September 2023
On 23 May 2023, the International Organisation of Securities Commissions (IOSCO) published a consultation report with the aim of proposing a set of recommendations related to crypto and digital asset markets to address market integrity and investor protection. Said consultation is part of the work by the Financial Stability Board (FSB) on crypto-assets and financial stability, such as those published on 17 July 2023 entitled (1) “Global regulatory framework for crypto-asset activities” and (2) “High-level recommendations for the regulation, supervision and oversight of global stablecoin arrangements”, as well as of stable crypto-currencies, or that published on 7 September, along with the International Monetary Fund (IMF), titled “Synthesis Paper: Policies for Crypto-Assets”.
IOSCO’s consultation of May 2023 discusses the activities of crypto-asset service providers (CASPs) such as offering a crypto-asset, admission to trading, trading, settlement of transactions, market supervision, custody, and marketing and distribution to retail investors. Moreover, the consultation requests comments on recommendations related to the exchange of information between supervisors in this area, which by its nature is borderless. In order to develop these recommendations, IOSCO has followed the principle of “same activity, same risk and same regulatory outcome”. Additionally, for each recommendation IOSCO adds, by reference, the principles of the IOSCO Standards, which form the basis of any regulation of securities markets and participants seeking recognition by the IMF or the World Bank. These principles form the basis for each recommendation and complement its implementation.
On 6 September 2023, IOSCO also published the consultation report for Policy recommendations for decentralised finance aimed at addressing the effects of said activities on market integrity and investor protection.
The May 2023 public consultation includes 18 recommendations that cover six relevant areas of CASPs’ activities in line with IOSCO’s principles, such as: 1) Conflicts of interest arising from vertical integration of activities and functions; 2) Market manipulation, insider trading and fraud; 3) Cross-border risks and regulatory cooperation; 4) Custody and client asset protection; 5) Operational and technological risks; and 6) Retail investor access, suitability and distribution. Taking into account the differing development of these markets among IOSCO members, the approach used has been to propose principles that suit each member’s situation. Said 18 recommendations are divided into nine sub-sections detailed below.
- Overarching recommendation addressed to all regulators
With this recommendation, IOSCO requests all its members to implement or adopt these recommendations in a consistent and results-oriented manner. It is relevant to remember that IOSCO recommendations are of voluntary application. With such recommendations, IOSCO promotes equal treatment of the requirements of both traditional financial actors and those in crypto-asset-related markets and activities, including stable crypto-assets. Therefore, IOSCO suggests that regulators analyse whether their regulatory framework is applicable and appropriate for crypto-assets, if such crypto-assets are or have been acting as substitutes for traditional financial products and if investors have replaced traditional investments with crypto-asset investment activities. The IOSCO principles supporting this recommendation are principles 1 to 7 related to regulators.
- Recommendations on governance and disclosure of conflicts of interest
CASPs often present themselves as “exchanges”, but offer several services under a single umbrella, ranging from market-based services to clearing and custody services. IOSCO requests regulators to assess whether it is appropriate to offer a fusion of services under the same group, which, being vertically integrated, may give rise to several conflicts of interest. If the regulator does not require separation of said services, it should at least require that there be different entities with separate boards and teams. These suggestions are grouped under recommendation number two, which is supported by IOSCO principles numbers 8, 23, 31, 33 and 34 related to ensuring that conflicts of interest and misalignment of incentives are avoided or at least managed, protecting the interests of clients of investment firms and ensuring the integrity of markets.
Recommendation number three deals with the advertisement of CASPs’ role and capacity, as well as disclosure of conflicts of interest, supported by IOSCO principles 31, 34, 35 and 37 on the protection of clients’ interests by investment firms and securities markets operations. IOSCO believes that investors should be aware of the services provided by a CASP, including the legal entity offering them and the types of services, differentiating, for example, whether the CASP acts as a counterparty or as an agent in the execution of client orders, and whether there are market making services, in which case front running protection systems should be established.
