Compliance Issues in Cryptocurrency
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
More than 10 years have passed since Satoshi Nakamoto introduced the first blockchain network and associated digital asset, Bitcoin. In that time, the blockchain industry has grown into a trillion-dollar ecosystem attracting the attention of consumers, investors, enterprises and governments around the world. Blockchain technology and the associated digital assets raise exciting prospects of new forms of economic development but also present a serious challenge to existing regulatory and compliance regimes. This chapter provides an overview of those challenges and of the current regulatory landscape, primarily in the United States but also in a number of jurisdictions where the regulatory landscape and compliance regimes are evolving to address these challenges.
Regulatory challenges of digital assets
Digital assets present unique regulatory challenges for a number of reasons. Many of those challenges stem from the core innovation of blockchain: to enable peer-to-peer transfer of value with less need for trusted intermediaries. First, unlike many other technological innovations, blockchain networks disrupt highly regulated financial markets. Second, the core disruption is to reduce the need for intermediaries, but many existing regulatory frameworks are built around regulating those intermediaries. Third, blockchain technology enables myriad new forms of assets that do not fit neatly within the categories of financial instruments addressed by existing regulations, even though they may trade in markets resembling conventional financial markets. Fourth, the technology and resulting markets are global, thus requiring some measure of coordination and limiting the efficacy of efforts to regulate in any one jurisdiction.
As a result, the extensive global infrastructure of financial regulation is confronting fundamental questions of what existing regulations apply and to whom, and how to enforce them, in a rapidly evolving blockchain ecosystem that continues to adapt and raise new questions faster than the law can evolve to provide answers.
Broadly, there are two primary approaches taken by governments, in varying combinations: (1) seek to fit digital assets into existing regulatory and compliance regimes (the approach primarily relied on at the federal level in the United States to date); and (2) create new laws or amend existing laws specifically to address digital assets (as is evident in jurisdictions such as Switzerland and Dubai, and certain states in the United States such as New York).
This chapter offers a high-level overview of the relevant laws in selected jurisdictions that will be relevant for compliance concerns. Although approaches differ, a few recurring themes emerge. First, most jurisdictions recognise that digital assets are at times used as an investment vehicle and, thus, may implicate the laws and regulations governing securities markets, largely with an investor protection objective. Second, governments recognise that digital assets could be used as a tool for money laundering, sanctions avoidance or other illicit transactions and, therefore, seek to apply know-your-client or anti-money laundering regulations (or both), either by fitting certain digital asset transactions within existing laws or by crafting new laws to make these obligations explicit for digital assets.
Current regulatory landscape for digital assets
There are a number of US regulators with overlapping authority over digital assets at both the federal and state levels. Unlike other jurisdictions, there is no overarching digital asset regulatory regime to which a participant can look for compliance obligations. Instead, businesses must consider distinct areas of US federal law – and, in some instances, state law – that may be relevant to any given digital-asset activity.
Although it is not an exhaustive list, prominent areas of regulatory and compliance obligations include federal and state securities and commodities laws, and federal and state banking laws governing money services businesses. Furthermore, a presidential Executive Order on digital assets issued by the Biden administration called on the Consumer Financial Protection Bureau, the Federal Trade Commission and other agencies to attend inter-agency meetings on digital asset regulatory questions, each of which has its own regulatory ambit that may be implicated by certain digital asset activities. On 7 July 2022, the Secretary of the Treasury, in coordination with the heads of other relevant agencies, delivered to President Biden a framework for international engagement on digital assets, which emphasises active engagement with international partners through standard-setting bodies such as the Financial Stability Board, the Financial Action Task Force and others. Certain states also have developed digital asset regulations, including the New York State Department of Financial Services BitLicense requirement for ‘virtual currency business activity’.
