Meet Dr. Marcus Hartmann
Dr. Marcus Hartmann has spent over two decades at the intersection of financial law and emerging technology. Based in Zug — Switzerland's Crypto Valley — he has guided startups, trading platforms, and institutional investors through the full spectrum of VASP licensing: from FINMA FinTech notifications to MiCA CASP applications and offshore structuring across 60+ jurisdictions.
He joined CryptoLicenses.net as Senior Licensing Advisor after a decade leading the fintech practice of a Swiss-regulated law firm, where he managed regulatory mandates in the UAE, Singapore, Liechtenstein, and the Cayman Islands.
- There is no DeFi-specific licence in most jurisdictions — regulators apply existing rules by looking for an identifiable person or entity behind a protocol
- MiCA excludes services provided in a "fully decentralised manner without any intermediary" (Recital 22), but truly decentralised setups are rare
- A front-end, a development team, a governance token, admin keys, or protocol fees can each create a regulated point of control
- US agencies (FinCEN, SEC, CFTC) and the FATF all focus on the people who own or operate a protocol, not the code itself
- The practical question is not "is DeFi regulated?" but "is there someone a regulator can hold responsible?"
Is DeFi Regulated?
There is no dedicated DeFi licence in any major jurisdiction as of 2026. Instead of regulating the technology, regulators ask a simpler question: is there an identifiable person or company that controls, operates, or profits from the protocol? If the answer is yes, existing financial rules — licensing, AML, securities, and payments law — generally apply to that person, regardless of the "DeFi" label.
This is why the degree of decentralisation matters more than the branding. A protocol that is genuinely run by no one, with no controlling team, no fee switch, and no operated front-end, sits in a regulatory grey zone. But most projects marketed as DeFi retain centralised points: a company that maintains the website, developers holding admin keys, a foundation managing a treasury, or a governance token concentrated among insiders. Each of those is a hook a regulator can use.
MiCA and DeFi in the EU
MiCA deliberately left fully decentralised finance outside its scope. Recital 22 states that where crypto-asset services are provided "in a fully decentralised manner without any intermediary", they should not fall within the Regulation. In principle, a protocol with no intermediary is not a CASP and needs no authorisation.
The difficulty is the word "fully". If a company operates the user interface, if a team can upgrade the contracts, or if an entity collects fees, European regulators may treat that entity as providing a crypto-asset service — bringing it back within MiCA. The European Commission and ESMA were tasked under Article 142 of MiCA with reporting on decentralised finance and whether dedicated rules are needed. A future "MiCA II" addressing DeFi specifically remains under discussion, but no dedicated EU DeFi regime is in force yet.
Practical test: if your project has a company, a team that controls upgrades, or a revenue stream, assume MiCA may apply and take advice — the "fully decentralised" exemption is narrower than most founders expect.
United States — Existing Rules Applied
The United States has no DeFi statute, but three agencies apply existing law. FinCEN treats persons who control or facilitate money transmission as money services businesses (MSBs) with AML obligations. The SEC applies the Howey test, treating many tokens and yield arrangements as securities. The CFTC regulates derivatives and has pursued DeFi protocols offering leveraged trading.
Enforcement has repeatedly targeted the people behind protocols. The CFTC obtained a judgment against the Ooki DAO, establishing that a DAO can be held liable. The Treasury's OFAC sanctioned the Tornado Cash mixer, and the US Department of Justice charged its developers — though a 2024 appellate ruling narrowed how sanctions can apply to immutable smart contracts. The consistent theme is that decentralisation is not a shield where identifiable people own, operate, or profit from the service.
Asia-Pacific and the UK
Singapore's Monetary Authority (MAS) applies the Payment Services Act to any identifiable entity carrying on a regulated activity, and has been consistently cautious about retail access to DeFi. Hong Kong regulates virtual-asset activity through the SFC licensing regime and the AMLO, again focusing on operators rather than code. The UK brings crypto activity within the financial-promotions and authorisation perimeter where a firm carries on regulated activity in or to the UK.
Across all of these markets, the FATF's guidance is influential: its 2021 standards say that the software itself is not a virtual-asset service provider, but persons who maintain control or sufficient influence over a DeFi arrangement — "owners or operators" — can be. That principle now underpins how most regulators approach DeFi worldwide.
"Founders ask whether their protocol is 'decentralised enough' to avoid regulation. That is the wrong frame. Regulators look for a person or entity with control or economic benefit. If you run the front-end, hold the upgrade keys, or earn the fees, you are the operator — and the licensing question is about you, not the smart contract."
— Dr. Marcus Hartmann, Senior Licensing Advisor
When Does DeFi Need a Licence?
Whether a project needs authorisation comes down to control and benefit. The more of the factors below that apply, the more likely a regulator is to treat your project as a regulated service provider rather than as neutral software.
| Factor | Lower regulatory risk | Higher regulatory risk |
|---|---|---|
| Front-end / website | No operated interface | Company runs the app users access |
| Contract upgrades | Immutable, no admin keys | Team controls upgrade keys |
| Fees | No fee captured by a party | Entity earns protocol fees |
| Governance | Broadly distributed | Concentrated among insiders |
| Custody | Non-custodial, user holds keys | Protocol or team can move funds |
| Token offering | No sale to the public | Public sale with profit expectation |
Reality check: very few live "DeFi" projects fall entirely in the left column. If even one high-risk factor applies, treat licensing and AML obligations as a live question and take jurisdiction-specific advice.
Compliance Steps for DeFi Builders
1. Honestly catalogue every centralised element: front-end, admin keys, multisig signers, fee recipients, treasury, and governance distribution. This is what a regulator will look at.
2. Determine whether your protocol involves exchange, lending, derivatives, or token issuance, and whether any token is likely a security or e-money in your target markets.
3. If an operating entity is unavoidable, structure it deliberately in a jurisdiction whose rules fit your model, rather than letting liability land on an undefined team or DAO.
4. Where you operate a regulated point, put AML/KYC controls and the relevant authorisation in place. Document the basis for any service you treat as out of scope.