Four separate events during the second half of July signal that virtual currency and blockchain are steadily becoming part of mainstream financial services. The interconnected histories of Bitcoin (the most common virtual currency), blockchain and distributed ledger technology (DLT) have a common arc: from systems created to circumvent traditional financial and legal structures, to innovations destined to disrupt financial incumbents, to the focus of intensive investment by the financial sector. In recent weeks, developments in corporate law, securities regulations, financial crimes enforcement and state legislation have moved these technologies ever closer to full legitimacy.
July 19 through July 27, 2017, will likely be remembered as one the more consequential periods for development of the legal framework surrounding the use of virtual currency and blockchain (VC&B) by the financial services industry. Each of the following events advanced the development of a different aspect of the law as it applies to VC&B:
- July 19, 2017 – The Uniform Law Commission (ULC, also known as the National Conference of Commissioners on Uniform State Laws) approved a Uniform Regulation of Virtual Currency Business Act (Uniform VCBA) to be used as a model law for states seeking to adopt such legislation.
- July 21, 2017 – Governor John C. Carney Jr. of Delaware signed a bill to allow corporations registered in the state to use blockchain to issue, trade and record stock.
- July 25, 2017 – The US Securities and Exchange Commission (SEC) issued an Investor Bulletin and Report of Investigation of The DAO, which included a finding that virtual coins or tokens sold through initial coin offerings (ICOs) are securities under federal securities law.
- July 27, 2017 – The Financial Crimes Enforcement Network (FinCEN), for the first time assessed civil money penalties against a foreignlocated virtual currency exchange, for violating US anti-moneylaundering (AML) laws.
Longstanding Bitcoin developers and dedicated members of the virtual currency community—a group that tends to harbor strong views opposing government intrusion and legal formalities—appear to be somewhat dismayed by these events. But consumers, institutional investors, banks, fintech developers and other groups looking to use or develop VC&B-based products and services should take comfort: a regulatory framework is steadily coalescing and the uncertainty that typically surrounds the use of novel technology continues to fade.
The brief history of bitcoin and blockchain
When the pseudonymous Satoshi Nakamoto published Bitcoin: A Peer-to-Peer Electronic Cash System on October 31, 2008, he/she could not have envisioned that a system specifically designed to obviate the need for trusted third-parties in financial transactions, including government regulators, would eventually become embedded in the traditional financial system. Blockchain or DLT is the technology that enables Bitcoin's defining features—trustless, distributed and immutable—and it did not take long for other developers, companies and even financial institutions themselves to recognize the utility of blockchain.
The unit of currency within the Bitcoin network is bitcoin (not capitalized, or BTC), and each bitcoin is created when a miner (a computer connected to the Bitcoin networking that participates in processing transactions) completes the computations necessary to write the next block of transactions to the blockchain. A bitcoin, therefore, is a virtual coin or token that the individual miner earns in return for the work their system performed in processing the Bitcoin encryption algorithms.
There are now hundreds of virtual currencies (of widely varying popularity and valuation) based on the blockchain architecture, the most notable of which include Ethereum, Litecoin, Zcash, Ripple and Monero. These virtual currencies can be traded on exchanges and converted to fiat currency, which enables markets to track their valuations. With a current market capitalization for Bitcoin more than $45 billion and for Ethereum more than $20 billion (several others are more than $1 billion), it is unsurprising that virtual currency has long attracted the attention of both investors and regulators.
Changing perceptions shaping law and regulation
Early on, Bitcoin was often associated in popular opinion with illicit transactions, due in part to the impression that virtual currencies are completely unregulated. While that was initially the case, over the past several years regulators have been slowly creating a legal framework for VC&B.
At the federal level, FinCEN issued guidance in March 2013 that defined virtual currency and interpreted the Bank Secrecy Act (BSA) as applying to exchangers and administrators of virtual currency. A year later, the IRS determined that, for federal tax purposes, virtual currency is property. In connection with a September 2015 order settling charges against Coinflip, Inc., a platform for trading BTC option contracts, the US Commodity Futures Trading Commission (CFTC) defined virtual currency as a commodity under the Commodity Exchange Act. Although the SEC had previously warned about the use of virtual currencies in the context of Ponzi schemes, until July 2017, the agency had not issued any formal guidance or interpretations related to VC&B.
States began regulating virtual currencies in 2015. Connecticut, New York, Oregon and Tennessee each enacted legislation that year defining virtual currency under their respective state laws and requiring money transmitters dealing in the exchange of US dollars with virtual currencies to obtain licenses. Since then, at least five other states have passed similar laws. Frustratingly for VC&B developers and users, there is significant variation among these laws, and in some states, such as New York, there is uncertainty regarding which participants within a virtual currency network are required to obtain a license.
SEC and initial coin offerings
Among the July 2017 events, the SEC's determination that certain virtual coins or tokens are securities may have the most immediate impact. The determination arose out of the SEC's investigation into The DAO, a decentralized autonomous organization (a DAO, as opposed to The DAO) built on the Ethereum Blockchain.
