By: Rob Griffitts
This is the first in a series of posts in which I’ll examine the US regulations that impact cryptocurrency businesses.
Many describe bitcoin and other cryptocurrencies as being unregulated. As a blanket statement, this is not true.
What is true is that regulators so far have provided only limited guidance on how existing regulations apply to cryptocurrencies. But that doesn’t mean those regulations don’t apply. This is because regulations typically apply to some activity, not to a particular technology. So, for instance, if you’re committing fraud, it doesn’t matter whether you’re doing so using pen and paper, or whether you’re using email. Similarly, if you’re laundering money, it doesn’t matter whether you’re using the traditional banking system or using bitcoin.
The consequences of violating the regulations can be devastating. So, it’s important that operators of cryptocurrency businesses become familiar with the lay of the regulatory land (in addition to hiring knowledgeable advisers).
This is the first in a series of posts in which I’ll explain the regulations that come up most frequently in our work with cryptocurrency businesses. These regulations fall into three categories:
– Financial surveillance
– Investor protection
– Consumer protection
In this post, I’ll give a short overview of each. In my next three posts, I’ll dive into each more deeply. I’ll tell you what we know, and what remains unclear. And to the extent regulators have provided unambiguous guidance, I’ll try to frame things in the context of the different actors that participate in the crypto-space, which I loosely categorize as software developers, miners, exchange operators and promoters.
Let’s dive in…
The purpose of financial surveillance laws is to prevent money-laundering and terrorist financing, and to help law enforcement agencies prosecute crime. This is carried out primarily by the Bank Secrecy Act (BSA), which is a federal law that requires financial institutions to monitor the transactions of their customers, and to report large transactions and suspicious activity to the government. This is where the acronyms KYC (Know Your Customer), AML (Anti-Money Laundering) and CTF (Counter-Terrorism Financing) come from.
In the past, there wasn’t much ambiguity as to whether the BSA applied to a particular business. If you handled currency on behalf of your customers, like a bank or Western Union, you were subject to the regulations. However, it was far from clear whether the BSA’s regulations applied to cryptocurrencies, and for a period of time, cryptocurrency businesses had the luxury of operating in what many considered an unregulated field.
That changed on March 18, 2013, when FinCEN (which administers and enforces the BSA) announced that it would make no distinction between virtual currencies and regular (“fiat” or government) currencies. Overnight, software developers and other cryptocurrency innovators – businesses that looked nothing like a traditional financial institution – were subject to a very burdensome set of regulations, and consequently, were immediately in violation of those regulations.
Since 2013, FinCEN has issued additional guidance on the applicability of the BSA to virtual currency businesses, with mixed results in terms of the clarity provided. Some actors, such as miners, can take comfort that their activities are not subject to the BSA. Others, including companies conducting ICOs, still operate in muddied waters.
Much of the conversation about cryptocurrency regulation these days revolves around this question: are my tokens a “security”, and therefore subject to regulation by the federal securities laws? Much commentary has been offered on the topic, and while the SEC’s guidance has been limited, some consensus among practitioners about best practices has begun to emerge (of course, whether the SEC will ultimately agree with this consensus approach is anyone’s guess).
The consensus I’m referring to began to jell after the SEC released a report of its investigation into The DAO in July 2017. In that release, the SEC began to set the stage by reiterating some points that weren’t much of a surprise to securities lawyers, but which nonetheless provided some welcome clarity on its thinking. Most notably, the SEC said that cryptocurrencies can be, but aren’t necessarily, regulated securities, and that the determination of that question turns on application of the so-called “Howey Test” to the particular facts and circumstances of each case.
Based on the factors of the Howey Test (more on those later), securities lawyers began to draw a distinction between tokens issued before the network on which they will function has been built, and tokens issued after the network has been built. The former are likely securities; the latter may escape that fate – and therefore be unregulated as far as securities laws are concerned. Out of this construct came the SAFT – a Simple Agreement for Future Tokens – a new, hopefully compliant way to conduct token offerings.
The SEC’s concerns extend beyond the initial sale of tokens in an ICO. It also regulates the trading of securities after their initial issuance (in the so-called secondary markets). So exchanges on which tokens are traded, and intermediaries that participate in that trading, have to carefully consider the securities laws, as well as the commodities laws.
Consumer protection is a broad term that means different things depending on the context. In the context of cryptocurrency businesses, consumer protection laws refer to the various money transmission laws enacted at the state level aimed at custodial businesses – namely, those businesses that maintain custody over the funds of another. The concern is that custodial businesses may be mismanaged, hacked, suffer from illiquidity or otherwise may lose those funds. Each state, except Montana, has such laws on its books.
The state money transmission laws are particularly frustrating for cryptocurrency innovators because complying with them is a cumbersome and costly affair — each of the 49 states has a different set of laws, and each state’s laws reach anyone that services or even solicits a resident of that state. This means that a cryptocurrency business that intends to offer its services nationwide must satisfy each state’s licensing regime. Making matters worse, these statutes are archaic, and with only a few exceptions, state regulators haven’t offered guidance on whether, or how, their laws apply to cryptocurrency businesses.
In the next post, I’ll begin to examine these regulations in more depth.