Why the Department of Justice’s actions against DeFi are a wreck

Miller Whitehouse-LevineAmanda Tuminelli

2.4.25

Editor’s note: This op-ed is part of a bigger package of crypto policy views. Find the rest here: “Making the U.S. the crypto capital: What it would take.”

If someone runs a red light and causes a car crash, who is responsible: the driver or the carmaker? Almost certainly the driver. Sure, carmakers are responsible for using appropriate materials and installing safety features like seatbelts and airbags, but their obligations end there. It wouldn’t make sense to hold carmakers responsible for the bad driving of their vehicles’ users, just as it wouldn’t make sense to impose car manufacturing obligations on drivers themselves.

Similarly, you wouldn’t hold a self-driving car developer liable if someone else used that carmaker’s vehicle as the getaway vehicle in a bank robbery. As one judge pointed out as part of a hypothetical scenario: You “would not sue the car company for facilitating the wrongdoing; [you] would sue the individual who committed the wrong.”

These principles seem obvious in the case of automobiles, but they are very much still at issue in the digital sphere. Identifying who is exercising control in a given system, and what level of control they have, is the central question from which all other policy and legal questions must flow. The same intuitive principle that governs our understanding of car manufacturer and driver liability should be the foundation of sensible policymaking in the context of decentralized networks and protocols. (In fact, the judge quoted on the hypothetical scenario above was talking about whether Uniswap, the decentralized crypto exchange, could be held responsible for plaintiffs’ purchases of scam tokens created by unknown people.)

Sound policymaking for crypto should always start from an analysis of “control” in a given system: Who exercises control over a system or someone else’s assets, if anyone? How do they do so, and when? Answering that question identifies who can and cannot justly be held responsible for activities in the digital asset ecosystem.

Holding people responsible for systems and activities over which they exercise no agency or control leads to perverse outcomes. Unfortunately, the Department of Justice (DOJ) has ignored this distinction and is attempting to do just that by holding software developers responsible for the actions of third parties that use neutral tools the developers originally created but no longer control.

Within the last year, the DOJ began using Section 1960 to prosecute software developers in the blockchain industry — who, like car manufacturers, make neutral technology — in two known cases: United States v. Storm and United States v. Rodriguez. The broad sweep of the DOJ’s allegations in those indictments suggests that many others in the industry could be targeted, thereby pursuing a policy that is the digital equivalent of holding car manufacturers responsible for car crashes.

For this reason, the biggest policy priority with respect to the digital assets industry as we enter a new era in 2025 involves codifying the proper and legally correct understanding of “control” in law — in particular, the definition of a “money transmitting” business pursuant to Section 1960. Money-transmitting businesses are subject to certain registration and information-reporting provisions of the Bank Secrecy Act, 31 U.S.C. § 5312, and a criminal code provision punishing people for failing to register their business, 18 U.S.C. § 1960. The penalties are extraordinarily harsh: Section 1960 subjects violators up to $250,000 in fines and up to five years in prison.

Clarifying and codifying a correct interpretation of money transmission law necessarily involves incorporating concepts of custody and control into the law itself. This also means ensuring government entities consistently interpret the law in a way that incorporates those concepts. We believe this issue is the most critical one facing the industry in the United States because, left unaddressed, the DOJ can continue to accuse developers of non-custodial software — be it a decentralized finance (DeFi) protocol, the bitcoin protocol, or a similar neutral protocol — of running “unlicensed money transmitting businesses,” even where the allegation makes no sense because those developers have no control over the software or user assets.

The definitions of the terms relating to “money transmission” should leave no doubt about their correct interpretation. The Bank Secrecy Act defines a “money transmitting service” as “accepting currency, funds, or value that substitutes for currency and transmitting the currency, funds, or value that substitutes for currency by any means.” Meanwhile, Section 1960 defines “money transmitting” as including “transferring funds on behalf of the public by any and all means.” From the plain meaning and relevant legal analysis of those definitions, it is clear to everyone but the DOJ that a “money transmitting” business must actually have control over user funds.

