The Key Areas of ICO Compliance

The simple truth is that as well as you may have structured your white paper and token model, there is always the risk that your ICO might be considered selling securities. No matter how hard people are trying to sell us their ICOs as the issuance of a utility token or a donation, the regulatory reality is different.

When the chairman of the U.S. Securities and Exchange Commission (SEC) recently stated in front of the Senate a few weeks ago that almost all tokens that have been issued so far should be considered securities, everyone in the cryptocurrency business knew that their ICOs better complied with U.S. securities laws. And if that wasn’t enough, a recent letter from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) should make it clear to everyone that ICOs are from operating in a legal no-man’s land. Shortly after the letter, FinCEN also published guidance that stressed that any administrator or exchanger of virtual currencies is a money services businesses under FinCEN’s regulations. And that is that.

So, now that we have decided to focus on complying with financial regulation, what are the key aspects we need to consider?

AML and KYC

The first thing you should be taking very seriously is Anti-Money Laundering (AML) and Combatting the Financing of Terrorism (CFT). Wherever you operate, laws and regulations about Knowing Your Customer (KYC) exist and while these may not be explicitly targeting ICOs, this is one of the key concerns if you want to avoid the orange jumpsuits. Several regulators already have addressed this subject, for instance, the EU will bring crypto currencies in the remit of the AML IV directive, and Australia has integrated the requirement for AML/CTF programs and customer identification procedures in its new rules for Digital currency exchange providers that came into force yesterday.

Any solid KYC process needs to consist of a framework for identifying customers and beneficial owners of customers. This framework needs to put a company in a place where it can be reasonably satisfied a customer is who they claim to be. To give you an idea of what that entails, let’s  take another look at the Australian rules that actually refer to the existing rules for all financial firms. According to chapter 6 in the AUSTRAC compliance guide, a AML/CTF program covers identifying, managing and reducing the money laundering and terrorism financing risk faced by a reporting entity. This includes:

• an ML/TF risk assessment of the business conducted by the entity. This assessment must be reviewed and updated periodically
• approval and ongoing oversight by boards (where appropriate) and senior management
• appointment of an AML/CTF compliance officer
• regular independent review of Part A
• an employee due diligence program
• an AML/CTF risk awareness training program for employees
• policies and procedures for the reporting entity to respond to and apply AUSTRAC feedback
• systems and controls to ensure the entity complies with its AML/CTF reporting obligations
• ongoing customer due diligence (OCDD) procedures, which provide for the ongoing monitoring of existing customers to identify, mitigate and manage any ML/TF risks. These include a transaction monitoring program and an enhanced customer due diligence (ECDD) program.

Licences?
Now, to the second step, specific regulations for the business you intend to conduct. There are a number of questions from a compliance perspective you need to ask yourself to define what is applicable to you. For example, do you handle Client Money? Are you executing transactions on behalf of others? Or do you in the course of your business decide on whether a transaction should take place or should be blocked? If the answer to any of these questions (and potentially various others), the activity you’re conducting is a financial service and is regulated. We’ve already touched upon the American view of things above, but to add insult to injury let’s dive a little deeper into the findings of the U.S. authorities: FinCEN found that anyone who sells a convertible virtual currency, including in the form of ICO coins or tokens, is a money transmitter including cryptocurrency exchanges. However, FinCEN also pointed to the possibility of an ICO being categorised as an offering or sale of securities or derivatives – in which case the SEC may be the port of call for a licence a securities broker or dealer – or a commodity – in which case it would be subject to the rules for merchants and brokers in commodities that the CFTC oversees.

Admittedly, the US is one of the most complicated places for financial regulation, and given the imminent risk of class actions, many ICOs stay clear of U.S. customers and even IPs in the U.S.

