DeFi and Regulation: Self-Custody, Security and Compliance
1inch and Black Vogel debate why and how to regulate DeFi: user protection, smart contract audits, wallet monitoring, financial inclusion and regulating at the code level
30min · Full recording from 09/10/2025 at CAM Builders Stage. Also available on YouTube.
Overview
Does everything in DeFi need to be regulated, and how can it be done without breaking its essence? In this MERGE Madrid panel, 1inch and the consultancy Black Vogel debate the legal implications of decentralized finance: why we regulate, how DeFi differs from banks and centralized exchanges, and how the industry itself provides security on a voluntary basis.
What you'll learn
- What DeFi is: finance with no central intermediary or custodian, where smart contracts execute everything automatically
- Why regulate: user protection as the real goal, not bureaucracy
- DeFi vs TradFi vs CEX: differences in size, maturity and risk between banks, centralized exchanges and DeFi
- Voluntary security: smart contract audits, wallet monitoring and tools like Chainalysis or TRM Labs
- Limits of KYC and user education: “your keys, your money” and personal responsibility
- Regulating at the code level: sandboxes and certification of smart contract auditors to preserve self-custody
Session summary
What DeFi is and its scale: the panel clarifies that DeFi has no central intermediary or custodian (smart contracts execute everything) and that it remains small compared to traditional finance: a total value locked of around 150-200 billion dollars, versus hundreds of trillions in TradFi, a gap worth bearing in mind when regulating.
Why and for whom we regulate: the panel agrees that the goal of regulation should be user protection, and distinguishes three layers: traditional banking, centralized exchanges (with some compliance) and DeFi.
The industry's voluntary security: the panel explains that many players apply security measures even when the law does not require them, because doing so benefits both users and the business: continuous smart contract audits, blockchain-level wallet monitoring and providers such as Chainalysis or TRM Labs to detect and block suspicious activity.
The 1inch case: as one of the largest DEX aggregators by volume, 1inch notes that it does not custody funds or collect personal data, that it is one of the most audited firms in DeFi (with 15-20 auditors involved, for example, when integrating Solana), and that it proactively refunded users affected by a front-end hack despite having no legal obligation to do so.
User education and responsibility: the panel stresses that DeFi changes the paradigm (“your keys, your money”): if you lose your keys there is no one to turn to, so user education is key to telling a fraud or hack apart from a user's own bad practice.
Real impact and financial inclusion: the panel argues for approaching regulators with concrete examples of impact, such as Ethics Hub (financing small coffee farmers in the global south who are excluded from banking) or partnerships with bodies such as the UNDP, to demonstrate the added value of these technologies.
Regulating at the code level: given the lack of a central party, the panel proposes regulating the code itself through sandboxes that certify smart contract auditing firms (such as OpenZeppelin), following initiatives like Gibraltar's, to provide assurances without giving up self-custody. It also mentions the Tornado Cash case and the differences in security practices between DeFi players.
Watch the full panel
Watch the full panel recording on MERGE's YouTube channel, with 1inch and Black Vogel on DeFi, regulation and self-custody.
FAQs
What is DeFi?
It is decentralized finance: financial services without a central intermediary or custodian, in which smart contracts execute operations automatically and the user keeps self-custody of their funds.
Why regulate DeFi?
According to the panel, the goal of regulation should be to protect the user and create a secure environment, not bureaucracy itself; trust favors adoption.
How does the industry provide security without the law requiring it?
Through continuous smart contract audits, blockchain-level wallet monitoring and analytics providers such as Chainalysis or TRM Labs to detect and block suspicious activity.
What does regulating at the code level mean?
Regulating the code instead of a non-existent intermediary, for example by certifying the firms that audit smart contracts through sandboxes, to provide assurances without giving up self-custody.
Robert Kopitsch
Secretary General at Blockchain for Europe