Digital Asset Spot Market Regulation: Distinguishing CeFi vs. DeFi
January 12, 2026
As the Senate advances market structure legislation that establishes the jurisdiction of the Commodity Futures Trading Commission (CFTC) over digital commodity spot market intermediaries, we are optimistic that it will include provisions reflecting the key differences between centralized/custodial (CeFi) spot markets and decentralized/noncustodial (DeFi) spot markets, matching those passed by a bipartisan supermajority in the Digital Asset Market Clarity (Clarity) Act. Specifically, we are hopeful that the Senate will build in robust developer protections, such as those in Section 409 of the Clarity Act, that clearly recognize that software developers who do not take custody or control over other people’s assets are not intermediaries.
The regulation of crypto spot market intermediaries is a major focus of policymakers and regulators in Washington. In July 2025, the House of Representatives passed the Digital Asset Market Clarity Act, which would assign jurisdiction over “digital commodities” traded in spot markets to the CFTC, making it the primary digital assets regulator. In the Senate, parallel momentum is driving the Responsible Financial Innovation Act, which also clarifies the scope of the Securities and Exchange Commission’s jurisdiction with respect to digital assets.
As Congress continues finalizing a regulatory framework for digital asset markets in the United States, it is critically important that the legislation contains robust developer protections that differentiate between centralized securities or commodities intermediaries and developers of noncustodial, peer-to-peer software. Appropriately calibrated developer protections, resembling Section 409 of the Digital Asset Market Clarity Act, will ensure that definitions of digital commodity intermediaries do not inadvertently subject software developers to CFTC regulation or liability that is incompatible with their actual activities and the technology they create.
Digital Asset Spot Markets and the Commodity Exchange Act
First off, what is a “spot market”? The spot market is where assets (e.g., commodities, securities, or currencies) are bought and sold for immediate delivery at their current market price. In digital assets, this means buying a digital asset for instant settlement at its prevailing market price, with the purchaser obtaining ownership of the asset immediately upon execution of the transaction.
The Commodity Exchange Act (CEA) is a federal law that regulates commodity derivatives trading in the United States and establishes the statutory framework for the CFTC. Under the CEA, the CFTC has the authority to oversee commodity derivatives markets by regulating registered trading facilities and intermediaries. The CEA broadly defines “trading facility” as “a person or group of persons that constitutes, maintains, or provides a physical or electronic facility or system in which multiple participants have the ability to execute or trade agreements, contracts, or transactions.” In particular, trading facilities include designated contract markets (DCMs) and swap execution facilities (SEFs).
Today, while the CFTC does not have the authority to regulate spot commodity transactions, it does have antifraud authority over spot markets, i.e., the CFTC has limited authority to pursue charges for fraud or manipulation in the spot market. However, pending digital asset market structure legislation would provide the CFTC with additional jurisdiction over digital asset spot market intermediaries.
What are the fundamental differences between Centralized (CeFi) and Decentralized (DeFi) digital asset spot markets?
| CeFi Digital Asset Spot Markets | DeFi Digital Asset Spot Markets | Policy Considerations |
| --- | --- | --- |
| Transparency | | |
| Only the exchange operator has full transparency into and control over the operation of the trading protocol, including any matching algorithm, order types, order handling, market data, etc. | The code automating how the protocol operates is transparent, and transactions take place on a public blockchain, giving regulators and market participants the ability to view and audit the market in real-time. No person or group of persons acting in concert has unique visibility into trading activity or the unilateral ability to control such activity. | The CFTC regime assumes opacity and requires mandatory reporting. DeFi is transparent by design, offering code-level transparency, and lacks a “reporting entity” or person with control over other people’s transactions or assets. |
| Conflicts | | |
| The exchange operator not only has access to confidential trading information but also may face conflicts of interest with the market in handling that information or engaging in proprietary trading and other activities. | The protocol is neutral and no users have a “leg up” due to affiliation with a market operator. | CFTC rules target institutional conflicts (human discretion). Because DeFi developers and projects have no unilateral control over other people’s assets or the network, the risk of institutional conflicts of interest is lower than in traditional markets or CeFi. |
| Market Access | | |
| The exchange operator decides who can access the market and the terms for such access. | A decentralized/noncustodial system affords open access to anyone who can establish connectivity to the protocol. | When exchange frameworks assume gatekeepers, in which customers must seek and obtain permission to access financial services provided by an intermediary, they don’t work for DeFi. Imposing permissioning or limiting participant eligibility would require fundamental changes to DeFi technology that undermine decentralization and require “re-intermediation” of the technology. |
| Custody | | |
| In a centralized/custodial system, the exchange operator holds users’ assets for purposes of safekeeping, effecting settlements and, if applicable, for margin or collateral. Assets are typically held by the centralized market operator (or a related clearing/settlement entity) in an omnibus account in its own name, directly or with a third party depository. | Users are responsible for custodying their own assets (or assets pledged to them by counterparties) and arranging themselves for custody and settlement through third party custodians. Any margin or collateral may be held directly, by a third party custodian, or through smart contracts on the decentralized system. Decentralized/noncustodial systems mitigate the risk that users will lose funds due to custodial mismanagement. | CFTC custody rules currently presuppose a custodian. In DeFi, users custody and control their own assets and engage in self-directed transactions. There is no entity in DeFi that is capable of asset segregation or return obligations, making compliance with intermediary-suited rules structurally impossible. |
| Governance/Control | | |
| A single entity or group of affiliated entities provides execution, settlement, and custodial services on behalf of customers, with control over customer trading activity and assets. | A decentralized/non-custodial system is not unilaterally controlled by any single entity or group of affiliated entities. | CFTC oversight requires a responsible operator with authority to intervene. DeFi protocols are automatic and intermediary-less, and are generally unable to unilaterally halt trading or reverse transactions without violating the decentralization of the technology. |
Do centralized/custodial and decentralized/noncustodial digital asset spot markets present the same risks?
