Why Machine-Readable Standards Must Complement, Not Replace, Legal Architecture

The missing layer is not data but governance, and standards alone cannot fill it.

June 30, 2026
The emerging global framework is better understood as partial alignment across different mandates. (Dado Ruvic/REUTERS)

Digital asset regulation has moved beyond its first phase. The early debate focused on perimeter questions: whether crypto-assets should be treated as securities, commodities, payment instruments, deposits or something entirely new. That debate remains important, but it is no longer sufficient. The harder question now is supervisory: how can regulators see, interpret and supervise digital asset activity across users, service providers and products that traverse jurisdictions and legal regimes by virtue of the infrastructure they choose?

To start off, the blockchain itself is not the main blind spot. Ledgers, whether permissioned or public, already generate abundant transaction data. The deeper problem is that the information most relevant to regulation remains fragmented. This information includes elements such as identity, tax residency, nature of the asset, nature of the entity, beneficial ownership and other attribution data, which is needed when applying rules relating to counterparty status, risk, investor eligibility, transfer restrictions, tax attributes and legal responsibility. This data is also inconsistently structured and lacks interoperability and coordinated enforcement across the supervised financial system. In fact, during a 2025 review, the Financial Action Task Force (FATF), which leads global action to tackle money laundering, terrorist and proliferation financing, found that a majority of jurisdictions have been unable to supervise or enforce rules surrounding cross-border payments, including its Recommendation 16 on payment transparency — also known as the “Travel Rule” in relation to virtual assets — partly due to the laws’ recency and their implementation timelines.

The missing layer in digital asset regulation is therefore not simply a data layer, but rather a governance layer: a way of making legally relevant information machine-readable and interoperable across regulated ecosystems, while preserving domestic legal authority, sector-specific mandates and democratic accountability.

Convergence Without a Single Global Code

Global standard setters and major jurisdictions are converging on functional regulation, organized around activities, intermediaries and integrity risks associated with crypto-asset service providers, and have issued separate recommendations on various aspects of decentralized finance (DeFi). The Financial Stability Board (FSB) focuses on financial stability and activity-based oversight, while the FATF remains centred on anti-money laundering (AML) activities and measures to counter the financing of terrorism (CFT); licensing; supervision; and implementation of the Travel Rule. The Crypto-Asset Reporting Framework (CARF) of the Organisation for Economic Co-operation and Development (OECD) is narrower still, focusing on tax transparency and exchange of information, and the European Union has also kept market regulation and transfer traceability institutionally distinct through the Markets in Crypto-Asset Regulation (MiCA) and Regulation (EU) 2023/1113. The Basel Committee on Banking Supervision adds a distinct, prudential mandate: its standard for banks’ crypto-asset exposures, with an implementation date of January 1, 2026, sets capital and disclosure treatment for regulated banks.

In other words, the emerging global framework for DeFi regulation does not support the idea of a universal code for all tokens, all markets and all legal questions. Rather, it supports a more practical proposition: interoperable, machine-readable standards for regulated intermediaries; accountable arrangements; and regulated transaction flows.

A survey of the domestic regulation for DeFi’s closest cousin, digital public infrastructure, shows that frameworks and implementation often take distinct paths to arrive at the same destination. Doing otherwise would require states with different legal traditions, monetary regimes, capital markets and developmental priorities to collapse their choices into a single framework. Essentially, a federated standards layer does not require one global regulator or one legal taxonomy. It simply requires the adoption of standards that enable sufficient interoperability for relevant information to travel across firms, sectors and borders in ways that are meaningful to the competent authority receiving it.

From Data to Machine-Readable Supervision

The next stage of digital asset regulation should be understood as a move toward machine-readable supervision. Regulated firms already collect significant information about customers, wallets, transactions, counterparties and risks. The problem is that this information is often trapped inside institutions, expressed in incompatible formats and difficult to transmit across supervised boundaries.

