a16z: How to Regulate Web3 Applications?
Original Title: "Regulate Web3 Apps, Not Protocols Part II: Framework for Regulating Web3 Apps"
Authors: Miles Jennings, Brian Quintenz
Compiled by: Block unicorn
This is the second part of the series "Regulate Web3 Apps, Not Protocols," which establishes a regulatory framework for Web3 that retains the benefits of Web3 technology, protects the future of the internet, and reduces the risks of illegal activities and consumer harm. The core principle of this framework is that businesses should be the focus of regulation, rather than regulating decentralized autonomous software (underlying protocols).
On the issue of Web3 regulation, two extremes often clash. 1) The first faction advocates for the broad application of existing regulations to Web3, ignoring the key characteristics of Web3 technology, and thus failing to recognize the significant differences in risk profiles between Web3 products and services and traditional products and services. This failure leads organizations to advocate for regulating decentralized finance (DeFi) and centralized finance (CeFi) in exactly the same way, without nuance. 2) Conversely, opponents argue for completely excluding Web3 from existing regulations. This group overlooks the real economy of many Web3 products and services and attempts to abandon many successful regulatory frameworks, including those that have made U.S. capital markets the envy of the world.
Both extremes may be popular, but neither withstands scrutiny and both lead to poor policy outcomes.
The correct approach to regulating Web3 lies between the two. In this article, we will explore a pragmatic framework for regulating Web3 applications that follows the principles established in the initial article of this series, asserting that Web3 regulation must only apply at the application level (meaning software that operates for end-users and provides access to protocols), rather than at the protocol level (underlying decentralized blockchains, smart contracts, and new native functionalities for the internet).
In simpler terms: Regulate businesses, not applications.
Businesses can customize applications to comply with regulations, while software protocols designed to be globally applicable and autonomous cannot make subjective judgments that local regulations may require. This is why throughout the history of the internet, governments have always chosen to regulate applications like email providers (e.g., Gmail) rather than regulating the underlying protocols of email (e.g., Simple Mail Transfer Protocol or "SMTP"). Potentially subjective, globally conflicting regulations hinder the interoperability and autonomous operation of protocols, rendering them ineffective.
During the explosive growth of the internet over the past few decades, regulating applications rather than protocols has aligned with the public interest. While the spread of Web3 technology adds a layer of complexity to the challenge of regulating the internet, the regulatory framework for Web3 applications does not need to address illegal activities at the protocol level. We did not regulate SMTP merely because email facilitated illegal activities. However, proposals for a Web3 regulatory framework must achieve policy goals by reducing the risks of illegal activities, providing strong consumer protections, and eliminating incentives that contradict policy objectives; this can be most effectively accomplished at the application level.
We believe that such a Web3 application regulatory framework should focus on three interrelated factors:
First, the policy objectives of the anticipated regulation must be assessed. If the regulation cannot achieve legitimate goals, it should not be adopted.
Next, the characteristics of the applications to be regulated must be considered. Web3 applications operate in many different ways, which should directly influence the scope of regulation.
Finally, the constitutional implications of a regulation must be analyzed. Fact-based refined analysis can provide guidance for regulatory actions and judicial opinions and should accompany any Web3 regulation.
Based on these factors, we can roughly articulate the starting point of this regulatory framework—keeping in mind that the ultimate scope and application of any regulation will depend on specific facts and circumstances:
Using a first principles approach, let us explore each area in more detail to better understand how, where, and why rules should apply to Web3 applications.
Policy Objectives of Web3 Application Regulation
A popular saying is "same activity, same risk, same rules." In other words, regulations should be consistent. This seems intuitive and applies to many Web3 applications that superficially resemble Web2 or other traditional products and services. However, a closer look reveals that this statement largely fails in Web3 due to the different functionalities and risk profiles of Web3 applications and protocols. Therefore, we must focus on the policy objectives of a given regulation to understand whether the differences in functionality and risk profiles necessitate a different regulatory approach for Web3.
