Blog

<hr><h2 id="series-defi-infrastructure-for-institutions">Series: DeFi Infrastructure for Institutions</h2><p>P2P.org's content series for regulated institutions evaluating on-chain capital allocation. Each article addresses a specific infrastructure, governance, or compliance dimension that determines whether a DeFi allocation can clear institutional approval and operate within mandate.</p><p>This article opens the third trilogy of the series, shifting from the structural and regulatory dimensions examined in the first two trilogies to the operational reality for specific institutional profiles. The first article in this trilogy addresses custodians. The second will address hedge funds. The third will address institutional treasury teams.</p><p>The previous trilogy examined how conflict-of-interest frameworks across MiFID II, AIFMD II, and IOSCO's DeFi recommendations are converging on the curator model. Read it here: <a href="https://p2p.org/economy/conflict-of-interest-defi-vault-regulation-institutional/">How Conflict-of-Interest Regulatory Frameworks Are Catching Up to the Curator Model</a></p><h2 id="learnings-for-busy-readers">Learnings for Busy Readers</h2><p>Short on time? Here are the key takeaways. For the full analysis and supporting data, continue reading below.</p><ul><li>Vault token custody is architecturally different from direct asset custody. When client assets enter a DeFi vault, the custodian holds vault tokens, not the underlying assets. Those tokens require dedicated valuation infrastructure, daily NAV reconciliation against the vault's on-chain portfolio, and client-level segregation built on top of the vault's pooled architecture.</li><li>Pre-execution mandate validation cannot be delegated to the vault. Curators have no visibility into individual client mandates. The custodian must maintain an independent validation layer that checks every vault interaction against each client's documented investment parameters before execution.</li><li>The Travel Rule obligation attaches at the custodian level. Smart contract-initiated vault rebalances do not generate originator or beneficiary data automatically. Custodians need vault-specific Travel Rule infrastructure that maps client identity to vault addresses and generates compliant data at the point of execution.</li><li>Client asset segregation requirements extend to vault token positions. MiCA and OCC qualified custodian standards require insolvency-remote, segregated structures. That requirement applies to vault token holdings, not just static asset custody.</li><li>Digital asset native custodians and traditional custodians face different gaps. Digital asset native custodians typically need to deepen governance and compliance infrastructure. Traditional custodians typically need to build technical access capability. Both need to close their respective gaps before offering institutional-grade DeFi vault access.</li></ul><h2 id="introduction">Introduction</h2><p>The digital asset custody market is projected to grow from approximately $1 trillion in assets under custody in 2026 to over $7 trillion by 2035, driven by institutional uptake and the expansion of tokenised real-world assets (Source: <a href="https://www.financemagnates.com/thought-leadership/how-digital-asset-platform-and-custody-technology-secure-institutional-funds/?ref=p2p.org">Finance Magnates, How Digital Asset Platform and Custody Technology Secure Institutional Funds</a>, February 2026). That growth is not coming from passive storage. It is coming from clients who want their custodians to do more: access DeFi protocols, generate yield on idle assets, and interact with on-chain capital markets on their behalf.</p><p>The regulatory environment has moved to support that expansion. The repeal of SAB 121 in January 2025 removed the accounting barriers that had prevented US banks from offering crypto custody at scale. The OCC's 2025 guidance reinforced that national banks can act as qualified custodians for digital assets. MiCA established comprehensive custody standards across all 27 EU member states from December 2024. The Responsible Financial Innovation Act, introduced in late 2025, is advancing a legislative framework for digital asset custody in the US.</p><p>But regulatory clarity on custody does not automatically produce operational clarity on DeFi vault access. The infrastructure requirements for holding digital assets and the infrastructure requirements for interacting with DeFi vaults on behalf of institutional clients are related but not equivalent. A custodian that has solved for asset segregation, key management, and regulatory reporting in the static custody context faces a different and more demanding set of requirements when those same assets are deployed into a DeFi vault, interacting with smart contracts, generating yield positions, and being managed by a curator whose incentive structure creates a conflict of interest that the custodian's governance framework must address.</p><p>This article examines what those requirements look like in practice, both for digital asset native custodians who are already building DeFi capabilities and for traditional custodians evaluating DeFi vault access for the first time.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://p2p.org/economy/content/images/2026/05/custodian-defi-vault-infrastructure-stack.jpg" class="kg-image" alt="A vertical stack diagram showing the custodian infrastructure requirements for DeFi vault access. From top to bottom: client mandate layer with documented investment parameters, pre-execution validation layer checking every vault interaction before execution, a red gap marker labelled missing in standard custody architecture, vault token custody layer covering ERC-4626 token holding and client-level segregation, the DeFi protocol layer showing Aave, Morpho, and Euler, and a Travel Rule compliance layer for originator and beneficiary data at execution level." loading="lazy" width="1600" height="900" srcset="https://p2p.org/economy/content/images/size/w600/2026/05/custodian-defi-vault-infrastructure-stack.jpg 600w, https://p2p.org/economy/content/images/size/w1000/2026/05/custodian-defi-vault-infrastructure-stack.jpg 1000w, https://p2p.org/economy/content/images/2026/05/custodian-defi-vault-infrastructure-stack.jpg 1600w" sizes="(min-width: 720px) 720px"><figcaption><i><em class="italic" style="white-space: pre-wrap;">The four infrastructure layers a custodian must build to offer institutional-grade DeFi vault access.</em></i></figcaption></figure><h2 id="the-two-custodian-starting-points">The Two Custodian Starting Points</h2><p>The infrastructure gap between standard custody architecture and DeFi vault access looks different depending on where a custodian is starting from.