Regulate Web3 Apps, Not Protocols
Part II: Framework for Regulating Web3 Apps

Miles JenningsBrian Quintenz

This is part 2 in a series, “Regulate Web3 Apps, Not Protocols”, which establishes a web3 regulatory framework that preserves the benefits of web3 technology and protects the future of the Internet, while reducing the risks of illicit activity and consumer harm. The central tenet of the framework is that businesses should be the focus of regulation, whereas decentralized, autonomous software should not.

Two extremes frequently clash over web3 regulation. The first faction argues for the wholesale expansion and application of existing regulations to web3. This group ignores critical features of web3 technology and therefore fails to recognize significant differences in the risk profile of web3 products and services as compared to traditional products and services. This failure leads the group to advocate for regulating things like decentralized finance (DeFi) and centralized finance (CeFi) in exactly the same way, without nuance. The opposing faction argues, in contrast, for the complete exclusion of web3 from existing regulations. This group ignores the economic reality of many web3 products and services and seeks to abandon many successful regulatory frameworks, including those that have made U.S. capital markets the envy of the world.

Both of these extremes may be popular, but neither holds up to scrutiny, and both produce bad policy outcomes.

The correct approach to regulating web3 lies somewhere in the middle. In this post, we’ll explore a framework for a pragmatic approach to web3 app regulation, which abides by the principle established in the initial post of this series — that is, web3 regulation must only apply at the app level (meaning the businesses operating end-user-facing software that provides access to protocols), rather than at the protocol level (the underlying decentralized blockchains, smart contracts, and networks that provide the Internet with new native functionality). 

Put more succinctly: Regulate businesses, not software.

Whereas businesses can tailor apps to comply with regulations, software protocols designed to be globally accessible and autonomous are incapable of making subjective determinations that local regulations may require. This is why, throughout the history of the Internet, governments have always chosen to regulate apps such as email providers (e.g., Gmail) and not to regulate underlying protocols such as email (e.g., Simple Mail Transfer Protocol or “SMTP”). Potentially subjective, globally-conflicting regulations thwart the ability of protocols to interoperate and function autonomously, rendering them useless.

Regulating apps, not protocols has served the public interest well over the past decades of the Internet’s explosive growth. While the propagation of web3 technology adds a layer of complexity to the challenge of regulating the Internet, a web3 app regulatory framework does not need to address illicit activity at the protocol level. We do not regulate SMTP just because email can facilitate illicit activity. But proposals for web3 regulatory frameworks must be capable of accomplishing policy objectives by reducing the risk of illicit activity, providing strong consumer protection and removing incentives that run counter to policy objectives — this can be done most effectively at the app level.

We believe such a framework for the regulation of web3 apps should focus on three interrelated factors: 

  • First, the policy objectives of an intended regulation must be assessed. If the regulation won’t accomplish a legitimate goal, it shouldn’t be adopted.
  • Next, the characteristics of the apps to be regulated must be considered. Web3 apps work in many different ways, which should directly impact the scope of regulation. 
  • Finally, the constitutional implications of a given regulation must be analyzed. Granular, fact-based analysis that can inform regulatory activity and judicial opinion should accompany any web3 regulation.

Based on these factors, we can roughly represent the starting point for this regulatory framework as follows — noting that the final scope and application of any regulation will depend on specific facts and circumstances: Using a first-principles approach, let’s explore each area in more detail to better understand how, where, and why rules should apply to web3 apps.

Policy objectives of web3 app regulation

A popular mantra is “same activities, same risks, same rules.” In other words, regulations should be consistent. This seems intuitive and applicable to many web3 apps that appear on their surface to be analogous to web2 or other traditional products and services. However, upon closer inspection, it is clear this mantra mostly fails in web3 because of the different functionality and risk profile of web3 apps and protocols. As a result, we must look to the policy objectives of a given regulation in order to understand whether such differences in functionality and risk profile necessitate a different regulatory approach for web3.