A regulation can achieve many different policy objectives. Reasonable goals may include: protecting investors and consumers, encouraging innovation, promoting capital formation and market efficiency, fostering (or unfortunately discouraging) competition, protecting national interests, and so on. However, sometimes regulation fails to achieve its objectives, or even lacks a legitimate purpose. This may be because a regulation exceeds its original intent, is too broad in scope, produces unintended negative consequences, or because enforcing such regulation undermines the value of the technology it seeks to regulate. In these cases, continuing to enforce a regulation may serve to protect vested interests; or it may simply be regulation for the sake of regulation, both of which are unacceptable.
A historical example illustrates this point. In 1865, the British Parliament passed a Locomotive Act that required road vehicles in cities to not exceed a speed of 2 miles per hour and mandated that a man wave a red flag in front of them. While the "Red Flag Act" may have been appropriate in an era with few cars and pedestrians everywhere, enforcing it today would be absurd and detrimental to the development of a well-functioning transportation economy. As automotive technology, road infrastructure, preferred modes of transport, and protocols for managing traffic flow have advanced, this law has become outdated. Given the technological advancements represented by Web3, any one-size-fits-all regulatory approach would be as outdated as the Locomotive Act and likely become obsolete very quickly. This would significantly undermine the legitimacy and effectiveness of regulatory actions.
Applying regulations to protocols (rather than Web3 applications) can also lead to similarly absurd outcomes. Just as cars brought faster travel, the new computing paradigms brought by Web3 technology also introduce new forms of native internet functionalities (e.g., lending, exchanging, social media, etc.). The ability to transfer value at internet speed is an extremely powerful native capability and is still in its infancy. If regulators impose subjective and globally conflicting regulations on Web3 protocols (e.g., restricting the trading of certain assets with non-objective characteristics, such as securities or derivatives, or censoring categories of speech), compliance may require development teams to undergo an impossible "re-centralization" process to create the illusion of governance and control. While it is understandable that regulators seek a central position of control and accountability, blockchain protocol governance is often globally distributed and decentralized. If it were not, or if centralization or centralized management were forced on it, the result would backfire, undermining the very characteristics that make Web3 protocols functional and useful.
To achieve true "technological neutrality," regulation should not undermine the technology it seeks to regulate. This is why regulation should only apply to Web3 applications, as they are operated by businesses that can comply with subjective rule-making, rather than to the underlying protocols, which are essentially software that cannot. A similar argument holds further down the technology stack, protecting underlying functions (e.g., validators, miners, etc.). Regulation that undermines technological value is less about law and more about Luddism.
Decentralization is one of the key benefits brought by blockchain technology and has significant implications for regulation. Critics often deride decentralization as a misleading slogan, but blockchain decentralization is real and significant.
Consider the difference between CeFi and DeFi. In the world of CeFi, many regulations aim to eliminate the risks of trusting financial intermediaries. The goal is to reduce the risks that may arise whenever there are potential conflicts of interest or outright fraud, as there is almost always a risk when one person has to trust another with their money or assets (see: FTX & Alameda, Celsius, Voyager, 3AC, MF Global, Revco, Fannie Mae, Lehman Brothers, AIG, LTCM, and Bernie Madoff). In the world of DeFi, traditional financial services are disaggregated, with no intermediaries to trust. Therefore, in true DeFi, the decentralization, transparency, and trustlessness brought by blockchain technology eliminate most of the risks that CeFi regulations primarily aim to address. By removing trust and reliance on intermediaries, DeFi can keep users away from the centralized risk behaviors prevalent in CeFi (such as project exit scams, user asset misappropriation, etc.), and DeFi does this better than any "self-regulatory" or "public regulatory" regime in CeFi. In other words, applying CeFi's "red flag behaviors" to DeFi makes no sense, or rather:
Thus, it is illogical to apply all CeFi regulations to decentralized Web3 applications that do not provide similar intermediary services. Furthermore, any regulatory intervention would be counterproductive. Regulatory intervention would hinder DeFi's ability to achieve many legitimate policy goals pursued by financial regulations, such as transparency, auditability, traceability, responsible risk management, etc., and resistance to such regulation should be resolute.
