This is Part 1 of our "DeFi Compliance" series — exploring how regulators are drawing the line between truly decentralised protocols and entities that must comply with AML/CFT obligations.
The question of whether decentralised finance falls within the regulatory perimeter is no longer theoretical. With MiCA fully in force, FATF guidance evolving, and enforcement actions targeting DeFi-adjacent entities, the answer is becoming clearer — and it is not the blanket exemption that many in the industry hoped for. The reality is nuanced: some DeFi is in scope, some is not, and the boundary depends on the degree of centralisation.
This article examines the legal frameworks that determine whether a DeFi protocol, front-end, or governance token holder has regulatory obligations — and what compliance teams need to do when the answer is yes.
MiCA Article 22: The "Fully Decentralised" Exemption
MiCA Recital 22 states that crypto-asset services provided in a "fully decentralised manner without any intermediary" should not fall within the scope of the regulation. This single sentence has generated more legal debate than perhaps any other provision in MiCA.
The critical phrase is "fully decentralised." MiCA does not define what this means, but the European Commission and ESMA have indicated that the test is functional, not structural. The key questions are:
- Is there an identifiable entity or person that deploys, maintains, or controls the protocol?
- Can any party unilaterally modify the protocol's core parameters (fees, access controls, smart contract upgrades)?
- Does a front-end interface curate, filter, or facilitate access to the protocol in a way that constitutes a service?
- Does a governance token concentrate decision-making power in a small group of holders?
- Does an identifiable entity profit from the protocol through fees, token allocations, or other mechanisms?
If the answer to any of these questions is yes, the protocol — or more precisely, the entity performing these functions — is likely providing a crypto-asset service within the meaning of MiCA and must obtain authorisation as a CASP.
The Practical Test
MiCA does not regulate protocols — it regulates entities providing services. A smart contract on Ethereum cannot hold a licence. But the company that deployed it, maintains its front-end, collects fees, and holds admin keys almost certainly needs one. The exemption is for truly permissionless, autonomous code with no identifiable operator — a standard that virtually no major DeFi protocol meets today.
FATF Guidance: The "Owner/Operator" Test
The Financial Action Task Force addressed DeFi in its Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs (October 2021). FATF's position is more explicit than MiCA's:
A DeFi arrangement — regardless of how decentralised it claims to be — has an owner/operator if there is a person or entity that:
- Exercises control or sufficient influence over the protocol
- Maintains an ongoing business relationship with users
- Profits from the service being provided
Where an owner/operator exists, that person or entity is a VASP and must comply with FATF Recommendations, including Recommendation 15 (licensing/registration), Recommendation 10 (CDD), and Recommendation 16 (the Travel Rule).
FATF specifically warns against attempts to avoid regulation through structural design: "Creators, owners and operators who maintain control or sufficient influence over the DeFi arrangements may fall under the FATF definition of a VASP, even if the software is ostensibly decentralised."
The "Sufficient Influence" Spectrum
FATF acknowledges that decentralisation exists on a spectrum. At one end: a fully autonomous smart contract with immutable code, no admin keys, and no identifiable deployer. At the other: a protocol with upgradeable contracts, an admin multisig controlled by a known team, a for-profit foundation, and a branded front-end — which is, functionally, a centralised service with decentralised infrastructure.
Most major DeFi protocols fall somewhere in the middle — and regulators are increasingly comfortable applying VASP obligations to entities in this grey zone.
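The structural end of this spectrum (immutable code, admin keys, upgradeable contracts) can be checked on-chain. The following is an added example, not code from the article or from any of the protocols it names: it reads the two standard EIP-1967 proxy storage slots from a constructed, offline chain snapshot and maps the result onto the article's three tiers. On a live chain the same values come from `eth_getCode` and `eth_getStorageAt`; the addresses, bytecode stubs and the `KNOWN_ENTITIES` label map are constructed placeholders, and the tier mapping is a simplification of the legal test, not a substitute for it.

```javascript
// Added example (not the article's code): structural decentralisation indicators
// read from a constructed chain snapshot. Slot constants are the standard EIP-1967
// values (keccak256("eip1967.proxy.implementation") - 1 and ...".admin") - 1).
const EIP1967_IMPLEMENTATION_SLOT =
  "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc";
const EIP1967_ADMIN_SLOT =
  "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103";
const ZERO_WORD = "0x" + "0".repeat(64);

// Build a constructed 20-byte address from a repeated hex pair, e.g. addr("a1").
const addr = (pair) => "0x" + pair.repeat(20);
// Left-pad an address into the 32-byte word the EVM stores in a slot.
const addressWord = (a) => "0x" + "0".repeat(24) + a.slice(2);

// Constructed snapshot: address -> { code, storage }. All values hypothetical.
const SNAPSHOT = {
  // (1) Immutable single-function contract: no proxy slots set, no admin.
  [addr("a1")]: { code: "0x6080604052", storage: {} },
  // (2) Upgradeable proxy whose admin is a labelled team multisig.
  [addr("b2")]: {
    code: "0x363d3d37",
    storage: {
      [EIP1967_IMPLEMENTATION_SLOT]: addressWord(addr("c3")),
      [EIP1967_ADMIN_SLOT]: addressWord(addr("d4")),
    },
  },
  [addr("c3")]: { code: "0x6080604052", storage: {} }, // implementation
  [addr("d4")]: { code: "0x6080604052", storage: {} }, // multisig (has code)
  // (3) Upgradeable proxy whose admin is a contract nobody has attributed.
  [addr("e5")]: {
    code: "0x363d3d37",
    storage: {
      [EIP1967_IMPLEMENTATION_SLOT]: addressWord(addr("c3")),
      [EIP1967_ADMIN_SLOT]: addressWord(addr("f6")),
    },
  },
  [addr("f6")]: { code: "0x6080604052", storage: {} },
};

// Constructed stand-in for an entity attribution database.
const KNOWN_ENTITIES = { [addr("d4")]: "Example Labs team multisig" };

function assessContract(snapshot, address, knownEntities) {
  const account = snapshot[address];
  if (!account || !account.code || account.code === "0x") {
    throw new Error(`no contract code at ${address}`);
  }
  const implWord = account.storage[EIP1967_IMPLEMENTATION_SLOT] ?? ZERO_WORD;
  const adminWord = account.storage[EIP1967_ADMIN_SLOT] ?? ZERO_WORD;

  const upgradeable = implWord !== ZERO_WORD;
  const adminAddress = adminWord === ZERO_WORD ? null : "0x" + adminWord.slice(-40);
  // An admin with no code is an externally owned account: a single key holder.
  const adminIsEoa =
    adminAddress !== null && (snapshot[adminAddress]?.code ?? "0x") === "0x";
  const adminEntity = adminAddress ? knownEntities[adminAddress] ?? null : null;

  // Map onto the article's tiers (a simplification of the legal analysis).
  let tier;
  if (!upgradeable && adminAddress === null) {
    tier = "potentially-exempt"; // immutable code, no admin key
  } else if (adminEntity !== null || adminIsEoa) {
    tier = "likely-in-scope"; // an identifiable party holds control
  } else {
    tier = "grey-zone"; // control exists but is not attributed to anyone
  }
  return { address, upgradeable, adminAddress, adminIsEoa, adminEntity, tier };
}

// Usage: assessContract(SNAPSHOT, addr("b2"), KNOWN_ENTITIES).tier -> "likely-in-scope"
```

Two caveats worth keeping in mind when using a check like this: a contract can be upgradeable through patterns other than EIP-1967 (a custom `owner` slot, a diamond, a beacon), so a clean result on these two slots is evidence, not proof, of immutability; and the "identifiable operator" half of the test is an attribution question that no storage read answers, which is why the label map is an input rather than something the code derives.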
The Decentralisation Spectrum: Where Do Major Protocols Fall?
To make this concrete, consider how major DeFi categories map against the decentralisation test:
Likely In Scope
- DEXs with branded front-ends and fee switches — Uniswap Labs (the company) operates uniswap.org, collects front-end fees, and has implemented address screening. The protocol is permissionless, but the front-end is a service. (See Part 2 of this series for detailed analysis.)
- Lending protocols with governance tokens and treasuries — Aave, Compound, and MakerDAO have identifiable governance structures, foundations, and teams. Governance token holders vote on risk parameters, fee structures, and protocol upgrades.
- Cross-chain bridges with operator sets — most bridges rely on a known set of validators or multisig signers. The entities operating these validator sets are likely providing a transfer service under MiCA.
- Yield aggregators — protocols like Yearn Finance that actively manage strategies, deploy vaults, and charge performance fees are clearly providing a portfolio management service.
Grey Zone
- DAOs with distributed governance — where no single entity controls the protocol, but governance tokens are concentrated among a small group of holders who effectively control protocol decisions
- Immutable protocols with active communities — protocols with renounced admin keys but active development teams building front-ends, tooling, and marketing
Potentially Exempt
- Fully immutable, permissionless protocols with no admin keys, no upgradeable contracts, no identifiable operator, and no front-end controlled by an identifiable entity. Examples are rare and typically limited to simple, single-function contracts.
Enforcement Signals: Regulators Are Not Waiting
While the legal frameworks are still being refined, enforcement agencies have already taken action against DeFi-adjacent entities:
- OFAC vs. Tornado Cash (August 2022) — OFAC sanctioned the Tornado Cash smart contracts themselves, designating 45 Ethereum addresses. The subsequent arrest and conviction of developer Alexey Pertsev in the Netherlands confirmed that protocol developers can face criminal liability for facilitating money laundering, even if the protocol is "decentralised."
- SEC Liquid Staking Guidance (August 2025) — in a notable counterexample, the SEC's Division of Corporation Finance issued a statement clarifying that liquid staking tokens (including Lido's stETH) do not constitute securities. The reasoning: staking receipt token holders do not rely on "entrepreneurial or managerial efforts" of others. This provides a rare bright line — but applies only to staking mechanics, not to broader DeFi governance or trading activities.
- CFTC enforcement actions — the CFTC has brought multiple actions against DeFi protocols for offering unregistered derivatives, including bZx/Ooki DAO, where the agency held individual DAO governance token holders personally liable.
The pattern is clear: regulators view "decentralisation" as a factual question about control, not a legal shield based on technical architecture.
Key Enforcement Lesson
The Tornado Cash and Ooki DAO cases established two precedents: (1) deploying or maintaining a protocol used for illicit purposes can create criminal liability, and (2) participating in governance of a protocol can create personal regulatory obligations. "Code is law" is not a defence in any jurisdiction.
How BlockchainAnalysis Helps DeFi-Adjacent Businesses
If you operate a DeFi front-end, manage a protocol treasury, or run a DAO with identifiable governance, you likely have compliance obligations — even if the underlying smart contracts are permissionless. The question is not whether to comply, but how to implement proportionate controls given the technical constraints of decentralised infrastructure.
BlockchainAnalysis provides the on-chain intelligence layer that makes this possible. Our wallet screening API can be integrated into DeFi front-ends to screen connecting wallets in real time — identifying sanctioned addresses, mixer exposure, and high-risk counterparties before they interact with your protocol. Our entity database of 1B+ labelled addresses provides the risk context needed to make informed decisions about wallet access and transaction processing.
For protocols that need to demonstrate compliance without compromising user privacy or decentralisation principles, our screening tools operate at the interface layer — the natural point of control where front-end operators can implement proportionate AML measures without modifying the underlying protocol.
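What an interface-layer control looks like in practice, as an added example that is not the article's or BlockchainAnalysis's code: a front-end screens the connecting wallet before enabling any protocol action, applies a written policy (block on sanctions, block or route to review on mixer exposure), fails closed when screening is unavailable, and records every decision so the control can be evidenced later. `lookupRisk`, `RISK_DB`, the threshold values and the addresses are all constructed placeholders standing in for a real screening API and its data; a production call would be asynchronous and the policy values would come from your own risk assessment.

```javascript
// Added example (not the article's code): wallet screening at the dApp
// interface layer. Everything below the comment markers is constructed.

// Constructed screening data: hypothetical addresses and labels only.
const RISK_DB = {
  "0x1111111111111111111111111111111111111111": { sanctioned: true,  mixerExposure: 0,    labels: ["sanctions-list"] },
  "0x2222222222222222222222222222222222222222": { sanctioned: false, mixerExposure: 0.42, labels: ["mixer-adjacent"] },
  "0x3333333333333333333333333333333333333333": { sanctioned: false, mixerExposure: 0.01, labels: [] },
  "0x4444444444444444444444444444444444444444": { sanctioned: false, mixerExposure: 0.10, labels: ["mixer-adjacent"] },
};

// Hypothetical screening lookup; a real API call would be async and remote.
function lookupRisk(address) {
  return RISK_DB[address.toLowerCase()] ?? { sanctioned: false, mixerExposure: 0, labels: ["unknown"] };
}

// Constructed policy: share of traced funds attributable to mixers.
const POLICY = { blockMixerExposureAbove: 0.25, reviewMixerExposureAbove: 0.05 };

function decide(risk, policy = POLICY) {
  if (risk.sanctioned) return { action: "block", reason: "sanctioned address" };
  if (risk.mixerExposure > policy.blockMixerExposureAbove) {
    return { action: "block", reason: `mixer exposure ${risk.mixerExposure} above block threshold` };
  }
  if (risk.mixerExposure > policy.reviewMixerExposureAbove) {
    return { action: "review", reason: `mixer exposure ${risk.mixerExposure} above review threshold` };
  }
  return { action: "allow", reason: "no risk indicators" };
}

// Audit trail: every screening decision is kept so the control can be evidenced.
const auditLog = [];

function record(address, decision) {
  const entry = { at: new Date().toISOString(), address, ...decision };
  auditLog.push(entry);
  return entry;
}

const isValidAddress = (a) => typeof a === "string" && /^0x[0-9a-fA-F]{40}$/.test(a);

// Gate a wallet connection. Returns the logged decision; the UI enables protocol
// actions only when action === "allow".
function gateConnection(address, lookup = lookupRisk, policy = POLICY) {
  if (!isValidAddress(address)) {
    return record(String(address), { action: "block", reason: "malformed address" });
  }
  let decision;
  try {
    decision = decide(lookup(address), policy);
  } catch (err) {
    // Fail closed: if screening is unavailable, do not enable protocol actions.
    decision = { action: "block", reason: `screening unavailable: ${err.message}` };
  }
  return record(address, decision);
}

// Browser wiring (illustrative, not executed here): screen on connect and keep
// the swap/deposit controls disabled unless the wallet is allowed.
// window.ethereum.request({ method: "eth_requestAccounts" }).then(([account]) => {
//   const d = gateConnection(account);
//   document.querySelector("#swap").disabled = d.action !== "allow";
// });
```

Two design points matter more than the thresholds themselves. Failing closed on a screening error is the difference between a control and a decoration: an outage must not silently turn into an open door. And the audit log exists because the checklist below asks you to document your analysis; a regulator asking "what did you do when a sanctioned wallet connected" expects a record, not a recollection.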
DeFi Compliance Checklist
- Assess whether your protocol has an identifiable owner/operator under FATF guidance
- Map your governance structure against MiCA's "fully decentralised" test
- If you operate a front-end, assume you are providing a crypto-asset service until proven otherwise
- Implement wallet screening at the front-end/interface layer as a minimum control
- Document your decentralisation analysis — regulators will ask for it
- Monitor enforcement trends — the regulatory perimeter is expanding, not contracting
- Seek legal advice on your specific structure — the analysis is highly fact-dependent
Next in the series: DeFi Compliance #2 — DEX Compliance: Can Decentralised Exchanges Meet AML Requirements?, where we examine how DEX front-ends are implementing compliance controls and what regulators expect.
Whether you operate a DeFi front-end or interact with decentralised protocols, BlockchainAnalysis helps you assess on-chain risk exposure and implement proportionate compliance controls.
Screen wallets, monitor entities, and generate compliance reports with 1B+ labelled addresses and 305+ data sources.