Crypto Policy 2018: Finding a Legal Safety Zone
- 10.8 Tokens as Scrip: Implications for payment and utility tokens under U.S. labor law
- 6.19 An anti-SRO approach to self-regulation
- 6.17 Business policies for crypto startups
- 5.01 Regulatory challenges for token users and startups
- 4.03 CFTC wins court ruling that tokens can be regulated as commodities
- 3.05 FinCEN says token sellers are money transmitters
- 2.21 SEC says token exchanges are securities exchanges
- 2.16 Crypto is not anonymous: Keeping your digital identity safe
- 2.15 What's happening within U.S. states and internationally
10.8 Tokens as Scrip: Implications for payment and utility tokens under U.S. labor law
6.19 An anti-SRO view of self-regulation
Self-regulatory organizations (SROs) are membership-based nonprofits overseen by the SEC or CFTC, with statutory powers to regulate their members. Some industry leaders have proposed an SRO for crypto--but a government-sanctioned organization is antithetical to the promise of a trustless, decentralized public blockchain. (See the FINRA rulebook and be very afraid.) Similarly, creation of a new crypto asset class makes perfect sense in the context of the many complex financial instruments now recognized by regulated exchanges--but this would largely serve industry insiders using crypto for speculation, rather than new small investors hoping to build wealth.
U.S. officials have speechified about cryptocurrencies, but as yet there are no agency rules, or even any rulemaking proceedings. This means that emergent cash-heavy markets, such as marijuana, can't benefit from cryptocurrency due to regulatory conflicts and uncertainty. While the regulatory void has allowed positive experimentation at the state level, it may also have encouraged regulatory overreach. In one notorious example, Kraken discontinued service in New York, calling the state's BitLicense "a creature so foul, so cruel that not even Kraken possesses the courage or strength to face its nasty, big, pointy teeth," and refused to respond to New York's data demand.
In the absence of crypto-specific statutes or agency rules, federal and state regulators are using existing securities and commodities, consumer protection, general business, and criminal law to rein in bad actors. Historically, individuals have relied on tort law--and the associated insurance costs--to limit egregious wrongdoing. Today, they are testing the limits of tort law in the context of crypto trading. (The insurance industry is struggling to catch up.) The Securities Exchange Act provides for private lawsuits, and investors are also using securities law claims.
Transnational jurisdictional issues are complex and location-specific. For example, a local European court prevented Facebook from transferring data across the Atlantic, under the new GDPR and country rules. (The case is pending.) A blockchain KYC/AML compliance service shut down because of uncertainties within the GDPR.
With governments colluding to seize data across borders, it is nearly impossible for crypto-related businesses to avoid jurisdiction by locating offshore, although a federal court in New York recently found that personal jurisdiction cannot be based on an interactive website alone.
With public blockchains riding on the global telecommunications physical infrastructure, a system of bottlenecks and control points and "common backbone" sites, it is nearly impossible for crypto-related businesses to escape government and corporate intrusions of any kind. Verizon continues to embrace the security state, and wireless carriers are similarly complicit.
DeFilippi recognizes that blockchains can be controlled indirectly through the hardware they rely on--the cables and airwaves, mining rigs, chip manufacturers, and so on--although she sees the primary danger of unregulated blockchains as the disruption of the financial system.
Thus, hostile external entities can control blockchain transactions through the infrastructure on which a global P2P network depends, but there are other threats as well. Governments could use their spending power to become large-scale miners with control over blockchain governance decisions and token supply, or multinationals with what Pasquale calls functional sovereignty could exert their own indirect controls.
U.S. securities rules are meant to remove the information asymmetry between promoters and investors. However, regulation has failed to protect small-scale savers and investors. Federal regulators are captured by the industries they regulate. Sanctions are often used for political gain. And as we saw after the financial meltdown, the SEC has never brought a case to trial.
The SEC does not jail those who are too big to fail--no Countrywide directors or officials went to jail for conning people desperate to acquire a bit of wealth--but it does jail those who are “small enough to jail” like Abacus Bank. Agencies blessed by the SEC contributed to the widespread losses. Why are the nationally recognized statistical rating organizations (NRSRO) like S&P still operating, one might ask.
When the SEC does fine big companies, it's often laughable, as when the SEC this month finally penalized Merrill Lynch $15.7 million for trades in non-agency RMBS that took place during the post-crash recovery. Merrill Lynch is a division of Bank of America, with a market cap of $70.7 billion and assets of $680 billion.
This is all happening in the context of the U.S. government’s utter and complete regulatory failure at protecting internet connections as a public utility, rendering running a blockchain node prohibitively expensive for small players who would like to participate.
At the same time, the U.S. government's parental, multi-agency, multi-level approach to consumer protection in the crypto market is limiting investment options to the wealthy. It's true that trustless blockchains pose a risk to consumers, who are responsible for their own private keys and due diligence, but they also allow more people to participate.
