Legal Guide to DeFi Yield Aggregators

DeFi yield aggregation has evolved well beyond simple “vaults.” The modern yield aggregator identifies the best risk-adjusted opportunities across lending protocols, structured yield markets, and managed vaults; executes allocation through smart contracts or intent-based solvers; and rebalances as conditions change. The product thesis is commercially compelling: users want yield without complexity.

That simplicity, however, is also the core regulatory challenge. The more a protocol compresses yield generation into a single user action, the more it resembles managed money — even if the underlying infrastructure is permissionless. In practice, most regulatory analysis of yield aggregators reduces to one question: Is the protocol providing infrastructure that users operate, or is it running a yield program that users rely on?

Most yield-aggregator teams incorporate in offshore jurisdictions — Panama and the BVI are the two most common choices. That approach solves the corporate-domicile question, but it does not resolve the regulatory question. Financial regulation typically applies based on where the investor is located, not where the entity is formed. If your users are in the United States or the European Union, the securities, fund-management, and anti-money-laundering rules of those jurisdictions follow your product regardless of where you incorporate.

This guide starts with the offshore structuring landscape, then examines the U.S. and EU regulatory frameworks in depth, and sets out practical structuring options for founders and investors.

What Do Yield Aggregators Do?

A yield aggregator typically performs four core functions:

Sourcing yield. The protocol monitors a set of venues — lending markets, vaults, yield markets — and forms a view on the best available risk-adjusted returns.

Routing funds. Assets are deployed into those venues, either through a pooled vault model (users deposit into a strategy contract) or through non-custodial delegation and intents (users retain keys but pre-authorize execution).

Rebalancing. As rates and liquidity shift, the protocol adjusts allocations to maintain the target risk-return profile.

Charging. Revenue is captured through explicit fees, spreads, performance cuts, or token economics.

From a regulatory perspective, yield aggregators are not evaluated based on ideology (“DeFi vs. CeFi”). They are evaluated based on facts: who holds custody, who exercises discretion, whether assets are pooled, and what is communicated to users.

What Design Variables Drive Regulatory Outcomes?

Most yield-protocol regulation in the U.S. and EU is triggered — or de-risked — by three structural variables. A fourth variable (marketing posture) consistently appears as evidence in enforcement narratives and deserves separate attention.

Custody

If users retain control of their assets and private keys at all times, the product generally presents as tooling or infrastructure. If users deposit into a pool or a custodian-controlled wallet, the product begins to resemble a financial service. This distinction runs through virtually every regulatory framework relevant to yield aggregation.

Discretion

If a protocol team, risk committee, or admin-key holder decides where assets are allocated, regulators can argue that users are relying on someone else’s expertise and efforts — a central element of the Howey investment-contract analysis. If the user selects the destination or sets strict constraints and the protocol only executes, the argument weakens considerably.

Pooling

Pooling is an accelerant. When a protocol aggregates assets and allocates them pro rata, the product can be characterized as a collective investment vehicle, even if the underlying assets are crypto. Pooling was a central factor in the SEC’s investment-company theory in the BarnBridge matter and in the framing of staking-as-a-service cases.

Marketing Posture

Language matters. “Passive income,” “we generate yield for you,” “target APY,” and retail-friendly “one-click returns” messaging can carry as much regulatory weight as the underlying code. The SEC and other regulators routinely cite promotional screenshots in enforcement actions.

Where Do Yield Aggregators Incorporate?

The majority of yield-aggregator projects incorporate in offshore jurisdictions. The rationale is straightforward: favorable tax treatment, flexible corporate law, and — in some cases — the absence of crypto-specific regulation. Two jurisdictions dominate the landscape.

Panama

Panama has no crypto-specific regulatory framework. There is no licensing requirement for virtual-asset service providers, no dedicated supervisory authority for digital assets, and no registration regime for DeFi protocols. As a result, Panama is popular among crypto projects that want a clean corporate domicile with minimal regulatory overhead.

The absence of regulation is a double-edged sword. On the one hand, a Panamanian entity faces no local licensing obligations related to its yield-aggregation activity. On the other hand, Panama provides no regulatory “passport” or recognition that would facilitate access to regulated markets. A Panamanian company serving U.S. or EU users has the same regulatory exposure in those jurisdictions as any other foreign entity — the only difference is that it also lacks local regulatory cover.