A standards layer should begin in sequence, starting where templates, schemas and adoptions already exist. AML/CFT is the natural first step, followed by counterparty status as assessed by the regulated intermediary, transmission rules and interoperable risk flags as the unfinished work. Tax standards follow, where the OECD’s CARF shows how due diligence, reportable transactions and domestic reporting can be structured for cross-border exchange. However, market-facing standards are the hardest front, with no comparable template yet for investor status, eligibility conditions, transfer restrictions and product-level supervisory attributes. The purpose here is not surveillance but a more structured supervision of regulated flows. A regulator, intermediary or counterparty may need to know whether an instrument is circulating in a legally permitted way; whether the holder meets a threshold condition; whether the transfer is restricted by geography, lock-up, governance rule or institutional channel; and whether an accountable person or service layer stands behind the activity and modes of law enforcement.

Building a standards layer would allow regulatory meaning to move with digital assets without requiring regulatory sovereignty to disappear.

What Standards Can and Cannot Do

The risk, however, is that enthusiasm for structured data outruns legal analysis. Machine-readable standards can improve observability, reduce compliance friction and support more consistent reporting, while also making some conditions auditable and verifiable closer to execution. But they cannot, by themselves, decide title, custody, settlement finality, insolvency treatment, investor rights, redress or priority of claims.

A transfer, for example, can carry impeccable metadata and still leave unresolved whether ownership has legally passed. A smart contract can execute atomically and still leave unanswered whether legal finality has occurred. A token can be fully attributed and still leave open whether it is the authoritative legal record or only a wrapper around an off-chain claim.

The policy conclusion is simple: standards are a complement to legal certainty, not a substitute for it.

This is particularly important for emerging markets. Jurisdictions with weaker legal infrastructure may be tempted to leapfrog directly to technical solutions such as smart contracts, tokenized registries, automated compliance or machine-readable reporting.

Tokenized Finance Is Not Generic Crypto

A common technical rail is no longer mistaken for a legal perimeter, thus creating a sui generis class of asset. Jurisdictions acknowledge that tokenized securities, fund units, payment instruments, insurance-linked products or deposit-like claims should not be collapsed into a crypto bucket simply because they use similar technological components.

In the European Union, MiCA (Regulation (EU) 2023/1114) is instructive because it regulates crypto-assets not already covered by other EU financial services legislation. In the United States, the GENIUS Act brought a federal regime for payment stablecoins while relying on existing institutions and laws such as the Financial Crimes Enforcement Network, the Office of Foreign Assets Control, the Options Clearing Corporation and the Bank Secrecy Act. Those choices reflect a broader principle: a change in technological representation does not automatically displace the legal framework governing issuance, disclosure, custody, governance, servicing, redress and enforceability.

Tokenization is a way to democratize access to financial assets, improve liquidity and reduce intermediation costs, but inclusion requires enforceability. If retail investors, small firms or low-income users receive access to tokenized claims without clear rules on custody, disclosure, redress and insolvency, tokenization may widen participation while shifting risk downward.

A development-sensitive approach must therefore ask not only whether users can access tokenized assets, but whether they understand the claim they hold, whether it is legally enforceable and whether recourse exists when infrastructure fails.

Accountable Service Layers, Not Just Gateways

Digital asset policy often says regulators should regulate gateways rather than protocols. That intuition is useful but incomplete. The better approach is to identify accountable intermediaries, interfaces, service layers and responsible persons.

Users rarely interact with base protocols alone, and when they do, they can be warned of the risks. Most often, they encounter digital asset markets through exchanges, wallets, brokers, custodians, stablecoin issuers, token managers, interfaces, routers, oracle-dependent systems, governance structures and institutional wrappers. Even where infrastructure is distributed, economically significant control or influence often sits somewhere in the surrounding stack.

Regulation should therefore attach where actors exercise meaningful control, benefit economically or provide access to regulated activity. That approach would avoid two extremes: first, trying to regulate base protocol code as the primary target, and, second, accepting that anything labelled “decentralized” lies beyond law.

The same logic applies to unhosted wallets and self-custody. Self-custody, that is, when the holder has the only key, should not be treated as unlawful or inherently suspicious. But higher-risk or institution-facing flows may justify additional verification, credential presentation, interface-based controls or routing through accountable entities. These verifications and credentials can, in turn, be enabled through protocols and open tools such as privacy-preserving credentials, public registries and zero-knowledge proofs. The goal is not to abolish autonomy, but rather to calibrate trust, traceability and accountability according to the transaction’s risk and legal significance.