The SEC and the Securities Laws
The securities laws of the United States are enforced primarily by the Securities and Exchange Commission (SEC). Anyone engaged in digital asset transactions must be mindful of whether the digital asset activity in question amounts to an offer or sale of securities, or whether the digital asset itself is a ‘security’ under the securities laws. If so, then a host of registration and reporting requirements under the securities laws may come into play, and an entity must further enquire as to whether it meets the definition of an ‘issuer’, an ‘exchange’, a ‘broker’ or a ‘dealer’.
The SEC’s focus on digital assets continues to grow. On 3 May 2022, it announced that it was nearly doubling the size of its Crypto Assets and Cyber Unit, with a continuing focus on investor protection as reflected in a statement from the SEC’s director of enforcement, who commented: ‘Crypto markets have exploded in recent years, with retail investors bearing the brunt of abuses in this space’.
‘Securities’ under US federal law
The Securities Act of 1933 and the Securities Exchange Act of 1934 list a number of enumerated categories of instruments that fall within the definition of a ‘security’, including stocks, bonds, debentures, notes, investment contracts and many others. The category ‘investment contract’ functions as a catch-all for numerous investment transactions or schemes not otherwise captured in the statutory definitions, and it is the category into which the SEC places many digital asset transactions. The seminal test for what constitutes an investment contract was set forth in the Supreme Court case, SEC v. Howey. As the Court stated and the SEC maintains today, the term ‘investment contract’, as used to define a security, ‘embodies a flexible rather than static principle, . . . capable of adaptation to . . . countless and variable schemes’. Howey creates a four-part test that the SEC has used to determine whether a digital asset offering is a securities offering. Although there are slightly different articulations of the test, for a transaction or scheme to constitute a securities offering, it must generally involve (1) an investment of money (2) in a common enterprise (3) with a reasonable expectation of profits, (4) derived from the effort of others.
Although, to date, the SEC has not issued any rule-making or definitive guidance on the application of securities laws to digital assets, the Howey test has guided the SEC’s thinking as its position on digital assets has evolved across a series of reports, enforcement actions and public speeches. In 2019, the SEC released a ‘Framework for “Investment Contract” Analysis of Digital Assets’, which spelled out how the agency’s staff are likely to approach digital assets under Howey, though it is careful to state that it is not a binding standard.
An additional area in which the application of US securities laws to digital assets continues to evolve is in the distinction between a ‘securities offering’ and a ‘security’. Although the SEC maintains the position that initial coin offerings (ICOs) are securities offerings, it is a separate question whether the digital assets themselves are securities and must be regulated as such. For example, selling a token in a fundraising scheme may constitute a securities offering, but the token itself may not be a security if it carries no rights to any ownership or future payments.
Where compliance currently stands under US securities laws
To date, SEC officials have stated that the agency does not consider Bitcoin to be a security, and ETH may not be a security. However, the SEC has viewed most ICOs as securities offerings. Therefore, any activity that involves issuance and distribution of a new digital asset may constitute a securities offering under US law and trigger a variety of compliance obligations.
Compliance obligations fall on multiple sets of constituents under US securities law. In an offering such as an ICO, the offeror will be an issuer. An ‘issuer’ includes ‘every person who issues or proposes to issue any security’. An entity engaging in issuing a new digital asset that has the essential characteristics of an investment will likely be considered by the SEC to be an issuer subject to the full registration requirements as applicable to any other issuer of securities.
Separate from issuance, any business that effects digital asset transactions on behalf of others, or that engages in a business of buying and selling digital assets, should consider whether the requirements for brokers or dealers may apply. ‘Brokers’ are those who effect securities transactions ‘for the account of others’. A ‘dealer’ is any person buying or selling securities for that person’s own account, but there is a ‘trader exception’ when the buying or selling is ‘not part of a regular business’.
Besides token sales and exchanges, the SEC is also seeking to regulate accounts that offer interest or similar rewards on token balances. In February 2022, the SEC announced a settled enforcement against BlockFi, in which it found that BlockFi’s cryptocurrency-based interest accounts were unregistered securities offerings and that BlockFi operated as an unregistered investment company. BlockFi paid a total US$100 million in penalties to the SEC and state-level securities enforcers, and embarked on a process to register its interest accounts with the SEC as securities.