- Recommendations on order handling and trade disclosure
Although CASPs are known as exchanges, they can, at times, be mere intermediaries, having to act fairly with any orders from their clients, which is why they should implement systems, policies and procedures to provide fair treatment and advertise the latter, as may correspond, to existing and prospective clients. Clients may not understand that their CASP is their counterparty, trading against them and therefore not acting in their best interest. In this regard, recommendation number four, on the management of client orders, demands avoiding front running and promoting fair treatment of all clients, advertising its procedures to such effects and recording client mandates. This recommendation is supported by IOSCO principles 29 and 31 on intermediaries, and more specifically those relating to minimum requirements for authorisation and internal procedures.
Where a CASP acts as a market or as an intermediary on behalf of its clients, IOSCO considers that it should be required to provide pre- and post-trade information in a way similar to that required in traditional markets and to its members (recommendation number five). This promotes transparency, price formation and competition. This recommendation is supported by IOSCO principles 33 to 35 on secondary markets.
- Recommendations in relation to listing of crypto-assets and conflicts of interest
Recommendations six and seven are related to primary markets, supply and admission to trading of crypto-assets. The ability to obtain both initial and periodic information on traded crypto-assets, that is on the instrument and its issuer, is vital to make informed decisions and establish asset prices, similar to traditional financial assets (recommendation six).
Many crypto-assets are being placed without appropriate information of the product or its issuer, although some jurisdictions already have regulations that promote the disclosure of minimal issuer and product information, as well as having protections against fraudulent misrepresentation in place.
The information promoted by this recommendation includes, but is not limited to, a comprehensive description of the crypto-asset, the issuer and its business activities, its financial statements and management team. CASPs should publish historical price and volume information, crypto-asset operational description and cases of manipulation or computer security breaches, position concentration, insider list (including periods of non-market action), crypto-asset transfer protocols, hard forks or distributions to holders of new crypto-assets.
CASPs should also have procedures in place to manage and mitigate conflicts of interest related to the issuance, admission and trading of crypto-assets, including prohibiting or inappropriately advertising the admission and trading of crypto-assets issued by the CASP (recommendation number seven). This would avoid the incentive to promote trading in crypto-assets when they are not suitable or not in the best interest of the client. These recommendations are supported by IOSCO principles 16 and 17 on issuers and 29, 31, 33 and 34 on intermediaries and secondary markets.
- Recommendations to address abusive behaviours
Traditional market regulators prohibit abusive practices and fraud in the markets, whether illegal or false dissemination of information, insider trading or market manipulation. To prevent such practices, regulators rely on and require traditional markets to have systems in place to identify such practices. They also require issuers and intermediaries to manage non-public information that could lead to manipulation or insider trading. These obligations would be applicable to crypto-asset markets in recommendations numbers eight, nine and ten of this public consultation regarding fraud and market abuse, market oversight and the management of non-public insider information.
These recommendations also include Financial Action Task Force (FATF) money laundering obligations with, at least, a requirement to conduct due diligence with clients. These recommendations are supported by IOSCO principles 31 to 36 on secondary markets.
- Recommendation on cross-border cooperation
IOSCO acknowledges the transnational nature of crypto-asset issuance and markets, and thus encourages regulators and other relevant authorities to exchange information and cooperate with each other. To this effect, recommendation 11 suggests the establishment of agreements or other mechanisms to allow for cooperation among authorities in different jurisdictions. These mechanisms can be bilateral or multilateral agreements, such as IOSCO’s Multilateral Supervisory Agreement in the Asia Pacific region on the supervision of traditional finance activities, associations or networks. This recommendation is supported by IOSCO principles 13 to 15 on cooperation.
- Recommendations on custody of client monies and assets
With recommendations numbers 12 to 14, IOSCO consults on one of the issues that has had the greatest impact on retail clients in significant crypto-asset platform failures.
Recommendation number 12 is a general recommendation on custody that encourages regulators to apply IOSCO’s criteria on the protection of client assets when assessing the implementation of existing or new frameworks that address the issues of CASPs holding client assets.