Regardless of individual risks, a huge moral challenge for trustless blockchains remains--how to prevent despots, tyrants, oligarchs, and other global evildoers from using crypto to pillage their countries or traffic in humans, drugs, or weapons (although the legacy financial and real estate systems have been laughably ineffective at this).
Some attempts at self-regulation through non-governmental organizations have arisen, including Japan’s Cryptocurrency Exchange Organization, although governance is already an issue there. The challenge is to help users protect themselves from scammers' outright lies and thievery--or from their own irrational exuberance and/or knowledge deficit--in the absence of a regulatory framework.
Developer groups have informally published values statements and best practices for others to emulate in the development process. However, public blockchain integrity must ultimately depend on a trustless solution--perhaps an independent crypto information service using crowdsourced information, perhaps a partial technical fix limiting the size of transactions from any one group or entity....
6.17 Business policies for crypto startups
Your lawyer will recommend compliance measures to keep you out of jail. But, especially in a regulatory environment that is so immature and fast-changing, this advice should be seen as only one factor in your overall risk analysis.
For a young business, the assurance of a conservative compliance approach must be balanced with the time- and money-sucking compliance costs that could sink the business. (See one founder’s experience, at 49:23-50:47.) Startups might be able to navigate the uncertainties by following industry best practices while still small, and then staying close to regulators as they grow. One commentator opined that the SEC would probably leave Ripple alone because of its well-connected board and because it is “too big to fail.”
General recommendations for lowering the risk of regulator attention: 1) Use language that conforms to the regulatory regime you want; 2) Publicize internal trust policies to establish a reputation for integrity; 3) Make communications about what you do and who you serve bland and generic, describing services in factual terms that avoid loaded words.
Companies should consider when liability insurance makes sense, and probably publish an age recommendation in the spirit of protecting those unable to look out for themselves.
Company integrity policies should commit to transparency of operations and transparency of use. Operational policies and procedures should address the following areas, at minimum:
- Digital identity protection
- Data privacy, including a description of anti-surveillance measures
- Confidentiality of user personal information
- Data security, with security advisories for users
- Uncensored transactions, or "blockchain neutrality"
- Trustworthy communications in advertising, correspondence, etc.
- Governance, with dispute resolution process, protections against bad actors, user accountability
5.01 Regulatory challenges for token users and startups
Bitcoin was conceived as "electronic cash" for making payments without an intermediary, and U.S. standards agency NIST views it as “electronic money” or "electronic currency." But federal regulators have lumped tokens together as property (see updates), regardless of their use as payments, assets, or utilities. The SEC, CFTC, and FinCEN are actively regulating tokens and exchanges, and the IRS stepped in some years ago.
A key concern for crypto token users is taxation. IRS Guidance published back in 2014 advised that tokens may trigger capital gains on transactions. (See Q-8.) In contrast, gains on foreign fiat currency exchange rates are normally taxed as ordinary income.
So token users should know their property recordkeeping requirements for income tax purposes, and they should also be aware that token exchanges, as "money services businesses," keep their personal identification information available for government inspection. In November 2017, the U.S. government won a court order requiring token exchange Coinbase to turn over the personal information of more than 14,000 users to the IRS.
Most Coinbase customers dodged the bullet in 2017, but now anyone who trades on a centralized exchange and decides to cash out their crypto for fiat currency should be prepared to receive a letter from the IRS. (See Crypto Threat Tracker.)
Startups can avoid regulatory nightmares by integrating know-your-customer (KYC), anti-money-laundering (AML), and countering the financing of terrorism (CFT) features--required of financial institutions under the Bank Secrecy Act (BSA)--into their business model from the start. The inability to verify customers and counterparties, or transacting with sanctioned parties, could lead to significant penalties. The challenge for startups is to ensure compliance without sinking under the costs of contacting a regulatory agency.
Tech startups in particular face threats on many fronts, including government and corporate surveillance, censorship, throttling, and outages. The IRS has been tracking bitcoin transactions since 2015. And blockchains are at the mercy of the corporate physical infrastructure owners, who now have unfettered discretion to block or throttle any traffic, after the FCC’s repeal of open access (net neutrality) rules in late 2017.
4.03 CFTC wins court ruling that tokens can be regulated as commodities
A U.S. District Court has held that "virtual currencies" can be regulated as commodities. The court deferred to the CFTC, even though there was no agency rulemaking. Defendants in another case are challenging CFTC authority, arguing that tokens are a "commodity" only if futures contracts are traded on them.
The court recognized the CFTC's concurrent authority with the SEC, IRS, DOJ, Treasury Department, and state agencies, finding that their authority to regulate virtual currencies does not preclude other agencies' authority "when virtual currencies function differently than derivative commodities." Note that the SEC and CFTC's mission is to protect investors and markets, while Treasury bureau FinCEN's mission is to protect the financial system and national security.