Nevertheless, due to the potential multiple policy objectives of such regulation, it is challenging to provide a comprehensive exclusion for all regulation, even in the financial services, intermediary-focused regulatory space. For example, consider the distinction between the "broker-dealer" (BD) regulations set forth in U.S. securities law and the "introducing broker" (IB) regulations established in U.S. commodity derivatives law. One purpose of the Securities Exchange Act is to protect investors from the inherent risks posed by intermediaries holding investor assets. This differs from the scope of the IB law, where the CFTC (U.S. Commodity Futures Trading Commission) focuses on how conflicts of interest can lead intermediaries to influence trading without holding investor assets. The decentralization of Web3 technology clearly eliminates the need for the custody aspect of BD law, but this alone may not eliminate the need for IB law, especially when DeFi applications make decisions on behalf of users (e.g., routing trades).
Now consider the regulations that limit how securities and derivatives can be issued and sold in the U.S. These regulations have many purposes, some of which are not avoided through decentralization or Web3 technology, including those related to investor protection. When the same risks and considerations apply to centralized and decentralized businesses and technologies, the default position may be that rules should be consistent, unless there is some overriding policy objective justifying different rules. For example, it may be difficult to argue that centralized businesses (like centralized exchanges such as Coinbase) should be prohibited from earning commissions on securities and derivatives trading, while another business facilitating access to decentralized infrastructure (like a for-profit website providing access to decentralized trading protocols like Uniswap) should be allowed to earn commissions on those same types of trades. Such a regulatory framework could give businesses using decentralized protocols a significant competitive advantage over centralized exchanges and lead to regulatory arbitrage. Therefore, this difference in approach requires a compelling policy objective to justify it, such as promoting decentralized innovation (which we will discuss further below).
When it comes to the broad range of regulations that may apply to Web3 applications, the above examples are just the tip of the iceberg. However, from the examples above, it should be clear that effective regulation should have clear relevant purposes, appropriate scope, and productive effects. The classification and categorization issues like those above are the bottom line of analysis: how DeFi operates must be understood at a nuanced level. Every well-meaning regulator learns at the outset of their blockchain learning journey that the apparent essential similarity between traditional finance and blockchain finance conceals deep operational, organizational, and functional differences.
Characteristics of Web3 Applications
The characteristics of a specific Web3 application determine the risks that application may pose, and so play a significant role in determining whether and to what extent regulation should apply. For example, many Web3 applications may not be entirely trustless, as they may hold users' assets, intermediate users' transactions, or promote or advertise certain assets, products, or services to users. Applications with these characteristics are most likely to require regulation, as they are more likely to expose users to residual centralized risks, or, if left unregulated, would contradict policy objectives. Beyond characteristics that introduce centralized risk, two important features of Web3 applications also have regulatory significance, provided they do not hinder regulatory objectives. These two characteristics are: (1) whether the application is operated by a business for profit; and (2) whether the primary intended purpose of the application is to facilitate activities that are to be regulated (i.e., whether the primary purpose is legal or illegal). We will analyze many other factors in future articles, but for now, these two factors serve as useful jumping-off points.
For-Profit vs. Non-Profit
If Web3 technology does not avoid regulatory objectives, then regardless of whether a Web3 application utilizes truly decentralized protocols, if it is operated by a business for profit, there is a strong presumption that such a business should be subject to regulation. First, the mere fact that the application is operated by a business for profit may expose users to certain risks. For example, if such an application facilitates certain types of financial transactions, the operator profiting from those transactions may create inherent conflicts of interest. Second, if the regulation does not apply, failing to prohibit businesses from profiting from promoting illegal activities that the regulation aims to prevent would effectively encourage such illegal activities and may lead to an increase in such activities. For instance, allowing businesses to charge commissions on the illegal trading of tokenized securities or derivatives may lead to an increase in such illegal trading, which would contradict the policy objectives behind such regulation (reducing the prevalence of such trading) and assist and advocate for the law as a core principle.
