DeFiLlama tracked roughly $97.6 billion in DeFi total value locked on March 10, 2026, a market that no single jurisdiction yet regulates with a dedicated DeFi statute. Regulators license the people behind the protocol, not the smart contract itself. The seven jurisdictions covered below, the United States, European Union, United Kingdom, Singapore, Japan, United Arab Emirates, and Brazil, set the rules under which lending, swapping, staking, and yield products operate worldwide.
Key Takeaways
- DeFiLlama tracked roughly $97.6 billion in DeFi total value locked on March 10, 2026, with Aave V3 leading at $26.18 billion as of April 17, 2026.
- The CFTC fined Uniswap Labs $175,000 on September 4, 2024, over leveraged tokens, while the SEC closed its parallel investigation on February 25, 2025, with no enforcement action.
- MiCA (Regulation EU 2023/1114) Recital 22 excludes services provided in a “fully decentralised manner” from scope, with ESMA Level 3 guidance expected in 2026.
- The FCA’s perimeter consultation CP 26/13 opened April 15, 2026; UK crypto firms can apply for authorization from September 30, 2026, with the regime mandatory October 1, 2027.
- MAS Project Guardian has piloted permissioned-DeFi liquidity pools with DBS Bank, JPMorgan, and Marketnode since 2022, transitioning to commercial offerings in 2025.
- Brazil’s Banco Central do Brasil published Resolutions 519, 520, and 521 on November 10, 2025, with capital requirements from $10.8 million to $37.2 million for VASPs.
- According to FATF’s 2025 update, 99 jurisdictions have passed or are passing Travel Rule legislation, up from 30 in 2022.
Executive Summary: DeFi Regulation at a Glance
The table below pairs each regulator with its operative statute and the current treatment of DEXes, lending markets, and staking across the seven jurisdictions covered.
| Jurisdiction | Lead Regulator(s) | Operative Statute / Framework | DEX & Lending Treatment | DeFi Status |
|---|---|---|---|---|
| United States | SEC, CFTC, FinCEN | No DeFi-specific statute; case-by-case enforcement | Frontend operators and developers exposed; protocols treated case-by-case | Enforcement-led |
| European Union | European Commission, ESMA, EBA, NCAs | Regulation (EU) 2023/1114 (MiCA) | Out of scope only if “fully decentralised without any intermediary” | Carve-out, narrow |
| United Kingdom | FCA | FSMA 2000 (amended) + CP 26/13 perimeter guidance | “Controlling person” test pulls most DeFi into scope | Pre-implementation |
| Singapore | MAS | Payment Services Act 2019 + Project Guardian | Permissioned-DeFi via Trust Anchor model | Sandbox-led |
| Japan | FSA | Payment Services Act + proposed FIEA migration | Working group monitoring; no statutory DeFi definition | Monitored, not regulated |
| United Arab Emirates | VARA (Dubai), FSRA (ADGM), SCA | VARA Regulations 2023 + Issuance Rulebook 2025 | Activity-based licensing for VA Activities | Active licensing regime |
| Brazil | BCB, CVM | Law 14,478/2022 + BCB Resolutions 519/520/521 | VASP authorization required for any controlling intermediary | Framework live, DeFi-specific rules pending |
Source: CFTC, SEC, European Commission (EUR-Lex), FCA, MAS, Japan FSA, VARA, ADGM, Banco Central do Brasil, FATF
United States: Multi-Agency Enforcement Without a DeFi Statute
The United States regulates DeFi through enforcement actions across three agencies: the SEC for securities, the CFTC for derivatives, and FinCEN for anti-money-laundering, without a dedicated DeFi statute. The CFTC ordered Uniswap Labs to pay a $175,000 civil monetary penalty on September 04, 2024, finding that the firm illegally offered leveraged or margined retail commodity transactions in digital assets via a decentralized digital asset trading protocol. The CFTC’s order covered a limited number of leveraged tokens that provided users with leveraged exposure to digital assets such as Ether and Bitcoin, which did not result in actual delivery within 28 days.