</p><h3 id="digital-asset-native-custodians">Digital asset native custodians</h3><p>They have already solved for the core technical requirements of on-chain asset interaction: MPC key management, smart contract interaction, on-chain transaction signing, and basic DeFi protocol access. Their gap is typically at the governance and compliance layer. They can interact with DeFi protocols technically, but their frameworks for mandate validation, conflict of interest management, Travel Rule compliance for vault-specific transaction types, and audit trail production may not be built to the standard that their institutional clients' own compliance functions require. The infrastructure challenge for digital asset native custodians is governance depth rather than technical access.</p><h3 id="traditional-custodians">Traditional custodians</h3><p>These, when entering the DeFi space, are often starting from a stronger governance and compliance foundation, with established frameworks for mandate validation, client asset segregation, regulatory reporting, and audit trail production built over decades of traditional asset management. Their gap is typically at the technical access layer. They may not have the onchain infrastructure to interact with DeFi protocols directly, to custody vault tokens natively, or to generate compliant Travel Rule data for smart contract-initiated transactions. The infrastructure challenge for traditional custodians is technical access capability rather than governance depth.</p><p>Both profiles need to close their respective gaps before they can offer institutional-grade DeFi vault access to clients. The sequencing differs: digital asset native custodians build governance on top of existing technical access; traditional custodians build technical access within existing governance frameworks.</p><h2 id="infrastructure-requirements">Infrastructure Requirements<br></h2><h3 id="vault-token-custody-and-valuation">Vault Token Custody and Valuation</h3><p>When a custodian deposits client assets into a DeFi vault, the transaction produces vault tokens: ERC-4626 standardised tokens representing the client's proportional claim on the vault's portfolio. These vault tokens are the asset the custodian holds in custody. The underlying assets, the ETH, USDC, or other tokens that the vault has deployed into lending markets, are held in smart contracts. The custodian does not hold them directly.</p><p>This creates a custody architecture problem that does not exist in static asset holding. The custodian must maintain infrastructure that holds vault tokens securely using the same MPC and key management standards applied to direct asset custody, values vault tokens accurately against the underlying portfolio daily, generates client reporting in a format that maps vault token positions to the underlying asset exposures they represent, and maintains segregated vault token positions for each client to prevent commingling.</p><p>The valuation problem is particularly demanding. Vault tokens do not have a fixed price. Their value is a function of the vault's net asset value, which changes as the curator rebalances positions, as lending markets generate yield, and as market conditions shift collateral valuations. A custodian offering vault token custody to institutional clients must have infrastructure that can pull accurate vault NAV data from on-chain sources, reconcile that data against the client's reported position, and produce a daily valuation that an auditor can verify independently.</p><p>The ERC-4626 vault standard, which became the dominant architecture for institutional vault deployments through 2025, provides a universal interface for deposits, withdrawals, and share accounting. Total value in curated ERC-4626 vaults grew 28 times in twelve months, from under $150 million to over $4.4 billion by mid 2025, reflecting the speed at which institutional capital is moving into the standard (Source: <a href="https://www.zircuit.com/en/blog/vault-infrastructure-the-institutional-upgrade-traditional-asset-management-has-been-waiting-for?ref=p2p.org">Zircuit, Vault Infrastructure: The Institutional Upgrade Traditional Asset Management Has Been Waiting For</a>, 2025). Custodians building vault token custody infrastructure should build against the ERC-4626 standard as the baseline integration layer.</p><h3 id="pre-execution-mandate-validation">Pre-Execution Mandate Validation</h3><p>The curator managing a DeFi vault's allocation strategy operates at the portfolio level. They set strategy parameters for the vault as a whole: concentration limits across lending markets, collateral type allowlists, leverage bounds, oracle feed specifications. Those parameters apply to all depositors in the vault equally. The curator has no visibility into any individual client's mandate parameters, and no obligation to validate that their allocation decisions are within any specific client's mandate before executing them.</p><p>For a retail depositor, this is acceptable. The depositor chose the vault and accepted the curator's strategy.</p><p>For a custodian's institutional client, it is a governance problem. The client has a mandate with specific investment parameters: maximum concentration in any single protocol, allowlisted asset types, leverage restrictions, reporting requirements. Those parameters are the custodian's responsibility to enforce. The curator cannot enforce them because the curator does not know what they are.</p><p>The custodian must maintain a pre-execution validation layer that sits between the curator's strategy and the client's capital. Before any vault interaction is executed on the client's behalf, every transaction must be checked against the client's mandate parameters: does this vault interaction increase concentration in a restricted protocol? Does it expose the client to an asset type outside the mandate's allowlist? Does it create a leverage position that exceeds the client's risk parameters? Only if the transaction passes all checks does it proceed to execution.</p><p>This validation function is independent of the vault. It is a custodian infrastructure requirement, not a vault product feature. Building it requires a mandate parameter management system that holds each client's investment restrictions in a codified, queryable format, a transaction interception layer that captures every proposed vault interaction before it executes, a parameter checking engine that evaluates each proposed transaction against the relevant client's parameters, and a logging system that records every check, every block, and every approved transaction in a format that satisfies audit requirements.</p><blockquote><strong>The institutional digital asset space moves fast.</strong> Our subscribers get structured analysis across staking, DeFi vaults, and regulation through <em>DeFi Dispatch</em>, <em>Institutional Lens</em>, <em>DeFi Infrastructure for Institutions</em>, and <em>Legal Layer</em>. No noise. Just the signals that matter. <strong>Subscribe to the newsletter at the bottom of this page.