UK FCA Guidance on Regulation of CryptoAssets

The regulation of 'cryptoassets' including cryptocurrencies is under permanent review, with the UK's Financial Conduct Authority perhaps the latest financial regulator to finalise its guidance. Despite the often-repeated statement that financial regulation is 'technology-neutral', the decentralised nature of cryptographic or 'distributed ledger technology' (DLT) is awkward because there is no central issuer, operator or service provider to which regulatory responsibility and accountability can be attached. Add to that the flexibility of DLT and the wide range of use-cases, and you have the recipe for widespread regulatory confusion.

The guidance itself is set out in Appendix 1 to the FCA's paper (pp 29-54), including useful case studies and examples, but I've only discussed the different types of cryptoasset below - including a new category added by the FCA.

The FCA's guidance in this context is also separate from:

• anti-money laundering: the fifth money laundering directive (5MLD) will be gold-plated implemented in the UK by January 2020, which will impose anti-money laundering requirements on certain cryptoasset firms, amongst other types of businesses.
• the use of Distributed ledger technology (DLT) for regulated activities such as custody, and settlement.

The guidance may also change pretty quickly because:

• the FCA itself will consult on banning the sale of derivatives linked to certain types of unregulated cryptoassets to retail clients; and
• the UK Treasury will consults on whether (further) regulation of (unregulated) cryptoassets is required; and
• other countries may regulate in a way that it makes sense for the UK to match.

What Are Cryptoassets?

Like the regulatory authorities in most developed markets, the FCA initially embraced the idea that cryptoassets can be defined in terms of three types of cryptographically-generated 'tokens': exchange tokens, utility tokens and security tokens. 

But the FCA has now added a fourth category of "e-money tokens" (those which meet the definition of "electronic money" discussed below). The intention is to leave exchange tokens and utility tokens outside the regulatory perimeter as "unregulated tokens"; and to differentiate the use of tokens as e-money from security tokens (which carry rights and obligations that are essentially the same as specified investments covered by existing securities regulation).

"Stablecoins" don't constitute a separate category because while they're all structured in a way that seeks to limit changes in their perceived value, those structures vary a lot. Some could meet the definition of e-money (e.g. equating in value to a fiat currency and meeting the other requirements), or a security ('backed' by other securities), while others would not.

So, basically, the FCA considers that only e-money tokens and securities tokens will be regulated.  But note that firms which are already regulated by the FCA may have regulatory obligations relating to their unregulated activities where they are carried out by the regulated firm in connection with, or held out as being for the purposes of, a regulated activity. In such cases, the FCA's 11 Principles for Business (PRIN) and individual conduct rules under the Senior Managers and Certification Regime (SMCR) will still apply. The FCA also works with other agencies to indirectly mitigate harm from other types of unlawful activity involving cryptoassets.

It's also possible that tokens could shift categories over time, or meet the definitions of two or more types. The FCA says that: 

"...the regulatory treatment depends on the token’s intrinsic structure, the rights attached to the tokens and how they are used in practice. If the token at a point in time reaches the definition of an e-money token or a security token, then it will fall under regulation. We have provided additional case studies on the fluidity of tokens within the Guidance."

Exchange Tokens

These are cryptoassets that are decentralised and primarily used as a means of exchange (e.g. ‘cryptocurrencies’, ‘crypto-coins’ or ‘payment tokens’) that are typically designed to provide limited or no rights for the holder, and there is usually no (single) issuer to enforce rights or make claims against.

The FCA does not want to regulate exchange tokens themselves (without a change in the law), but may already regulate the participants at either end of the exchange, for instance, where the cryptoasset is used by regulated payment service providers to more efficiently facilitate the processing of payment transactions in 'fiat' currency. 

Anti-money laundering regulation may also apply (particularly from 10 January 2020), but the FCA sees this as a separate to its financial regulatory perimeter (even though it is also a supervisory authority for AML regulation).

Utility Tokens

These are cryptoassets that provide users with access to a current or prospective product or service and often grant rights similar to pre-payment vouchers. Again, these are unregulated where they just provide this type of utility.

Security Tokens

These are cryptoassets with essentially the same rights as regulated investment instruments (securities) such as shares, debentures or units in a collective investment scheme; and the FCA says it will regulate these the same way they regulate their traditional cousins.

Of course, the security tokens are often distributed by means of 'initial coin offerings' and/or 'airdrops' that cross multiple jurisdictions, each of which may treat/regulate them differently. The problem with consistent international regulation is that (certainly outside the 31 countries in the European Economic Area) there are differences in the classification and regulatory treatment of securities that will also affect crypto-securities with the same characteristics. The FCA points to bilateral harmonising efforts and multilateral discussions through the Global Financial Innovation Network (GFIN), the International Organization of Securities Commissions (IOSCO), the European Commission (EC) and the European Supervisory Authorities (ESA) - and one could add central bank co-ordination on the impact of cryptoassets on fiat currencies and currency regulation via the Bank of International Settlements.

E-money Tokens

These are tokens that meet the definition of "electronic money" in the Electronic Money Regulations 2011 (derived from the second EU E-money Directive):

electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions [as defined in PSD2], and which is accepted by a natural or legal person other than the electronic money issuer;

There are also certain specific exclusions, which include instruments used within 'limited networks'  but that's worth a whole series of posts in itself.