CFTC Commissioner Caroline D. Pham dissented from the order. I am concerned that the Commission’s ever-expanding jurisdictional overreach continues to perpetuate a lack of regulatory clarity. She added that the action would create further regulatory uncertainty and put small cash market businesses in jeopardy of violating the law. Pham also argued that establishing sweeping interpretations through an administrative settlement order, rather than notice-and-comment rulemaking, was a violation of the Administrative Procedure Act (APA).
The SEC’s parallel investigation closed without action. The SEC officially closed its multi-year investigation into Uniswap Labs on February 25, 2025, with no enforcement action; the original Wells notice had alleged that Uniswap Labs operated an unregistered securities exchange, engaged in unregistered broker or clearing firm activity, or issued an unregistered security. In June 2024, the SEC initiated an enforcement action against Consensys for its MetaMask Staking service, targeting the platform’s role in distributing liquid staking digital assets from providers like Lido and Rocket Pool.
The pattern across CoinLaw’s coverage of crypto enforcement actions holds here too: regulatory clarity arrives through litigation rather than legislation, typically following a market shock by 12 to 18 months.
The three-agency split creates predictable triggers for any DeFi protocol with US users:
- SEC scope turns on token issuance, staking-as-a-service, and any feature where investors expect profit from the efforts of others.
- CFTC scope turns on leverage, margin, and derivatives, the dimension that decided the Uniswap Labs civil penalty.
- FinCEN scope turns on money transmission and any custody touchpoint where the operator can move customer assets.
Lawmakers across the Atlantic chose the opposite path: a single statute up front, with narrow carve-outs.
European Union: MiCA’s “Fully Decentralised” Carve-Out
The European Union regulates crypto-asset services through Markets in Crypto-Assets Regulation (MiCA), with a narrowly drawn DeFi exclusion that few protocols can qualify for. Regulation (EU) 2023/1114 was adopted by the European Parliament and the Council on 31 May 2023 and applies to natural and legal persons performing crypto-asset services, including when part of such activities is performed in a decentralised manner.
The DeFi carve-out lives in Recital 22 of the regulation. Where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of this Regulation. The recital is the operative text. The text does not define “fully decentralised,” and that ambiguity is doing most of the regulatory work. MiCA Recital 22 provides no precise test for the “fully decentralised” label, and ESMA is expected to issue Level 3 guidance during 2026.
Practitioners reading the text closely have already flagged where most live DeFi falls. To be excluded from MiCA, the offer must be technically and governance-wise decentralised, meaning it must run exclusively via smart contracts and on a decentralised DLT system, with no legal entity acting as a counterparty; in practice, frontends, governance tokens with managed treasuries, and DAOs with identifiable issuers fall within scope.
Why it matters: MiCA’s intermediary test is doing more regulatory work than the headline carve-out suggests. A protocol can be technically decentralized at the smart-contract layer and still trigger MiCA obligations through a frontend operator, a governance treasury, or a DAO with identifiable issuers, which describes most of the protocols inside the DeFi total value locked tracked by DeFiLlama.
The UK split the difference, importing MiCA’s intermediary logic while drafting its own perimeter.
United Kingdom: FCA Gateway and the Controlling-Person Test
The UK is in the rule-drafting phase, with the FCA constructing a perimeter that imports MiCA-style intermediary triggers. The FCA’s consultation on cryptoasset perimeter guidance, CP 26/13, opened on April 15, 2026, with responses due by June 3, 2026, and addresses five key activities: issuing qualifying stablecoin, operating trading platforms, dealing and arranging deals in qualifying cryptoassets, safeguarding cryptoassets, and staking.
Crypto firms will be permitted to begin submitting authorization applications on September 30, 2026, with the full regulatory regime becoming mandatory on October 1, 2027. Crypto will be regulated in the UK from October 2027, and the FCA will consult separately on decentralised finance (DeFi) guidance later in 2026, alongside operational resilience guidance for firms using distributed ledger technology.