No specific proposals or thresholds are prescribed involving automatisms related to the maintenance of private keys in hot wallets, which have a permanent internet connection, or in cold wallets.
Clients should understand their rights to their crypto-assets in the event of bankruptcy or insolvency. In this specific case, in recommendation 13, IOSCO presents for consultation whether CASPs should place clients’ assets in a trust or if they should be, at least, segregated from the CASP’s own assets.
Lastly, IOSCO requests views on the specific information to be published, in non-technical language, by CASPs on this issue, concerning:
1. How client assets and arrangements are maintained in order to safeguard such assets and/or their private keys.
2. The use (if any) of an independent custodian, sub-custodian or related third party.
3. The extent to which client assets are aggregated or grouped in omnibus accounts, the rights of individual clients with respect to the aggregated or grouped asset accounts and the risks of loss resulting from grouping or aggregation activity.
4. Risks resulting from the management or movement of client assets by the CASP, either directly or indirectly, such as through a cross-chain bridge (a decentralised application that allows the transfer of assets between blockchains).
5. Complete and accurate information on the obligations and responsibilities of a CASP with respect to the use of client assets, as well as private keys, including the term for their restitution and possible risks.
Recommendations 15 and 16 cover a very relevant aspect related to the segregation of client assets, such as ensuring the holding of assets by clients. To this end, IOSCO recommends regular reconciliation of assets, with these subject to independent verification, in addition to CASPs adopting adequate systems, policies and procedures. These recommendations are supported by IOSCO principles 31, 32 and 38 on intermediaries, central securities depositories and central counterparty clearing houses (the latter developed by the CPMI-IOSCO principles).
- Recommendation to address operational and technological risks
IOSCO believes that CASPs not only face operational and technological risks, similar to those faced by traditional financial institutions, but also incorporate new and very special risks resulting from the use of DLT (distributed ledger technologies) in the issuance, trading, provision of services such as smart contracts, forks and transfers between blockchains. To address these risks, IOSCO presents for consultation whether regulators should require CASPs to comply with IOSCO’s requirements on operational or technological risk and resilience, as well as to publish in concise, non-technical language, all the elements that may lead to serious operational or technological risk and the framework for their mitigation (people, processes and systems). Recommendation number 17 is supported by IOSCO principles 31, 32, 33, 34 and 38 on intermediaries, markets and infrastructure.
- Recommendation for retail investor distribution
While traditional financial markets have a high participation of institutional investors, crypto-asset markets have a high participation of retail investors. IOSCO states that several CASPs offering services to retail investors have been found to operate without complying with applicable laws, even in jurisdictions where important retail investor protection systems are already in place. The cross-border nature of crypto-asset activities and retail investors’ direct access to such markets adds significant risks of mis-selling and exposure to fraud in crypto-assets. The transnational nature makes it difficult to resolve retail investor complaints. To handle said issues, IOSCO’s recommendation number 18 requests CASPs to operate in a way that is consistent with IOSCO’s standards for retail investor relations and to have the appropriate systems, policies, procedures and communication in place, for the registration of new clients and on a regular basis. If the CASP finds, during the registration process, that a possible client does not have sufficient knowledge, that client should not be allowed to trade in crypto-assets. In this regard, CASPs’ procedures should assess the suitability and appropriateness of their services and products for retail investors.
To complement the latter, IOSCO published in September 2023 a document for consultation regarding the Policy Recommendations for Decentralised Finance.
IOSCO’s 2022-23 roadmap on crypto-assets made a commitment to publish by the end of 2023 recommendations and guidelines regarding crypto and digital assets, as well as decentralised finance.
DeFi commonly refers to financial products, services, arrangements, and activities that use distributed ledger or blockchain technologies (DLT), including self-executing code referred to as smart contracts. DeFi aims to disintermediate and decentralise legacy ecosystems by eliminating the need for some traditional financial intermediaries and centralised institutions, and by enabling certain direct investment activities.
