A DAO Is No Defense: CFTC Says Decentralization Does Not Immunize DeFi From Regulation

In Short

The Situation: Under the existing legal regimes,
decentralized autonomous organizations (“DAO” or
“DAOs”) have been viewed as a way to hedge against
regulatory action by way of a decentralized structure. The
Commodity Futures Trading Commission’s (“CFTC”)
recent and first attempt to impose liability on a DAO and its
members disrupts that assumption and helps provide insight into the
future of decentralized finance (“DeFi”) in the United

The Result: The CFTC’s recent Order found bZeroX, LLC and its two founders
violated the Commodity Exchange Act (“CEA”) by unlawfully
engaging in activities that could lawfully be performed only by a
registered futures commission merchant (“FCM”) or
designated contract market (“DCM”), and contended that
individual DAO members that voted on governance measures are
jointly and severally liable for debts of the DAO as an
unincorporated association.

Looking Ahead: The CFTC’s complaint against
Ooki DAO (the successor to bZeroX’s DAO that operated the same
software protocol as bZeroX) charged the same violations that the
CFTC found in the Order. Even if the federal court does not adopt
the CFTC’s “unincorporated association” theory of
liability for DAO voters, its very prospect seems likely to chill
DeFi participation in the United States in the near future.

On September 22, 2022, the CFTC filed an Order announcing it had
reached a settlement with bZeroX, LLC and its two founders, Kyle
Kistner and Tom Bean (collectively, “Respondents”). The
settlement relied in part on imposing controlling person liability
on the founders, under Section 13(b) of the CEA, for bZeroX’s
violations of CEA Sections 4(a) and 4(d)(1). The Order found that
the Respondents violated the CEA by operating an Ethereum-based
DeFi platform (“bZx Protocol”) that accepted orders and
facilitated tokenized leveraged retail trading of virtual
currencies such as ETH, DAI, and others.

According to the Order, the bZx Protocol permitted users to
contribute margin to open leveraged positions, the ultimate value
of which was determined by the price difference between two digital
assets from the time the position was established to the time it
was closed. In doing so, the CFTC found, the Respondents
“unlawfully engaged in activities that could only lawfully be
performed by a designated contract market (“DCM”) and
other activities that could only lawfully be performed by a
registered futures commission merchant (“FCM”).” The
CFTC also found that, by failing to conduct
know-your-customer diligence on customers as part of a customer
identification program, as required of both registered and
unregistered FCMs, the Respondents violated CFTC Regulation
42.2. Below is an illustration of how the bZx Protocol

Concurrently with the Order, the CFTC filed a complaint against Ooki DAO, the successor to
the bZx DAO – a DAO comprising bZx Protocol token holders to which
Respondents had transferred control following a series of hacks
in 2020 and early 2021. The Ooki DAO complaint charges the same
violations that the CFTC found, in the Order, the
Respondents had engaged in. The CFTC characterized Ooki DAO in the
Order as “an unincorporated association comprised of holders
of Ooki DAO Tokens who vote those tokens to govern (e.g. to modify,
operate, market, and take other actions with respect to) the [Ooki]
Protocol.” In the Order, the CFTC stated that
“[i]ndividual members of an unincorporated association
organized for profit are personally liable for the debts of the
association under principles of partnership law.”

As discussed in Commissioner Mersinger’s dissent
(“Mersinger’s Dissent”), neither the CEA nor the CFTC
has ever defined a DAO. More importantly, although the CFTC has to
date settled one action against what it characterized as a DeFi
trading platform (Blockratize, Inc. d/b/a Polymarkets.com), the
Ooki DAO complaint is the first time it has attempted to impose
liability on a DAO or its members. This was not entirely
unexpected. For example, in footnote 63 in the CFTC’s Digital Asset Actual Delivery
Interpretive Guidance, the CFTC noted that “in the context
of a ‘decentralized’ network or protocol, the Commission
would apply this interpretation to any tokens on the
protocol that are meant to serve as virtual currency as described
herein” (emphasis added).