Whether this meets the concern of the Financial Markets Law Committee that there's a gap in AML regulation for virtual currencies that share the characteristics of money remains to be seen.

FCA Defines Crypto-derivatives That Are Within Scope of Existing Regs

The UK's Financial Conduct Authority has explained that regulatory authorisation is required where someone is: 

• dealing in;
• arranging transactions in;
• advising on; or 
• otherwise providing services by way of business in the UK that amount to regulated activities, 

in relation to derivatives that reference either:

• cryptocurrencies or 
• tokens issued through an initial coin offering (ICO). 

This includes:

• Cryptocurrency futures: A derivative contract in which each party agrees to exchange cryptocurrency at a future date and at a price agreed by both parties;
• Cryptocurrency contracts for differences (CFDs): A cash-settled derivative contract where the parties seek to secure a profit or avoid a loss by agreeing to exchange the difference in price between the value of the cryptocurrency CFD contract at its outset and at its termination;
• Cryptocurrency options: A contract that grants the beneficiary the right to acquire or dispose of cryptocurrencies.

The Trouble With Categorising Cryptocurrencies As The Basis For Regulating ICOs

Securities regulators are trying to figure out whether and how to regulate Initial Coin Offerings (ICOs). In doing so, they are tending to focus on the economic function and purpose of the 'coins' or 'tokens' offered, to put them in categories that most stakeholders should understand. They are then proposing different regulatory treatments for the process of issuing the coins according to the different categories. The challenge is that tokens - like 'fiat' currencies (and barter goods, for that matter) - generally have multiple uses that are completely independent of the 'issuer' or protocol for issuing them, and which may vary from one 'holder' to the next. Therefore it is suggested that it should not be the economic function or purpose of the token itself that should drive the regulatory treatment, but the activities in which the issuers, holders and potential holders of the tokens are engaged. At any rate, before regulating or threatening the impact of existing regulation, we need to develop a much more comprehensive overview of distributed ledger technology; the role and use of 'tokens', 'coins' and 'cryptocurrencies'; and the participants and their activities. 

In its recent guidelines, the Swiss regulator (FINMA) categorises tokens into three types, although it admits hybrid forms are possible:

• Payment tokens are synonymous with cryptocurrencies and have no further functions or links to other development projects. Tokens may in some cases only develop the necessary functionality and become accepted as a means of payment over a period of time.

• Utility tokens are tokens which are intended to provide digital access to an application or service.

• Asset tokens represent assets such as participations in real physical underlyings, companies, or earnings streams, or an entitlement to dividends or interest payments. In terms of their economic function, the tokens are analogous to equities, bonds or derivatives.

FINMA says the resulting regulatory treatment may be flexible where a hybrid of the above is involved, e.g. anti-money laundering regulation would apply to utility tokens that can also be widely used as a means of payment (or are intended to be used that way in time).

The Malta Financial Services Authority says that these are all forms of "virtual currency" (i.e. digital currencies that are not backed by government - as opposed to e-money, which is the digital version of a country's 'fiat' currency). The Maltese definition of a virtual currency may also be wider, as the Swiss guidelines are only aimed at crypto-currencies - those issued or implemented using cryptographic or "distributed ledger technology".  The other differences seem to be in name only - the Maltese would refer to Swiss "payment tokens" as merely "coins" and prefer the name "securitised tokens" for the Swiss "asset tokens".

The MFSA says this approach to classifying types of “digital currency” reflects the Blockchain Policy Initiative Report of July 2017 (and an European Securities and Markets Authority statement from November 2017). 

But does it?

The crowd-sourced Blockchain Policy Initiative Report does not really give a succinct definition of 'cryptocurrency' and there is no mention of 'payment token' or 'utility token' according to my search of the pdf version. The report is a helpful, but long and discursive, explanation of distributed ledger technology (DLT).  It gives little insight into the uses of such technology beyond financial use-cases - which will likely be the majority in due course (if not already). In any event, with so many ICOs occurring so quickly, it's difficult to see how it could be comprehensive and therefore why it should be particularly reliable. It's even possible that there are initial coin offerings that are not presetned as "ICOs".

Consider "Filecoin", for example. Users can "earn" tokens for making available unused data storage capacity; the tokens become a "currency" for exchange with others; and the result is a means of those with flexible storage needs to manage their data storage costs and capacity. Couldn't this satisfy all three categories outlined above? Should a securities (or payments) regulator be involved in data storage capacity management? Should the transfer or sale of 'coins' representing storage capacity be seen as making a "payment" or "exchange" of "currency"? Consider that certain "carbon credits" or "emission allowances" are regulated securities... but why?

This underscores why we need to develop a much more comprehensive overview of distributed ledger technology; the role and use of 'tokens', 'coins' and 'cryptocurrencies'; and the participants and their activities, before regulating or threatening the impact of existing regulation. 

