Part One of a Two-Part Article

Reprinted with permission from ALM's Cybersecurity Law & Strategy

As we head into 2018, cryptocurrency and blockchain will continue to be a top initiative for pioneers in the financial services industry. Within financial services, this space includes everyone from those looking to issue a new cryptocurrency, FinTech firms looking to disrupt the financial services industry though creative uses and implementation of the technology, and banks and non-bank lenders of all sizes looking to see how they can best utilize the technology to cut costs and drive advancements in service. As with any innovation within the financial services industry, the regulators are never far behind and are doing their best to keep up. Those that enter this space will find that they also have to pioneer the controls to manage the regulatory risks this technology presents.

For the benefit of the uninitiated, cryptocurrencies, also known as "virtual currency," such as the well-known "BitCoin" and "Ethereum," are the results of just one application of blockchain technology. One should not visualize cryptocurrencies as actual currency or legal tender (we discuss why below). Instead, think of cryptocurrency as a means of utilizing the underlying blockchain technology to create a "store of value." Anything that can function as a vehicle to save, house, move and maintain value and/or wealth can be utilized as a "store of value." For example, gold, silver, real estate, diamonds, fine art and stocks are all "stores of value." Viewing cryptocurrency in this manner will enable you to understand its regulation within the financial services industry.

As previously stated, blockchain is the technology upon which cryptocurrencies are built. At a high level, blockchain technology is simply a decentralized or distributed ledger, meaning that there is no master copy of a ledger maintained by an individual or a single organization (although some banks are beginning to keep a "master copy" or "golden copy" as a means to control risk). The potential applications for this technology within the financial services industry are enormous. For example, recently a group of Japanese financial institutions came together and announced their successful testing of blockchain technology in Over the Counter (OTC) derivative contracts such as the ISDA Master Agreement. Others are exploring how to use the technology as a means to complete debt offerings, settle and maintain a record of credit default swaps, revolutionize mortgage lending, title insurance, simplify and manage correspondent banking relationships and the implementation of smart contracts to speed clearing and reduced counterparty costs.

The proliferation of cryptocurrency and blockchain is being driven by the efficiencies and protections afforded to early adopters. The operational efficiencies and resulting cost savings are readily apparent in the financial services industry and are equally coveted by the entities trying to implement them and by the customers who will benefit from the implementation.

However, neither party can fully enjoy these benefits without first understanding and overcoming the various regulatory hurdles.

By no means is this meant to be an exhaustive discussion of the financial regulatory burdens faced by this technology. To cover the entire regulatory landscape would be too great an endeavor, given what we can cover in this article. In Part I of this article, we would like to focus on some of the common regulatory issues faced by market participants in this space. The Securities and Exchange Commission (SEC)

The regulatory uncertainty for cryptocurrencies, aka virtual currencies, starts as early as their Initial Coin Offerings (ICOs). This uncertainty is in part thanks to the diverse views of what is being offered along with the objectives and motivations each architect of various ICOs has in mind when defining what differentiates their coin. First there is the definition. Some are offering coins, others tokens and others altcoins. It is easy to get lost in the semantics of each term. Some are issuing coins to build a completely new cryptocurrency, others as a means of fundraising to develop "improved" blockchain technology and others to develop completely unrelated technology and products such as coins that are backed by Real Estate Investment Trusts (REITs). An ICO's "pitch" as to why a prospective purchaser should buy into an ICO is delivered through its white paper. This is where the ICO's technology, financials and overall application are laid out and it is also where the SEC will begin to evaluate if the ICO should be considered a security.

In July of this year the SEC issued release No. 81207, titled "Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO," which contemplated the threshold question as to when an ICO would be considered a security and subject to the federal securities laws and regulated by the SEC. The guidance stopped short of stating all ICOs are securities but rather applied a test (known as the Howey test) for when a coin offering should be treated as a security offering. Citing both federal regulation and current case law, the SEC noted that a security includes an "investment contract," which is: 1) an investment of money or other valuable consideration (it need not be fiat currency, other cryptocurrencies will do); 2) in a common enterprise; 3) with an expectation of profits; and 4) to be derived from the entrepreneurial or managerial efforts of others.

One may be able to create arguments to support a narrative as to why a particular ICO should not be considered a security, but the SEC left a lot of open questions and regulatory uncertainty in the market with the "The DAO" release. And the market is continuing to observe a "growing wave" of ICOs that are not heeding the SEC's July warning to adhere to the federal securities laws if applicable. In recent months the SEC has taken enforcement action against individuals, companies and unlicensed brokers for violating SEC registration and disclosure requirements in connection with the sale of tokens that constitute securities. It is advisable to adhere to federal and state securities regulations, if there is a chance that your ICO can be deemed a security under the guidance in The DAO or applicable state securities regulations. The Financial Crimes Enforcement Network (FinCEN)