The CFTC added that “[i]n such instances, the Commission
could, depending on the facts and circumstances, view
‘offerors’ as any persons presenting, soliciting, or
otherwise facilitating ‘retail commodity transactions,’
including by way of a participation interest in a foundation,
consensus, or other collective that controls operational decisions
on the protocol, or any other persons with an ability to assert
control over the protocol that offers “retail commodity
transactions,” as set forth in CEA section

Former CFTC Commissioner Berkovitz also stated in a 2021 speech that “[n]ot only
do I think that unlicensed DeFi markets for derivative instruments
are a bad idea, I also do not see how they are legal under the
CEA.” A few years prior to that, a CFTC spokesperson stated in response to
questions about Augur – a DeFi prediction market offering, among
other things, assassination contracts – that “[w]hile I
won’t comment on the business model of any specific company, I
can say generally that offering or facilitating a product or
activity by way of releasing code onto a blockchain does
not absolve any entity or individual from complying with pertinent
laws or CFTC regulations[.]” The CFTC’s unincorporated
association theory of liability is not unique: The SEC’s 2017 DAO Report pointed out that
Section 3(a)(1) of the Securities Exchange Act of 1934 defines an
“exchange” as “any ... association, or group of
persons, whether incorporated or unincorporated ....”

However, as noted in Mersinger’s Dissent, “[d]efining
the Ooki DAO unincorporated association as those who have voted
their tokens inherently creates inequitable distinctions between
token holders.” For instance, a single vote on a generic
governance proposal having nothing to do with the CEA or CFTC rules
could unknowingly subject token holder A to membership in the
unincorporated association, as defined by the CFTC, and assumption
of personal liability, while token holder B escapes
membership/liability by virtue of incidentally neglecting to vote.
Even if token holder A had voted directly against the alleged
unlawful actions, it could still face joint and several liability
for the full legal claim against the DAO.

Moreover, as noted in Mersinger’s Dissent, the CEA
“sets out three legal theories that the Commission can rely
upon to support charging a person for violations of the CEA or CFTC
rules committed by another: (i) principal-agent liability; (ii)
aiding-and-abetting liability; and (iii) control person
liability.” The CFTC has pursued the aiding-and-abetting
theory in somewhat similar circumstances. In January 2018, the CFTC charged Jitesh Thakkar and Edge Financial
Technologies, Inc. – a company Mr. Thakkar founded and for which
he served as president – with aiding and abetting Navinder Sarao in
engaging in a manipulative and deceptive scheme by designing
software used by Mr. Sarao to spoof mini S&P futures

Mr. Thakkar was also named in a criminal complaint brought by
the Department of Justice (“DOJ”) related to the same
conduct on charges of conspiracy to commit spoofing as well as
aiding and abetting spoofing. The CFTC agreed to stay its case
during the pendency of the criminal matter. After the DOJ’s
charges were dismissed with prejudice in April 2019, the
CFTC resumed its civil action against Mr. Thakkar in September
2019. One year later, the CFTC ultimately entered into a consent order for permanent injunction with
Mr. Thakkar’s company, Edge Financial Technologies, Inc. The
order included findings tracking the allegations in the CFTC’s
complaint, a permanent injunction against aiding-and-abetting
violations of CEA Sections 4c(a)(5)(C) (spoofing) and 6(c)(1)
(manipulation) and CFTC Regulation 180.1(a)(1) and (3) (relating to
the use of a manipulative and deceptive device, scheme, or artifice
to defraud), and an order of disgorgement and civil monetary
penalty totaling $72,600.

While Commissioner Mersinger may have wished to hold only the
founders liable for DAO-related activity, it would seem that the
Commission is not so inclined and may wish to send a message to
those who would trade on unlawful venues, even though the
Commission usually seeks to protect such persons against misconduct
arising from trading on such venues. In the case of DAOs, the
Commission may take the view that such persons operate and control
the venues, in some ways.