US Regulator Explains The Challenges For Registered CryptoFunds

The Maltese and Swiss securities regulators were not alone in focusing on cryptocurrencies over the Christmas break, as staff at the SEC were also at it in Washington DC.  Importantly, none of these regulators have poured scorn on the notion of ICOs or even funds holding cryptographic assets. All are merely concerned to signpost issues to be resolved.

While the civil law Europeans were typically eager to be as definitive as possible in how they will treat ICOs (since they believe nothing is possible unless the government spells out how it can be done), the common lawyers in the US were more circumspect (as they abide by the maxim that the law must follow commerce), merely explaining "a number of significant investor protection issues that need to be examined before sponsors begin offering these funds to retail investors."

Yet similar issues arise in relation to ICOs as for funds investing in cryptographic assets, particularly those of "securitised tokens" or "asset tokens" which are analogous to equities, bonds or derivatives in their economic function, if not the rights that attach to them.

Specifically, the SEC's concerns relate to valuation, liquidity, custody, arbitrage for exchange traded funds (ETFs), potential manipulation and other risks. For instance:

• do funds have enough information to value their crypto assets each day, including accounting for events like 'hard forks' or differences in types of currency and potential for market manipulation?

• could open-ended funds support daily redemptions?

• how would a fund arrange custody and validate the existence, exclusive ownership and software functionality of private cryptocurrency keys and other ownership records?

• an ETF is required to have a market price that would not deviate materially from the ETF’s net asset value, so in light of the fragmentation, volatility and trading volume of the cryptocurrency marketplace, how would ETFs comply with this term of their orders?

• Although some funds may propose to hold cryptocurrency-related products, rather than cryptocurrencies, the pricing, volatility and resiliency of these derivative markets generally would be expected to be strongly influenced by the underlying markets, which feature substantially less investor protection than traditional securities markets, with correspondingly greater opportunities for fraud and manipulation. So:

• Would investors, including retail investors, have sufficient information to consider any cryptocurrency-related funds and to understand the risks?

• How would broker-dealers analyze the suitability of offering the funds to retail investors?

• Could investment advisers meet their fiduciary obligations when investing in cryptocurrency-related funds on behalf of retail investors?

Assuming the industry can solve these problems, we'll be in a strange new world.

Switzerland Explains How It Will Handle Initial Coin Offerings

Not to be outdone by Malta's announcements, the Swiss regulator (FINMA) has published its own ICO guidelines, which complement earlier Guidance. Unlike Malta, there is no specific regulation proposed at this stage. But FINMA has tried to clarify that, when assessing ICOs, it will focus on the economic function and purpose of the tokens issued by the organiser, and whether they are (or will be) tradeable or transferable.  FINMA categorises tokens into three types, although admits hybrid forms are possible:

• Payment tokens are synonymous with cryptocurrencies and have no further functions or links to other development projects. Tokens may in some cases only develop the necessary functionality and become accepted as a means of payment over a period of time.

• Utility tokens are tokens which are intended to provide digital access to an application or service.

• Asset tokens represent assets such as participations in real physical underlyings, companies, or earnings streams, or an entitlement to dividends or interest payments. In terms of their economic function, the tokens are analogous to equities, bonds or derivatives.

Malta says that these are all forms of "virtual currency" (i.e. digital currencies that are not backed by government - as opposed to e-money, which is the digital version of a country's 'fiat' currency). The Maltese definition of a virtual currency may also be wider, as the Swiss guidelines are only aimed at crypto-currencies - those issued or implemented using cryptographic or "distributed ledger technology".  The other differences seem to be in name only - the Maltese would refer to Swiss "payment tokens" as merely "coins" and prefer the name "securitised tokens" for the Swiss "asset tokens". 

On the basis of the function and transferability of the relevant crypto-currency), FINMA will treat Swiss ICOs as follows (see diagram on page 8 of the Guidelines):

• Payment ICOs: For ICOs where the token is intended to function as a means of payment and can already be transferred, FINMA will require compliance with anti-money laundering regulations. FINMA will not, however, treat such tokens as securities.

• Utility ICOs: These tokens do not qualify as securities only if their sole purpose is to confer digital access rights to an application or service and if the utility token can already be used in this way at the point of issue. If a utility token functions solely or partially as an investment in economic terms, FINMA will treat such tokens as securities (i.e. in the same way as asset tokens).

• Asset ICOs: FINMA regards asset tokens as securities, which means that there are securities law requirements for trading in such tokens, as well as civil law requirements under the Swiss Code of Obligations (e.g. prospectus requirements).

This may be flexible where a hybrid of the above is involved, e.g. anti-money laundering regulation would apply to utility tokens that can also be widely used as a means of payment (or are intended to be used that way in time).

Malta's Proposals On Regulating Virtual Currencies, ICOs etc - Updated

The Malta Financial Services Authority, like other regulators, is in the process of consulting on the policy it proposes to adopt for regulating virtual currencies, the process of issuing them ("Initial Coin Offerings" or "ICOs") and the service providers involved. The MFSA has proposed new legislation that would extend create an additional regime beyond the scope of existing securities and investment regulation, to cover virtual currencies that are not deemed to be financial instruments and therefore already caught by existing laws.

