On 9 January 2019, the European Securities and Markets Authority (ESMA) published its advice to the European Union Institutions (Commission, Council Parliament) on initial coin offerings (ICOs) and crypto-assets. The advice clarifies that current European Union (EU) rules apply to crypto-assets that qualify as financial instruments and provides ESMA’s position on any gaps and issues in this regulatory framework with regard to its application by National Competent Authorities (NCAs). For crypto-assets that do not qualify as financial instruments, ESMA proposes a bespoke regime limited to establishing some minimum requirements.

Similarly, ESMA believes that in order to guarantee a level playing field and to ensure adequate investor protection across the EU, both situations (where crypto-assets are classified as financial instruments and where they are not) should be analysed at a European level. This analysis should bear in mind the reflections and possible paths proposed by ESMA in this advice when determining the suitability of the current legislative framework or other legislative initiatives relating to ICOs and crypto-assets.

ESMA issues this advice, based on Article 9(4) of Regulation (EU) No. 1095/2010, of 24 November, and in response to a request from the European Commission (EC) which, in its 2018 FinTech Action Plan, requested the European Supervisory Authorities (ESAs) to assess the suitability of the EU regulatory framework with regard to ICOs and crypto-assets.

Key concepts and overview of the crypto-asset ecosystem: agents and business models

Crypto-assets are a type of private asset based on Distributed Ledger Technology (DLT) that is not issued by a central bank. There are different types: investment-type – they have attached rights to participate in profits and are similar to financial instruments; utility-type – these provide the possibility of being used or consumed to access or purchase some good or service within the ecosystem in which they are generated; and payment-type – these may be used as a means of payment to pay for goods or services outside the ecosystem itself.

DLT is a means of saving information through a distributed ledger, which is a repeated digital copy of data available at multiple locations. DLT is built upon two-key cryptography: the public key, which is used for identification, and the private key, which is used for authentication and encryption. In order to transfer assets in the DLT, an address (hash of the public key) and a balance are associated and taken, together with the encrypted private key and the recipient’s address, to the DLT, which authenticates the transaction by obtaining the public key from the encrypted private key.

Digital crypto-asset wallets are used to store public and private keys and to interact with DLTs to allow users to send and receive crypto-assets and monitor their balances. They may be of different types: software wallets (access is through another physical device) or hardware wallets (a physical device) and the so-called hot/cold wallets depending on whether or not they are connected to the Internet.

DLT uses distributed consensus to verify and confirm transactions. Consensus is reached via a network of computers, called miners, which provide the necessary computational power to validate transactions and include them in the next block of transactions in the chain. Consensus mechanisms aim to mitigate the risk of DLT users posting false transactions. Most crypto-assets issued recently rely on permissionless DLTs (in which access is not subject to permission or authorisation) and anyone can be a miner, which raises specific governance and liability issues.

Developers work on implementation and progress of the protocol or operating system of the DLT, including smart contracts. Smart contracts are self-executing pieces of code that replicate a given contract’s terms and conditions in order to automate the execution of contractual obligations.

Many crypto-assets that exist on the market have been issued through ICOs to allow the issuer to raise capital in exchange for fiat currencies or other crypto-assets, e.g. Bitcoin or Ether. They are promoted using so-called “white papers” on the issuer’s website and on social media.

Once issued, crypto-assets may be exchanged for fiat currencies or other crypto-assets on specialised trading platforms. Some may provide broker/dealer type services while others are more akin to multilateral trading systems. In so-called centralised platforms, the assets and keys are held by the platform and trade settlement occurs on the books of the platforms (off-chain), while in decentralised platforms, the crypto-assets are in the clients’ name and settlement takes place on DLT (on-chain).

Information on the profile of crypto-asset investors is limited. It seems that the investor base has expanded from the original tech-savvy community to a broader audience, including both retail and institutional investors.

Risks, benefits and issues for consideration by regulators

ESMA analyses the risks that crypto-assets pose to investor protection and market integrity as crypto-assets do not currently pose a risk to financial stability.

In ESMA’s opinion, it is likely that investors will not be aware of the risks before making the investment or of whether this asset class is appropriate for their needs. In general, the projects of ICO issuers are at the initial stages of development and the likelihood that they will fail is therefore high. Furthermore, the liquidity of crypto-assets is shallow.

In addition to general risk, trading platforms have other specific risks arising from DLT technology. In centralised platforms, users would suffer the losses in the event of a cyber-attack and would have counterparty risk with the platform. In decentralised platforms, the risk of loss as a result of a cyber-attack is much lower and there is no counterparty risk, but they will have the same vulnerabilities as the DLT on which they are built, e.g., there may be delays in the processing of the transactions or governance issues.