3.05 FinCEN says token sellers are money transmitters
FinCEN released a letter to Congress saying they view token sellers as money transmitters subject to their authority. This raises the stakes for crypto exchanges and administrators. FinCEN is a criminal enforcement bureau within Treasury's Office of Terrorism and Financial Intelligence that can impose criminal penalties up to 10 years in prison.
They are monitoring digital tokens and ICOs for compliance they claim is required by BSA regulations--FinCEN registration, AML programs, SARs, currency transaction reports, customer records, OFAC sanctions. (Note: FinCEN enforces the BSA; the SEC enforces securities laws.)
According to the letter, since 2014 they have been examining "exchangers and administrators registered with FinCEN," using "blockchain network analytical tools." They can identify unregistered businesses through financial institutions' SARs.
FinCEN works with the FBI and, as a national security agency, can presumably also issue NSLs and apply to the FISA Court for orders approving electronic surveillance (shame on you Rosemary). In late 2017, FinCEN whistleblowers warned Congress that the bureau was illegally spying on citizens’ and residents’ financial records.
2.21 SEC says token exchanges are securities exchanges
The SEC is all over fraudulent crypto schemes. This month they called BitFunder an unregistered securities exchange, declaring that platforms acting as national securities exchanges must register, regardless of whether they involve digital assets, tokens, or coins. They say the founder defrauded users by misappropriating their bitcoins and by failing to disclose a cyberattack and resulting theft. The complaint seeks permanent injunctions and disgorgement plus interest and penalties.
2.16 Crypto is not anonymous: Keeping your digital identity safe
Several private user ID projects are working on how to comply with know-your-customer rules while protecting user identities. Many are so-called self-sovereign identity protocols (where individuals control their own digital IDs) and protocols built on public blockchains. The goal is to retain knowledge that can create a cryptographic proof that the company validated users and transactions.
The danger of ongoing U.S. government and corporate abuses--spying, entrapment, asset forfeiture, patent trolling, copyright takedowns--creates the urgency. The best case scenario would be for exchanges to be able to verify user identities without collecting user information.
Technical solutions that involve decentralizing the internet, or other blockchain mesh network scenarios, are not the answer. They take control of infrastructure at the last mile and in some areas the middle mile--but not the privately-owned Tier I backbone networks that circle the globe.
Europe is ahead of the US in digital ID protection, with the ambitious but flawed new GDPR (text). The GDPR makes access to and protection of personal data a “fundamental right” of all natural persons (not corporations), in contrast to the US. The regulation defines a very broad territorial scope, which will impact tech companies outside the EU.
Some fintech companies have relocated to escape the costs of regulation, but avoiding government scrutiny by using extraterritorial facilities may no longer work. Infraud evaded U.S. law enforcement using a server outside the country, but the U.S. Congress now thinks it can reach servers outside its territory. While Reg S exempts offshore sales from SEC registration, FATCA requires U.S. account holders to report offshore financial assets to the IRS.
2.15 What's happening within U.S. states and internationally
Delaware, the US state with the most developed corporate law regime, is the leader domestically, with stock tracking on blockchain, the Delaware Blockchain Initiative, and smart UCC filings. Vermont is considering a bill to create a new corporate form for crypto businesses, and two local governments are jumping in. Cook County (Chicago) is testing blockchain technology for recording real estate titles, and Berkeley, California is experimenting with tokenized municipal bonds as a new source of funding.
States are primary regulators of money transmitters, a costly proposition for token exchanges. Several states are working to make those laws consistent by adopting the "Regulation of Virtual Currency Businesses Act" model state law. Crypto analysts have called for a new nationwide regulatory regime.
Internationally, Switzerland has taken the lead on creating a new regulatory regime tailored to the cryptocurrency market. Their FINMA identifies three categories of tokens: 1) payment tokens are a transferable means of payment--not securities but must comply with AML rules; 2) utility tokens confer digital access rights to an application or service--not securities; 3) asset tokens pay dividends or interest or give rights to earnings streams--subject to securities law. A 2018 law limits the tax advantages of locating a crypto foundation here. The Tax Justice Network’s Financial Secrecy Index shows that Switzerland, the US, and the Cayman Islands are the biggest facilitators of illicit cross-border financial flows.
Japan has also been a leader, recognizing bitcoin as a legal method of payment, with associated currency requirements, and its biggest bank plans to release its own cryptocurrency.
On the other hand, China is cracking down on the cryptocurrency market. It has already banned ICOs and domestic exchanges, with plans to ban trading on overseas exchanges as well; it has also frozen bitcoin accounts and ended mining incentives (China is currently the biggest producer of bitcoins).