FinCen (a bureau of the U.S. Department of the Treasury) issued FIN-2013-G001 in 2013 that defined the participants in generic virtual currency arrangements, using the terms "user," "exchanger," and "administrator." A user is a person who obtains virtual currency to purchase goods or services. An exchanger is a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency. An administrator is a person engaged as a business in issuing (putting into circulation) a virtual currency and who has the authority to redeem (to withdraw from circulation) such virtual currency. An administrator or exchanger who: 1) accepts and transmits a convertible virtual currency; or 2) buys or sells convertible virtual currency for any reason is a money transmitter under FinCEN's regulations, unless a limitation to or exemption from the definition applies to the person. This is significant as it creates a large regulatory burden. For example, now the exchanges must have a robust Anti-Money Laundering (AML) program and must establish and maintain an effective Office of Foreign Assets Control (OFAC) compliance program (discussed below).

Under the regulations, a "money transmitter" shall not include a person that only:

  • Provides the delivery, communication or network access services used by a money transmitter to support money transmission services; Acts as a payment processor to facilitate the purchase of, or payment of a bill for, a good or service through a clearance and settlement system by agreement with the creditor or seller; Operates a clearance and settlement system or otherwise acts as an intermediary solely between BSA regulated institutions. This includes but is not limited to the Fedwire system, electronic funds transfer networks, certain registered clearing agencies regulated by the SEC, and derivatives clearing organizations or other clearinghouse arrangements established by a financial agency or institution; Physically transports currency, other monetary instruments, other commercial paper or other value that substitutes for currency as a person primarily engaged in such business, such as an armored car, from one person to the same person at another location or to an account belonging to the same person at a financial institution, provided that the person engaged in physical transportation has no more than a custodial interest in the currency, other monetary instruments, other commercial paper or other value at any point during the transportation;
  • Provides prepaid access; or
  • Accepts and transmits funds only integral to the sale of goods or the provision ofservices, other than money transmission services, by the person who is accepting andtransmitting the funds.

In 2014, FinCen clarified with FIN-2014-R011. Here the agency states "that a company which facilities the transfer of value, both real and virtual, between third parties meets the definition of money transmission." Virtual currency exchanges often argued that they were not moving money but were rather acting as a "payment processor" facilitating the purchase of a good (the coin/virtual currency) through a clearance and settlement system (the exchange) by agreement with the seller. Within their guidance, FinCen quickly dismantled this argument and stated they do not consider providing virtual currency for real currency or vice versa as a non-money transmission related service.

Part Two of a Two-Part Article

Reprinted with permission from ALM's Cybersecurity Law & Strategy

The proliferation of cryptocurrency and blockchain is being driven by the efficiencies and protections afforded to early adopters. The operational efficiencies and resulting cost savings are readily apparent in the financial services industry and are equally coveted by the entities trying to implement them and by the customers who will benefit from the implementation. However, neither party can fully enjoy these benefits without first understanding and overcoming the various regulatory hurdles. By no means is this meant to be an exhaustive discussion of the financial regulatory burdens faced by this technology. To cover the entire regulatory landscape would be too great an endeavor, given what we can cover in this article. In Part II of this article, we will continue to focus on additional common regulatory issues faced by market participants in this space.

The U.S. Commodity Futures Trading Commission (CFTC)

The CFTC regulates the futures and option markets within the U.S. financial services industry. In July 2017, the CFTC issued an order granting LedgerX, LLC registration as a derivatives clearing organization (DCO) for BitCoin options (the first of its kind). While this registration further legitimized cryptocurrencies/virtual currencies (specifically BitCoin) by demonstrating acceptance by a federal regulator, the CFTC was sure to include the following language in the press release accompanying the order, "[t]his authorization to provide clearing services for fully- collateralized digital currency swaps does not constitute or imply a Commission endorsement of the use of digital currency generally, or bitcoin specifically." Also, while the legitimacy was welcomed, it did come at the cost of setting a precedence of adhering to federal regulators.

The CFTC's seemingly favorable view of virtual currencies and the underlying blockchain technology was exhibited earlier in the year during a speech at the New York FinTech Innovation Lab. Here, the CFTC's chair (J Christopher Giancarlo) stated the agency "might collaborate with other authorities on leading development of best practices to support the development of "regulator nodes" on distributed ledgers, or experiment with collecting or distributing existing CFTC reports through blockchain technology." This again legitimized the adoption of the technology.

Anti-Money Laundering (AML) / Know Your Customer (KYC) and Office of Foreign Assets Control (OFAC) Concerns

Without getting too bogged down into the operation of the various underlying regulations, Anti- Money Laundering (AML), Know Your Customer (KYC) and the Office of Foreign Assets Control (OFAC) all require banks and other financial services industry participants to have policies, procedures and controls in place to identify the source of funds (AML), have a reasonable understanding of who your customer is (KYC) and checks in place to identify individuals and companies owned or controlled by certain countries that the U.S. government has blocked from utilizing the U.S. banking system and for individuals, groups and entities, such as terrorists and narcotics traffickers designated under various programs that are not country- specific.