A single regulation can fulfill many different policy objectives. Legitimate goals may include: protecting investors and consumers, fostering innovation, promoting capital formation and the efficiency of capital markets, encouraging (or, unfortunately, discouraging) competition, protecting national interests, and so forth. Sometimes regulation fails, however, to achieve its purpose or to even have a legitimate purpose. This can be because a given piece of regulation outlives its original purpose, because it applies too broadly beyond its intended purpose, because it creates unintended negative effects, or because applying such regulation would negate the value of the technology it seeks to regulate. In these situations, the continued application of a regulation may be to protect entrenched interests. Or, it’s just regulation for regulation’s sake. Neither is acceptable.

A historical example drives the point home. In 1865, the UK Parliament passed a Locomotive Act requiring road vehicles to cap their speed at two miles per hour in cities and for a man to walk in front of them waving a red flag. While possibly appropriate in an age with few cars and ubiquitous pedestrians, the “red flag act” would be absurd and highly detrimental to the development of a well-functioning transportation economy if enforced through today. Advances in automobile technology, road infrastructure, preferred modes of transportation, and protocols governing the flow of traffic rendered the law obsolete. Given the technological advancement that web3 represents, any one-size-fits-all regulatory approach will be as anachronistic as the Locomotive Act, likely immediately. This would significantly undermine the legitimacy and efficacy of regulatory action.

The application of regulations to protocols — as opposed to web3 apps — would lead to similarly absurd results. Like the automobile enabling faster travel, the new computational paradigm enabled by web3 technology adds new forms of native Internet functionality (e.g., borrowing, lending, exchanging, social media, etc.). The ability to transfer value at the speed of the Internet is an extremely powerful primitive, and one that is still in its infancy. If regulators were to impose subjective and globally-conflicting regulations on web3 protocols (such as limiting trading of certain assets with non-objective characteristics like securities or derivatives, or censoring categories of speech), compliance might require development teams to undergo an impossible process of ‘re-centralization’ to create illusions of governance command and control. While the regulatory search for central loci of control and liability is understandable, blockchain protocol governance is often globally distributed and decentralized. Pretending otherwise or forcing such governance to be centralized would be counterproductive, undermining the very properties that make web3 protocols functional and useful in the first place.

To be truly “technology neutral,” regulation should not break the technology it seeks to regulate. This is why it is fundamental for regulations only to apply to web3 apps, because they are run by businesses and can comply with subjective rule-making, and not to underlying protocols, which are essentially software and cannot. Similar arguments hold further down in the tech stack in order to preserve the functionality of the baselayer (e.g., validators, miners, etc.). Regulation that destroys the value of technology is less law than Luddism.

Decentralization is one of the key benefits enabled by blockchain technology that has significant regulatory implications. Critics often deride decentralization as pretextual, but blockchain decentralization is real, and it is a big deal.

Consider the difference between CeFi and DeFi. In the world of CeFi, many regulations are designed to remove the risk of trusting financial intermediaries. The goal is to reduce the risks that may arise whenever there is potential for conflicts of interest or outright fraud, which are almost always present when one person has to trust another with their money or assets. (See: FTX, Celsius, Voyager, 3AC, MF Global, Revco, Fannie Mae, Lehman Brothers, AIG, LTCM, and Bernie Madoff.) In the world of DeFi, where traditional financial services are disintermediated, there are no intermediaries to trust. So, in true DeFi, the decentralization, transparency, and trustlessness enabled by blockchain technology eliminates much of the risk that many CeFi regulations are primarily intended to address. By removing the need to trust and rely on intermediaries, DeFi can insulate users from many of the age-old acts of malfeasance prevalent in CeFi and do so better than any ‘self-regulatory’ or ‘public regulatory’ regime in CeFi ever could. In other words, it makes no sense to apply the “red flag acts” of CeFi to DeFi, or:

As a result, the whole-sale application of CeFi regulations to decentralized web3 apps that do not provide intermediary-like services would be illogical. Moreover, any regulatory intervention would be counterproductive. Regulatory interventions would impede DeFi’s native ability to effectuate the very legitimate policy objectives that many financial regulations pursue, such as transparency, auditability, traceability, responsible risk management, and so forth. Resistance to such regulation should be resolute.