</strong></blockquote><h3 id="travel-rule-compliance-for-vault-transactions">Travel Rule Compliance for Vault Transactions</h3><p>As examined in detail in the second regulatory trilogy article, the Travel Rule requires originator and beneficiary data to accompany every qualifying crypto-asset transfer involving a CASP. For custodians, this obligation attaches at the point of every vault interaction executed on a client's behalf.</p><p>The specific challenge for vault interactions is that most rebalances within a DeFi vault are executed by the vault's smart contract, not by a named human originator. When the curator initiates a rebalance and the smart contract executes transactions across lending markets, the transaction does not have a named originator in the format the Travel Rule requires. The custodian must generate that originator data from outside the protocol and attach it to the transaction chain.</p><p>Under the EU Transfer of Funds Regulation, which has applied to all CASP-to-CASP transfers with no minimum threshold since December 30, 2024, the required data includes the client's full name, account or wallet identifier, and either a physical address, official personal document number, customer identification number, or date of birth. For custodians managing DeFi vault positions for multiple institutional clients, generating this data at the transaction level requires a data architecture that maps each client's verified identity to the vault addresses associated with their position, intercepts vault transactions at the point of initiation, generates compliant Travel Rule data from the identity mapping, and transmits that data to counterparty VASPs before settlement.</p><p>Custodians whose Travel Rule infrastructure was built for direct asset transfers will find that it does not automatically extend to vault-specific transaction types. The smart contract initiation problem, the multi-hop transaction structure of vault rebalances, and the beneficiary identification challenge for protocol addresses all require vault-specific extensions to standard Travel Rule infrastructure.</p><h3 id="client-asset-segregation-at-the-vault-token-layer">Client Asset Segregation at the Vault Token Layer</h3><p>Institutional custody standards require client asset segregation: each client's assets must be held in segregated, insolvency-remote structures that are identifiable and accessible even if the custodian becomes insolvent. The repeal of SAB 121 and the OCC's 2025 guidance reinforced that these standards apply to digital assets held in custody by national banks, on the same basis as traditional asset custody. MiCA's client asset safeguarding requirements apply equivalent standards to CASPs across the EU.</p><p>For static asset custody, segregation is straightforward: each client's assets are held in dedicated wallets with documented ownership records. For vault token custody, the segregation requirement extends to the vault token layer. A custodian holding vault tokens on behalf of multiple clients must maintain a separate, documented vault token position for each client, ensuring that the client's proportional claim on the vault's portfolio is accurately recorded, insolvency-remote, and separable from other clients' positions and from the custodian's own assets.</p><p>The complication is that DeFi vaults are pooled products. Multiple depositors contribute to the same vault pool, and the vault's smart contract tracks each depositor's proportional share through vault tokens. The custodian must maintain its own client-level segregation on top of the vault's pooled architecture: tracking which vault tokens belong to which client, maintaining accurate client-level NAV calculations based on the vault's overall performance, and ensuring that client redemptions can be processed in a way that correctly reflects each client's proportional position.</p><p>Academic research covering six major lending systems found that a small set of curators intermediates a disproportionate share of system TVL and exhibits clustered tail co-movement (Source: <a href="https://arxiv.org/html/2512.11976v1?ref=p2p.org">Institutionalizing Risk Curation in Decentralized Credit, arXiv, December 2025</a>). For custodians, this systemic risk dimension means that client asset segregation at the vault token layer is not just a regulatory compliance requirement. It is the mechanism through which client exposure is identifiable and manageable if a curator-layer failure creates cascading effects across the protocols where the vault holds positions.</p><h2 id="risk-considerations-for-custodians">Risk Considerations for Custodians</h2><p>Beyond the infrastructure requirements, DeFi vault access introduces three categories of risk that custodians must model explicitly in their risk frameworks.</p><h3 id="smart-contract-risk">Smart contract risk</h3><p>DeFi vault interactions expose client assets to smart contract vulnerabilities in the vault itself, in the underlying lending protocols the vault interacts with, and in any bridge or oracle infrastructure the vault depends on. Unlike traditional asset custody where the primary risk is operational or custodian counterparty risk, smart contract risk is protocol-level and non-recoverable if exploited. Custodians must evaluate the audit history and security track record of every protocol layer in the vault's execution stack before offering vault access to clients.</p><h3 id="curator-concentration-risk">Curator concentration risk</h3><p>The research finding that a small number of curators intermediate a disproportionate share of total value locked and exhibit clustered tail co-movement means that custodian exposure to the curator layer is a systemic risk variable, not just a counterparty risk variable. A custodian offering multiple clients access to vaults managed by the same curator creates correlated exposure that needs to be modelled and disclosed. Custodians should track curator concentration across their client base and include curator-layer correlation in their stress testing frameworks.</p><h3 id="liquidity-and-redemption-risk">Liquidity and redemption risk</h3><p>DeFi vault positions may not be instantly redeemable. Vault liquidity depends on the available liquidity in the underlying lending markets, which can tighten during market stress events. Custodians whose client agreements specify withdrawal timelines must model vault liquidity conditions as a variable in their redemption planning. The assumption that vault positions can always be liquidated on demand at current NAV does not hold in all market conditions.</p><h2 id="what-this-means-for-custodians-evaluating-defi-vault-access">What This Means for Custodians Evaluating DeFi Vault Access</h2><p>The infrastructure requirements and risk considerations examined in this article are not arguments against custodians offering DeFi vault access. They are a map of what offering it properly requires.</p><p>Custodians that build vault token custody infrastructure, pre-execution mandate validation, vault-specific Travel Rule compliance, and client-level segregation at the vault token layer will be positioned to offer institutional-grade DeFi vault access as the market matures. Custodians that treat DeFi vault access as a straightforward extension of their existing product will encounter the infrastructure gap when institutional clients begin the due diligence process.