British Virgin Islands

The BVI introduced a dedicated licensing regime for virtual-asset service providers under the Virtual Assets Service Providers Act, 2022 (VASP Act). The BVI Financial Services Commission (FSC) administers the regime and issues three categories of VASP licenses depending on the scope of activity.

For yield aggregators, the relevant question is whether the protocol’s activity falls within the VASP Act’s definition of “virtual asset services,” which covers exchange, transfer, custody, and administration of virtual assets, as well as financial services related to a virtual asset offering or sale. A yield aggregator that takes custody of user assets, pools them, or exercises discretion over deployment may be caught by the custody or administration limb of the definition.

A BVI VASP license provides a recognized regulatory status and imposes AML/KYC obligations, fit-and-proper requirements for directors and officers, cybersecurity standards, and ongoing reporting to the FSC. For projects that need a regulated entity in their corporate chain — particularly those pursuing institutional distribution or operating as a fund — the BVI offers a more structured option than Panama.

Offshore Is Not a Compliance Strategy

Incorporating in Panama or the BVI addresses where the entity lives. It does not address where the regulation applies. Financial regulation — securities law, fund management, AML — is typically triggered by the location of the investor, not the location of the issuer. A Panamanian foundation serving U.S. retail users is subject to U.S. securities law. A BVI company marketing yield products to EU residents must consider the Markets in Crypto-Assets Regulation (MiCA).

For yield-aggregator founders, the practical implication is clear: offshore incorporation is a starting point for corporate structure, not a substitute for regulatory analysis. The jurisdictions that matter most are the ones where your users are — and for most projects, that means the United States and the European Union.

United States

The United States is typically the jurisdiction where yield-aggregator teams either build a robust compliance framework or implement strong exclusions. Classification risk is high, enforcement has been active, and multiple regulatory theories can apply to the same product simultaneously.

Securities Risk: When Yield Becomes an Investment Contract

A significant portion of U.S. crypto enforcement has targeted products that operate as pooled yield programs marketed to the public. Several enforcement actions are directly instructive for yield-aggregator founders.

BlockFi Lending (February 2022). In February 2022, BlockFi agreed to pay $100 million ($50 million to the SEC, $50 million to state regulators) to settle charges that its BlockFi Interest Accounts (BIAs) constituted unregistered securities. The BIAs allowed retail investors to deposit crypto assets and earn monthly interest; BlockFi pooled those assets and deployed them through lending and proprietary trading. The SEC found that the BIAs satisfied all four prongs of the Howey test — including the “common enterprise” element, based on the pooling of investor assets and BlockFi’s discretion over deployment. For a detailed analysis of the BlockFi enforcement action, see our earlier publication.

Gemini Earn / Genesis (January 2023). In January 2023, the SEC charged Gemini Trust Company and Genesis Global Capital with the unregistered offer and sale of securities through the Gemini Earn program, which had attracted approximately $940 million in assets from roughly 340,000 investors. Under the program, Gemini customers could lend their crypto assets to Genesis (a subsidiary of Digital Currency Group) in exchange for yield, and Genesis deployed those assets to generate returns. The SEC alleged that Gemini Earn constituted a securities offering because investors pooled assets, earned returns derived from Genesis’s lending and trading activities, and relied on Genesis’s and Gemini’s efforts.

The case was ultimately dismissed with prejudice in January 2026, after all Gemini Earn investors received 100% in-kind recovery through the Genesis bankruptcy proceedings. Genesis separately paid $21 million to the SEC, and Gemini paid $37 million to the New York Department of Financial Services. The dismissal does not reflect a determination on the merits of whether Gemini Earn was a securities offering.

Source: SEC Press Release No. 2023-7 (Jan. 12, 2023); SEC Complaint, SEC v. Gemini Trust Co. et al., No. 23-cv-287 (S.D.N.Y.); Stipulation of Dismissal (Jan. 23, 2026).

Kraken Staking-as-a-Service (February 2023). In February 2023, the SEC charged Payward Ventures, Inc. and Payward Trading Ltd. (collectively, Kraken) with offering and selling unregistered securities through its crypto-asset staking-as-a-service program. According to the SEC’s complaint, Kraken pooled investors’ crypto assets, staked them on various proof-of-stake blockchains, and retained discretion over which assets to stake, which validators to use, and how to distribute returns.

