Regulating Web3 Applications Rather than Protocols: Practical Applications

This article is the fourth part of the "Regulating Web3 Applications Rather Than Protocols" series, which proposes a regulatory framework for Web3 aimed at preserving the advantages of Web3 technology, protecting the future of the internet, while reducing the risks of illegal activities and consumer harm. The core principle of this framework is that regulation should focus on enterprises, rather than decentralized autonomous software.

The framework established in the first three parts of this series is regulatory neutral - this means it has no fixed position on what types of regulation should apply to Web3. Instead, the framework provides a method for assessing and applying regulations to Web3 businesses, including those related to market structure, KYC, privacy, or any other type of regulation currently applicable to Web2 businesses. The framework only specifies that regulation should have legitimate objectives, be proportionate to the entities and activities it regulates, and the risks it aims to address, while maintaining a truly "technology neutral" ( and not choosing winners in emerging technologies ).

In the fourth part of this series, we demonstrate how the framework can be applied in practice to hypothetical market structure regulation (, specifically managing the legislation and corresponding regulation of digital asset exchange transactions ). We first define the scope of the hypothetical regulation, then explain how different rules and requirements apply to different types of participants and applications in the Web3 space. This analysis shows why the strictest regulatory requirements should apply to applications that pose the greatest risk to users, while those that pose the least risk should be subject to less regulation. This risk-based approach can ensure consumer protection while also safeguarding innovation.

Although the regulatory examples we discussed focus on crypto financial use cases, this analysis should indicate that the framework of "regulating Web3 applications rather than protocols" could be appropriately tailored for a range of Web3 regulations in the future, including those related to social media, the gig economy, and content creation applications.

Definition of the Regulation

We first define the hypothetical regulations that will apply this framework and assess whether these regulations should be included in the Bank Secrecy Act (BSA).

Market Structure Regulation

Market structure legislation has been a focus for many policymakers and regulators in 2022, such as DCCPA, DCEA, RFIA, etc., who believe that the digital asset market needs regulation. We expect that in 2023, there will be renewed efforts to promote market structure legislation and regulatory implementation driven by the following policy objectives.

1. Protect users from risks, including risks arising from custodial relationships, conflicts of interest, and illegal asset trading on unregistered trading platforms.

2. Restrict illegal asset trading, including tokenized securities and derivatives;

3. Promote Innovation

Although decentralized exchanges may be excluded from any market structure legislation and regulation in the short term, they are unlikely to operate outside of regulatory oversight forever. Such an arrangement would greatly disadvantage centralized exchanges, which could reintroduce traditional centralized risks into the decentralized finance (DeFi) ecosystem, thereby undermining the effectiveness of any market structure legislation and regulation. If policymakers include DeFi within the scope of these legislative and subsequent regulatory efforts, they must appropriately adjust their objectives and specific regulatory requirements based on the risks posed by different DeFi entities and activities to the ecosystem and its users.

We assume that the new market structure law includes a benchmark requirement, which states that any trading facility directly promoting the trading of digital assets must comply with the registration requirements of one or more new implementation regulations. The purpose is to ensure that the law covers any exchange where users can directly trade digital assets, whether centralized or decentralized (. The law also includes certain compliance obligations relating to the custody of client assets )1(, listing rules for digital assets exchanged using trading facilities )2(, record-keeping requirements for all trading activities )3(, trading processing guidelines )4(, conflict of interest )5(, governance standards, such as establishing system safeguards for operational and security risks )6(, reporting requirements )8(, minimum thresholds for financial resources )9(, risk disclosures related to the use of trading venues, and )10( code audits. For our purposes, we will refer to this hypothetical regulation as "the Regulation."

Now that we have outlined the principle requirements of the regulation, it is worth discussing what this regulation does not include. First, any market structure legislation could potentially include a statutory definition that clarifies when digital assets should be considered securities or commodities, thereby granting the U.S. Securities and Exchange Commission or the U.S. Commodity Futures Trading Commission specific ) or joint ( authority to promulgate and enforce this regulation. However, whether digital assets are securities or commodities is irrelevant to the purpose of this framework; the framework is an assessment and application of business-based regulation - rather than asset-based regulation. Digital assets are not an application, a protocol, or a decentralized autonomous organization ) DAO (, they are an asset. Therefore, even though many Web3 builders and policymakers are eager for the guardrails that this clarification would provide, a clear definition is not actually necessary to apply the "regulating Web3 applications, not protocols" framework.

Second, any market structure legislation and implementation of the regulations may also include rules related to other market participants such as brokers, dealers, custodians, etc. ) and other activities typically associated with exchanges. Regulations designed for these other types of market participants may actually be more suitable for certain decentralized exchange applications, as the nature of the activities of the application is more similar to those of these other participants compared to traditional exchanges. For example, the function of a decentralized exchange that guides and directs orders may resemble that of an introducing broker under the Commodity Exchange Act, rather than that of a typical centralized exchange; or it may be more suited to a regulatory framework like the SEC's "best execution" rule, rather than the exchange system. However, for simplicity, we have excluded rules applicable to these market participants and considered all applications that directly facilitate the trading and exchange of digital assets as exchanges. In any case, even if the proposed regulations aim to establish rules related to these other participants, the analysis below can be used to assess the impact of these rules on decentralized exchange applications in the same way.