In addition, each of the 50 states has its own securities laws. Compliance with state securities laws is often accomplished by registering with the SEC, but where a product or business is not registered with the SEC, it may be subject to registration requirements in one or more states.
The Commodities Futures Trading Commission and the Commodity Exchange Act
Although the SEC may view some digital assets as securities, many are also likely be commodities according to the Commodities Futures Trading Commission (CFTC), the agency that enforces the Commodity Exchange Act (as passed in 1936 and subsequently amended (CEA)). Furthermore, just because one digital asset is part of a securities transaction does not necessarily mean that it cannot also be a commodity, thereby creating the potential for overlapping regulation.
The CFTC does not have general regulatory jurisdiction over the ‘spot’ market in digital assets. Rather, the Commission regulates futures and other derivatives of commodities and the marketplaces or exchanges on which commodities trade. The CFTC also asserts jurisdiction over fraud within the spot market for commodities in which futures are traded.
Those engaged in any type of activity concerning swaps, futures or other derivatives of digital assets are likely to fall under the regulatory authority of the CFTC, which pursues enforcement against organisations that fail to register as swap execution facilities or future commission merchants. Likewise, if an organisation is a commodity trading adviser or commodity pool operator, the CFTC requires registration, record-keeping and disclosure. Beyond the regulatory requirements of certain business models under the CEA, organisations and individuals must comply with the CEA’s anti-fraud and anti-manipulation mandates, which are wide in scope. For example, the CFTC pursues enforcement action against a variety of potentially deceptive trading practices, such as ‘spoofing’, in which market participants place orders they do not intend to complete, and manipulation of commodity or foreign-currency benchmark prices.
Money services businesses and money transmitters under the Bank Secrecy Act
The Financial Crimes Enforcement Network (FinCEN), an enforcement body under the United States Treasury Department, has established regulation and compliance requirements for companies that move money as a business, such as currency dealers or cheque cashers. Money services businesses and money transmitters must register with FinCEN, and those businesses must ensure compliance with anti-money laundering regulations under the Bank Secrecy Act of 1970.
FinCEN has released specific guidance stating that money transmitter regulation applies equally to the national currencies of sovereign states and to cryptocurrencies. Guidance issued in 2019 by FinCEN analysed various virtual currency business models and concluded that many of them would qualify as money transmitters and thus fall under the registration and other requirements. Cryptocurrency businesses that transmit value between persons or entities are likely to be subject to FinCEN regulation.
Additionally, most states have their own registration requirements for money transmitters, thus requiring money services businesses to register in each state in which they do business (with some exceptions).
New York’s virtual currency business activity licence (BitLicense)
A handful of states have introduced cryptocurrency-specific legislation, including Wyoming, which has exempted cryptocurrency from money transmitter regulation and property tax. The most restrictive state in the digital-asset regulator space is New York.
Organisations that operate in New York are required to maintain a licence, known colloquially as a ‘BitLicense’, if they engage in ‘virtual currency business activity’. This includes receiving or transmitting virtual currency, holding custody of virtual currency on behalf of others, buying and selling virtual currency as a customer business, performing exchange services as a customer business, or administering or issuing virtual currency. In essence, New York creates an ex ante licensing requirement before cryptocurrency-based business activities can be undertaken. Although this is the same approach as taken in some other jurisdictions, such as Dubai, it is a notable departure from the prevailing regulatory norm in the United States, in which regulatory agencies exercise discretion to engage in ex post enforcement activities rather than creating up-front requirements to enter the market.
The United Kingdom
The primary regulator of note in the United Kingdom is the Financial Conduct Authority (FCA), which regulates financial services firms and the British financial markets. The FCA divides digital assets into regulated tokens and unregulated tokens. The two types of regulated tokens are security tokens, which provide the functional equivalent of equity or debt rights, and e-money tokens, which fall under the Electronic Money Regulations 2011 but do not include cryptocurrencies such as Bitcoin, which are sometimes referred to in UK guidance as ‘exchange tokens’.