In other words, the right model is not blanket anonymity or blanket traceability, but context-specific proof: enough information to satisfy the legal requirement, without building a general-purpose surveillance architecture.

Why Emerging Markets Need a Different Lens

Digital asset regulation is often written from the perspective of advanced economies with deep supervisory capacity, mature legal systems and sophisticated compliance infrastructure. That lens is incomplete.

For emerging markets, digital assets carry both promise and risk. Tokenized assets, stablecoins, central bank digital currencies and programmable payment systems may lower remittance costs, improve cross-border settlement, expand access to savings and investment products, and create new infrastructure for small and medium enterprises. But they may also accelerate capital flight, weaken monetary sovereignty, expose consumers to poorly understood products and create dependence on foreign technology providers.

A standards layer that is too complex, too costly or too dependent on proprietary compliance vendors could deepen governance inequality. Machine-readable regulation should not become another channel through which powerful jurisdictions export compliance models that others must absorb. Nor should emerging-market financial systems become dependent on foreign analytics firms, cloud providers, identity vendors or compliance utilities to participate in tokenized finance.

A development-sensitive agenda should include open technical schemata, capacity building, shared supervisory tools, privacy-preserving compliance infrastructure and regulatory sandboxes that enable cross-border learning without surrendering domestic authority. The objective should be regulatory interoperability without regulatory dependency.

Regulatory Interoperability

Regulatory interoperability means that different legal and regulatory systems remain distinct but can exchange relevant information, recognize certain compliance outcomes, coordinate around shared risk thresholds, and be continuously adaptive and capable of co-evolving with financial innovation in (near) real time, effectively eliminating the regulatory delta. It accepts that securities law, tax law, AML law, payments law and private law will not be fused into one global regime, and considers how the information required by each regime can travel reliably and proportionately. Regulatory interoperability should rest on five principles:

  1. Mandate specificity: Information should be collected and shared because a competent authority has a legal mandate, not because it may be useful someday.
  2. Legal subordination: Machine-readable standards should support law, not replace it.
  3. Proportionality: Higher-risk flows may justify stronger verification, while lower-risk activity should not face surveillance-grade compliance.
  4. Portability: Regulated information should be reusable across institutions where appropriate, reducing duplication and compliance costs.
  5. Contestability: Individuals and firms must be able to correct inaccurate data, challenge erroneous classifications and seek redress when automated or semi-automated systems cause harm.

The Missing Governance Layer

Digital asset regulation does need a stronger standards layer. What it does not need is a myth of universal convergence. The emerging global framework is better understood as partial alignment across different mandates. The International Organization of Securities Commissions, the FSB, the FATF, the OECD and the European Union are not building one global code. Instead, they are revealing a shared operational problem: regulated digital finance cannot scale safely if legally relevant information remains fragmented, non-portable and trapped inside institutional silos.

The next phase should therefore build a federated, mandate-specific, machine-readable standards layer for regulated intermediaries, accountable service arrangements and regulated transaction flows. That layer should improve due diligence, reporting, traceability and verification, but it must also remain subordinate to legal architecture. It should not pretend to resolve title, custody, finality, insolvency or investor rights by technical means alone. The real frontier is not whether digital assets can be seen, but rather whether the right forms of legal and supervisory meaning can travel with them. That is the missing governance layer.

This article is the first in a three-part series from a new partnership between CIGI and Finternet Labs, exploring how international cooperation can help shape a more resilient, inclusive and trusted digital financial ecosystem.

Finternet Labs is a global technology and research hub building the technical infrastructure and governance frameworks for the “Finternet.” CIGI contributes expertise in global governance and public policy, while Finternet Labs brings technical and research expertise on the future of interoperable digital financial infrastructure. Drawing on the partners’ research and convening expertise, the series highlights the growing need for stronger cross-border governance to keep pace with digital financial innovation and to support a more secure, inclusive and interconnected global financial system.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Authors

S. Yash Kalash is a senior fellow at CIGI and an expert in strategy, public policy, digital technology and financial services. He has a distinguished track record advising governments and the private sector on emerging technologies.

Abhishek Sankritik is director, policy and programs at Finternet Labs and a policy specialist at the Cambridge Digital Innovation and Regulation Initiative, where he designs the legal and regulatory frameworks for open and interoperable finance.