Still, it is difficult to provide blanket exclusions from all regulations, even within the financial services, intermediary-focused regulatory landscape, due to the multitude of potential policy objectives such regulations may have. Consider the difference between “broker-dealer” (BD) regulations under U.S. securities laws and “introducing broker” (IB) regulations under U.S. commodity derivatives laws, for instance. One purpose of the BD laws is to protect investors from risks inherent to intermediaries who take custody of investor assets. This differs from the scope of IB laws, through which the CFTC focuses on how conflicts of interest could lead to intermediaries affecting trading without ever taking custody of investor assets. The decentralization of web3 technology clearly obviates the need for the custodial aspects of BD laws, but alone it may not obviate the need for IB laws, particularly where a DeFi app makes determinations (such as routing trades) on behalf of users.

Now consider regulations restricting how securities and derivatives can be offered and sold in the United States. These regulations have many purposes, some of which are not obviated by decentralization or web3 technology, including those that relate to investor protection. Where the same risks and considerations apply to centralized and decentralized businesses and technologies, the default position will likely be that the rules should be consistent absent some overriding policy objective that justifies different rules. For instance, it may be difficult to argue that a centralized business (such as a centralized exchange like Coinbase) should be prohibited from earning commissions on trades of securities and derivatives, but that another business facilitating access to decentralized infrastructure (such as a for-profit website providing access to a decentralized exchange protocol like Uniswap) should be allowed to earn commissions on those same types of trades. Such a regulatory framework could give businesses using decentralized protocols a significant competitive advantage over centralized exchanges and would lead to regulatory arbitrage. As a result, such differences in approach would need to be justified by a compelling policy objective, such as to promote decentralized innovation (as we discuss further below).

The foregoing examples are only the tip of the iceberg when it comes to the wide array of regulations that could apply to web3 apps. However, from the above examples it should be evident that effective regulation should have a clear and relevant purpose, an appropriate scope, and a productive effect. Taxonomy and classification questions like the ones above are the analytical floor: how DeFi works must be understood at a granular level. What every good faith regulator learns upon starting their blockchain learning journey is that superficial naming homologies between traditional finance and blockchain finance occlude deep operational, organizational, and functional differences.

Characteristics of web3 apps

The characteristics of a given web3 app establish what risks such app may create and therefore play a significant role in determining whether and to what extent regulation should apply. For example, many web3 apps may not be entirely trustless, for instance, because they take custody of user assets, intermediate user’s transactions, and/or market or advertise certain assets, products, or services to users. Apps with these characteristics are the most likely to require regulation since they are more likely to introduce legacy centralization risks to users or, if left unregulated, to run counter to policy objectives. Beyond characteristics that introduce centralization risks, two important characteristics of web3 apps also have regulatory implications where web3 technology doesn’t obviate a regulation’s purpose. These are (1) whether the app is operated by a business for profit and (2) whether the app’s intended primary purpose is to facilitate the activity to be regulated (i.e., whether the primary purpose is lawful or unlawful). We will analyze many additional factors in future installments, but for now, these two factors are useful jumping off points.

For-profit versus not for-profit

Where web3 technology doesn’t obviate a regulation’s purpose then, regardless of whether or not a web3 app utilizes a truly decentralized protocol, if it is operated by a business for profit, there is a strong existing presumption that such business should be subject to such regulation. First, the very fact that the app is operated by a business for profit could subject users to certain risks. For instance, if such an app were to facilitate certain types of financial transactions, the operator’s profiting off of such transactions could create inherent conflict of interests. Second, if the regulation did not apply and failed to prohibit a business from profiting from the facilitation of the illicit activity the regulation was intended to prevent, then such regulation would effectively be incentivizing the facilitation of such illicit activity and would likely lead to an increase in such activity. For example, permitting businesses to charge commissions on unlawful trading of tokenized securities or derivatives would likely lead to an increase in such unlawful trading, which would be counterproductive to the policy objectives behind such regulation (to reduce the prevalence of such trading). Aiding and abetting laws use this argument as a central tenet.