Exchange tokens are considered to be unregulated by the FCA, but since January 2020, they are subject to the UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Therefore, despite the lack of specific regulatory classification for many of the most common digital assets, compliance with anti-money laundering rules means that businesses exchanging or providing custodian services must register with the FCA, a process that requires disclosure of business plans, internal systems and controls, anti-money laundering risk assessment and other information.
The European Union
The European Union is in the process of adopting its Markets in Crypto-assets Regulation (MiCA), which will create a distinct regulatory regime for digital assets within the European Union. Previously, digital currencies were outside the scope of EU legislation. The proposed MiCA has been under debate in the European Parliament since 2020, and it will create an EU-wide authorisation requirement for offerors of digital assets. Unlike the British approach, MiCA will create a specific set of regulatory categories specific to digital assets. The details of compliance requirements remain to be settled but on 31 May 2022, EU financial officials called for the forthcoming MiCA to emphasise anti-money laundering and advised that authorised digital asset exchanges should lose their licences for AML violations.
Switzerland has taken specific steps to hold itself out as a hospitable regulatory environment for cryptocurrency and digital assets. Unlike the United States, the Swiss approach involves delineating specific new regulatory categories for digital assets. Switzerland has presented itself as a hub for crypto innovation, and it has succeeded in making itself an important centre for ICOs.
Although the Swiss Financial Market Supervisory Authority (FINMA) takes the general approach that the same financial markets laws apply regardless of whether new technology underlies transactions, FINMA also issued its 2018 ‘ICO Guidelines’, which create specific regulatory categories into which traditional cryptocurrencies, such as Bitcoin and other digital tokens, will fall.
The ICO guidelines recognise three types of tokens, though it emphasises that hybrids are possible, and, in the case of an ICO, a fact-specific, case-by-case inquiry may still be required to determine where a given token falls. The three enumerated categories are:
- payment tokens, which are synonymous with cryptocurrencies;
- utility tokens, which provide access to a digital application or service; and
- asset tokens, which represent rights in traditional assets and are analogous to equities, debt instruments, or derivatives.
FINMA has indicated that participants in the Swiss digital-asset space should prioritise their attention on Switzerland’s securities regulations and anti-money laundering laws. Payment tokens require compliance with the Swiss Anti-Money Laundering Act but not Swiss securities laws. Conversely, asset tokens are regulated as full securities under Swiss law, including with a full prospectus requirement. Utility tokens are a more complex category. If a utility token at the time of its issuance solely confers digital access to some application or service, then it is not regulated as a security. But if a utility token has even a partial function as an investment, then FINMA treats it just like an asset token (i.e., as a security).
Separately, in August 2021, Switzerland implemented its Distributed Ledger Technology Act (the DLT Act), which formally recognises and creates a framework for rights to securities to be recorded on a blockchain ledger rather than traditional registration and certification processes. The DLT Act recognises blockchain-based digital assets as their own category and regulatory target with their own compliance needs that may overlap with, but also be distinct from, traditional financial regulations, such as those covering securities.
Like Switzerland, Singapore has promoted itself as a crypto-friendly environment. It has been a successful hub of digital-asset activity, unlike many of its Asian neighbours (such as China, Indonesia and Thailand), which have at times restricted cryptocurrency trading or banned it outright. Singapore has taken the general approach that cryptocurrency businesses want to be regulated because they prefer to know what the rules are rather than to face uncertainties. To that end, cryptocurrency businesses operating in Singapore have long been regulated by the Monetary Authority of Singapore (MAS), and the Payment Services Act created a licensing regime for crypto activity.