Even if this “unincorporated association” theory of
DAO liability is not ultimately endorsed by a federal court, this
ruling will likely result in protocol founders increasingly
choosing to maintain anonymity and/or operate offshore. This could
result in decreased availability of DeFi derivatives trading to
U.S. persons and, if DeFi derivatives trading remains available to
U.S. persons from offshore, greater extraterritorial enforcement
efforts by the CFTC.

More broadly, this action is a warning that some regulators view
unregulated DeFi trading activity as incompatible with existing
legal structures, notwithstanding the argument that DAO token
holders are engaged in active management of the protocol and so are
not dependent on the efforts of others under SEC v. Howey.
Footnote 10 of the bZeroX Order sounds loud and clear on
this point, warning that “[i]t was (and remains)
Respondents’ responsibility to avoid unlawfully engaging in
activities that could only be performed by registered entities and,
should they ever wish to register, to structure their business
in a manner that is consistent with Commission registration
” (emphasis added).

Incidentally, the message in that footnote is the answer to questions raised by some as to how crypto
businesses are to operate when their very structures seem
incompatible with existing regulatory schemes. More recently, SEC Chairman Gensler expressed a
similar sentiment
, stating that “[t]he commingling of the
various functions within crypto intermediaries creates inherent
conflicts of interest and risks for investors. Thus, I’ve asked
staff to work with intermediaries to ensure they register each of
their functions- exchange, broker-dealer, custodial functions, and
the like-which could result in disaggregating their functions
into separate legal entities to mitigate conflicts of interest and
enhance investor protection
” (emphasis added).

DAOs possess many novel qualities not present in traditional
corporate structures – transitory ownership tied to a tradeable
token, user ownership and governance, and operations conducted by,
in some cases, an autonomous smart contract code. While
encompassing only active voters in the instant case, the CFTC’s
language in its complaint against Ooki DAO seems to suggest that a
smart contract protocol running programs deemed to violate
regulations could continuously generate liability for DAO members
simply by way of the members having “permitted”
transactions executed by such programs. The greater the autonomy
and automation of the smart contract underlying the protocol, the
less sense attaching joint and several liability to DAO members
arguably makes. Automating protocol functions to reduce the
necessity of DAO member input is another foreseeable result of the
CFTC’s position.

While the potential for DAOs to avoid classification of their
tokens as securities has reinforced the use of a fully
decentralized structure lacking legal form, the countervailing risk
of a general partnership – and especially voting member liability as
an “unincorporated association” – will likely lead to
increased use of traditional legal
in DAO formation and governance for the DAO and
individual participants alike. For all of the innovation the unique
traits of a DAO allow, it is becoming increasingly clear that
existing regulations will demand the rails of legal personhood to
achieve compliance.

Whether a “test case” ramping up to something larger
or simply a reminder to founders – or those who otherwise seek to
legally or practically distance themselves from the DAOs that they
create (e.g., by the developers “giv[i]n[g] up ownership over the ‘escape
hatch’ function, which would allow a designated party to shut
the system down[]”) – that DAOs cannot be used as a tool to
evade regulatory action, the outcome of the CFTC’s lawsuit
against Ooki DAO is one to closely watch as a harbinger for DeFi as
a whole. User ownership and voted token participation in DAOs – while
not the regulatory shield some might wish it to be – is an idea
unlikely to go away anytime soon.

Three Key Takeaways

  1. The CFTC’s Ooki DAO complaint serves as a warning to the DeFi
    market to conform to the existing legal structure and could place a
    premium on founder anonymity or reduce DeFi protocol access for
    U.S. citizens. This outcome could result in further
    extraterritorial enforcement efforts by the CFTC as protocols shift
    operations overseas to avoid unlawfully engaging in activities
    allowable only by registered entities.

  2. The CFTC finding active voters personally liable under
    principles of partnership law will likely cause DAOs to increase
    their levels of autonomy and automation, which would reduce the
    necessity of DAO member input and make the argument attaching joint
    and several liability to DAO members less viable.

  3. The risk of DAOs’ classification as general partnerships
    and individual voting members’ potential personal liability
    under an unincorporated association theory will likely lead to the
    increased use of traditional legal entities in DAO formation and