Notwithstanding the foregoing, a more flexible regulatory approach for web3 apps that are operated for profit may be justifiable due to the benefits that web3 technology delivers. In particular, because the decentralized protocols of web3 add to the native functionality of the Internet and can be used by anyone, they effectively serve as public infrastructure (similar to SMTP/email). A flexible regulatory approach to web3 apps operated for-profit could drive growth of these protocols, increasing development and even empowering developers to self-fund such progress through the operation of for-profit apps. Conversely, significantly burdensome regulatory barriers to entry or regulatory economies of scale would be detrimental to this technology reaching its full future potential. Requiring developers to register under an overly burdensome regime or obtain a costly, time consuming license in order to deploy a frontend website providing access to a decentralized protocol could have a stifling effect on web3 innovation in the United States. As a result, there are strong public policy arguments in favor of shielding web3 apps in their nascent stages from cumbersome regulation in order to incentivize the development and availability of web3 infrastructure in the United States.

Where web3 apps are not operated by a business for profit, the case for leniency is even more compelling. For instance, many web3 apps effectively run as public goods – that is, as pure non-custodial communications and/or consensus software for interacting with decentralized protocols. These web3 apps likely don’t raise the same concerns outlined above because, if no one is profiting, then there are fewer or no incentives creating conflicts of interest or encouraging operators to facilitate illicit activity. As discussed above, the goal of any web3 app regulatory framework should be to reduce the risk of and disincentivize illicit activity, not eliminate the possibility of it occurring. As a result, where web3 apps are not operated by a business for profit, cumbersome regulation should be resisted to the extent possible, as such regulation would undermine the important policy objective of fostering innovation in the United States.

Primary purpose

Even where web3 apps are not operated by a business for profit, their underlying purpose may matter, potentially significantly, for regulatory purposes. If the app is purpose-built to facilitate activity that is otherwise intended to be regulated then there would again be a presumption that such app should be subject to regulation. In fact, many such apps could potentially already be subject to regulation on this basis, even if they are just frontend websites that display information from blockchains and assist users in communicating with such blockchains. For example, through its enforcement actions, the CFTC previously determined that certain communications systems were Swaps Execution Facilities (“SEFs”) and thus subject to certain regulations. These communications systems were, the CFTC found, managed by a centralized entity, built for the purpose of trading derivatives, and provided enhanced functionality that met the definition of SEF. Importantly, however, other similar communications systems which have SEF-like functionality have not been identified as SEFs, arguably because they were not built for the purpose of facilitating derivatives trading, notwithstanding that such derivatives trading happens on such communication systems.

Based on these CFTC examples, one might expect different treatment for a frontend specifically built for a derivatives trading protocol (e.g., the much maligned Ooki protocol) as compared to the frontend of a decentralized exchange that enables the permissionless listing and trading of any digital asset (e.g., the Uniswap protocol), whereas a simple block explorer (e.g., Etherscan) should be treated with the greatest leniency. Such different regulatory treatment makes sense, as the primary purpose behind Ooki’s frontend is alleged to be the facilitation of illegal transactions in the United States, whereas the primary purpose behind Uniswap’s frontend and Etherscan are to facilitate activity that is inherently legal.

However, even in cases where an app is purpose-built to facilitate activity that is otherwise regulated, it may nevertheless be in the public interest to exempt the app from an onerous regulatory regime. For example, if the trading of digital assets were to become regulated in the United States and all exchanges were required to register, there are compelling reasons why the full scope of such regulation should not be extended to an app that is purpose-built to provide users with access to a decentralized exchange protocol (assuming it is not operated for profit or is in the nascent stages of development). In particular, the decentralized nature of the protocol and the characteristics of the app may eliminate many or all of the risks intended to be addressed by such regulation (per the prior section) and the potential societal benefits from empowering the Internet with unencumbered exchange functionality may significantly outweigh any lingering policy objectives that gave rise to such regulation.

Finally, regardless of whether a web3 app is operated for profit and whether its primary purpose is lawful, all apps should continue to be subject to certain existing legal frameworks and many apps should become subject to new narrowly-tailored customer protection requirements. First, there is value in maintaining existing legal frameworks relating to fraud and other types of proscribed malicious activity. But enforcement actions against protocol or app operators who had no involvement with malicious activity violates fundamental notions of due process and justice. Second, consumer protection regulations like disclosure requirements could help to inform users of the risks of using a specific DeFi protocol, and code audit requirements could protect an app’s users against smart contract failures of an underlying protocol. However, any such requirements would also need to be tailored to enable web3 apps and their developers to comply, even without controlling the decentralized protocols to which they provide access.