( Bank Secrecy Act

"Bank Secrecy Act" ) BSA ( - A legislation aimed at preventing criminals from hiding or laundering money through financial institutions - and its implementation imposes certain obligations on financial intermediaries, including Customer Due Diligence ) CDD ( and Customer Identification Program ) CIP ( requirements ) applicable to banks and brokers/dealers, or requires verification of customers and compliance with certain reporting obligations related to customer data and identity verification, commonly referred to as "KYC" measures (, for instance, applicable to money services businesses or "MSB" ). Given the role of exchanges in the broader Web3 ecosystem, market structure legislation and the implementation of the regulation could subject digital asset exchange activities to BSA requirements. These requirements have minimal impact on centralized exchanges, as they are already regulated as MSBs under the BSA; however, applying BSA requirements to applications providing access to decentralized exchange protocols ( that are not regulated as banks or MSBs ) may be unnecessary or unbeneficial. In practice, these requirements could significantly distort the outcomes of the regulation and ultimately contradict the policy objectives behind the regulation. Here is the reason analysis:

First of all, the policy objectives of the BSA can be achieved without imposing KYC requirements on applications that provide access to decentralized exchanges. While BSA requirements assist law enforcement agencies in investigating illegal activities, investigators have been able to effectively obtain the necessary attribution evidence from fiat inflows and outflows already covered by the BSA, such as centralized exchanges and payment processors ( MSBs ), as well as banks. For example, existing regulatory measures have been applied to money transmitters, including centralized exchanges ### such as Coinbase and Gemini ( and other virtual asset service providers ) like Transak and Moonpay (, requiring them to verify the identities of users bringing funds onto the chain. This information allows investigators from the private sector, law enforcement, and regulatory agencies to collect attribution information on users conducting transactions through these mechanisms, including any transactions executed via decentralized exchanges.

Secondly, adding new significant friction to the user experience of applications providing decentralized exchange protocols may undermine all three policy objectives of the Regulation, pushing users from regulated and legally compliant applications towards non-compliant or entirely unregulated applications. As discussed in the third part of this series, the emergence of these unregulated or non-compliant applications is an inevitable result of establishing open and permissionless internet protocols. Therefore, effective regulation needs to be designed to incentivize users to use regulated applications. Mandating all applications to implement KYC measures could have the opposite effect.

The transparency of blockchain provides a powerful incentive for users to protect their privacy - the collection of personal identifiable information ) PII ( by various parties can unexpectedly lead to vulnerabilities or hacks ) or intentional disclosures that may have devastating effects, exposing the entire transaction history of users and making them potential targets for criminal activities, including identity theft, robbery, and kidnapping. Therefore, users are incentivized to provide PII to as few parties as possible. The motivations and opportunities to evade KYC requirements jeopardize the success of the regulations, potentially putting users at greater risk, increasing the trading of illicit assets, and hindering innovation. Moreover, the applicability of BSA requirements to certain applications may, in some cases, raise the possibility of constitutional challenges.

Third, the issues hindering innovation become more complicated due to the costs imposed on startups by BSA obligations. In particular, compliance procedures and data privacy costs may prove insurmountable for businesses operating nascent profit or non-profit applications, thereby dampening entrepreneurs' enthusiasm to create and operate these applications. This will reduce the number of applications available to users and decrease competition, which could introduce centralization risks. For example, profitable applications that can comply will benefit from a lack of competition, allowing these applications to exert more influence over the underlying protocol. Ultimately, this could lead to the network effects of the protocol effectively belonging to these powerful applications. For instance, as more users seek to use the network, they will be directed to profitable applications, enabling them to gain greater returns from users. This dynamic is in stark contrast to the goals that blockchain technology aims to achieve: a free, open, and decentralized internet. This anti-innovation environment will encourage entrepreneurs to build elsewhere and may lead to reduced transparency in U.S. enforcement.

Fourth, adding BSA requirements in the "Regulations" may undermine the financial inclusivity advantages of blockchain technology. For example, decentralized exchanges are a key pillar of blockchain-based financial systems, which are expected to provide financial services, including loans, savings, and insurance, to a broader population than the current banking system. KYC requirements will shorten this commitment and reduce the possibility for impoverished and vulnerable groups, including refugees, to utilize this technology.

In summary, it makes sense that current U.S. laws exclude most applications and protocols from the BSA. As FinCEN clearly stated in its 2019 guidance, non-regulatory, self-executing code or software itself does not trigger BSA obligations because software vendors are not money transmitters. FinCEN stipulates that those who provide "delivery, communication, or network access services for money transmitters to support money transmission services" are not considered money transmitters. [31 CFR § 1010.100 (ff)(5)(ii)]. This is because the suppliers of tools ( communication, hardware, or software ) are "engaged in trade rather than money transmission."

For the above reasons, we have not included any requirements related to the Bank Secrecy Act in the Regulations or our analysis of its application.

Application of the Protocol

Now we will demonstrate the application of the "Regulation" ( without any BSA-related requirements ) in practice, including applications with different characteristics, from centralized exchanges to simple blockchain resource managers. We summarize our analysis in the table below, which charts the relative risk, user count, and regulatory demands for the various types of applications analyzed.

In addition, we evaluated the