IOSCO’s document for consultation regarding DeFi includes nine recommendations, on which they request comments, based on principles and centred on results that aim to DeFi products, services, arrangements and activities by means of the implementation of IOSCO’s regulatory principles. Below is a list of the recommendations with a short descriptive text:
- Recommendation 1 – Analyse DeFi products, services, arrangements and activities to assess regulatory responses
IOSCO states that a regulator should analyse and understand DeFi products, services, arrangements and activities, defining typologies of comparable products with similar characteristics, identifying the economic situation of the relationship/agreement between consumers/investors and the market maker or DeFi provider, taking place or located within its jurisdiction. The objective is to apply its existing legal regime or, if any, a new regulatory framework, as appropriate, in accordance with the principle of “same activity, same risk, same regulatory outcome”. The regulator should assess what technological knowledge, data and tools it needs to understand and analyse each of DeFi’s products, services, arrangements and activities in order to inform the regulatory responses.
- Recommendation 2 – Identify responsible persons
The regulator should aim to identify the natural persons and entities in a purported DeFi arrangement or activity that may be subject to its regulatory framework. IOSCO states that responsible persons are those who exercise control or sufficient influence over a DeFi arrangement or activity.
- Recommendation 3 – Achieve common standards of regulatory outcomes
The regulator should use the existing or new regulatory framework to regulate, supervise, oversee and address risks arising from DeFi products, services, arrangements and activities in a manner consistent with IOSCO standards, for investor protection and market integrity, using regulatory tools the same as those required in traditional financial markets.
- Recommendation 4 – Require identification and addressing of conflicts of interest
The regulator should seek to require DeFi product and service providers and responsible persons to identify and address conflicts of interest, in particular those arising from the different roles and capacities of a particular provider and/or its affiliates, as well as the products and services offered. These conflicts should be effectively identified, managed and mitigated. The regulator should also consider whether certain conflicts are sufficiently acute that they cannot be effectively mitigated, including through disclosure systems and controls or prohibited actions. This may mean that more robust measures, such as legal disaggregation or decentralisation, as well as separate registration and regulation of certain activities and functions, may need to be required.
- Recommendation 5 – Require identification and addressing of material risks, including operational and technology risks
In implementing existing or new regulatory frameworks, DeFi’s product and service providers and responsible persons, as appropriate, should be required to identify and address material risks, including operational and technological risks. These risks should be identified and effectively managed and mitigated and, if not possible, other more robust measures may be required.
- Recommendation 6 – Require clear, accurate and comprehensive disclosures
As regards investor information, IOSCO notes that in the implementation of existing regulations and in new regulatory frameworks on DeFi, providers of DeFi products and services and other responsible persons, as appropriate, should be required to disclose to users and investors comprehensive and clear information material to the products and services offered in order to promote investor protection and market integrity.
- Recommendation 7 – Enforce applicable laws
The regulator should apply comprehensive authorisation, inspection, investigation, surveillance and enforcement powers, consistent with its mandate, to DeFi products, services, arrangements and activities subject to regulation (whether by application of existing or new regulatory frameworks), including measures to detect, deter, enforce, sanction, redress and correct violations of applicable regulations. The regulator should also assess what knowledge, data and tools are needed to enforce the regulation.
- Recommendation 8 – Promote cross-border cooperation and information sharing
Given the cross-border nature of DeFi products, services, arrangements and activities, the regulator should have the ability to cooperate and share information with regulators and authorities in other jurisdictions. This includes cooperation and information sharing agreements and/or other collaboration mechanisms, similar to those used in traditional financial markets, to facilitate assistance, both in authorisation or supervision processes of regulated persons or entities, as well as in investigations.
- Recommendation 9 – Understand and assess interconnections among the DeFi market, the broader crypto-asset market, and traditional financial markets
When analysing DeFi products, services, arrangements and activities, the regulator should analyse the interconnections among DeFi arrangements, the crypto-asset market and traditional financial markets. In such an analysis, the regulator should consider how such interconnections affect risks to investor protection and market integrity and identify potential connections with the regulatory framework, including the persons responsible. To this end, it should develop and employ appropriate methods to monitor and assess DeFi products, services, arrangements and activities.