The MFSA published a “Discussion Paper On Initial Coin Offerings, Virtual Currencies And Related Service Providers” in November 2017 and consultation ended on 18 January 2018. The MFSA is yet to finalise its policy or any proposed statute.

The MFSA clearly wishes to support innovation and new technologies for financial services, while ensuring effective investor protection, market integrity and financial stability.  

It’s proposed approach to classifying types of “digital currency” reflects the Blockchain Policy Initiative Report of July 2017 and an European Securities and Markets Authority statement from November 2017.  This contrasts “virtual currency” with “E-money” which is the digital representation of a fiat currency; and defines three types of virtual currency (any of which might also be cryptographic currencies operating on distributed ledger technology or DLT): 

• “utility tokens” (providing only platform or application utility rights or access rights);

• “securitised tokens” (embedding an underlying asset/commodity or rights, like quasi-shares or bonds); and

• “Coins” (that are intended to be, or have become, a means of payment). 

The MFSA is proposing to seek the adoption by the Maltese Parliament of a Virtual Currencies Act to regulate virtual currencies:

• that constitute “financial instruments” (under a test to be devised), by confirming they are subject to existing EU and national financial services regulation; and

• those that do not qualify as financials instruments, by making them subject to new “similar high level regulatory principles on transparency and merit-based regulation as those currently applicable to securities seeking a listing on a regulated market” – although they will be deemed “complex instruments” so their regulatory treatment will be akin to how such instruments are regulated under MiFID. 

Persons involved in activities related to virtual currencies would need to be "'fit and proper', have the competence, sufficient knowledge and expertise, experience, business organisation and systems necessary in the field of information technology, VCs and their underlying technologies, including but not limited to DLT."

Providers of investment services will need a separate licence to provide services in support ICOs etc in relation to virtual currencies that do not qualify as financial instruments under existing laws; and will need to set up a dedicated subsidiary for that purpose. 

All persons subject to the Act would also be subject to anti-money laundering requirements. 

There are specific proposals to regulate issuers, exchanges and investment funds (and other collective investment schemes) that deal in virtual currencies that do not qualify as financial instruments. 

Banks and payment service providers would be permitted to extend their activities to such virtual currencies, but only for clients and under a separate subsidiary licensed under the Act. 

But reinsurers, insurers and pension schemes would still be prohibited from dealing in virtual currencies for their clients or their own account. 

Update 22.02.18: The Maltese government has published a further consultation in response to submissions received on the MFSA discussion paper, which "presents a conceptual framework through which DLT Platforms can be subject to certification in Malta" which will extend to issuers of ICOs and certain service provides dealing in virtual currencies. Consultation responses are due by 9 March 2018.

Three new pieces of legislation are proposed:

• The MDIA Bill will provide for the establishment of an Authority to be known as the Malta Digital Innovation Authority.

• The TAS Bill will set out the regime for the registration of Technology Service Providers and the certification of Technology Arrangements.

• The VC Bill will set out the framework for ICOs and the regulatory regime on to the provision of certain services in relation to VCs. The intermediaries subject to the VC Bill include brokers, exchanges, wallet providers, asset managers, investment advisors and market makers dealing in VCs. 

Money Laundering Includes... Tax Evasion and Virtual Currencies?

Hot on the heels of the UK's consultation to introduce the 4th Money Laundering Directive comes the imminent EU approval of MLD5. 

A key element involves the creation of a central register of beneficial ownership of legal entities and related ownership arrangements, plus ongoing monitoring of those arrangements, with the intention that: 

"The enhanced public scrutiny will contribute to preventing the misuse of legal entities and legal arrangements for ...predicate offences such as tax evasion."

Other key provisions may be seen as closely related to this ambition: 

• creating a central register of all citizens' bank/payment accounts;
• enabling authorities to go hunting for evidence of suspicious activity even in the absence of a 'suspicious activity report';
• imposing customer due diligence and transaction monitoring obligations on 'virtual currency' exchanges and wallet providers; and
• reducing the limit of anonymity for prepaid cards/instruments.

Needless to say, the members of the European Banking Federation are very uncomfortable with the idea of equating tax evasion with money laundering. The nub of EU banks' concern seems to be that their tax evading customers will simply move their accounts to banks based outside the EEA, the implication being that they'd quite like to retain the business! To be fair, it is a little odd that the list of countries with deficient anti-money laundering regimes doesn't include tax havens typically associated with tax evasion.

But there are reasonable objections on the basis that centralising such sensitive and valuable personal data would be a 'snoopers/fraudsters charter'; and creating a central record of every citizen's bank account and financial arrangements seems mightily disproportionate to the benefit of collecting evidence on the comparatively small proportion of the population that would be involved in significant organised crime or tax evasion. It's surprising that the European Economic and Social Committee ("EESC") did not object on these grounds - either the 'social' aspect of the committee's remit is subordinate to the 'economic' interest, or they consider that the whole of society should happily sacrifice privacy and security to ensure everyone pays their fair share of tax. That's certainly the Scandinavian practice. At any rate, the European Central Bank says that member states' central banks shouldn't have to operate the central registers unless they can bill the government for doing so - highlighting the more important point, that governments are better at wasting the taxes they do manage to collect than collecting taxes in the first place.

