On 9 January 2019, the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) published two reports with their advice on cryptoassets for the European Commission (EC) (and in ESMA's case, the EU Parliament and Council). These respond to the EC's 2018 FinTech action plan request for the European Supervisory Authorities (ESAs) to assess the suitability of the current EU regulatory framework.
Separately, on the same day, ESMA published the outcome of its 2018 survey of EEA Member States' transposition of the Markets in Financial Instruments Directive II (MiFID II) and their application of its "financial instruments" definition to a sample set of six cryptoassets under their particular national regulatory regimes, covering a range of characteristics, including investment, utility and hybrids of both (including payment hybrids). Pure payment-type cryptoassets such as Bitcoin were excluded. The survey results fed into ESMA's advice.
What does this mean for market participants?
ESMA's advice and survey and the EBA's advice provide some cogent clues as to how regulators in Europe may, in the short term, pending any regulatory reform, view the provision of cryptoasset services in their territories against the existing regulatory framework. The publications should be reviewed by any participant intending to develop a new cryptoasset service.
Regulatory perimeter – ESMA
Cryptoassets in scope as transferable securities, financial instruments
ESMA's survey results show that different Member State regulators have different interpretative approaches to some aspects of the definitions of MiFID II "financial instrument", creating difficulties for the regulation and supervision of cryptoassets. Those qualifying as "transferable securities", or other types of MiFID II "financial instrument", would render their issuer and related service providers potentially subject to the full set of EU financial rules, including the Prospectus Directive, the Transparency Directive, MiFID II, the Market Abuse Directive, the Short Selling Regulation, the Central Securities Depositories Regulation (CSDR) and the Settlement Finality Directive (SFD). ESMA's advice takes each of these rules in turn and shows how they might apply to cryptoassets, highlighting areas requiring additional review, amendment, interpretation or reconsideration.
Most Member State regulators who responded to ESMA's survey viewed ancillary rights to profit alone (and not alongside ownership or governance rights as well) as sufficient to qualify a cryptoasset as a "security", and hence, as a "transferable security" (in additional to the required MiFID II criteria). None viewed a pure utility token as a "transferable security" or a "financial instrument", enabling ESMA to conclude that utility tokens fall outside the regulatory perimeter. Most felt that those qualifying as "financial instruments" should be regulated as such, with necessary changes to accommodate issues, such as the risk of forking (i.e. changing the underlying software to create two versions going forward) and the custody of private keys, and a potential review of current rules on clearing, settlement, safekeeping and record of title. The vast majority viewed any move to classify all cryptoassets as "financial instruments" as unwelcome, since it would legitimise them andhave unwanted collateral effects.
Respondents' views on the creation of a bespoke new regime outside MiFID II were mixed, but ESMA flags the fact that, out of eight Member State regulators who viewed the mooted creation of a new C12 category of "financial instrument" in MiFID II as beneficial for legal certainty and EU harmonisation reasons, six believed the full set of EU financial rules should apply. Several survey respondents viewed some types of cryptoassets as units in alternative investment funds falling under the Alternative Investment Fund Managers Directive.
ESMA gives an overview of how the MiFID II rules are likely to apply to platforms trading cryptoassets qualifying as "financial instruments" and their operators and investment firms, covering minimum capital, organisational, governance and investor protection rules, open access, pre- and post-trade transparency, transaction reporting and record-keeping. It is not clear to ESMA how to apply MiFID II rules to decentralised trading platforms using smart contracts to match orders with no identifiable platform operator, without significant review and amendment of current rules. Changes to the transparency requirements to apply them to platforms trading cryptoassets would also present a significant challenge. Data reporting and recordkeeping rules would need amendment to apply to the specificities of cryptoassets, but would not be workable until common identifiers and classifications (CFI codes, ISINs) are developed for cryptoassets.
ESMA also notes that the Market Abuse Regulation may not capture inside information held by miners and wallet providers, and that it is not clear how miners would be treated under the CSDR in terms of governance and technical requirements due to their novel and essential role in the settlement process. It is similarly unclear how settlement finality would be achieved under the SFD in a distributed ledger technology (DLT) environment from an operational and legal perspective in light of consensus validation, the risk of forks and governance issues with permissionless DLTs, or how national law variables regarding the legal effect of book entries would interface with the CSDR requirement to represent securities in book entry form when applied to cryptoassets. The application of EU rules on safekeeping and segregation under the CSDR and the Financial Collateral Directive raises the question of whether the provision of safekeeping services equates in the cryptoasset world to having control of private keys on clients' behalf and how this applies in different contexts, e.g., multi-signature wallets with several private keys.
Other identified gaps in applying existing legislation to cryptoassets as MiFID II financial instruments include rules to ensure that the protocol and smart contracts underpinning cryptoasset activities meet minimum reliability and safety requirements, and rules addressing the novel cyber security risks of DLT.
