As the crypto policy world debates the future of stablecoins and the legal culpability of decentralized autonomous organization (DAO) governance voters, don’t sleep on the Digital Commodities Consumer Protection Act (DCCPA). The bipartisan bill co-sponsored by leaders of the Senate Agriculture Committee endeavors to answer a couple of key questions confounding crypto lawyers: when should crypto tokens be treated like commodities as opposed to securities, and how should the exchanges on which these tokens trade be regulated.

While the DCCPA helpfully codifies bitcoin and ether as digital commodities under the exclusive jurisdiction of the Commodity Futures Trading Commission (CFTC), it leaves a great deal of the line drawing between crypto securities and crypto commodities uncertain. In addition, in requiring all platforms for buying, selling, and trading crypto tokens to register with the CFTC and comply with other mandates, the DCCPA poses serious challenges to decentralized finance (DeFi). To defend creative dynamism in DeFi, any registration of decentralized crypto token exchanges (DEX) ought to be strictly voluntary.

Cryptocurrencies are innovative because they allow users to store and send value all over the world without the intermediation of trusted third parties. DeFi takes this innovation a step further, disintermediating not only token transfers but also a variety of other financial transactions – from making and taking out loans to trading different types of crypto tokens to creating novel insurance arrangements.

In lieu of financial middlemen, DeFi uses self-executing smart contracts deployed on cryptocurrency blockchains to deliver financial instruments when specified conditions are met. For example, if a user locks the appropriate collateral in a lending protocol’s smart contract, a crypto token loan will be issued.

DeFi has revolutionary potential because it is permissionless and composable, allowing for projects to be more creatively adapted and recombined. The lending scenario described above is permissionless; instead of requiring a traditional credit score – or an “in” with the right institution to get the loan – the borrower only needs the right collateral.

In addition, DeFi is composable – because the underlying smart contracts are written with open-source code and standards, functions can be built atop one another like interoperable Lego blocks. For example, a Web3 application that requires payment in ether (ETH) can still transact with holders of other cryptocurrencies by leveraging a third-party token swap protocol to perform the conversions.

The DCCPA threatens DeFi’s unique features. Although the law does not once use the word “decentralized,” its broad definition of “digital commodity trading facility” (i.e., that which facilitates the execution of digital commodity sales or trading of digital commodities between persons) very likely brings DEXs within its scope. DEXs would therefore be subject to a slew of compliance mandates, beginning with the requirement to register with the CFTC.

The problem with these mandates is that many of them are aimed at what current CFTC Commissioner Kristin N. Johnson aptly referred to in a 2021 law review article as “intermediary risks” – the potential for financial middlemen to mishandle assets and information in their possession. Regulations to address intermediary risks don’t make sense for software designed to achieve disintermediation.

For example, under the DCCPA, covered platforms would be required to “hold customer property (including digital commodities) in a manner that minimizes the risk of loss.” This is relevant to a centralized, custodial exchange but not to a DEX where users self-custody their tokens.

In addition, trading facilities would be required to “make public timely information on price, trading volume and other trading data,” as required by the CFTC. At best, this requirement is superfluous when applied to DEXs composed of open and auditable smart contracts with transactions settling on public blockchains. At worst, it could require information to be provided in formats achievable only with more active management of DEX projects.

Similarly, under the DCCPA, digital commodity platforms would be required to designate a chief compliance officer. While regulators micromanaging personnel is a problem in any context, adding managers to a project that is otherwise a series of self-executing smart contracts is entirely counterproductive to reducing intermediary risks.

Consider how a mandatory registration regime would impact composability and permissionlessness in the example described above of a Web3 app leveraging a DEX protocol for token conversions. Given the DCCPA’s broad definition of trading facility, the app itself might be treated as a covered digital commodity exchange. If so, interoperability with DEX protocols would be a compliance risk, undermining the benefits of composable code.

But even if the law were interpreted to place the compliance onus primarily on the DEX, the need to negotiate policies and terms outlining the relationship between the app and the DEX would make the ecosystem far less permissionless.

To help preserve the composable and permissionless quality of DeFi, any exchange regulation must ask what separates a decentralized exchange from a centralized exchange and how their risk profiles differ. Decentralization can be defined by relevant technical hallmarks, such as whether no person or group has majority control over governance decisions and whether an exchange is composed of open-source, self-executing and publicly auditable smart contracts.

The law also should differentiate between project teams that interpose themselves and their discretion between users and a DEX protocol and developers that simply let the software, not human agency, be the service. The relevant question is whether there is a provider in the loop making promises to users beyond code.

For example, if a front-end user interface provider makes promises about how its own performance will benefit users, such as through active whitelisting or promotion of what it considers worthwhile tokens, that provider is functioning more like a traditional middleman one expects to act in good faith. Barring such promises, however, it makes little sense to subject bona fide decentralized exchanges that are just basic front ends and public, auditable smart contracts to rules designed to address intermediary risks.

Any law that would impose sweeping obligations on DeFi should at the very least know what it is regulating. Defining what it means to be a decentralized exchange is the right place to start because rules ought to be tailored to specific risks. Anything broader would create undue barriers to entry, reducing the very competition among marketplaces that drives innovation, including in consumer protection.

Passing a law that hampers the creative potential of DeFi by mistaking disintermediated exchanges for their very opposite is a serious risk unto itself.