</p><p>The market signal is clear. 83% of institutional investors plan to increase crypto allocations, with over two-thirds specifically targeting DeFi mechanisms, including lending and staking (Source: <a href="https://www.coinbase.com/institutional/research-insights/research/institutional-investor-digital-assets-study?ref=p2p.org">EY-Parthenon and Coinbase Institutional Investor Digital Assets Study</a>, January 2025). DeFi TVL across all chains sits at approximately $130 to $140 billion in early 2026, with on-chain DeFi lending capturing roughly two-thirds of the record $73.6 billion crypto-collateralised lending market by late 2025. The clients are coming. The custodians who have built the infrastructure will capture the allocation.</p><p><a href="https://p2p.org/?ref=p2p.org#form">Talk to our team</a> if you are evaluating how <a href="http://p2p.org/?ref=p2p.org">P2P.org</a>'s protection layer integrates with custodian infrastructure for institutional DeFi vault access.</p><h2 id="key-takeaway">Key Takeaway</h2><p>Custodians are the infrastructure layer through which most institutional capital will access DeFi vaults. The infrastructure requirements that access imposes, vault token custody and valuation, pre-execution mandate validation, vault-specific Travel Rule compliance, and client asset segregation at the vault token layer, are not extensions of existing custody capability. They are a new infrastructure layer that needs to be built explicitly.</p><p>The regulatory environment is supportive: the OCC's 2025 guidance, SAB 121 repeal, and MiCA's custody standards have all removed barriers to custodians offering digital asset services at an institutional scale. What the regulatory environment does not provide is the operational infrastructure to interact with DeFi vaults in a way that satisfies the governance requirements of institutional clients. That infrastructure is the variable, and it is being built now by the custodians who understand the distinction between holding digital assets and enabling institutional DeFi allocation.</p><p><em>Next in this series: How Hedge Funds Are Approaching Onchain Yield Strategies in 2026</em></p><h2 id="frequently-asked-questions-faqs">Frequently Asked Questions (FAQs)<br></h2><h3 id="what-is-vault-token-custody-and-why-is-it-different-from-direct-asset-custody">What is vault token custody, and why is it different from direct asset custody?</h3><p>When a custodian deposits client assets into a DeFi vault, the client receives vault tokens representing their proportional claim on the vault's portfolio. Those vault tokens are the custodial asset. The underlying assets are held in the vault's smart contracts, not in the custodian's wallets. Vault token custody requires infrastructure to hold vault tokens securely, value them against the underlying portfolio on a daily basis, report on them in a format that maps to underlying asset exposures, and maintain segregated positions for each client. This is architecturally different from direct asset custody, where the custodian holds the asset itself.</p><h3 id="how-does-pre-execution-mandate-validation-work-in-a-custodian-context">How does pre-execution mandate validation work in a custodian context?</h3><p>Pre-execution mandate validation in a custodian context is a layer that sits between the curator's allocation decisions and the custodian's execution of vault interactions on behalf of clients. Before any vault transaction is executed for a client, the validation layer checks whether the proposed interaction is within the client's documented mandate parameters: concentration limits, protocol allowlists, asset type restrictions, and leverage bounds. The curator cannot perform this validation because the curator has no visibility into individual client mandates. It is a custodian infrastructure requirement that must be built and operated independently of the vault.</p><h3 id="what-does-travel-rule-compliance-require-specifically-for-defi-vault-interactions">What does Travel Rule compliance require specifically for DeFi vault interactions?</h3><p>DeFi vault rebalances are typically initiated by smart contracts rather than named human originators. The Travel Rule requires custodians to generate originator and beneficiary data for these transactions from outside the protocol, using a data layer that maps each client's verified identity to their vault address and intercepts transactions at the point of initiation. Under the EU TFR, this data must be generated and transmitted before settlement, with no minimum threshold. Custodians whose Travel Rule infrastructure was built for direct asset transfers need vault-specific extensions to handle smart contract-initiated rebalances and multi-hop vault transaction structures.</p><h3 id="how-does-client-asset-segregation-apply-to-vault-token-positions">How does client asset segregation apply to vault token positions?</h3><p>Regulatory requirements for client asset segregation, including those under MiCA and the OCC's qualified custodian standards, require that each client's assets be held in segregated, insolvency-remote structures. For vault token custody, this means maintaining a separate, documented vault token position for each client, with accurate client-level NAV calculations and the ability to process client redemptions in a way that correctly reflects each client's proportional position. The DeFi vault's pooled architecture does not eliminate this requirement: the custodian must maintain client-level segregation on top of the vault's pooled token structure.</p><h3 id="what-is-curator-concentration-risk-and-why-does-it-matter-for-custodians">What is curator concentration risk, and why does it matter for custodians?</h3><p>Curator concentration risk arises when a custodian offers multiple clients access to vaults managed by the same curator, creating correlated exposure across the client base. Academic research covering six major lending systems found that a small number of curators intermediate a disproportionate share of total value locked and exhibit clustered tail co-movement, meaning that stress at the curator layer can propagate simultaneously across multiple protocols. For custodians, this means that curator-layer correlation across the client book needs to be modelled and included in stress testing frameworks, not treated as isolated counterparty risk.</p><hr><h2 id="about-p2porg">About P2P.org</h2><p>P2P.org builds the protection layer that sits between regulated institutions and DeFi execution environments, independently of the curators who manage allocation strategies. If you are evaluating the infrastructure requirements for a DeFi allocation program, <a href="https://p2p.org/?ref=p2p.org#form">reach out to our team of experts</a>.</p><hr><h2 id="disclaimer">Disclaimer</h2><p>This article is provided for informational purposes only and does not constitute legal, regulatory, compliance, or investment advice. Regulatory obligations may vary depending on jurisdiction and specific business activities. Readers should consult their own legal and compliance advisors regarding applicable requirements.</p>