The FCA’s controlling-person test is the operative concept. Where a clear controlling person carries on a regulated cryptoasset activity, the rules apply, even when the underlying protocol is described as decentralized. In 2025, the FCA will collaborate with the Monetary Authority of Singapore to explore the regulatory considerations for tokenisation within the asset and wealth management sector. Where London debates definitions, Singapore has built a working DeFi pilot.
Singapore: Project Guardian and the Trust Anchor Model
Singapore is the only jurisdiction running an institutional-DeFi pilot at a commercial scale. Project Guardian is a collaborative initiative led by the Monetary Authority of Singapore that brings multiple industries together through pilots to explore how tokenization and interoperable networks could establish the future of financial infrastructure. The first industry pilot under Project Guardian explores potential DeFi applications in wholesale funding markets, led by DBS Bank, JP Morgan, and Marketnode, involving the creation of a permissioned liquidity pool comprising tokenised bonds and deposits.
The architecture solves the regulatory problem by inverting it. Rather than ask whether a protocol is “decentralized enough” to escape the rules, MAS designed a permissioning layer on top. Trust anchors are regulated financial institutions that screen, verify, and issue verifiable credentials to entities that wish to participate in defi protocols, ensuring that participants trade only with verified counterparties, issuers, and protocol developers.
2025 marked a pivotal year for product launches and market adoption beyond proof-of-concept trials, with Project Guardian moving from pilots to real-world applications and DBS expanding tokenized private debt and equity offerings. The Trust Anchor model is the only operational DeFi-permissioning architecture currently running at institutional scale. Every other major jurisdiction either waits for the protocol to declare itself “fully decentralised” or treats any controlling person as the regulable party. Singapore quietly built the third option.
Japan, by contrast, is still rebuilding the foundation underneath crypto itself.
Japan: Stablecoin-First, Securities-Migration Pending
Japan separates stablecoins from other crypto-assets and is preparing to move the latter from the payments law to the securities law. Japan’s Financial Services Agency released a report proposing moving digital asset regulation from its current position under the Payment Services Act to be governed by the Financial Instruments and Exchange Act, while stablecoins linked to fiat currency will remain under the Payment Services Act. The FSA’s proposal stems from a comprehensive review by the Financial System Council’s Working Group, concluding after six meetings between July and December that digital assets possess characteristics that align closely with those of securities.
The stablecoin regime has been live since 2023. Fiat-pegged, par-redeemable stablecoins are regulated as electronic payment instruments under amendments to the Payment Services Act, with issuance and handling limited to licensed entities under the FSA framework with strong AML/CFT and consumer-protection rules; the core regime has applied since June 2023.
DeFi sits in a monitoring posture. A Japan FSA working group has met on average approximately every two to three months to analyze the developments in digital issues and DeFi. No statutory DeFi definition exists yet, and the FSA has signaled a preference for studying market developments before drafting rules. The Gulf chose the opposite posture: build the rulebook first, license aggressively, and let the market come.
United Arab Emirates: VARA and ADGM Dual Track
The UAE runs two parallel virtual-asset regimes: VARA in Dubai and ADGM’s FSRA in Abu Dhabi. VARA issued its Virtual Assets and Related Activities Regulations 2023 on 7 February 2023 pursuant to the final approval of the Board of Directors. VARA’s Virtual Asset Issuance Rulebook became effective on 19 June 2025, locking in approval and disclosure mechanics for issuers and specifying how Fiat-Referenced Virtual Assets and Asset-Referenced Virtual Assets are treated.
VARA has continued to tighten its regime. In May 2025, VARA published updated rule books aimed at enhancing supervisory mechanisms across most of its activities, with key changes including strengthened controls around margin trading and token distribution services; new marketing regulations also came into effect on 1 October 2024.