Constitutional implications

The regulation of web3 has potential constitutional implications, and there are good reasons to believe the courts will eventually come to web3’s defense. While today’s constitutional law arguments in defense of web3 focus on discrete issues presented, they foreshadow a series of fundamentally important national and global legal contests regarding the very essence of individual, collective, and national sovereignty.

For now, consider these trendlines and corollary questions. While they are framed in American constitutional law terms, the parallels to other constitutional and international legal frameworks are self-evident:

  • Many people believe that the First Amendment may protect software developers on the basis of code being speech. Is the right to transact in cryptocurrencies covered under the First Amendment’s bundle of rights? Does freedom of association include a fundamental right to on-chain privacy?
  • Many people also believe the Fourth Amendment may protect DeFi protocols from having to use intermediaries to collect know-your-customer information or meet regulatory compliance burdens. Do people have a right to be secure in their on-chain identities, games, social networks, and assets against unreasonable searches and seizures (e.g., via expansion of global civil asset forfeiture regimes)?
  • Recent case law further suggests that rulemakings by regulators to expand their reach to cover web3 could be unconstitutional absent the specific granting of authority by Congress. What should multi-agency cooperation look like to assure compliance with constitutional norms, transparency, legitimacy, and, ultimately, effectiveness? That goes not just for the SEC and CFTC, but also for the U.S. Treasury, the Federal Reserve, the Federal Trade Commission, the Department of Justice, and global regulatory peers.

All of these are valid areas of discussion and raise fundamental civil rights questions. Regardless, however sure these constitutional challenges may appear, their strength remains uncertain. It would therefore be foolish for web3 industry actors to refuse to engage in the shaping of policy or to reject all regulation on the basis that the Constitution will protect web3, as that protection may not end up materializing. Web3 industry actors must engage with policy makers and regulators to shape regulatory policy, and only rely on the courts to uphold constitutional rights against specific overreaches later.

Given the potential for constitutional challenges, web3 regulation needs to be carefully and deliberately crafted. Otherwise, good faith efforts by policy makers to provide regulatory clarity to the industry could inadvertently introduce even greater uncertainty. Further, rulemaking by regulators needs to be taken seriously and addressed openly on the basis of a complete costs and benefits analysis; not decided opaquely, through enforcement actions, or implicitly in a broader overhaul of existing regulations.


The effective regulation of web3 apps is a significant undertaking. It requires a reassessment of existing regulatory schemes, a deep understanding of web3 technology, and a delicate balancing of policy objectives. Undertaking these tasks is of critical importance. If web3 apps remain soulbound to pre-existing regulatory frameworks applicable to traditional businesses without any room for reevaluation and technical nuance, the evolution of the Internet in the United States will be halted dead in its tracks. Outdated “red flag acts” must be re-thought and new regulations must be implemented to meet policy objectives.

That process must begin with the establishment of clear policy objectives for web3. Critically, these objectives need to be calibrated properly so that the societal benefits created by web3 technology far exceed its costs. That does not require the elimination of the possibility that web3 technology may be used for illicit activity, but it does require measures designed to reduce the risk of and disincentivize illicit activity. Subsequent installments of this series will explore how further disincentivization of illicit activity can be accomplished, along with other important web3 policy-related topics, including a discussion of specific regulatory schemes, the differences between apps and protocols and the importance of U.S. leadership.

Ultimately, harnessing web3 technology and its ability to transfer value at the speed of the Internet will result in the addition of many new forms of native internet functionality and give rise to millions of new internet businesses.  However, doing so necessitates that we apply regulation carefully to support innovation and limit the creation of unnecessary gatekeepers. To accomplish this, policy makers, regulators, and web3 participants should continue to engage in respectful, open, good-intentioned, and deliberate discourse.


Edited by Robert Hackett, with special thanks to the exceedingly thoughtful advice, feedback, and edits from many members of the web3 community


The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the current or enduring accuracy of the information or its appropriateness for a given situation. In addition, this content may include third-party advertisements; a16z has not reviewed such advertisements and does not endorse any advertising content contained therein.

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at

Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see for additional important information.