The SEC’s core theory was that Kraken’s staking program constituted an investment contract under Howey. The Commission alleged that investors transferred crypto assets to Kraken; Kraken commingled those assets and staked them on behalf of investors; and Kraken determined the payout methodology and timing, marketing “advertised annual investment return rates” of 5% to 21% on its website. In announcing the action, then-Chair Gensler stated: “Whether it’s through staking-as-a-service, lending, or other means, crypto intermediaries, when offering investment contracts in exchange for investors’ tokens, need to provide the proper disclosures and safeguards required by our securities laws.”

Kraken settled without admitting or denying the allegations, agreed to pay $30 million in disgorgement, prejudgment interest, and civil penalties, and immediately ceased its U.S. staking-as-a-service program.

Source: SEC Press Release No. 2023-25 (Feb. 9, 2023); SEC Complaint, SEC v. Payward Ventures, Inc. et al., No. 23-cv-588 (N.D. Cal.).

BarnBridge DAO / SMART Yield (December 2023). In December 2023, the SEC issued a settled administrative order against BarnBridge DAO, its co-founders, and its operating company in connection with the SMART Yield and SMART Alpha structured digital asset securities. BarnBridge’s SMART Yield product allowed users to deposit stablecoins into pools that deployed capital across DeFi lending protocols (including Aave and Compound) and divided returns into senior and junior tranches — providing “fixed or variable returns” to investors based on their selected risk tier.

The SEC’s order applied two separate regulatory theories. First, the Commission found that the pools constituted unregistered securities offerings under Section 5 of the Securities Act — users invested money in a common enterprise and expected profits derived from the efforts of BarnBridge’s team. Second, and notably for yield-aggregator founders, the Commission also found that the pools operated as unregistered investment companies under the Investment Company Act of 1940, because they pooled investor assets and invested in securities (the underlying DeFi lending positions).

The order was particularly significant for DeFi protocols because it addressed a DAO structure head-on. The SEC described BarnBridge as a “purportedly decentralized” organization, noting that the co-founders retained substantial control despite the DAO label. The SMART Yield pools had attracted approximately $509 million in total deposits. BarnBridge, its co-founders, and the operating company collectively agreed to pay approximately $1.7 million in disgorgement and penalties and to cease and desist from further violations.

Source: SEC Administrative Proceeding, In the Matter of BarnBridge DAO et al., Release No. 33-11262, File No. 3-21817 (Dec. 22, 2023); SEC Press Release No. 2023-258.

These cases are not perfect analogies for every DeFi aggregator, but they illustrate a consistent enforcement pattern: if a product pools user assets, exercises discretion over deployment, and markets returns to users, the SEC will evaluate it as a securities offering — and potentially as an unregistered investment company.

The SEC’s 2025 Staff Statements on Protocol Staking and Liquid Staking

On May 29, 2025, the SEC’s Division of Corporation Finance published a staff statement titled “Statement on Certain Protocol Staking Activities.” The statement describes certain protocol-level staking arrangements on public, permissionless proof-of-stake networks that the staff views as generally not involving the offer and sale of securities.

The statement draws a distinction between staking that is “administrative or ministerial” in nature (validating transactions, securing a network) and staking that involves “entrepreneurial or managerial” efforts by an intermediary to generate returns for investors. Where a user stakes their own assets directly to a network validator and retains the ability to unstake, the staff’s view is that the activity is more analogous to a network function than an investment.

On August 5, 2025, the Division issued a follow-up statement — “Statement on Certain Liquid Staking Activities” — extending its analysis to liquid staking. The staff concluded that, under certain conditions, liquid staking and the issuance of liquid staking receipt tokens (LSTs) do not constitute securities offerings. The core reasoning is the same: where a liquid staking provider performs administrative rather than entrepreneurial or managerial functions, the fourth element of the Howey test (reliance on the efforts of others) is not satisfied. However, the statement expressly excludes arrangements where (i) the liquid staking provider exercises discretion over whether, when, or how much of the depositor’s assets are staked, (ii) the provider guarantees or sets rewards, or (iii) the receipt tokens provide returns beyond evidencing ownership of the staked assets. The statement also does not address restaking.