<h2 id="series-defi-infrastructure-for-institutions"><strong>Series: DeFi Infrastructure for Institutions</strong></h2><p><a href="http://p2p.org/?ref=p2p.org">P2P.org</a>'s content series for regulated institutions evaluating on-chain capital allocation. Each article addresses a specific infrastructure, governance, or compliance dimension that determines whether a DeFi allocation can clear institutional approval and operate within mandate.</p><p>This is the third and closing article of the regulatory trilogy examining the external pressure making institutional-grade vault governance a requirement rather than an option. <a href="https://p2p.org/economy/mica-defi-vaults-institutional-allocators/">The first article</a> examined what MiCA means for DeFi vault operators and institutional allocators. <a href="https://p2p.org/economy/travel-rule-defi-vaults-onchain-compliance-gap/">The second article</a> examined Travel Rule enforcement and the on-chain compliance gap. This article examines how conflict-of-interest frameworks across MiFID II, AIFMD II, and IOSCO's DeFi-specific recommendations are converging on the same structural problem: the DeFi vault curator model creates conflicts of interest that existing and emerging regulatory frameworks now require to be identified, documented, and managed.</p><p><em>Previously in this series: </em><a href="https://p2p.org/economy/travel-rule-enforcement-and-the-onchain-compliance-gap/"><em>Travel Rule Enforcement and the Onchain Compliance Gap</em></a></p><h2 id="introduction">Introduction</h2><p>The second article of this series established that the DeFi vault curator model creates a structural conflict of interest: curators are incentivised by TVL growth and performance fees, not by mandate alignment with any individual depositor. The architecture places no independent check between their decisions and on-chain settlement. That conflict was examined as a governance problem in the first trilogy of this series.</p><p>What this article examines is a different dimension of the same problem: the conflict of interest in DeFi vault design is not just a governance gap. It is increasingly a regulatory gap. Three distinct regulatory frameworks, developed independently, in different jurisdictions, for different purposes, are converging on the same conclusion: the arrangement where a single entity designs an investment strategy, executes it, and benefits from its performance without independent oversight creates conflicts of interest that regulated institutions cannot accept and that regulators are now actively scrutinising.</p><p>MiFID II's conflict of interest requirements, currently under a 2026 ESMA Common Supervisory Action examining how firms comply, apply to any investment firm providing portfolio management services to EU clients. AIFMD II, which required transposition into national law by April 16, 2026, introduces expanded conflict of interest requirements for alternative investment fund managers, including specific rules on delegation arrangements where the delegating manager and the delegate have aligned financial incentives. IOSCO's DeFi Policy Recommendations, published in December 2023 and now being implemented across more than 130 jurisdictions covering 95% of global securities markets, include Recommendation 4, which explicitly requires regulators to mandate the identification and addressing of conflicts of interest in DeFi arrangements.</p><p>None of these frameworks were designed with the DeFi vault curator model specifically in mind. All of them, when applied, produce the same requirement: identify the conflict, document it, disclose it, and put in place governance controls that can be demonstrated to regulators. Most current DeFi vault products cannot satisfy that requirement. The regulatory gap is now closing faster than the infrastructure gap.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://p2p.org/economy/content/images/2026/05/conflict-of-interest-regulatory-frameworks-convergence.jpg" class="kg-image" alt="A three-column diagram showing MiFID II Article 23, AIFMD II, and IOSCO Recommendation 4 as three separate regulatory frameworks, each with subtitle details on scope and timeline, connected by converging arrows to a central box stating that the curator model conflict of interest requires governance infrastructure, resolving into three outcome boxes covering conflict of interest policy and disclosure, independent validation at execution level, and contractual role separation." loading="lazy" width="1600" height="900" srcset="https://p2p.org/economy/content/images/size/w600/2026/05/conflict-of-interest-regulatory-frameworks-convergence.jpg 600w, https://p2p.org/economy/content/images/size/w1000/2026/05/conflict-of-interest-regulatory-frameworks-convergence.jpg 1000w, https://p2p.org/economy/content/images/2026/05/conflict-of-interest-regulatory-frameworks-convergence.jpg 1600w" sizes="(min-width: 720px) 720px"><figcaption><i><em class="italic" style="white-space: pre-wrap;">Three regulatory frameworks converging on the same conclusion: the curator model requires governance infrastructure.</em></i></figcaption></figure><h2 id="learnings-for-busy-readers">Learnings for Busy Readers</h2><p>Short on time? Here are the key takeaways. For the full analysis and supporting data, continue reading below.</p><p>Three regulatory frameworks are independently converging on the conflict of interest in DeFi vault design.</p><p>MiFID II Article 23 requires investment firms to identify, prevent, and manage conflicts of interest when providing investment services. ESMA launched a Common Supervisory Action on MiFID II conflicts of interest compliance in 2026, with a specific focus on remuneration structures and the role of digital platforms in directing investors toward certain products. A vault operator providing portfolio management services to EU clients under a MiFID II license faces direct application of these requirements to its curator incentive structure.</p><p>AIFMD II, which required national transposition by April 16, 2026, reinforces that alternative investment fund managers must prevent, or where unavoidable, identify, manage, and monitor conflicts of interest to protect AIF investors. Its expanded delegation rules are directly relevant to the curator-as-operator arrangement: where the delegating manager and the delegate have aligned financial incentives, AIFMD II requires those conflicts to be explicitly managed and disclosed.