company, group, or person. In practice, many DeFi protocols establish governance either through pre-established rules or by relying on a controlling organization, such as a DAO. Employing a DAO concentrates ownership or governance rights in the holders of governance tokens (digital assets that represent a right to participate in the organization’s governance), who vote on proposals to implement within the application. This structure can provide a measure of centralized administration or governance over the application, and U.S. regulators have identified it as a point of leverage for assigning regulatory responsibility.
Regulators Are Treating DAOs as Responsible for Smart Contracts
In August 2022, OFAC sanctioned Tornado Cash, a virtual currency mixer that had been used by malicious actors, including North Korean hackers, to launder the proceeds of illicit cyber activity. Because Tornado Cash operated automatically and autonomously on the Ethereum network using smart contracts, it was unclear what, exactly, OFAC had sanctioned: the smart contract code itself, or some unidentified group of persons that OFAC believed constituted the “entity” called Tornado Cash and controlled the resulting smart contract code.
Members of the blockchain industry argued that OFAC had exceeded its authority because Tornado Cash is just code, not an entity or group of people subject to sanctions. In November 2022, OFAC redesignated Tornado Cash, clarifying that it constituted a “person” for purposes of OFAC’s sanctions authority as defined in Section 6(a) of Executive Order 13694. In FAQ 1095, OFAC explained that Tornado Cash had an organizational structure (the DAO) because the DAO handled voting on and implementation of new features created by the developers. OFAC added that Tornado Cash’s individual founders, developers, DAO members, users, and other persons involved in supporting Tornado Cash had not themselves been designated at that time. This naturally raises the question: other than these exempted people, who is left to sanction?
OFAC’s reasoning for designating Tornado Cash as a “person” closely follows the CFTC’s complaint against Ooki DAO, filed in September 2022. In its complaint, the CFTC named Ooki DAO (formerly bZx DAO) as the defendant, even though bZeroX designed, deployed, marketed, and made solicitations about the decentralized application. The CFTC defined Ooki DAO as an unincorporated association comprised of holders of OokiDAO Tokens who vote those tokens to govern (e.g., to modify, operate, market, and take other actions regarding) the Ooki Protocol.
For the foreseeable future, regulators are likely to continue defining DAOs as unincorporated entities because doing so aligns with the traditional structure of centralized decision making. As the Department of Justice has put it, although DAOs aim to operate in a decentralized manner, the decentralized services are often “decentralized more in name than in fact.”¹
The Novel Theories Underlying These Actions Present Increasing Risks for DAO Participants
A DAO thus carries the risk of being named in a lawsuit, which raises a practical question: who should, or will, show up to defend the application in court, and who might be pulled unwittingly or unwillingly into the litigation?
Only a few states, Wyoming and Vermont among them, have formally recognized a DAO as a legal entity with limited liability. Because DAOs are rarely incorporated, they carry the risk of being characterized as a general partnership, an argument recently advanced by private plaintiffs in civil litigation.²
The Uniform Partnership Act defines a general partnership as an association of two or more persons to carry on as co-owners a business for profit. A DAO could be found to be a general partnership because it is an association of governance token holders (founders, investors, and users alike) who participate in governance decisions by voting on proposals and then executing and implementing the outcomes of those votes, sometimes automatically and autonomously on the blockchain. These collective acts of voting and then implementing the approved proposals can be used to show an association of persons carrying on as co-owners of a business.
Under general partnership principles, partners can be held personally, and jointly and severally, liable for the partnership’s actions and debts. In other words, a general partnership does not shield its participants from personal liability. If a DAO is characterized as a general partnership, its token holders (i.e., its “partners”) could be exposed to personal liability for the application’s actions and debts, including the transactions that occur through its smart contracts, even if a given token holder took no part in the particular transaction executed by the DeFi application or in the decision made by the DAO.
U.S. regulators will likely continue to use this legal theory to hold DeFi applications responsible, and their related DAOs accountable, for failing to implement processes to identify customers or for unlawful activity attributed to the applications or DAOs. And because general partnership principles appear poised to apply to the DAO as the controlling entity behind transactions that run through a DeFi application, those who participate in an unincorporated DAO, whether they voted for or against a proposed change or did not vote at all, may be held personally liable for the debts, activities, and judgments against the application.
¹ U.S. Department of Justice, The Report of the Attorney General Pursuant to Section 5(b)(iii) of Executive Order 14067: The Role of Law Enforcement in Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets (justice.gov).
² Sarcuni et al. v. bZx DAO et al. (S.D. Cal., filed May 2, 2022).