With regard to risks in relation to the custody of crypto-assets, it will be necessary to know the measures that might be implemented by custodial wallet providers (or trading platforms that provide the service) for segregating and safeguarding these assets.

Other risks stemming from the underlying technology are: a) flaws in the protocol supporting the DLT or the coding of the smart contracts, or the possibility of cyber-attacks or other risks resulting from the fact that DLT is still a nascent technology and b) risks resulting from the distributed nature of DLT, which raises issues around territoriality (applicable law), governance and privacy, which might be partly mitigated by means of specific arrangements in the case of permission-based DLTs. The absence of rules that establish responsibilities and liabilities in the event of errors, negligence or fraud means that there are no incentives for the proper functioning of the consensus mechanism and could lead to the fact that miners may suspend their activities if they do not receive the proper incentive. There is also the risk of forks in the result of a change in the protocol of the DLT. The absence of rules on conflicts of interest may lead to the concentration of mining activities, thus increasing the possibility of price manipulation and a lack of competition. Another challenge is to determine how to ensure the privacy of client data and the protection of insider information.

ICOs and crypto-assets offer a number of potential benefits: they are an alternative funding source for DLT projects and start-ups and an attractive investment opportunity for smaller investors but do not typically get access to early-stage financing investments. In addition, the possibility of converting every asset into digital tokens represented on DLT may be a long-term trend that might have the potential to reactivate investment or enhance the liquidity of certain financial assets. DLT and smart contracts may potentially reduce risks and costs.

A preliminary issue is the need for legal certainty: it is necessary to clarify the legal treatment of crypto-assets and the way in which the existing EU regulatory framework may apply to them.

Legal qualification of crypto-assets: circumstances in which they would be considered financial instruments

ESMA notes that there is no legal definition of crypto-assets and a key consideration of their legal qualification is whether they may be considered financial instruments in accordance with Directive 2014/65 on markets in financial instruments (MiFID II). “Financial instruments” are defined in Article 4(1)(15) of MiFID II as those “instruments specified in Section C of Annex I”, while “transferable securities” are defined in Article 4(1)(44).

In order to prepare this advice, ESMA used the conclusions of the survey of NCAs conducted by the FISC (Financial Innovation Standing Committee) on the legal qualification of a sample set of six crypto-assets of different types (except pure payment-type crypto-assets as they are outside the scope of securities legislation) available for European investors. The main results of the survey highlighted that:

• The classification of a crypto-asset is the responsibility of each NCA and will depend on the specific national implementation of MiFID II since, while someMember States employ a restrictive list of transferable securities, others prefer broader interpretations and therefore not every NCA applies the same classification for a particular crypto-asset.
• Where crypto-assets qualify as transferable securities or other types of MiFID II financial instruments, they must comply with existing EU financial regulation.
• Crypto-assets that grant profit rights (without ownership or governance rights attached) were considered by most NCAs to qualify as transferable securities. Pure utility-type crypto-assets fall outside existing financial regulations.
• Some legal modifications and adaptations seem to be inevitable in view of the wide variety of crypto-assets in order to adjust current legislation to these new assets.

Regulatory implications when a crypto-asset qualifies as a financial instrument

The application of European financial services legislation to crypto-assets that are classified as financial instruments poses a series of problems and challenges.

For the application of prospectus legislation (Directive 2003/71/EC and Regulation 2017/1129), the prospectus should be adapted to the type of asset and issuer and include detailed information on the characteristics and rights attached to the crypto-assets, the terms and conditions and the expected timetable of the offer, the use of the proceeds of the offer and specific risks related to DLT.

Issuers of ICOs, when the crypto-assets are admitted to trading on a regulated market situated or operating within a Member State, must comply with the requirements on the disclosure of periodic information set out in the Transparency Directive (Directive 2013/50/EC amending Directive 2004/109/EC).

With regard to the application of MiFID II, the decentralised nature of some platforms means that there is no identified operator and their operations are automated and based on smart contracts and access requirements cannot be controlled. Pre- and post-trade transparency may not be applied in the same way in every jurisdiction as this will depend on the classification of the crypto-assets as equity or non-equity instruments. Neither may hybrid platforms (those in which orders are matched traditionally but settlement is carried out through a smart contract) fit neatly into existing regulations.

With regard to application of the Market Abuse Regulation (Regulation 596/2014), ESMA recommends that the possibility that the price of a financial instrument could be influenced through manipulative trading in crypto-assets that do not qualify as a financial instrument could be considered and addressed in any further revision.