Until recently, Singapore’s approach was to regulate more lightly those cryptocurrency operators based in Singapore but who direct their services solely outside Singapore. In this way, Singaporean authorities aimed to adopt a ‘consumer protection’ approach for their own citizens, while offering their city state as a hub for innovations aimed at the citizens of other countries. However, this has changed. On 5 April 2022, Singapore passed the Financial Services and Markets Bill, under which digital-asset providers based in Singapore but conducting business in other countries must now abide by Singaporean anti-money laundering and anti-terrorism financing laws. The Bill also introduces a licensing regime for Singaporean digital-asset service providers in compliance with Financial Action Task Force standards adopted in 2019 requiring licensing or registration in the jurisdiction where digital assets are created. Meanwhile, MAS reiterated its position, in January 2022, that cryptocurrency services should not be targeted at the general public of Singapore itself.
The current status of Singapore’s digital-asset regulatory approach has established an extraterritorial reach outside Singapore at the same time that activity within Singapore is being curtailed. The effect of Singapore’s increasing regulation remains to be seen.
In March 2022, the emirate approved the Dubai Virtual Asset Regulation Law, which establishes the Dubai Virtual Assets Regulatory Authority (VARA), a first-of-its-kind regulator dedicated to digital assets. The Law requires authorisation from VARA before a person may engage in any business activity relating to digital assets, including exchanging digital assets for national currency, exchanging digital assets for other digital assets, and the creation or maintenance of services facilitating or managing such exchanges. The implementation of regulations remains in progress and VARA has not offered a timetable. However, the law establishes that Dubai requires a licence to engage in a token offering, to operate a digital-asset platform, or to otherwise offer exchange, transfer, custody or portfolio services for digital assets.
Digital asset businesses operate in a regulatory environment that is uncertain and constantly evolving. In most jurisdictions, compliance will focus on securities, commodities and banking laws. Given the rapid evolution of technology and the law, and the likelihood of multiple overlapping compliance regimes, it is crucial to stay abreast of the regulatory developments and frequently re-evaluate compliance policies and procedures.
 Kayvan B Sadeghi is a partner and Lawrence W McMahon is an associate at Jenner & Block LLP.
 The United Kingdom, the European Union, Switzerland, Singapore and Dubai.
 ‘Executive Order on Ensuring Responsible Development of Digital Assets’ (9 March 2022), at https://www.whitehouse.gov/briefing-room/presidential-actions/2022/03/09/ executive-order-on-ensuring-responsible-development-of-digital-assets/ (last accessed 4 July 2022).
 https://home.treasury.gov/news/press-releases/jy0854 (last accessed 11 July 2022).
 23 NYCRR § 200.
 For example, an issuer of securities to the public generally must register those securities with the US Securities and Exchange Commission (SEC) and disclose detailed information about the financials, structure and management of their underlying business. See 15 U.S.C. § 78l. After registration, issuers are also subject to ongoing annual, quarterly and other reporting requirements. See 15 U.S.C. § 78m.
 https://www.sec.gov/news/press-release/2022-78 (last accessed 4 July 2022).
 See 15 U.S.C. § 77b(a)(1).
 SEC v. Howey, 328 U.S. 293, 299 (1946).
 The SEC’s first substantial action relating to cryptocurrencies was its July 2017 ‘Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO’ (see https://www.sec.gov/litigation/investreport/34-81207.pdf (last accessed 11 July 2022)), in which the SEC staff made clear that they viewed the sale of DAO tokens as a securities offering. In June 2018, the director of the SEC’s Division of Corporations gave prepared remarks at a cryptocurrency summit, in a speech titled ‘Digital Asset Transactions: When Howey Met Gary (Plastic)’, which was interpreted as conveying the SEC’s staff’s position at the time – see https://www.sec.gov/news/speech/speech-hinman-061418 (last accessed 11 July 2022). The SEC also has brought dozens of enforcement actions, a list of which is maintained at https://www.sec.gov/spotlight/cybersecurity-enforcement-actions (last accessed 11 July 2022).
 https://www.sec.gov/files/dlt-framework.pdf (last accessed 4 July 2022).