The FinTech crowd will no doubt be concerned about stealth regulation of distributed ledger technology or blockchains, via the virtual currency requirements. A "virtual currency" is quite broadly defined as:

"...a digital representation of value that is neither issued by a central bank or a public authority, nor necessarily attached to a fiat currency, but is accepted by a natural or legal person as a means of payment and can be transferred, stored or traded electronically."

Even if exchanges and wallet providers are prepared to tolerate AML regulation as the price for entering the 'mainstream', trying to regulate 'virtual currencies' (or any aspect of digital ledger technology or blockchains) at this early stage is very problematic. The above definition is broad but still does not cover every characteristic of a currency (which the Isle of Man has tried to capture). Indeed, the ECB has bluntly responded that so-called 'virtual currencies' are not currencies or money, pointing out they can also be used for other purposes and the holders don't need to use exchanges or wallet providers. The courts are also struggling with the concept that such 'currencies' are 'ownable' or 'property', as Lavy and Khoo have also explained.

Little wonder that the EESC recommends creating some kind of "European tool for monitoring, coordinating and anticipating technological change." But quite how Europe intends to 'anticipate' let alone 'coordinate' blockchain development is anyone's guess!

In any event, retailers should breathe a sigh of relief. Gift cards and other 'closed loop' instruments generally would not fit the MLD5 definition of a virtual currency, since they typically cannot be transferred or traded electronically. And there is a specific exclusion consistent with the 'limited network' exemption from the definition of electronic money (and therefore 'funds') for instruments that can be used to acquire goods or services only in the premises of the issuer, or within a limited network of service providers under direct commercial agreement with a professional issuer, or that can be used only to acquire a very limited range of goods or services. But note that the limited network exemption will be significantly narrower from January 2018, especially for programs transacting more than EUR1m a year.

At least someone wins!

Distributed Ledger Technology: Cutting Through The Hype

A busy start to 2016 has meant the blog has suffered, but I have at least co-written an article with Susan McLean of Morrison & Foerster that cuts through the hype around blockchain and other distributed ledger technology (DLT). 

The article includes updates on a range of DLT initiatives across numerous business sectors; various policy and regulatory responses; as well as some thoughts on the challenges involved in implementing DLTs.

In January, I also posted on Pragmatist about on the potential use of DLTs for tracking and collecting royalties on music and other creative works. But whether this technology will address the root causes lurking beneath the biggest problems that the creative industry faces is another question...

Isle of Man Goes Crypto-Crazy

I'm indebted to my colleagues in the Isle of Man for pointing me to the IoM's recent Designated Businesses (Registration and Oversight Act 2015, which imposes various registration and anti-money laundering requirements on distributed ledger technology. Do we have a poster-child for how regulation of new technology can go way too far?

The IoM compliance obligations are aimed at: 

"the business of issuing, transmitting, transferring, providing safe custody or storage of, administering, managing, lending, buying, selling, exchanging or otherwise trading or intermediating convertible virtual currencies, including crypto-currencies or similar concepts where the concept is accepted by persons as a means of payment for goods or services, a unit of account, a store of value or a commodity;"

This seems likely to be counter-productive, to say the least, given that the 'currency' aspect of distributed ledgers is often merely there to reward the 'miner' or processor of transactions or events that occur on the ledger, regardless of whether those events are themselves financial in nature - financial services being merely one of many different potential applications.

So, should every business on the IoM that uses, or might wish to use, distributed ledgers register with the authorities and introduce AML controls on everyone it deals with, just in case? Maybe so...

Two specific points to make:

1. ‘convertible virtual currencies’ are defined more broadly than one would expect:

“including crypto-currencies or similar concepts [neither term being defined, except by what follows…] where the concept is accepted by persons as a means of payment for goods or services, a unit of account, a store of value or a commodity”, 

Most definitions of a ‘currency’ require all these criteria to be met, not just any one of them. Imagine what would happen to the US Dollar, for example, if suddenly it was not accepted as meeting just one of the above criteria...  Indeed, for this reason many people disagree that Bitcoin - the most widely used form of 'crypto-currency' - is still nothing more than a commodity.

In addition, none of the typical exemptions under payment services regulations seem to be imported here. To take but one relevant example: consumer loyalty/rewards programmes are typically exempt on the basis that the rewards are only accepted as a means of payment within a 'limited network'. Do the local authorities really want every business participating in a loyalty scheme on the Isle of Man to register and apply AML controls just because the scheme involves distributed ledger technology? Maybe so...

2.  Similarly, the list of activities that trigger the relevant compliance obligations would seem to cover a vast array of potential services and their providers/users - recognising that these are distributed ledgers to which all computers running the protocol have the same access. Again, just think of consumer loyalty programmes as you go through the list:

the business of issuing, transmitting, transferring, providing safe custody or storage of, administering, managing, lending, buying, selling, exchanging or otherwise trading or intermediating...

Even payment services regulation, for instance, exempts technology services that support transactions without the service provider handling funds. And the whole point of the ledger is that no intermediary is actually handling funds - its all happening peer-to-peer amongst machines - indeed perhaps everyone's device is handling the funds. Furthermore, there will be instances where access to a distributed ledger is just one element of a wider system - as in the car-rental example, or tracking shipping containers - and it may not be clear to everyone that a distributed ledger is involved if it's just to share the location or state of a vehicle or container.