Both statements matter for yield-aggregator founders, but in opposite directions. On one hand, they confirm that protocol-level staking and liquid staking — when structured without discretion or guaranteed returns — fall outside the securities framework. On the other hand, the carve-outs are narrow: the very features that define most yield aggregators (discretionary allocation, pooling across strategies, marketed returns) are precisely the features both statements exclude. If your product uses LSTs as an input but adds a discretionary allocation or yield-optimization layer on top, the staking statements do not shield the aggregation layer from securities analysis.

When a Yield Aggregator Triggers Investment Adviser or Investment Company Rules

The enforcement cases above focus on whether a yield product involves an unregistered securities offering. But U.S. law contains two additional statutes that become relevant when a yield aggregator starts to resemble a managed pool of assets — and they can apply even where the underlying tokens are not themselves securities.

The Investment Advisers Act of 1940 regulates any person who, for compensation, engages in the business of advising others on the value of securities or the advisability of investing in securities. For yield aggregators, the risk arises when a protocol team or DAO makes discretionary decisions about where to deploy user assets. If the protocol selects lending venues, sets allocation weights, or rebalances across strategies — and charges a fee for doing so — the SEC can argue that the protocol’s operators are providing investment advice for compensation. Registration as an investment adviser triggers fiduciary duties to users, a compliance program with written policies and procedures, SEC custody rules, and regular examinations.

The Investment Company Act of 1940 regulates pooled investment vehicles — entities that collect investor capital and invest it in securities. Under Section 3(a) of the Act, any issuer that is primarily engaged in the business of investing, reinvesting, or trading in securities qualifies as an investment company and must register with the SEC. The BarnBridge case is the clearest DeFi illustration: the SEC found that SMART Yield pools, which collected stablecoin deposits and deployed them into DeFi lending protocols, operated as unregistered investment companies. The BlockFi settlement involved a parallel theory — the SEC required BlockFi to attempt to register any future lending product under the same Act.

The practical consequences are significant. An investment company classification subjects the product to governance requirements, leverage limits, affiliated-transaction restrictions, and SEC reporting obligations — a regulatory burden designed for traditional mutual funds and ETFs. An investment adviser classification imposes fiduciary duties, custody and compliance obligations, and potential personal liability on the protocol’s operators.

In practice, the adviser and fund risk profile increases when a product combines three features: pooling of user assets, discretionary allocation or override authority exercised by the protocol team, and compensation tied to assets under management or performance. If you are building an allocator protocol, you should treat these “fund-like” regulatory theories as a first-class design constraint — not an afterthought.

FinCEN and Money Transmission

Separately from securities law, the Bank Secrecy Act (BSA) and FinCEN's implementing regulations impose a parallel set of obligations on money services businesses (MSBs). Under 31 CFR § 1010.100(ff)(5), a person qualifies as a "money transmitter" if they accept currency, funds, or "other value that substitutes for currency" from one person and transmit it to another person or another location. FinCEN has long held that convertible virtual currency falls within that definition.

FinCEN's 2019 Guidance “Application of FinCEN's Regulations to Certain Business Models Involving Convertible Virtual Currencies” draws a distinction between users and exchangers/administrators of convertible virtual currency (CVC). FinCEN defines CVC as a medium of exchange that either has an equivalent value in real currency or acts as a substitute for real currency but does not have legal tender status in any jurisdiction. Most crypto assets used in DeFi — including stablecoins, ETH, and governance tokens — fall within this definition. Under the Guidance, a person who obtains CVC to purchase goods and services is a user. A person who accepts and transmits CVC as a business is an exchanger and is subject to MSB registration and AML compliance obligations. The Guidance also addresses "anonymizing service providers" and "CVC wallets" — but notably, it predates the emergence of modern yield-aggregation models and does not squarely address DeFi protocol architectures.

For yield aggregators, the money-transmission question typically turns on whether the protocol's operations involve accepting user assets and transmitting them to a third-party venue. If a user deposits tokens into a protocol-controlled contract and the protocol moves those tokens to an external lending market or liquidity pool, the operational flow resembles "accepting and transmitting." This analysis applies regardless of how the token is classified under securities law — a token that is not a security can still be "value that substitutes for currency" under the BSA.