With regard to the Short Selling Regulation (Regulation 236/2012), ESMA considers that it might be necessary to revise the list of financial instruments in Annex I of Commission Delegated Regulation 918/2012 so as to explicitly include those crypto-assets that might generate a net short position on a share or on a sovereign debt instrument and it might also be recommendable to revise the case in which a crypto-asset does not qualify as a financial instrument.

For application of the Settlement Finality Directive (Directive 98/26 and 2004/44) and the Regulation on improving security settlement in the European Union and on Central Securities Depositories (Regulation 909/2014), where there is a securities settlement system, ESMA believes that further consideration needs to be given to whether permissionless DLTs might be authorised as a Central Securities Depository (CSD) in which the crypto-assets must be registered or collaborate with an authorised CSD. Consideration also needs to be given to the role of miners and how they would be handled under the regulation in terms of governance and technical requirements given their novel and fundamental role in the settlement process. Another problem is that in the crypto-asset environment, it is natural persons who take part in the transactions. ESMA also anticipates issues in relation to settlement finality and Delivery versus Payment (DvP) in a DLT environment and interoperability issues in permissionless DLTs. With regard to the form of representation of crypto-assets, it seems that any technology, including DLT, may be used for issuing crypto-assets in the EU through book entries although there may be national legislation that imposes restrictions. However, once the securities are traded or admitted onto a trading venue, they must be registered in the book-entry system in a CSD.

There is no harmonised definition of safekeeping and record-keeping of ownership of securities and rights attached to securities at EU level. ESMA’s preliminary view is that having control of private keys on behalf of clients might be regarded as safekeeping services although it may be performed on the basis of another legal contract and that regulators should analyse how these obligations must be fulfilled in a DLT environment.

The Alternative Investment Fund Managers Directive (Directive 2011/61/EC) and the Directive on iInvestor Compensation Schemes (Directive 97/9/EC) also apply to the clients of investment firms with regard to activities with crypto-assets that are financial instruments in the EU.

The scope of the fifth Directive on Money Laundering and Terrorist Financing (AMLD), which must be implemented by 10 January 2020, includes virtual wallet service providers and virtual currency brokers. ESMA agrees with the recommendation of the European Banking Authority (EBA) in its report with technical advice for the EC on the classification of crypto-assets in view of the second Electronic Money Directive (Directive 2009/110/EEC) and the second Payment Services Directive (Directive 2015/2366/EU), according to which the scope of the AMLD should be reviewed in order to include the providers of services of crypto-to-crypto exchanges and providers of financial services for ICOs.

ESMA’s position on gaps and issues for consideration by EU policymakers

ESMA believes that it will be necessary to re-assess the phenomenon as it develops since DLT technology is still at an early stage and it proposes a set of measures that in many cases would require Level 1 measures complemented by Level 2 and 3 levels and, as the case may be, by Q&As:

• Definition of the concept of “custody/safekeeping services/activities” relating to crypto-assets in a DLT framework.
• Adjustment of the concepts of “settlement” and “settlement finality” applied to crypto-assets and clarification of specific governance issues with permissionless DLTs and the role of miners in settlement.
• Identification of new or enhanced requirements in order to mitigate risks that are specific to the underlying technology (ensuring that the protocol and smart contracts underpinning DLT meet minimum reliability and safety requirements) and cybersecurity risks.
• Definition of requirements for decentralised and hybrid platforms.
• Amendments to pre-and post-trade transparency (definition of threshold for liquidity, size etc.) in order to adapt to the new assets.
• Adaptation of data reporting and record-keeping requirements and of the reference data and classifications of traditional financial instruments.
• Analysis of possible new situations of market abuse and explicit mention of crypto-assets in short selling.

Crypto-assets that do not qualify as financial instruments (unless they qualify as electronic money) are likely to fall outside existing EU rules. In this case, investors will not benefit from the safeguards provided by the rules and they may not easily distinguish between those crypto-assets that are within the scope of EU financial services rules and those which are not, especially when they are available for trading on the same venues.

ESMA is aware that some Member States (France, Liechtenstein and Malta) have or are considering bespoke regimes for those crypto-assets that do not qualify as MiFID II financial instruments. However, it believes that a more homogenous framework should be applied throughout the EU and it proposes two options: (A) implementing a bespoke regime and (B) doing nothing, with ESMA preferring option A. This bespoke regime would require Level 1 measures that will provide for minimum requirements for specific types of crypto-assets, which in all cases would include aspects relating to the prevention of money-laundering and the obligation to properly inform investors about the risks and lack of protection or limited protection associated with this type of investment.

Links of interest:

ESMA advice to the European Commission on Initial Coin Offerings and Crypto-Assets

EBA Report with advice for the European Commission on crypto-assets