The Malta Financial Services Authority (MFSA) has launched a public consultation on whether decentralised finance protocols that retain centralised features should fall within the European Union's Markets in Crypto-Assets Regulation (MiCA). The discussion paper, published on 12 June 2026 and open for responses until 10 July, acknowledges that MiCA excludes crypto-asset services provided in a fully decentralised manner without any intermediary. However, it notes that most DeFi protocols still maintain administrator keys, concentrated governance, upgrade rights, and control over user-facing interfaces — features that could pull them back inside the regulatory perimeter.
The MFSA stresses that the paper sets out no policy position and its proposals remain non-binding. The exercise extends Malta’s track record as a primary EU licensing base, where firms like Blockchain.com have won EU-wide approval through the MFSA.
MiCA’s Recital 22 places fully decentralised services outside the regulation, but does not define the threshold. The MFSA proposes a case-by-case assessment of governance, operational, and control features. Drawing on the European Commission’s MiCA review consultation, the paper lists indicators of incomplete decentralisation: an identifiable intermediary, admin key control, concentrated governance, custody of user assets by the protocol, absence of open-source code, and marketing by an identifiable entity. It asks whether decentralisation should be treated as a spectrum rather than a binary state, and whether authorised crypto-asset service providers integrating DeFi components should run smart-contract audits, governance reviews, and risk assessments.
Financial crime is also highlighted. The MFSA cites the Financial Action Task Force’s “same risk, same rule” principle, under which persons exercising control over a protocol may qualify as virtual asset service providers. It records that stablecoins accounted for roughly 84 percent of illicit virtual asset transaction volume in 2025, a risk that sharpens as licensed players passport stablecoin infrastructure across the EEA under MiCA.
The paper canvasses legal structures for DeFi projects, including recognising software-based organisations as a legal category, treating DAOs as one type, and using segregated cell companies to ring-fence assets. It also examines guardian agents and account abstraction, questioning when guardian authority amounts to effective control that might be captured by MiCA’s custody provisions.
The consultation lands amid an EU supervision dispute, after the MFSA rejected calls to hand crypto oversight to ESMA, which has moved to expand its mandate over crypto trading platforms. The Authority will review feedback before deciding whether to develop detailed proposals.