An MSB classification triggers federal registration with FinCEN, implementation of a written AML program, suspicious activity reporting (SARs), currency transaction reporting (CTRs), and recordkeeping obligations. Beyond the federal layer, money transmission is also regulated at the state level: 49 states (plus the District of Columbia and U.S. territories) maintain their own money-transmitter licensing regimes, each with its own application, bonding, net-worth, and examination requirements. The aggregate compliance burden is substantial.

Non-custodial architecture can mitigate money-transmission risk, but only if the design is genuinely non-custodial. If the protocol never takes possession or control of user funds — meaning the user signs each transaction, the protocol cannot unilaterally redirect assets, and no protocol-controlled intermediary holds value in transit — the "accepting and transmitting" element is harder to establish. However, if the protocol uses an intermediary smart contract that holds user funds (even temporarily) before deploying them, or if the protocol team has admin-key authority to redirect value, FinCEN may view the arrangement as functional money transmission.

How Should You Structure a Yield Aggregator In The U.S.?

The regulatory analysis above yields a practical question: given the constraints, how do you actually build and launch a yield aggregator? The answer depends on the product's fact pattern and the team's regulatory appetite. Below are the three principal structuring approaches available in practice.

Option 1: Non-Custodial Infrastructure

The cleanest regulatory profile belongs to products that genuinely do not manage user assets. In this model, the protocol provides routing, execution, or optimization infrastructure, but the user retains custody of assets at all times, selects or approves each allocation, and can withdraw or revoke permissions without dependence on the protocol team.

If the product is truly non-custodial and non-discretionary — meaning no pooling, no team-controlled rebalancing, and no marketing of returns — the Howey investment-contract analysis is substantially weakened: there is no "common enterprise," and the "efforts of others" element is difficult to establish. The investment-adviser and investment-company risks similarly recede, because the protocol does not exercise discretion over deployment or pool investor capital.

This model works well for B2B infrastructure (intent routers, execution SDKs, aggregator APIs) and for consumer-facing products that provide analytics and one-click execution but leave control with the user. The trade-off is UX complexity: the more control the user retains, the less the product feels like a "set-and-forget" yield solution.

Option 2: Regulated Fund Structure

If the product's value proposition requires custody, discretion, and pooling — in other words, if the protocol is genuinely managing assets on behalf of investors — the most defensible path may be to accept that characterization and structure accordingly.

In practice, this means operating as a private fund. The typical architecture involves a BVI-domiciled fund entity (or a Cayman exempted limited partnership) that deploys capital across DeFi yield strategies. The fund offers interests to investors under U.S. Regulation D (private placements to accredited U.S. investors) and Regulation S (for offshore offerings to non-U.S. investors), and relies on the Section 3(c)(7) exemption under the Investment Company Act to avoid registration as an investment company — provided that all investors are "qualified purchasers" as defined in the Act.

The fund's manager (or general partner) typically registers as an investment adviser with the SEC or operates under the private-fund adviser exemption, depending on assets under management. The manager exercises full discretion over strategy selection, allocation, and rebalancing — the same activities that create regulatory risk for unstructured protocols — but does so within a recognized legal framework that provides investor protections, disclosure obligations, and regulatory oversight.

This path is resource-intensive. It requires fund formation documents (private placement memorandum, limited partnership or operating agreement, subscription documents), compliance infrastructure (AML/KYC, investment adviser policies and procedures, custody arrangements), and ongoing reporting. But it enables the broadest market access, accommodates institutional capital, and eliminates the existential classification risk that hangs over unregistered yield programs.

Option 3: Restricted Access

Many early-stage protocols exclude the highest-risk jurisdictions (especially U.S. retail) and operate a restricted-access product while building audit maturity and compliance posture. This approach is most viable when the product retains some degree of pooling or discretion but manages exposure through access restrictions rather than structural redesign.

In practice, restricted access ranges from a private pilot with a small user group to a publicly available product with geo-blocking, KYC gates, and sanctions screening. The common thread is that the team has not yet committed to full regulatory registration but uses access controls to limit exposure while it builds toward a more permanent structure.

This is a transitional strategy, not a destination. It depends on execution discipline: geo-blocking must be technically robust, terms of service must be enforceable, marketing must not target restricted jurisdictions, and the team must have a credible plan for what comes next — whether that is a non-custodial redesign, a fund structure, or full regulatory registration. 