Nevertheless, due to the benefits brought by Web3 technology, a more flexible regulatory approach for for-profit Web3 applications may be reasonable. In particular, since Web3's decentralized protocols enhance the native functionalities of the internet, which anyone can use, they can effectively serve as public infrastructure (similar to SMTP/email). Taking a flexible regulatory approach to for-profit Web3 applications can promote the development of these protocols, encourage development, and even allow developers to self-fund by operating for-profit applications. Conversely, overly burdensome entry regulatory barriers or economies of scale in regulation would hinder the technology's ability to fully realize its future potential. Requiring developers to register under overly burdensome regimes or obtain expensive, time-consuming licenses to deploy a front-end website providing access to decentralized protocols could stifle Web3 innovation in the U.S. Therefore, there is a strong public policy argument for protecting nascent Web3 applications from cumbersome regulation to incentivize the development and availability of U.S. Web3 infrastructure.
If Web3 applications are not operated by businesses for profit, the rationale for leniency becomes even more compelling. For example, many Web3 applications effectively operate as public goods—purely non-custodial communication and consensus software that interacts with decentralized protocols. These Web3 applications may not raise the same concerns as above, as the motivation to create conflicts of interest or encourage operators to promote illegal activities diminishes or disappears if no one is profiting. As mentioned above, the goal of any Web3 application regulatory framework should be to reduce the risks of illegal activities and suppress illegal activities, rather than eliminate the possibility of their occurrence. Therefore, if Web3 applications are not operated by businesses for profit, cumbersome regulation should be resisted as much as possible, as such regulation would undermine important policy objectives that promote innovation in the U.S.
Primary Purpose
Even if Web3 applications are not operated by for-profit enterprises, their potential purposes may be significant, possibly very significant, for regulatory purposes. If the application is specifically designed to facilitate activities that should be regulated, there would be an assumption that such applications should be regulated. In fact, many such applications may already be regulated on this basis, even if they are merely front-end websites displaying blockchain information and assisting users in communicating with such blockchains. For example, through its enforcement actions, the CFTC previously identified certain communication systems as swap execution facilities (SEFs), thus subjecting them to certain regulations. The CFTC found that these communication systems were managed by a centralized entity, established for trading derivatives, and provided enhanced functionalities that met the SEF definition. However, it is important to note that other similar communication systems with SEF-like functionalities were not identified as SEFs, possibly because they were not built to facilitate derivatives trading, even though such derivatives trading occurred on those communication systems.
Based on these CFTC examples, one might expect different treatment for a front-end specifically built for a derivatives trading protocol (e.g., the controversial Ooki protocol) compared to a decentralized exchange front-end that enables the permissionless listing and trading of any digital asset (e.g., the Uniswap protocol), while a simple blockchain explorer (e.g., Etherscan) should receive the most lenient treatment. This different regulatory treatment makes sense because the primary purpose of the Ooki front-end is allegedly to facilitate illegal trading in the U.S., while the primary purposes of the Uniswap front-end and Etherscan are to facilitate essentially legal activities.
However, even in cases where an application is specifically designed to promote regulated activities, exempting the application from burdensome regulatory regimes may align with the public interest. For instance, if trading in digital assets is regulated in the U.S. and all exchanges are required to register, there is ample reason not to extend the full scope of such regulation to an application specifically designed to provide users with access to decentralized trading protocols (assuming it is not operated for profit or is in a nascent stage of development). In particular, the decentralized nature of the protocol and the characteristics of the application may eliminate many of the risks that regulation intends to address (as discussed in the previous section), and the potential societal benefits brought by enabling unrestrained trading on the internet may far outweigh all regulatory policy objectives.