ADGM’s framework is older and recently sharpened. In 2018, the ADGM became the first jurisdiction globally to introduce and implement a comprehensive and bespoke regulatory framework for the regulation of exchanges, custodians, brokers, and other intermediaries engaged in VA activities. On 10 June 2025, ADGM’s FSRA implemented amendments to its digital-asset framework and updated its Guidance on Virtual Asset Activities, including a streamlined path for recognising Accepted Virtual Assets, refined capital and fee settings, and explicit confirmation of the prohibition on privacy tokens and algorithmic stablecoins.
Both UAE regimes are activity-based: A protocol that crosses one of the named VA Activities triggers licensing regardless of its decentralization claims. South of the equator, Brazil chose a similar path with a tighter timeline.
Brazil: BCB Resolutions 519, 520, 521
Brazil’s central bank moved from consultation to a live framework, building on the Virtual Assets Law passed earlier. On November 10, 2025, the BCB published three major resolutions, 519, 520, and 521, establishing a comprehensive regulatory framework for virtual asset service providers. Both new entrants and incumbents operating as custodians, exchanges, and intermediaries will need to go through the process to become Sociedades Prestadoras de Servicos de Ativos Virtuais (SPSAVs).
Capital and timeline requirements separate Brazil from softer-touch jurisdictions. The implementation deadline is February 2026 with a 9-month grace period, and capital requirements range from $10.8 million to $37.2 million, depending on activity type. Resolution 521 applies FX regulations to stablecoins and virtual assets referenced in fiat currency, while the framework maintains the 2023 Presidential decree structure, where the BCB is the regulator and the Brazilian Securities Commission has jurisdiction over securities-like tokens and consumer protection issues.
The CVM keeps a parallel role for fund exposure. CVM Resolution 175/2022 sets forth that Financial Investment Funds must comply with the limit of up to 10% of net equity to invest in some assets, which include crypto-assets. The rules published in November 2025 include only an initial treatment of staking.
By the numbers: The BCB set capital requirements between $10.8 million and $37.2 million for virtual asset service providers under Resolutions 519, 520, and 521, with implementation deadline February 2026 and a 9-month grace period. Staking is explicitly carved out for further BCB-CVM coordination.
Seven jurisdictions, seven slightly different statutes, and one shared theory of how to actually enforce them.
The Global Convergence: Regulating People, Not Protocols
Despite the surface differences across the seven regimes, every major regulator has independently arrived at the same workable theory of DeFi enforcement: license the people behind the protocol, leave the smart contract alone. MiCA Recital 22’s “fully decentralised without any intermediary” carve-out, the FCA’s “controlling person” test, Brazil’s VASP authorization regime, and the CFTC’s enforcement against Uniswap Labs all rest on the same triggering question: who do we sue?
CoinLaw’s coverage across crypto regulation history shows a recurring pattern: enforcement that seems harsh in the short term almost always accelerates institutional adoption within 18 months once the targeting becomes clear. The post-FTX wave (late 2022) produced MiCA enforcement, the US Clarity-Act drafts, and the BCB resolutions within two years.
The convergence is doing meaningful work in the market. DeFiLlama tracks DeFi total value locked in the $95 to $140 billion range as of April 17, 2026, depending on whether liquid staking tokens, restaking, and Bitcoin DeFi are included, with Aave V3 leading at $26.18 billion and Lido following at $23.07 billion. DeFiLlama tracks 7000+ DeFi protocols across 500+ chains, with Ethereum hosting roughly half of global TVL. None of the headline protocols has collapsed under the enforcement pressure; every regime has found a way to regulate the controlling persons without dismantling the underlying smart-contract infrastructure.
For an entity-level reference on how decentralized finance was originally architected, see how DeFi protocols work.