Cryptoassets out of scope
Where cryptoassets neither qualify as MiFID II financial instruments nor fall within the scope of other EU rules, such as the second Electronic Money Directive (EMD2) or the second Payment Services Directive (PSD2), ESMA believes that consumers are exposed to substantial risks. Some EU Member States have, or are considering specific rules to address these, but, in light of the cross-border nature of cryptoasset activities, ESMA views an EU-wide approach as providing a more level playing field. ESMA believes that EU policymakers should consider how to address these risks with a bespoke approach, with risk disclosure rules and warnings as a priority.
Regulatory perimeter – EBA
Five Member State regulators have reported to the EBA cryptoassets qualifying in their view as e-money within scope of EMD2. Should a firm carry out a payment service with such assets, its activity would be within scope of PSD2. However, the EBA remains concerned about those forms of cryptoassets and related activities potentially falling outside the current regulatory perimeter, including the activities of cryptoasset custodian wallet provision services and cryptoasset trading platforms.
Risks and issues for EU regulators and policymakers
ESMA's report sets out risks for regulators to consider when dealing with cryptoassets. While both ESAs regard cryptoasset activity in the EU as relatively limited, with little current risk to financial stability, they remain concerned about consumer protection, shallow liquidity, operational resilience and market integrity issues where cryptoassets fall outside the regulatory perimeter. ESMA identifies the most significant risks as fraud, cyberattacks, money laundering and market manipulation, with investor protection undermined where cryptoassets fall outside the current regulatory perimeter, and thus do not benefit from regulatory safeguards. ESMA questions whether custodial wallet providers are safeguarding and segregating cryptoassets properly for their clients, noting that many also act as cryptoasset trading platforms. It highlights issues associated with DLT including governance, privacy and territoriality.
Anti-money laundering (AML)
ESMA and most of its survey respondents also believe that all cryptoassets and related activities should be subject to AML rules as a priority. The EBA asks the EC to consider the latest Financial Action Task Force (FATF) money laundering guidance in relation to cryptoassets and the need for a further review of EU antimoney laundering (AML) legislation to factor in providers of crypto-to-crypto exchange services and providers of financial services for ICOs. The EBA also notes that the ESAs will be producing a joint opinion in January 2019 on the AML and terrorist financing risks associated with virtual currencies.
EC tasked with follow up work
The EBA advises the EC to carry out a cost/benefit analysis to assess the feasibility of EU-level action to address the issues above, as well as the environmental impact of cryptoasset activity, adopting a technologyneutral and future-proof approach. The EC is due to commission a study on the legal, governance and interoperability aspects of blockchain technology. As the market develops, ESMA highlights the need for further work on the application of the existing regulatory framework to in-scope cryptoassets, and on the scoping of new rules for those which are out of scope. The EBA will also continue to monitor where cryptoassets stand in relation to the regulatory perimeter.
ESMA will continue to engage with global regulators and encourage international cooperation on cryptoasset regulation. A coordinated international response is also advocated by the EBA.
EBA monitoring and reporting template
The EBA will develop a template for regulators to send to banks and payment, e-money and other institutions to monitor the level and type of cryptoasset activities being conducted.
EBA assessment of information and disclosure to clients
During 2019, the EBA will assess the cryptoasset business practices and services of banks and payment, emoney and other institutions from a consumer protection perspective, including advertising (which should be well-balanced, clear and not misleading), pre-contractual information on related risks, and disclosure of rights and safeguards for clients.
Prudential and accounting treatment
Once the work of the Basel Committee on Banking Supervision (BCBS) on the prudential treatment of banks' holdings of and exposures to cryptoassets concludes, the EBA will report to the EC on whether the Capital Requirements Directive or the Capital Requirements Regulation need amendment or clarification. The EBA will also monitor the need for any guidance to support the common application of current regulatory capital rules to banks' exposures to and holdings of cryptoassets. Pending further regulatory developments, including the outcome of the BCBS work, the EBA notes that regulators and banks should adopt a conservative prudential approach to the treatment of exposures to cryptoassets in Pillar 1, supplemented by Pillar 2 requirements if necessary.
The EBA also calls on the EC to promote consistency in the accounting treatment of cryptoassets, in light of the current absence of clarity among accounting standards entities about whether, e.g., a holding of a cryptoasset should be treated as an intangible asset, potentially leading to questions around the resulting prudential treatment and with divergent approaches undermining the EU level playing field.
Benefits of DLT and ICOs
On the upside, ESMA notes the potential benefits of DLT, referencing its 2017 report on this topic, and of tokenisation in its enhancement of the liquidity of traditional assets represented on the blockchain. The speed and efficiency of funding from a diverse investor base via Initial Coin Offerings (ICOs) is also recognised as a benefit, provided appropriate safeguards are in place.