Still, the Isle of Man's approach might at least be useful in demonstrating how regulation in this area can go too far...

Of #Smart Contracts, Blockchains And Other Distributed Ledgers

Seems I caught Smart Contract Fever at last week's meeting of the Bitcoin & Blockchain Leadership Forum. So rather than continuing to fire random emails at colleagues, I've tried to calm myself down with a post on the topic.

For context it's important to understand that 'smart contracts' rely on the use of a cryptographic technology or protocol which generates a 'ledger' that is accessible to any computer using the same protocol. One type of 'distributed ledger' is known as a 'blockchain', since every transaction which is accepted is then 'hashed' (shortened into a string of letters and numbers) and included with other transactions into a single 'block', which is itself hashed and added to a series or chain of such blocks. The leading distributed ledger is 'Bitcoin', the blockchain-based virtual currency. But virtual currencies (commodities?) are just one use-case for a distributed ledger - indeed the Bitcoin blockchain is being used for all sorts of non-currency applications, as explained in the very informative book, Cryptocurrency: How Bitcoin and Digital Money are Challenging the Global Economic Order. As Jay Cassano also explains, another example is Ripple, which is designed to be interoperable with other ledgers to support the wider payments ecosystem; while Ethereum is even more broadly ambitious in its attempt to use smart contracts as the basis for all kinds of ledger-based applications.

Generally speaking, the process of forming a 'smart contract' would be started by each party publishing a coded bid/offer or offer/acceptance to the same ledger or 'blockchain', using the same cryptographic protocol. These would be like two (or more) mini-apps specifying the terms on which the parties were seeking to agree. When matched, these apps would form a single application encoding the terms of the concluded contract, and this would also be recorded in the distributed ledger accessible to all computers running the same protocol. Further records could be 'published' in the ledger each time a party performed or failed to perform a contractual obligation. So the ledger would act as its own trust mechanism to verify the existence and performance of the contract. Various applications running off the ledger would be interacting with the contract and related performance data, including payment applications, authentication processes and messaging clients of the various people and machines involved as 'customers' or 'suppliers' in the related business processes. In the event of a dispute, a pre-agreed dispute resolution process could be triggered, including enforcement action via a third party's systems that could rely on the performance data posted to the ledger as 'evidence' on which to initiate a specific remedy. 

Some commentators have suggested this will kill-off various types of intermediaries, lawyers and courts etc. But I think the better view is that existing roles and processes in the affected contractual scenarios will adapt to the new contractual methodology. Some roles might be replaced by the ledger itself, or become fully automated, but it's likely that the people or entities occupying today's roles would be somehow part of that evolution (if they aren't too sleepy). The need for a lot of human-readable messages would also disappear, signalling the demise of applications like email, SMS and maybe even the humble Internet browser. Most data could flow among machines, and they could alert humans in ways that don't involve buttons and keyboards.

So what are the benefits?

Well, it might take significant investment to set up such a process, but it should produce great savings in time, cost, record-keeping and so on throughout the lifetime of a contract. And, hey, no more price comparison sites or banner ads! Crypto-tech distributed ledgers would enable you to access and use a 'semantic web' of linked-data, open data, midata, wearables, smart meters, robots, drones and driverless cars - the Internet of Things - to control your day-to-day existence.

The downside?

This also might also play into the hands of the Big Data crowd (if they find a way to snoop on your encrypted contracts), or even the machines themselves. So it's critical that we figure out the right control mechanisms to 'keep humans at the heart of technology - the topic of the SCL's Tech Law Futures Conference in June, for example.

Meanwhile, I'm reviewing my first smart contract, which is proving rather like being involved in the negotiation of a software development agreement - which it is, of course. I'll post on that in due course, confidentiality permitting...

Of #Blockchains And #MultiFactorAuthentication

Okay, so yesterday I was trying to use the car rental scenario to understand the concept of blockchains and distributed ledger technology and ended with the point that all sorts of computer applications could run "on" the blockchain. Some could act as gateways between/among blockchains, and some could link applications on blockchains with the applications running on the Internet - like social media, email - or applications on mobile networks, including SMS. 

So, in the example, the contractual program running on the blockchain that doubles as my car rental contract could also initiate a text message telling me where and when to pick up my rental car. 

I also mentioned that my own request to rent a car could provide the details for where the car rental company's program could go to verify my driver's licence. I didn't mean for identification purposes, but to work out if I'm licensed to drive a vehicle.

On the identity front, I mentioned that both me and the car rental company would be acting pseudonymously. That's important because blockchain transactions are accessible by anyone with a device running the relevant technology. So mine and the rental car company's respective bits of code would have to offer a way for us to authenticate each other. And this is where the public nature of blockchains really come into their own.

Back in 2011, we had a big discussion on identity at the CSFI from which my 'takeaways' were that (1) identity is dynamic, not static - we are better defined by the data generated by everything we do, rather than a birth date or fingerprints. So (2) verifying our identity could be based on a unique snapshot of our behavioural data, which could then be discarded, rather than a passport etc.  which could be copied and used by fraudsters.