Finally, regardless of whether Web3 applications are for-profit or whether their primary purposes are legal, all applications should continue to be subject to certain existing legal frameworks, and many applications should be subject to new narrow customer protection requirements. First, maintaining existing legal frameworks related to fraud and other types of prohibited malicious activities has its value. However, enforcement actions against protocol or application operators that do not engage in malicious activities violate the fundamental concepts of due process and justice. Second, consumer protection regulations, such as disclosure requirements, can help inform users of the risks associated with using specific DeFi protocols, while code audit requirements can protect users of applications from failures of the underlying protocols' smart contracts. However, any such requirements also need to be tailored to enable Web3 applications and their developers to comply without controlling the decentralized protocols they provide access to.
Constitutional Implications
Regulating Web3 has potential constitutional implications, and we have ample reason to believe that courts will ultimately defend Web3. While today's constitutional arguments defending Web3 focus on discrete issues raised, they portend a fundamental and significant national and global legal competition regarding the nature of individual, collective, and national sovereignty.
Now, consider these trend lines and inferential questions. While these frameworks are articulated in terms of the U.S. Constitution, the similarities with other constitutional and international legal frameworks are self-evident:
Many believe that the First Amendment may protect software developers, on the grounds that code is law. Do a series of rights under the First Amendment encompass the right to engage in cryptocurrency transactions? Does the freedom to transact include a fundamental right to on-chain privacy?
Many also believe that the Fourth Amendment may protect DeFi protocols from having to use intermediaries to collect know-your-customer information or meet regulatory compliance burdens. Do individuals have the right to secure their on-chain identities, games, social networks, and assets from unreasonable searches and seizures (e.g., through the expansion of global civil asset forfeiture regimes)?
Recent case law further suggests that regulatory agencies expanding their jurisdiction to cover Web3 rule-making without specific congressional authorization may be unconstitutional. What should multi-agency collaboration look like to ensure constitutional norms, transparency, legality, and ultimately effectiveness? This applies not only to the SEC and CFTC but also to the U.S. Treasury, the Federal Reserve, the Federal Trade Commission, the Department of Justice, and global regulatory bodies.
All of these are valid areas of discussion and raise fundamental civil rights issues. Regardless of how certain these constitutional challenges may appear, their strength remains uncertain. Therefore, it would be foolish for participants in the Web3 industry to refuse to engage in policy-making or reject all regulation based on the Constitution's protection of Web3, as such protection may ultimately not materialize. Web3 industry participants must work with policymakers and regulators to develop regulatory policies, and rely on the courts only to uphold constitutional rights and prevent specific overreach.
Given the potential constitutional challenges, Web3 regulation needs to be crafted with caution. Otherwise, policymakers' good-faith efforts to provide regulatory clarity for the industry may inadvertently create greater uncertainty. Additionally, the rule-making of regulatory agencies needs to be taken seriously and publicly addressed based on a complete cost-benefit analysis; it should not be decided through opaque enforcement actions or implicitly through broader reforms of existing regulations.
Conclusion
Effective regulation of Web3 applications is a significant task. It requires a reassessment of existing regulatory schemes, a deep understanding of Web3 technology, and a nuanced balancing of policy objectives. Executing these tasks is crucial. If Web3 applications remain subject to existing regulatory frameworks applicable to traditional businesses without any reassessment and room for technological nuance, the development of the internet in the U.S. will stagnate. Outdated "Red Flag Acts" must be reconsidered, and new regulations must be implemented to achieve policy objectives.
This process must begin with establishing clear policy objectives for Web3. It is important that these objectives are correctly calibrated so that the societal benefits created by Web3 technology far exceed its costs. This does not require eliminating the possibility of Web3 technology being used for illegal activities, but it does necessitate measures aimed at reducing the risks of illegal activities and suppressing illegal activities. Subsequent parts of this series will explore how to further suppress illegal activities and other important topics related to Web3 policy, including discussions on specific regulatory schemes, differences between applications and protocols, and the importance of U.S. leadership. Ultimately, leveraging Web3 technology and its ability to transfer value at internet speed will lead to an increase in many new forms of native internet functionalities and create millions of new internet businesses. However, to achieve this, we must apply regulation judiciously to support innovation and limit unnecessary "gatekeeping." To this end, policymakers, regulators, and Web3 participants should continue to engage in respectful, open, good-faith, and thoughtful discussions.