</p><p>IOSCO's Recommendation 4, applying its "same activity, same risk, same regulation" principle to DeFi, requires regulators to mandate that DeFi Responsible Persons proactively identify and resolve conflicts arising from various roles or affiliations. IOSCO specifically identifies the vertical integration of strategy design and execution, the same structural feature that characterises the curator model, as a category of conflict that is not capable of being managed through disclosure alone and may require structural remedies, including legal disaggregation of functions.</p><p>For vault operators, the regulatory direction is unambiguous. The curator model, as currently structured, does not satisfy these frameworks without additional governance infrastructure. For institutional allocators, the convergence of these frameworks changes the due diligence question from "does this vault operator have a conflict of interest policy?" to "can they demonstrate that the conflict is structurally managed at the execution level?"</p><h2 id="mifid-ii-conflict-of-interest-requirements-for-investment-firms">MiFID II: Conflict of Interest Requirements for Investment Firms</h2><p>MiFID II Article 23 requires investment firms to take all appropriate steps to identify and prevent or manage conflicts of interest between themselves and their clients, and between clients, when providing investment services, including portfolio management. The requirements are not disclosure-only: firms must first prevent conflicts where possible, and where prevention is not possible, manage them through governance controls and disclosure.</p><p>The practical requirements under MiFID II include maintaining and operating effective organisational and administrative arrangements to prevent conflicts from adversely affecting client interests, maintaining a conflicts of interest policy that identifies circumstances giving rise to conflicts and specifies procedures to manage those conflicts, and disclosing the general nature and sources of conflicts to clients where organisational arrangements are insufficient to prevent damage to client interests.</p><p>The relevance to DeFi vault operators is direct. Any entity providing crypto-asset portfolio management services under a MiFID II license, or under MiCA's CASP framework, which incorporates MiFID II conflict of interest standards by reference, faces the full application of these requirements. A vault operator whose curator function is incentivised by TVL growth and performance fees has a documented conflict between its own economic interests and its clients' interests in mandate-aligned execution. That conflict must be identified in the conflicts of interest policy, managed through governance controls, and disclosed where those controls are insufficient.</p><p>The stakes of non-compliance have increased materially in 2026. ESMA launched a Common Supervisory Action on MiFID II conflict of interest requirements, running through 2026, specifically examining how firms comply with their obligations when offering investment products to clients. The supervisory action focuses on the possible impact of staff remuneration and inducements on what products are offered to investors, the role of digital platforms in directing investors toward certain products, and whether firms manage potential conflicts between their own profits and client needs. All three focus areas apply directly to the curator incentive structure in DeFi vault products.</p><p>Source: <a href="https://cms.law/en/int/regulatory-news/esma-mifid-ii-conflict-of-interest-requirements?ref=p2p.org">ESMA, Common Supervisory Action on MiFID II Conflicts of Interest Requirements</a>, 2026.</p><h2 id="aifmd-ii-delegation-conflicts-and-the-curator-as-operator-arrangement">AIFMD II: Delegation, Conflicts, and the Curator-as-Operator Arrangement</h2><p>AIFMD II, which required national transposition by April 16, 2026, introduces expanded requirements for alternative investment fund managers on delegation, conflicts of interest, and the management of arrangements where the delegating manager and the delegate have aligned financial incentives.</p><p>The conflict of interest provisions in AIFMD II are particularly relevant to the DeFi vault context because they address a scenario that maps precisely onto the curator-as-operator arrangement: where a third-party AIFM manages an AIF initially backed by a delegated portfolio manager or a related group entity. In this setup, AIFMD II explicitly acknowledges that potential conflicts of interest are expected and emphasises the need for AIFMs to prevent, or if unavoidable, identify, manage, and monitor these conflicts to protect the interests of the AIF and its investors. (Source: DLA Piper, New AIFMD II Rules on Delegation and Conflicts of Interest, April 2024.)</p><p>For institutional allocators that are AIFMs or UCITS management companies, AIFMD II's delegation requirements now extend to the oversight of delegates. An AIFM that delegates portfolio management functions to a third party, including interaction with DeFi vault protocols through a curator, must verify that the delegate complies with AIFMD II standards applicable to those functions. The fact that a delegate is regulated in its home jurisdiction does not relieve the AIFM of this obligation.</p><p>Source: Arthur Cox, <a href="https://www.arthurcox.com/knowledge/delegation-under-aifmd-ii-practical-implications-for-aifms/?ref=p2p.org">Delegation Under AIFMD II: Practical Implications for AIFMs</a>, December 2025.</p><p>The practical implication for DeFi vault allocation is that institutional allocators operating as AIFMs cannot treat the vault operator as a black box. They must verify that the vault operator's governance arrangements for managing curator conflicts of interest satisfy AIFMD II standards, including documentation of the conflict, controls preventing the conflict from adversely affecting allocation decisions, and disclosure to the AIFM that allows it to fulfil its own regulatory obligations.</p><blockquote><strong>The institutional digital asset space moves fast.</strong> Our subscribers get structured analysis across staking, DeFi vaults, and regulation through <em>DeFi Dispatch</em>, <em>Institutional Lens</em>, <em>DeFi Infrastructure for Institutions</em>, and <em>Legal Layer</em>. No noise. Just the signals that matter. <strong>Subscribe to the newsletter at the bottom of this page.</strong></blockquote><h2 id="iosco-recommendation-4-conflict-of-interest-in-defi-at-global-scale">IOSCO Recommendation 4: Conflict of Interest in DeFi at Global Scale</h2><p>IOSCO's Policy Recommendations for Decentralized Finance, published in December 2023 and now being implemented across jurisdictions covering more than 95% of global securities markets, include Recommendation 4, which requires regulators to mandate that DeFi Responsible Persons proactively identify and resolve conflicts of interest arising from various roles or affiliations.