The challenge with multi-factor authentication in the Internet world is possibly that the data is subject to alteration (though on a mass scale it could be hard to alter every item of data about a person's behaviour).

But blockchains are infinitely harder to alter, since (I'm told) all the computers running the technology check each block when it is completed and that can't be undone, unless you control most of the computers at any one time (like a villain in a Bond movie).

So our identities could be verified by reference to a series of our blockchain transactions. For privacy and security reasons, each blockchain transaction should be coded so as not to give away much information about the transaction itself. That ought to be easy, since the code only needs to be understood by the computers who process each transaction at that time. At any rate, each transaction could somehow be combined into a unique identity token that would continually evolve to remain unique.

Hey presto, reliable multi-factor authentication!

Do I have any of this right?

 

Of #Blockchain And Other Distributed Ledger Technologies

I'm still trying to get my head around the concept of the blockchain and other 'distributed ledger' technologies, how they are useful and what else needs to happen to harness their potential. To that end, I'm trying to ignore the 'virtual currency' use-case that seems to get everyone tied up in knots. I mean, the Internet is more than a money remittance platform, right? Well, the concept of a 'distributed ledger' is similarly broad - maybe broader than the Internet. According to Ethereum, "a platform for decentralised applications", even the word 'ledger' is too limiting.

Recently, I read the 'call for evidence' on this topic from European Securities and Markets Authority (ESMA), especially as there's been a lot of talk about using the blockchain to cut the time and cost of central clearing and settlement in the financial markets.

Yet, as the call for evidence itself shows, even ESMA is struggling to understand the uses beyond investment products which (a) provide exposure to a virtual currency without buying it, or (b) require you to actually trade in virtual currency in ways that are recorded in the relevant 'blockchain' or other currency ledger. 

This could be because ESMA is viewing the technology through the lens of the existing, heavily intermediated financial market structures and how these might be somehow replicated using the new technology (see the two diagrams in section 4).  But as I've complained for years, financial regulation (for which ESMA is partially responsible) funnels investment funds and opportunities into marketplaces where comparatively few intermediaries are allowed to operate - so they can charge what they like and not bother innovating, except to suit themselves (high frequency trading?). Internet technology has helped a bit, by making it cheaper to build and host systems etc, but that technology is still based on the idea that transactions occur in separate computers and the related data remains locked away in proprietary databases, or displayed only to subscribers.  

Distributed ledger technology seems to herald something far more revolutionary.

As I see it, these technologies basically involve publishing machine-readable applications or programs that can be read by any device running the same technology. Each market participant just needs to publish or display to others what it is offering or what it needs and any 'deal' will be recorded or coded on a nominated blockchain or ledger. Certain stuff can still be kept secret, but enough information can be shared to enable the computers to record the deal publicly so that everyone knows the deal was done.

Take an ordinary consumer transaction like renting a car. The rental car company's computer could publish a certain program that identifies the company itself (pseudonymously), a specific car, the make/model, its current location and the price to rent it for the day (including full collision damage waiver!). If I need to rent a car, I could publish some code that identifies me (pseudonymously), what type of car I need, where, when, how much I'm prepared to pay per day, the payment method and how the rental company can authenticate my driver's licence. Our computers find each other, like what they see and submit a transaction to a third computer which writes it up in code that instructs other computers to take my payment, send me the collection details and so on. In other words, as well as being an open record that the transaction exists, the code can also refer others to more detailed information where necessary.

It seems that very little should need to change outside the above scenario for this begin to happen, since the programming languages are now expressive enough to enable such codes to be written about every day transactions without a lot of fuss over industry standards. However, over time the same technology could be at work all over the place in more technical scenarios. For instance, my driver's licence could also just be a computer code available on a separate blockchain or ledger, to which the rental company's computers could be referred to check when it expires, whether I have any demerit points and so on. Even credit references and so on might be ascertainable in this way. 

In other words, all sorts of computer applications could run "on" the blockchain and/or act as gateways between/among blockchains and between blockchains and the applications running on the ordinary old Internet, like social media, email or those running on mobile networks, like SMS. So, in the example, a program running on the blockchain could initiate a text message telling me where and when to pick up my rental car.

I'm now struggling a little to see the difference between 'distributed ledger technology' and the 'semantic web' or 'Web 3.0', Linked Data, Open Data and so on. But, hey, I'm taking it a day at a time. At any rate, it all seems to promise the death of human-readable price comparison sites and their corny advertising, so bring it on!

UK Plans For #VirtualCurrencies and #Blockchain Technologies

The Treasury has published its response to the recent call for evidence on virtual currencies. The plan is to apply anti-money laundering regulation to virtual currency exchanges and ensure effective enforcement related to the criminal use of the currencies themselves, including seizure. It will also foster the development of standards for consumer protection in conjunction with the British Standards Institute. The government will also invest £10m to address 'research opportunities and challenges'.

In addition to addressing the risks, the report also explores the benefits of digital currencies as methods of payment, including uses beyond the retail scenarios, as well as other applications of blockchain technology; as well as barriers to suppliers setting up in the UK and how the government can help clear the way.