What FATF’s Travel Rule Means for DeFi Worldwide
FATF’s Travel Rule is the transnational floor under every national regime above. Per FATF, 99 jurisdictions have passed or are in the process of passing legislation implementing the Travel Rule, which ensures transparency of information around cross-border payments. The FATF 2024 update recorded that 70% of respondents (65 of 94 jurisdictions) had passed legislation implementing the Travel Rule, reflecting a notable improvement since 2023, when 35 jurisdictions had passed legislation, and 2022, when 30 jurisdictions had passed legislation.
The illicit-finance backdrop matters for DeFi enforcement priorities. FATF noted a significant uptick in the use of virtual assets in fraud and scams, with one industry participant estimating approximately $51 billion in illicit on-chain activity relating to fraud and scams in 2024. FATF stated it will facilitate the sharing of best practices, findings, and challenges, including those relating to DeFi, stablecoins, unhosted wallets, and P2P transactions.
For a broader context on how earlier crypto regulations evolved, see CoinLaw’s history of crypto regulation.
Frequently Asked Questions (FAQs)
Using a DeFi protocol is not itself illegal in the United States. The SEC officially closed its investigation of Uniswap Labs on February 25, 2025, with no enforcement action. The CFTC ordered Uniswap Labs to pay a $175,000 civil monetary penalty on September 04, 2024, over leveraged tokens. There is no federal DeFi statute; enforcement happens case-by-case across the SEC, CFTC, and FinCEN.
MiCA Recital 22 states that services provided in a fully decentralised manner without any intermediary should not fall within the scope of this Regulation. The phrase is undefined, and ESMA Level 3 guidance is expected during 2026. In practice, frontends, governance tokens with managed treasuries, and DAOs with identifiable issuers fall within scope.
Crypto will be regulated in the UK from October 2027 under the FCA’s new regime, and crypto firms will be able to start applying for authorisation from September 2026. The FCA’s consultation on cryptoasset perimeter guidance (CP 26/13) opened April 15, 2026, with responses due by June 3, 2026, and the FCA will consult separately on decentralised finance (DeFi) guidance later in 2026.
Project Guardian is a collaborative initiative led by the Monetary Authority of Singapore that brings multiple industries together through pilots to explore how tokenization and interoperable networks could establish the future of financial infrastructure. The first industry pilot, led by DBS Bank, JP Morgan, and Marketnode, created a permissioned liquidity pool of tokenised bonds and deposits.
The FATF Travel Rule requires virtual asset service providers to share originator and beneficiary information for cross-border transfers above a threshold. 99 jurisdictions have passed or are in the process of passing legislation implementing the Travel Rule, which ensures transparency of information around cross-border payments. FATF stated it will facilitate the sharing of best practices, findings, and challenges, including those relating to DeFi, stablecoins, unhosted wallets, and P2P transactions.
Conclusion
The regulatory map this current year breaks into seven different grids, each pulling from the same toolkit: license the controlling person, define carve-outs narrowly, and let the FATF Travel Rule sit underneath as the AML floor. The roughly $97.6 billion in DeFi total value locked tracked by DeFiLlama on March 10, 2026, sits across protocols where Ethereum hosts roughly half of global TVL, Aave V3 leads at $26.18 billion, and Lido follows at $23.07 billion. The regulatory question turns on who can be served with a notice, not on the protocol’s design.
The jurisdictions covered above each tell a version of the same story. The US runs enforcement-led clarification, while the SEC and CFTC sometimes disagree on which protocol is in scope. The EU drew a written carve-out for “fully decentralised” services and is now living with the gap between text and reality. The UK is consulting through 2026, with the full regulatory regime becoming mandatory on October 1, 2027. Singapore built a working permissioning layer that nobody else has matched. Japan separated stablecoins from everything else. The UAE licenses aggressively. Brazil set capital floors of $10.8 million to $37.2 million and an implementation deadline of February 2026 with a 9-month grace period.
The convergence on the controlling-person test is the practical takeaway for builders and counsel: decentralization claims matter less than the identifiable intermediary’s licensing posture.
The parallel by-jurisdiction adoption picture lives in cryptocurrency adoption by country statistics.