 https://www.sec.gov/news/speech/speech-hinman-061418 (last accessed 4 July 2022) (William Hinman, Director of the SEC Division of Corporate Finance, explains that, in his view, ‘current offers and sales of Ether are not securities transactions’ as is also the case with Bitcoin); but see https://decrypt.co/103926/sec-chair-gensler-bitcoin-not-security -what-about-ethereum (last accessed 14 July 2022) (quoting and linking to a video of an interview on 27 June 2022 with SEC Chairman Gary Gensler, in which he identifies Bitcoin as a commodity but makes clear that Bitcoin is the ‘only one’ for which he is willing to make that statement).
 15 U.S.C. § 77b(a)(4).
 https://www.sec.gov/news/press-release/2022-26 (last accessed 4 July 2022).
 See, e.g., https://www.cftc.gov/PressRoom/PressReleases/8433-21 (last accessed 4 July 2022).
 See, e.g., https://www.cftc.gov/PressRoom/PressReleases/8534-22 (last accessed 11 July 2022); https://www.cftc.gov/PressRoom/PressReleases/7181-15 (last accessed 11 July 2022).
 https://www.fincen.gov/sites/default/files/shared/FIN-2013-G001.pdf (last accessed 4 July 2022).
 https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20Guidance%20CVC%20FINAL%20508.pdf (last accessed 11 July 2022).
 See 23 NYCRR § 200.3(c).
 https://www.fca.org.uk/firms/cryptoassets (last accessed 4 July 2022).
 SI 2011/99.
 ‘Guidance on Cryptoassets: Feedback and Final Guidance to CP 19/3’ (July 2019), at 9, at https://www.fca.org.uk/publication/policy/ps19-22.pdf (last accessed 4 July 2022).
 https://www.fca.org.uk/firms/financial-crime/cryptoassets-aml-ctf-regime (last accessed 4 July 2022).
 https://www.fca.org.uk/cryptoassets-aml-ctf-regime/register (last accessed 11 July 2022).
 https://www.europarl.europa.eu/news/en/press-room/20220309IPR25162/cryptocurrencies-in-the-eu-new-rules-to-boost-benefits-and-curb-threats (last accessed 4 July 2022).
 ‘Joint ESAs Report on the withdrawal of authorisation for serious breaches of AML/CFT rules’, at 19–20, at https://www.esma.europa.eu/sites/default/files/library/joint_report _on_withdrawal_of_authorisation_aml_breaches.pdf (last accessed 4 July 2022).
 https://www.finma.ch/en/news/2018/02/20180216-mm-ico-wegleitung/ (last accessed 4 July 2022).
 https://www.mas.gov.sg/news/media-releases/2018/new-regulatory-framework-to -enhance-payment-services-in-singapore (last accessed 4 July 2022).
 https://www.mas.gov.sg/news/speeches/2022/financial-services-and-markets-bill-second -reading-speech-on-4-april-2022 (last accessed 4 July 2022).
 https://www.parliament.gov.sg/docs/default-source/default-document-library/financial-services-and-markets-bill-4-2022.pdf (last accessed 4 July 2022); see https://www.mas.gov.sg/news/speeches/2022/explanatory-brief-for-financial-services -and-markets-bill-2022 (last accessed 4 July 2022).
 https://www.mas.gov.sg/news/speeches/2022/explanatory-brief-for-financial-services -and-markets-bill-2022 (last accessed 11 July 2022).
 https://www.mas.gov.sg/news/media-releases/2022/mas-issues-guidelines-to-discourage -cryptocurrency-trading-by-general-public (last accessed 4 July 2022).
 https://u.ae/en/about-the-uae/digital-uae/regulation-of-digital-properties (last accessed 4 July 2022).
 https://mediaoffice.ae/en/news/2022/March/09-03/Mohammed-bin-Rashid-approves -Dubai-Virtual-Asset-Regulation-Law (last accessed 11 July 2022).