</p><p>IOSCO's approach is grounded in its "same activity, same risk, same regulation" principle: DeFi arrangements that provide financial products and services equivalent to those provided by traditional market intermediaries should be regulated to achieve the same outcomes for investor protection and market integrity. Applied to DeFi vault curators, this means that an entity managing assets on behalf of others in a fiduciary-like capacity faces the same conflict of interest requirements as a traditional investment manager, regardless of whether the arrangement is characterised as decentralised.</p><p>IOSCO specifically identifies vertical integration of activities and functions as a category of conflict that creates particular regulatory concern. Its Policy Recommendations for Crypto and Digital Asset Markets noted that a CASP engaging in multiple activities in a vertically integrated manner gives rise to conflicts of interest that may not be capable of being managed through disclosure alone and may require structural remedies. (Source: IOSCO, Policy Recommendations for Crypto and Digital Asset Markets, November 2023.) Recommendation 4 for DeFi goes further, urging regulators to consider robust intervention for significant conflicts, including enforcing legal disaggregation and separate registration and regulation of certain activities.</p><p>Source: <a href="https://www.iosco.org/library/pubdocs/pdf/ioscopd754.pdf?ref=p2p.org">IOSCO, Final Report with Policy Recommendations for Decentralized Finance</a>, December 2023.</p><p>The October 2025 IOSCO thematic review assessing implementation of its crypto and digital asset recommendations found that all participating jurisdictions had made progress implementing Recommendation 2 on governance and disclosure of conflicts of interest, with ten jurisdictions having relevant requirements already in force. The assessment methodology for consistent assessments by IOSCO's Assessment Committee is being developed in 2026, with regular consistency assessments beginning afterwards.</p><p>Source: <a href="https://www.iosco.org/library/pubdocs/pdf/IOSCOPD801.pdf?ref=p2p.org">IOSCO, Thematic Review Assessing the Implementation of IOSCO Recommendations</a>, October 2025.</p><h2 id="what-the-curator-market-is-doing-in-response">What the Curator Market Is Doing in Response</h2><p>The regulatory direction is visible in how the curator market itself is beginning to evolve. A public report published in December 2025 that analysed the DeFi curator market noted that the curator market currently operates in a regulatory grey area, with curators not holding assets or controlling capital directly but performing work that closely resembles activities of regulated investment advisors. The analysis found that none of the major curators are licensed as of late 2025, but concluded that to serve banks and registered investment advisors, curators will need investment advisor registration, KYC capabilities, and institutional custody integration, the compliance stack that crypto-native players have deliberately avoided.</p><p>The same analysis identified the direction of travel explicitly: over the coming years, resolving gaps in regulatory clarity, risk metrics, and technical interoperability will transform curators from crypto-native specialists into a fully licensed, ratings-driven infrastructure that channels institutional capital into on-chain yield with similar standards to traditional finance.</p><p>Source: <a href="https://chorus.one/reports-research/defi-curators-in-2025-navigating-chaos-building-resilience?ref=p2p.org">Chorus One, DeFi Curators in 2025: Navigating Chaos, Building Resilience</a>, December 2025.</p><p>This trajectory is significant for both vault operators and institutional allocators. For vault operators, it signals that the conflict of interest question is not a temporary compliance gap to be managed around. It is a structural feature of the curator model that regulatory frameworks across multiple jurisdictions are independently identified as requiring governance infrastructure. The operators who build that infrastructure now will be positioned as the curator market professionalises. Those who defer it will face a harder transition when licensing requirements arrive.</p><p>For institutional allocators, the trajectory creates a timing question. The conflict of interest frameworks that apply to their counterparties today, MiFID II, AIFMD II, and MiCA, already require governance controls that most current vault products do not provide. The IOSCO implementation timeline means that equivalent requirements will apply in an expanding set of jurisdictions. The due diligence question is not whether these requirements will apply. It is whether the vault operators they are considering can satisfy them now.</p><h2 id="the-regulatory-trilogy-in-summary-three-requirements-one-missing-layer">The Regulatory Trilogy in Summary: Three Requirements, One Missing Layer</h2><p>This trilogy has traced three distinct regulatory developments, each examining a different dimension of the institutional DeFi compliance environment.</p><p>The first article established that MiCA, while not directly regulating DeFi protocols, comprehensively regulates the operators serving institutional clients through them. Its CASP framework introduces mandatory governance standards for conflict of interest management, client asset safeguarding, and audit trail production that apply to any entity providing vault management services to EU clients.</p><p>The second article established that Travel Rule enforcement, now applying to every CASP-to-CASP transfer with no minimum threshold in the EU since December 30, 2024, creates a structural compliance gap in DeFi vault architecture. Smart contracts do not generate originator and beneficiary data. Closing the gap requires a data layer above the execution environment that most vault products were never designed to include.</p><p>This article establishes that conflict of interest frameworks across MiFID II, AIFMD II, and IOSCO's DeFi recommendations are independently converging on the curator model as a compliance problem. The vertical integration of strategy design, execution, and economic benefit without independent oversight creates conflicts that these frameworks require to be identified, documented, disclosed, and managed through governance controls that can be demonstrated to regulators.</p><p>All three regulatory developments point to the same missing infrastructure layer: an independent governance function sitting above the execution environment, operating at the transaction level, independent of the curator, validating mandate alignment, producing an exportable compliance log, and maintaining contractually defined role separation. The first trilogy of this series established that this layer is missing from most DeFi vault products. This trilogy establishes that its absence is now a regulatory compliance problem across three distinct and converging frameworks.