Alternative uses for the “distributed ledger” technology (i.e. beyond retail payment services) that the Treasury identified were:

• transfer of title to digital assets, with inherent authentication, digital ‘signing’ and time-stamping and record-keeping e.g. recording and transferring the ownership of bonds, shares, securities and other financial instruments; passports, driving licences, criminal records, land registry and digital voting; 
• ‘smart contracts’ and smart payments, whereby users encode requirements into a payment instruction or other message in order to achieve autonomous, self-executing payments and contracts that adjust for specific conditions. 
• decentralised data storage solutions (using blockchain technology to store files securely and efficiently);
• encrypted peer-to-peer messaging networks; and 
• links with ‘smart property’ and the Internet of Things, whereby devices (including autonomous vehicles) communicate with each other and maintain and update themselves semi-autonomously.

Great news for the everyone that the government is positively engaging with this technology.

UK Remains Calm Over Virtual Currencies

Despite the ECB's recent attempt to "discourage" EU financial institutions from trading or holding virtual currencies, the UK Chancellor has explained that the UK will conduct its own investigation into the potential for virtual currencies, like Bitcoin, to encourage innovation in the financial sector, while also considering the risks and how best to mitigate them. 

This perfectly illustrates the common law adage that 'the law must follow commerce', as opposed to the civil law view that the State should first prescribe whether and how business should be done - a distinction that Eurocrats really need to understand. As George Osborne noted: 

"it is only by harnessing innovations in finance, alongside our existing world class knowledge and skills in financial services, that we'll ensure Britain's financial sector continues to meet the diverse needs of businesses and consumers here and around the globe".

 

EBA Seeks To Freeze Link Between Actual And Virtual Currencies

On Friday, the European Banking Authority advised EU national financial regulators to "discourage" credit institutions (banks), payment institutions and e-money institutions from buying, holding or selling virtual currencies, based on over 70 risks that it says will require substantial regulation. The EBA says that should include bringing virtual currency exchanges which deal between virtual and actual currencies within the anti-money laundering regime.

Somewhat cryptically, the EBA concludes:

"Other things being equal, this immediate response will allow VC schemes to innovate and develop outside of the financial services sector, including the development of solutions that would satisfy regulatory demands of the kind specified above. The immediate response would also still allow financial institutions to maintain, for example, a current account relationship with businesses active in the field of VCs."

But there are many flaws in the EBA’s approach, and it undermines the EU’s potential as a home for financial services innovation. A lot more work should have been done - and the EBA should have engaged with the market participants publicly and constructively - before taking such disruptive action. Especially given that those participants (including venture capitalists and possibly financial institutions) should have a legitimate expectation to be able to continue their lawful involvement, unless the law is changed by the usual process. 

The EBA concedes as much by saying that it is too early to collect enough data to understand exactly what they are "shielding" financial institutions from: 

"...the phenomenon of [virtual currencies] being assessed has not existed for a sufficient amount of time for there to be quantitative evidence available of the existing risks, nor is this of the quality required for a robust ranking."

So what is the basis for intervening in this way now? Gut instinct?

There is obvious duplication and overlap amongst the risks identified and many “are similar, if not identical, to risks arising from conventional financial services or products, such as payment services or investment products”, as are the regulatory controls that are suggested for the longer term. Key benefits of virtual currencies are also dismissed in the context of the EU and Eurozone on the basis of regulations that are yet to take effect. 

Oddly, the EBA points to a risk that regulating virtual currencies more leniently will create an unequal playing field that could result in service providers leaving fiat currency markets in favour of their virtual cousins. Surely that risk is heightened by denying financial institutions early access to virtual markets altogether. Has the EBA learned nothing from the rise of shadow banking? Won't this breed weak regulated institutions? Won't entrepreneurs simply operate outside the EU, leaving its institutions unable to capitalise on opportunities that virtual currencies might have brought? 

And why would the EU want to discourage borderless financial services while it's trying so hard to kickstart cross-border commerce?

A requirement for fully comprehensive regulation cannot be the price of institutional participation in virtual currency markets. There is a flawed belief amongst Eurocrats that ‘vigorous regulation’ is a pre-condition for consumer trust, as Paul Nemitz recently asserted. But that is not supported by the way in which the digital economy has evolved. Regulation can help build on existing trust, but cannot create trust where none existed before. This difference between the civil law and common law view of the role of regulation needs to be resolved in favour of a more acommodating EU approach to innovation and competition if the EU member states are to compete globally. For instance, the UK Cabinet Office convened a workshop on financial innovation in October 2013, which featured a session on virtual currencies; and UK revenue officials were helpful in merely clarifying their tax treatment of virtual currencies earlier this year. More recently, the Financial Action Taskforce (FATF) was also much more circumspect in a report that was intended to “stimulate a discussion” on how to introduce risk-based anti-money laundering controls in the context of virtual currencies. 

The EBA's intervention is further evidence that the EU financial regulatory regime needs to be much more open to innovation and competition if we are to avoid the pitfalls discussed in the Parliamentary Commission on Banking Standards.

A more detailed review of the EBA opinion has since been published at the Society for Computers and Law.