An example underscores the distinction. Take a person swapping digital assets: The person can use the services of a centralized exchange business or DeFi protocols to do so. To use a centralized exchange, the person first transfers their digital assets to the exchange, after which the exchange has custody of and exercises control over those assets. The exchange, in turn, effectuates transactions on behalf of the person at that person’s direction. In other words, the exchange “accepts” and “transmits” a user’s funds on the user’s behalf. The centralized exchange’s control over the person’s funds presents certain risks (e.g., loss and misuse) —and policy responses targeting what it can and cannot do with that control can mitigate those risks. In the event the centralized exchange loses the assets they’re controlling on behalf of the person, the exchange should be on the hook.

In DeFi, the person can accomplish a similar result but without having to cede control over their assets to a third party. When using a decentralized software protocol to exchange digital assets, a person retains control over their digital assets and never cedes that control. Instead, the person uses a novel kind of software tool — a DeFi exchange protocol — to unilaterally conduct the exchange on their own, at their own direction. And unlike the centralized exchange business, the original developer of a DeFi protocol does not retain control over the protocol or have the ability to control how third-parties use it. Only the users of a DeFi protocol exercise control over their own assets. And while there are risks associated with using a DeFi protocol (e.g., it can be complicated technology with higher instances of user error), there is less risk that a third party will lose user funds because the user never gives up custody in the first place. (The bank going down isn’t a risk to you if you’re holding on to your own assets yourself.)

A basic understanding of control — in this case, the ability of a third party to actually move funds belonging to the user — is key here. It’s why a centralized exchange business, like the one described above, is appropriately regulated as a “money transmitting” business while the developers of an immutable, non-custodial smart contract protocol are not. It also highlights the perils of improperly understanding and misattributing control. To identify and mitigate sources of risk, on the one hand, and to properly assign liability when things go wrong, on the other hand, requires either identifying who has the necessary control over a system to mitigate risks or who is most responsible for some action in need of redress.

Industry and lawmakers must come together in 2025 to ensure the law properly reflects accurate concepts of custody and control and the responsibilities that flow from it — whether that’s in the context of a market structure bill, broker reporting obligations, or in reforming Section 1960. At the moment, the industry faces a real threat from the DOJ’s overbroad and erroneous interpretation of what constitutes an unlicensed money transmitting business, one of many misunderstandings that exist all across the crypto policy landscape.

As we saw in the analogy above, the automobile likely would not have succeeded if carmakers were held liable for every collision outside of their control. Such policy could have killed automobile innovation and frozen car manufacturing in the United States. If policy and lawmakers can align on the realities of control and custody in the context of software development, we’ll establish a clear and fair foundation for crypto entrepreneurs and developers to build in the United States.

***

Miller Whitehouse-Levine is CEO of the DeFi Education Fund. Previously, he led the Blockchain Association’s policy operation and worked at Goldstein Policy Solutions on a range of public policy issues, including crypto.

Amanda Tuminelli is Chief Legal Officer at the DeFi Education Fund where she leads impact litigation and policy efforts. Previously, she was a lawyer at Kobre & Kim, where she defended clients against criminal and regulatory investigations, government enforcement actions, and large-scale litigation, particularly in the crypto and blockchain space.

***

The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the current or enduring accuracy of the information or its appropriateness for a given situation. In addition, this content may include third-party advertisements; a16z has not reviewed such advertisements and does not endorse any advertising content contained therein.

This content is provided for informational purposes only, and should not be relied upon as security, legal, business, investment, or tax advice, nor as an endorsement of any such practices, products or services. There can be no guarantees or assurances that the views expressed here will be applicable for any particular facts or circumstances, and they should accordingly not be relied upon in any manner. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://a16z.com/investments/.

Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.