</p><h2 id="key-takeaway">Key Takeaway</h2><p>Conflict-of-interest regulation did not arrive in DeFi. It was already there, in MiFID II and AIFMD, applied to the investment managers and fund operators who are the institutional allocators in DeFi vault products. What has changed is that AIFMD II has now extended those requirements to delegation arrangements, MiCA has applied equivalent standards to vault operators directly, and IOSCO's DeFi recommendations are extending the same framework globally across 95% of securities markets.</p><p>The curator model, as currently structured in most DeFi vault products, does not satisfy these frameworks without additional governance infrastructure. The conflict between curator incentives and institutional mandate alignment must be identified, documented, disclosed, and managed through controls that can be demonstrated to regulators. Most current products cannot produce that demonstration.</p><p>For vault operators, the direction is clear. The regulatory frameworks that govern their institutional clients are already applying conflict of interest requirements that reach into the vault architecture. The operators who build independent governance infrastructure now will be positioned for the institutional market as it matures. Those who treat conflict of interest management as a future compliance question will find it has already become a present one.</p><p>For institutional allocators, the two trilogies of this series have traced a complete picture: the structural gaps in DeFi vault architecture, the conflict of interest at the curator layer, the mandate validation standard that closes both gaps, and now the regulatory frameworks that make building that governance layer a legal requirement rather than a best practice.</p><p>The infrastructure that satisfies all three regulatory frameworks, pre-execution controls, exportable compliance logs, and contractual role separation, is the same infrastructure that the first trilogy identified as the missing governance layer in DeFi vault design. The regulatory environment is not creating a new requirement. It is formalising the one that was always there.</p><p><em>The DeFi Infrastructure for Institutions series continues. The next sequence examines specific dimensions of how the protection layer operates in practice for specific institutional profiles.</em></p><h2 id="frequently-asked-questions-faqs">Frequently Asked Questions (FAQs)<br></h2><h3 id="how-does-mifid-iis-conflict-of-interest-framework-apply-to-defi-vault-operators">How does MiFID II's conflict of interest framework apply to DeFi vault operators?</h3><p>MiFID II Article 23 requires investment firms providing portfolio management services to identify, prevent, and manage conflicts of interest between themselves and their clients. Any vault operator providing crypto-asset portfolio management services under a MiFID II license, or under MiCA's CASP framework, which incorporates MiFID II conflict of interest standards by reference, faces direct application of these requirements. A curator incentivised by TVL growth and performance fees has a documented conflict between its economic interests and its clients' interests in mandate-aligned execution. That conflict must be identified in the operator's conflicts of interest policy, managed through governance controls, and disclosed where those controls are insufficient to prevent damage to client interests.</p><h3 id="what-does-aifmd-ii-add-to-the-conflict-of-interest-requirements-for-institutional-allocators">What does AIFMD II add to the conflict of interest requirements for institutional allocators?</h3><p>AIFMD II, which required national transposition by April 16, 2026, expands conflict of interest requirements for alternative investment fund managers and introduces specific obligations around delegation arrangements. An AIFM that delegates portfolio management functions to a third party, including interaction with DeFi vault protocols through a curator, must verify that the delegate complies with AIFMD II standards applicable to those functions. The fact that a delegate is regulated in its home jurisdiction does not relieve the AIFM of this obligation. Institutional allocators operating as AIFMs must verify that vault operators' governance arrangements for managing curator conflicts satisfy AIFMD II standards, not just that the operator holds a relevant license.</p><h3 id="what-is-iosco-recommendation-4-and-why-does-it-matter-for-defi-vault-design">What is IOSCO Recommendation 4, and why does it matter for DeFi vault design?</h3><p>IOSCO Recommendation 4 from its December 2023 DeFi Policy Recommendations requires regulators to mandate that DeFi Responsible Persons proactively identify and resolve conflicts of interest arising from various roles or affiliations. IOSCO applies its "same activity, same risk, same regulation" principle to DeFi: arrangements providing financial services equivalent to traditional intermediaries face the same conflict of interest requirements. IOSCO specifically identifies vertical integration of strategy design and execution as a category of conflict that may not be manageable through disclosure alone and may require structural remedies, including legal disaggregation of functions. With implementation progressing across jurisdictions covering 95% of global securities markets, this recommendation is creating compliance obligations in an expanding set of regulatory frameworks.</p><h3 id="what-does-the-esma-common-supervisory-action-on-mifid-ii-conflicts-of-interest-mean-in-practice">What does the ESMA Common Supervisory Action on MiFID II conflicts of interest mean in practice?</h3><p>ESMA launched a Common Supervisory Action on MiFID II conflict of interest compliance in 2026, running through the year across national competent authorities in EU member states. The action specifically examines remuneration structures and their impact on product recommendations, the role of digital platforms in directing investors toward certain products, and whether firms manage conflicts between their own profits and client needs. All three focus areas apply directly to curator incentive structures in DeFi vault products. Firms under supervisory scrutiny that cannot demonstrate governance controls for these conflicts face regulatory action ranging from supervisory guidance to enforcement.</p><hr><h2 id="about-p2porg"><em>About </em><a href="http://p2p.org/?ref=p2p.org"><em>P2P.org</em></a></h2><p><a href="http://p2p.org/?ref=p2p.org"><em>P2P.org</em></a><em> builds the protection layer that sits between regulated institutions and DeFi execution environments, independently of the curators who manage allocation strategies. If you are evaluating the infrastructure requirements for a DeFi allocation program, </em><a href="https://p2p.org/?ref=p2p.org#form"><em>talk to our team</em></a><em>.</em></p><hr><p><strong><em>Disclaimer</em></strong><br>This article is provided for informational purposes only and does not constitute legal, regulatory, compliance, or investment advice. Regulatory obligations may vary depending on jurisdiction and specific business activities. Readers should consult their own legal and compliance advisors regarding applicable requirements.</p>