Ethereum is more than a virtual currency in that its protocol includes the ability to create what are called smart contracts. These smart contracts are self-executing programs of varying complexity that are recorded on the blockchain, and are therefore immutable once written. A hypothetical smart contract could be an agreement to transfer a set amount of ether (ETH, the unit of currency on Ethereum) when a specific event occurs in the future. Once that agreement is written, the transfer will be executed without any further action by any party involved. The Ethereum Blockchain, like the Bitcoin Blockchain, is processed by a distributed network of computers that are compensated with ETH for their efforts.
Conceived in November 2015, The DAO was intended to be a mechanism for Ethereum developers to direct ETH, or funding, to projects that would further improve the Ethereum ecosystem and to profit from any successful efforts. Even though The DAO operated on the Ethereum Blockchain, it had its own virtual tokens (DAO Tokens) that could be used only within The DAO structure.
Its developers capitalized The DAO by launching an initial coin offering (ICO) that allowed people to use ETH to purchase DAO Tokens. The ETH paid was transferred to an Ethereum address controlled by The DAO, and each DAO Token provided the holder with voting rights within The DAO. The DAO structure allowed holders of DAO Tokens to submit project proposals (in the form of a smart contract) and to vote on other such submissions. Any projects that received the necessary votes for approval would trigger the smart contract to fund the project by transferring the proposed amount of ETH from The DAO's Ethereum address to the address designated in the smart contract. Before voting, holders of DAO Tokens would be able to evaluate the proposals, including the project description, amount of ETH required and the address to which the ether would be transferred.
By the end of May 2016, The DAO had sold 1.15 billion DAO Tokens in exchange for approximately 12 million ETH, at the time worth approximately $150 million. On June 17, 2016, before The DAO funded any projects, an unknown attacker exploited a flaw in the protocol and diverted more than one-third of the ETH from The DAO's Ethereum address to one controlled by the attacker. The attack triggered significant fallout within the VC&B community—including issues involving immutability, hard forks and 51 percent attacks—and ultimately lead the SEC to investigate whether The DAO violated US securities laws.
Although the SEC ultimately decided not to pursue enforcement action, it issued a Report of Investigation to stress that federal securities law may apply to offerings and sales, including the use of a DAO or other blockchain-based means to raise capital, without regard to the technology or corporate form used. Specifically, the SEC determined that DAO Tokens are securities under the Securities Act of 1933 (Securities Act) and the Securities Exchange Act of 1934 (Exchange Act) and, as such, The DAO ICO was a securities offering that should have been registered under the federal securities laws.
The SEC found that The DAO ICO had the same characteristics of traditional securities offerings. Under the Securities Act and Exchange Act, a security includes an investment contract, which is an investment of money in a common enterprise with a reasonable expectation of profits to be derived from the entrepreneurial or managerial efforts of others.1 The SEC reiterated that money in an investment contract does not need to be cash and that using ETH to purchase DAO Tokens constituted the investment of money. Further, The DAO investors had reasonable expectations of profits, which were primed by The DAO developers' statements during the ICO.
Most of the SEC's analysis focused on whether the expected profit from DAO Tokens depended on the efforts of others. The SEC found that the expertise of The DAO developers and project curators who were selected by the developers were critical to The DAO’s ongoing operations and to determining which proposed projects would be put up for vote by investors. DAO Token holders had limited voting rights and were able to vote only on curated projects. Further, the distributed and pseudonymous nature of underlying Ethereum Blockchain made it difficult for investors to coordinate their efforts, thereby increasing their dependence on The DAO developers.
The SEC concluded that because DAO Tokens are securities, The DAO violated section 5 of the Securities Act by failing to register with the SEC as an issuer. Moreover, the online platforms that traded DAO Tokens and provided users with a system that matched orders from buyers and sellers violated section 3 of the Securities Act by failing to register as securities exchanges. The SEC stressed that the DAO Token findings would apply to any virtual coins or tokens offered or sold through an ICO with similar facts and circumstances.
A move towards consistency
Earlier in July, the UCL completed a more than two year process to draft a Uniform VCBA. This model law— as with others promulgated by the UCL—is intended to be used as a template for state legislatures seeking to enact virtual currency legislation. Although the UCL does not have the authority to impose uniformity, the existence of a Uniform VCBA greatly increases the likelihood of a consistent regulatory framework for virtual currencies across all states.
The UCL effort on virtual currencies started in October 2015 with the first drafting committee meeting. Just prior to that meeting, two other virtual currency frameworks were released. In June 2015, the New York State Department of Financial Services (NYDFS) issued its BitLicense Regulatory Framework. Meanwhile, the Conference of State Bank Supervisors (CSBS) had been working on a multistate effort and released its Model Regulatory Framework for virtual currency activities. The UCL acknowledge using many components of the CSBS framework and, to a lesser degree, the BitLicense as a starting point.2
The Uniform VCBA focuses primarily on the licensing requirements for companies that host virtual currency exchanges or provide services that involve the transmission of money. The UCL sought to address two aspects of such licensing that had been criticized in the NYDFS BitLicense: clear definitions of what businesses must obtain a license and a reasonable AML framework.3 It accomplishes the former by requiring a license for any business that has the "power to execute unilaterally or prevent indefinitely a virtual currency transaction."4 This definition of when a business controls virtual currency is able to cover a wide range of activities and provides clarity to both the states that would enact the legislation and the virtual currency businesses in such state.