In more general terms (especially from a European perspective) you predominantly need to consider four kinds of licences:

• If you’re a cryptocurrency exchange or your business in any other form executes payment orders, you need a licence as a payment service provider (PSP). It is the same procedure as for any other company who wants to provide online payments solutions or money remittance to their customers and, naturally, can vary from jurisdiction to jurisdiction. In the UK, for example, it is regulated under the Payment Services Regulations 2017that tells you what you need to do to obtain the authorisation. In Germany the detailed rules can be found in the Payment Services Supervision Actthat outlines the licensing requirements, which is overseen by the German financial watchdog, BaFin. In the EU, there is at least an element of harmonisation through common rules, in this case the revised Payment Services Directive (PSD2), which sets regulatory requirements for firms that provide payment services and creates a level playing field across the European Union, especially through the use of passporting into other EU jurisdiction without having to apply in every single member state.
• Another case would be an e-money licence, which is as a matter of fact the licence of choice for anyone issuing cards funded by cryptocurrency balances. Gibraltar seems to be a very popular destination for obtaining such a licence due to its open approach to all things blockchain and particular interpretation of the e-money directive(EMD) there. The EU’s EMD sets out the rules for the business practices and supervision of e-money institutions. The directive aims to lay the foundations for a single market for e-money services in the EU. It aligns EU requirements for e-money services and puts in place coherent set of requirements for obtaining a licence as an e-money institution. It also facilitates access for newcomers to the e-money market by ensuring prudential rules are proportional to the risks faced by e-money institutions. As all EU directives it requires transposition into national laws and the financial regulators of the member states like BaFinor the FCAprovide detailed information about the specifics.
• Again, from a European perspective, in particular in light of increased efforts with regard to investor protection, a licence as an investment provider under MiFID II might be relevant. It doesn’t appear to be the case just yet, but for obvious reasons it could well be way forward and national regulators like the Dutch Authority for the Financial Markets (AFM) list both the details and the application formfor an investment firm udner MiFID II. Since the remit of investment firms is fairly wide (the directive defines this as “any legal person whose regular occupation or business is the provision of one or more investment services to third parties and/or the performance of one or more investment activities on a professional basis”, so anything from the following: investment advice to clients, management of client portfolios, execution of clients’ orders on financial instruments, reception and transmission of orders on financial instruments, dealing with own account, market making, underwriting, placing of financial instruments, and operating trading facilities), you could easily think of an application, e.g. blockchain-based asset trading – something that a number of financial institutions currently look into.
• A licence as a regulated fund. Many operating cryptocurrency funds are nothing else than a hedge fund focusing on cryptocurrencies as an asset class, but with the maturation of the sector the formation of funds under the classic models is a possibility. The EU again offers a wide range of harmonised rules for collective investment schemes such as undertakings for collective investment in transferable securities (UCITS)directive, alternative investment fund managers (AIFM)directive, the European venture capital funds (EuVECA) regulation, or the regulation on money market funds(MMF).

Money market funds (MMFs) are investment vehicles where households, corporate treasurers or insurance companies can obtain a relatively safe and short-term investment for surplus cash. They are an important source of short-term financing for financial institutions, corporates and governments. In order to preserve the integrity and stability of the internal market, the EU adopted a regulation that will make MMFs more resilient to a future financial crisis.

Further considerations

And to conclude a couple of other considerations: First, an issue that isn’t solved conclusively is the question of the regulatory treatment of secondary markets for ICO tokens. Even if you had no intention of listing on an exchange, once it is traded somewhere it can be considered as security, so we are back at the start, but it’s certainly an argument for contemplating the consequences of your token being a security. The Swiss regulator recently published guidance for ICOsand also touched on other models, in particular payment tokens, utility tokens and asset tokens, which in certain circumstances would not be subject to Swiss securities regulation. If you read the guidance, there are plenty of ifs and buts and in one case (payment tokens) it even highlights the possibility that the token will eventually be considered a security regardless of the current regulatory practice and, of course, there are cases were utility tokens and asset tokens should be considered securities, too.

Another aspect is data protection. Data protection laws require all firms that handle personal information of their customers to comply with a number of important principles regarding privacy and disclosure. New rules like the General Data Protection Regulation (GDPR)that comes into force on 25 May 2018 set high standards for the management and use of client information and contain stern sanctions in case of non-compliance.

And lastly, what do you do when the regulator comes knocking. In has become somewhat fashionable amongst the authorities to investigate ICOs. If you get a request from a regulator – which sometimes can be rather generic such as whether an ICO complies with the jurisdiction’s securities laws – you can either choose to hide/tell them to bugger off or look into the request and provide the information demanded as good as possible. It’s probably not a good cause of action to simply hope that the trouble will go away by itself, so it highlights the case for solid arrangements from the start and the preparedness for all eventualities. Needless to say that the above isn’t legal advice and doesn’t replace the need to get a good legal opinion early on as well as compliance advice throughout the entire lifecycle.