These regulations are at odds with one of the fundamental ideologies of cryptocurrency and blockchain technology. When blockchain was developed to create BitCoin, the developers were looking to create a secure way to store and move value while also protecting the owner's privacy from everyone, including any government. This creates problems for anyone subject to AML, KYC and OFAC regulations. As mentioned earlier, when an entity is deemed a MSB, it must have robust programs covering these regulations. Also, depositories may want to maintain a correspondent relationship with a virtual currency exchange. The challenge then arises as to how to develop programs to implement these requirements.

Currently, there are no bright-line tests or rules put forth by any of the financial services regulators when creating AML/KYC and OFAC procedures and controls to govern a product or process using blockchain technology. Nor are there any safe harbors for those who want to pioneer the applications. At the same time, most of the regulators have identified AML/KYC concerns as an area of focus for 2017 and 2018. This all adds to the regulatory uncertainty and apprehension within the industry while the severity of AML fines leaves no room for noncompliance. Finally, the fact that a majority of the teams of legal and compliance professionals who support the financial services industry do not understand the technology or the possible remedies to achieve compliance while implementing the technology add to the headwinds and the uncertainty.

On the flip side to viewing the use of blockchain as a roadblock for those working in KYC compliance, there are entities that are exploring how the Ethereum blockchain technology can ease the burden of KYC compliance through the use of a smart contract. This can be accomplished because the technology can operate as "self-proving" through verification of its own chain/dataset. This provides an opportunity to build customer identification into the technology itself where it can be set as a condition precedent prior to contract execution. If successful, this would drastically lower the cost of each institution's having to investigate and identify each customer as the chain would have the ability to authenticate said customer.

State Regulation

The regulatory burden is again amplified when you start to consider the pace at which states are introducing and adopting legislation that governs the use of blockchain. For example, in June 2017, Arizona signed House Bill 2417 into law that acknowledges the legitimate use of blockchain technology to secure an electronic signature and that states that "smart contracts" (which utilize blockchain) cannot be denied effect. In 2016, North Carolina signed House Bill 289 into law which updated North Carolina's Money Transmitter Act to include the transmission of virtual currency. In Connecticut, the governor just signed House Bill 07141 in June 2017.

If and when this regulation is adopted, it will establish capital requirements for money transmitters dealing in virtual currency. Texas, Nevada, Delaware, Florida, New Hampshire and others have all recently adopted legislation that addresses blockchain technology in certain aspects. The speed at which states are adopting legislation around virtual currency and blockchain makes the need for a current 50-state survey of applicable state law a necessity to minimize your regulatory risk in the space.

Unsurprisingly, New York perhaps has the most robust regulations codified at 23 CRR-NY 200 entitled "Virtual Currencies." New York requires any person engaged in any "virtual currency business" activity to obtain a license. The regulation defines "virtual currency business" as activity involving any one of the following types of conduct that takes place in New York or involves a New York Resident:

(1) Receiving virtual currency for transmission or transmitting virtual currency, except where the transaction is undertaken for non-financial purposes and does not involve the transfer of more than a nominal amount of virtual currency;

(2) Storing, holding, or maintaining custody or control of virtual currency on behalf of others;

(3) Buying and selling virtual currency as a customer business;

(4) Performing exchange services as a customer business; or

(5) Controlling, administering, or issuing a virtual currency.

The regulation goes on to require that each licensee maintain and enforce written compliance policies, including policies with respect to anti-fraud, AML, cybersecurity, privacy and information security and a customer identification program. The AML and customer identification requirements are further discussed in a separate section (23 CRRNY 200.15). For example, a complaint customer identification program under the regulation will require at a minimum: 1) verification of the customer's identity, to the extent reasonable and practicable; 2) maintenance of records of the information used to verify such identity, including name, physical address, and other identifying information; and 3) a check of customers against the Specially Designated Nationals (SDNs) list maintained by

OFAC. The regulation also goes on to state that enhanced due diligence may be required based on additional factors, such as for high-risk customers, high-volume accounts or accounts on which a suspicious activity report has been filed.

While the regulation is very dense, the fact that it covers activity involving any New York resident is almost a relief, given the fact that it insures that if you want New Yorkers as customers, you will now have a clear set of guidelines for best practices in multiple areas. Although the regulation of blockchain technology and virtual currencies within the financial services industry presents certain challenges, and is evolving month to month, the explosion in the use of the technology is not slowing down. As of October 2017, there were slightly less than 1,200 different virtual currencies in circulation that can trade on a little more than 6,000 different exchanges. All while depositories, lenders, FinTech vendors and other players all continue to innovative by creating new ways to deploy blockchain technology every day. The speed of the development of the technology, as well as the regulation, demands that you consult an attorney well versed in both financial regulation and the underlying technology as a means to best limit your regulatory exposure.