Importantly, by emphasizing "unilateral" and "indefinitely" in its definition, the Uniform VCBA distinguishes between entities that fully control consumers' virtual currency and those that provide non-custodial services, such as multisignature or "multisig" authentication. Multisig is a security technique that, among other functions, allows an owner of virtual currency to require multiple cryptographic keys (for these purposes, a key is analogous to a password) to initiate a transfer of coins. But implementing multisig requires an individual owner to allow a third party to store one (or more) keys that are associated with the coins. Multisig systems block the third party from initiating a transfer without authentication by the owner and establish mechanisms to ensure the third party cannot prevent the owner from initiating transactions. Providers of multisig authentication (and other non-custodial services) do not control consumers' virtual currency and, under the Uniform VCBA, would not be required to obtain a license.
The Uniform VCBA would require a licensee to maintain compliance programs that include procedures to prevent: fraud, funding terrorist activities and money laundering. Unlike the BitLicense, the Uniform VCBA's AML requirements are simply a cross reference to federal AML requirements, the BSA and any applicable state laws outside the virtual currency regime.5 In this regard, the Uniform VCBA is similar to most states' money transmitter licenses, in that it relies primarily on FinCEN to detect and enforce AML issues.
FinCEN reaches foreign exchanges
On July 27, 2017, FinCEN demonstrated that its authority to impose civil money penalties on money services businesses (MSBs) extends even to virtual currency businesses operating in foreign jurisdictions. Coming approximately one week after the UCL approved the Uniform VCBA that would encourage states to rely on FinCEN to monitor virtual currency businesses, the action against BTC-e, the subject of FinCEN's MSB action, shows the potential effectiveness of such an arrangement.
BTC-e is a Russia-based virtual currency exchange that facilitates the purchase and sale of fiat currency (US dollars, Rubles, Euros, etc.) and virtual currency (Bitcoin, Litecoin, Ethereum, Dash, etc.). FinCEN has jurisdiction over the MSB because a substantial part of its business is with customers in the US (both buyers and sellers) and because some computer nodes that participate in the processing of BTC-e's transactions are located in the US.
The FinCEN investigation found that the MSB facilitated transactions involving ransomware, computer hacking, identity theft, fraud schemes and drug trafficking. FinCEN also linked it to the transaction of more than 300,000 bitcoin that were related to the massive theft of the now-defunct Mt. Gox exchange. The $110 million civil money penalty against BTC-e is the first time FinCEN has ever taken action against a foreignlocated MSB and is the second such action against an MSB that exchanges virtual currency.
Improving corporate ledgers
Finally, July was also notable for DLT and blockchain as used in applications other than virtual currency. When Delaware governor John C. Carney Jr. signed the amendments to the Delaware General Corporation Law (DGCL), it was the culmination of a process started one year prior by former Governor Jack Markell. The amended DGCL now explicitly allows Delaware companies to maintain shareholder information on a blockchain instead of using existing database and record keeping methods. Further, Delaware corporations using DLT for their stock ledgers can use that as the basis for their required investor communications.
The SEC has previously approved companies to use DLT for specific offerings, such as when Overstock.com received approval in 2015. Similarly, NASDAQ and other exchanges around the globe are experimenting with blockchain based settlement for stocks traded on their system. The Delaware law, which is effective as of August 1, 2017, marks a significant step forward for the assimilation of blockchain technology into the law, and corporate law particularly, because it will allow companies to take advantage of DLT for trading without having to maintain duplicate records for corporate law compliance. Supporters of the amendment believe it will keep Delaware at the forefront of corporate law, and that blockchain will improve transparency, reduce settlement times and, thus, will be beneficial for large and small investors alike.
Virtual currency and blockchain technology are becoming an important component of the financial system. Although VC&B were founded on a non-governmental philosophy, the technology is steadily gaining legitimacy as federal and state agencies build a regulatory framework. Over nine days in July, VC&B took several important steps along that path. The SEC, FinCEN, UCL and State of Delaware each added to or clarified meaningful aspects of that framework. This does not mean that all (or even most) issues regarding VC&B are resolved. Notably, the full range of potential enforcement actions by the SEC and FinCEN remains untested, but they are important factors that must continue to be considered in the ever-expanding reach of VC&B technology. While this is certainly an important consideration for entrepreneurs, investors and banks that have been hesitant to launch VC&B initiatives, there are encouraging signs that the regulatory framework for these initiatives is providing a foundation for building a path to mainstream acceptance and legitimacy.