European Union: Structuring Around MiCA

MiCA became fully applicable in December 2024 and establishes a comprehensive licensing framework for crypto-asset service providers (CASPs) across all EU member states. For yield-aggregator founders, the practical question is not what MiCA says in general — it is whether the protocol can operate in the EU without a CASP license.

Two potential routes exist. Both are narrow, and neither should be treated as a long-term compliance strategy without careful structuring.

The “Fully Decentralised” Carve-Out (Recital 22)

MiCA Recital 22 states that crypto-asset services provided “in a fully decentralised manner without any intermediary” do not fall within the Regulation’s scope. This language has generated significant attention in the DeFi community, but its practical utility is limited.

First, the carve-out appears only in a recital, not in the operative articles of the Regulation. Recitals are interpretive aids; they do not create standalone legal exemptions. Second, the European Securities and Markets Authority (ESMA) and national competent authorities have signaled a functional approach: if identifiable persons or entities provide the service, promote it, or profit from it, the activity may not qualify as “fully decentralised” regardless of the protocol’s technical architecture. Third, the threshold is high — “fully” decentralised means no admin keys, no team-controlled upgrades, no discretionary parameter changes, and no centralised front-end that could be characterized as a service provider.

For most yield aggregators — which maintain team-operated interfaces, exercise some form of strategy discretion, and charge fees — the Recital 22 carve-out is unlikely to provide reliable protection. It is a factual argument, not a licensing exemption, and it requires the protocol to demonstrate that no intermediary exists at any point in the service chain.

Reverse Solicitation (Article 61)

MiCA Article 61 provides that where a client “initiates at its own exclusive initiative” the provision of a crypto-asset service by a non-EU firm, the MiCA authorization requirement does not apply. This is the reverse-solicitation principle: if the EU user found you and came to you, rather than you targeting or marketing to them, you may be able to serve that user without a CASP license.

In practice, reverse solicitation is difficult to rely on at scale. The exemption is client-by-client: each user interaction must be genuinely initiated by the user without prior solicitation. Any marketing, advertising, or promotional activity directed at EU residents — including social-media campaigns, localized landing pages, or referral programs — undermines the argument. ESMA has indicated that it will scrutinize patterns of activity, not just individual transactions, meaning that a protocol with a large EU user base will face questions about whether those users truly arrived through their own initiative.

Reverse solicitation can serve as a transitional strategy — particularly for projects that are in the process of obtaining a CASP license or restructuring their EU market access. As a permanent operating model for a product with meaningful EU traction, it carries significant enforcement risk.

Bottom Line for the EU

Neither the “fully decentralised” carve-out nor reverse solicitation provides a comfortable basis for operating a yield aggregator in the EU at scale. For projects that genuinely want EU market access, the realistic path is either to obtain a CASP license (or partner with a licensed entity) or to structure the product so that the EU-facing service layer is operated by a licensed provider. For projects that are not ready for that investment, the more honest approach is to restrict EU access and document the basis for any limited exposure through reverse solicitation.

How Can Founders Reduce Regulatory Exposure Without Sacrificing UX?

Keep custody as close to the user as possible. Intent-based models where users retain keys, grant narrowly scoped permissions, and can revoke those permissions present a more defensible posture than “deposit into our vault and trust our allocation.”

Constrain discretion. If the protocol reallocates, consider making rebalancing rule-based and transparent, with user-set parameters: whitelists and blacklists of venues, risk ceilings, and maximum exposure limits. The more a user can meaningfully control the strategy’s boundaries, the less the product resembles discretionary management.

Design fees like infrastructure. Execution or automation fees tend to read as payment for a service. Performance fees and “cut of yield” mechanics tend to read as asset-management economics.

Treat marketing as regulated surface area. In enforcement narratives, the screenshots matter. “Target APY” claims, “passive income,” and “easy returns” messaging can transform a technical product into a consumer yield program in the regulator’s eyes. Marketing review should be part of your launch checklist, not an afterthought.

Be transparent about audits and risk. If the product is in beta and unaudited, that should be reflected in user-facing disclosures, deposit limits, and operational controls. Understating risk is often worse than having risk.

* * *

If you are building or investing in a yield-aggregation protocol and need help with regulatory analysis, corporate structuring, or market-access strategy, our Fintech & Crypto team is available to discuss your specific situation. Reach us at crypto@buzko.legal.