No. In a CeFi system, the risk exposure is related to the central facility that is responsible for holding the users’ assets and settling the transactions. If that facility experiences issues, assets could be lost or settlements may fail. The protections against these risks are typically regulatory requirements regarding capital, segregation of assets, system safeguards and similar matters.
In a DeFi system, there is no risk exposure related to a central facility. Participants are responsible for ensuring that the manner in which they hold assets, including any margin or collateral transferred by third parties, is secure and that they utilize appropriate custody, systems or other mechanisms to effect settlements and protect against loss.
Both CeFi and DeFi markets can be exposed to risks arising from fraud, manipulation or other abusive or disruptive trading activity, as well as system shutdowns, errors or interruptions. In a centralized/custodial market, the exchange operator is responsible for safeguarding against these risks by identifying prohibited activity, detecting and preventing that activity, and maintaining the integrity of the systems over which trading activity occurs.
In DeFi markets, although there is no central exchange operator exercising this function, these issues are more readily apparent to participants due to the full transparency into the markets (visible on public blockchains) and the transparent source code through which the system operates, which increases the ability of market participants to take action collectively to address problems with the code or other issues.
From a regulatory perspective, does it make sense to differentiate between centralized/custodial and decentralized/non-custodial digital asset spot markets?
Yes. The two models are very different, and developer protections are essential to establish this differentiation. It makes sense to require centralized exchanges to comply with a regulatory regime that protects against misappropriation, negligence, errors, bankruptcy, settlement failures, etc., by the centralized facility, or by third parties in a manner that affects the facility. This type of regulation does not make sense for noncustodial and decentralized exchange developers for the reasons noted above – there is no sponsor or operator that can be required to comply with the same types of requirements, nor is this type of regulation appropriately calibrated to risk, because the risk exposure of participants is not to a centralized entity. It is not a matter of regulatory arbitrage – these are two very different models that offer different advantages and different risk exposures.
Developer Protections Are Essential for DeFi Digital Asset Markets
Carefully calibrated developer protections, such as those included in the bipartisan Digital Asset Market Clarity Act Section 409, are essential to ensuring that developers of noncustodial software and neutral DeFi infrastructure are not inappropriately classified as financial institutions under federal law. Section 409 draws a clear and necessary line between noncontrolling, noncustodial technical activities and intermediary-based financial services that involve custody and control of customer assets.
At their core, developer protections codify the technological reality of noncustodial blockchain systems. They establish a principled legal distinction between regulatable intermediaries (entities that custody, control, or intermediate customer assets) and the software developers who develop and deploy noncustodial, peer-to-peer infrastructure. This distinction reflects a fundamental truth about blockchain technology: there is a material difference between centralized intermediaries that operate on behalf of customers and noncustodial, peer-to-peer systems that enable users to engage in self-directed transactions. Developers of such systems don’t intermediate transactions, hold customer funds, or engage in transactions on a customer’s behalf; they create tools that users use to execute their own transactions.
Accordingly, any legislation granting regulatory authority over digital asset spot market intermediaries must clearly differentiate between centralized exchange spot markets and decentralized noncustodial spot markets. Robust developer protections are not a carve-out or loophole, but a necessary safeguard to ensure that regulation targets custodial intermediaries where risk and control reside, while preserving innovation in open, noncustodial blockchain infrastructure.