Some participants in the crypto/blockchain/DLT industry actively invite regulatory oversight but policy considerations and the usual patterns of legal and regulatory development can mean that wanting to be regulated is not always the same as being able to be regulated.

In the Hong Kong Lawyer, Syren Johnstone examines aspects of the technology that make it difficult to regulate the primary and secondary market, while at the same time allowing industry development without it being affected by fraud and abuse, or being used to service money laundering and other criminal purposes. It concludes by suggesting the policy approach that regulators should take to this new technology.

*This article first appeared in the Hong Kong Lawyer

The technology is the starting point

In 1988 Tim May famously stated “Computer technology is on the verge of providing the ability for individuals and groups to communicate and interact with each other in a totally anonymous manner. Two persons may exchange messages, conduct business, and negotiate electronic contracts without ever knowing the True Name, or legal identity, of the other.” Today, that has become a reality in a developing digital ecosystem that is being built on cryptographically secure consensus technology (“CCTech”) that forms the basis of blockchain and distributed ledger technology applications.

CCTech enables qualitatively different boundaries of commercial activity than was previously possible. It holds the promise of enabling new ways of undertaking existing commerce that provide efficiency gains, as well as generating new types of commercial activity. The first peer-to-peer version of electronic cash created on 3 January 2009 (Bitcoin), has been followed by other cryptocurrencies, digital tokens that provide access to some service or utility or operate as a security (see Hong Kong Lawyer, March 2018 “ICO Utility Tokens and the Relevance of Securities Law”), and smart contracts (collectively, ”cryptos”).

Industry growth has involved developers tapping into the highly regulated public capital market in ever-larger offerings. A secondary market facilitated by crypto exchanges has emerged. This is creating significant challenges to regulatory agencies to define how existing laws and regulations might apply.

Establishing a sustainable regulatory approach is complicated by features of CCTech still undergoing transformational evolution that pose novel challenges to regulatory policy making and raise fundamental questions about what regulatory oversight might look like, and to what it should attach.

The prospect of regulation

On the prospect of oversight by regulatory agencies, the crypto-industry continues to express its voice in a partisanly manner. There are those who see independence from oversight as a necessary expression of political freedom, or advocate that the industry should not be subjected to any oversight other than by the community participating in cryptos. Other participants in the industry wish to take advantage of the current situation by moving to the lowest commercially viable legal standard or jurisdiction.

There are also those who actively seek to be regulated as a means of being accepted into mainstream commercial activities and validated as a legitimate activity, and to foster the industry by directing it to applications benefitting society. Some see regulation as a competitive advantage over others who are ill-equipped, or inadequately funded, to cope with the anticipated burden of regulatory oversight. However, policy considerations and the usual patterns of legal and regulatory development can mean that wanting to be regulated is not always the same as being able to be regulated.

Regulatory agencies have to date primarily applied existing regulatory standards to the industry where they can. There is a general sense that this will not be enough to facilitate industry development while also dealing with the risk of fraud and consumer abuse. There are also real concerns that the anonymity provided by CCTech could be used by bad actors to further criminal purposes.

The primary hurdle for regulatory clarity is sometimes said to be the legacy system of laws, regulations and financial and commercial practices that have been established in a pre-CCTech era. Industry requests for regulators to specify the features that would determine which regulatory silo a crypto belongs to (money, security, futures contract, commodity, or other) oversimplifies the new context presented by CCTech and underestimate the related policy considerations.

Primary market activity thus remains governed by a singular question: is the crypto a security? This leaves CCTech developers cum promoters to resolve questions that lawyers and regulatory agencies cannot currently clearly define other than by reference to broad functional concepts, or narrow established categories, raising the danger of ex post regulation.

The development of taxonomies that seek to map cryptos onto existing securities laws as a means of assisting regulatory clarity has become a mini-industry. However, these often “solve” the problem without changing the underlying assumptions about how existing laws securities laws apply. As such they are essentially recursive and achieve very little. It is of course somewhat paradoxical to address something new by treating it as though it were something old.

In contrast to the situation in the primary market for securities, regulators in the UK and the U.S. have permitted a futures market to evolve around cryptocurrencies (Bitcoin, and recently Ether). The court in CFTC v. McDonnell, et al. (18-CV-361, 2018) has confirmed the oversight powers of the U.S. Commodity Futures Trading Commission (“CFTC”) in this regard. Although many in the industry perceive regulatory oversight as abhorrent to the essence of CCTech, regulatory oversight of the futures market has enabled the development of financial products within an established regulated infrastructure that has facilitated the perception of cryptocurrencies as a valid asset class to gain exposure to. Importantly, it means that investors are brought within a context subject to safeguards imposed on regulated intermediaries.

Building blocks

Regulation of the financial services industry in the modern era is based around three primary choke points concerning products, venues and acts. These assume some form of intermediation via markets, brokers and advisers. Regulation has already had to adapt in response to technology that displaces human involvement, such as algorithmic trading and robo-advising, where sentience ceases to form part of the regulated act but rather is embedded in the coding that enables the act to be undertaken.

CCTech presents additional difficulties. There is a venue, but it may be only exist in a code supported on a network of participants. There is an act, but that may take place without intermediation other than the non-sentient operation of a code operated over a network in which the creator no longer has a role. There is a product, but there is a recognised lack of clarity as to how to characterise a crypto for the purposes of regulatory silos. CCTech enables venue, act and product to be collapsed into the operation of code via distributed networks, decentralised and dis-intermediated arrangements, and smart contracts.

The possibility of undertaking commercial activity on a decentralised, peer-to-peer basis represents a qualitatively different kind of issue for regulatory agencies. At some point, adaptability may be challenged to the extent that existing regulatory tools which have developed around centralised, intermediary-based systems may to some extent be rendered obsolete, raising questions as to the continued viability of existing legal silos and traditional choke points, and giving rise to policy concerns.

Even if basic problems were solved about which or whether a law applies to a crypto, or at what choke point to apply it, there remain problematic areas. Regulation proceeds on the basis that regulation is possible but CCTech does not, at the present point in time, provide some of the usual building blocks that enable the meaningful implementation of regulatory objectives.

This includes an assortment of investor protection and market integrity considerations, such as: integrity of ownership and integrity of transactions, issues related to account management including proof of ownership to public audit standards, custody and segregation, how record keeping is to be undertaken, how exchange regulation might work, the ability to assert market transparency and market abuse protections, how money laundering risks are to be addressed.

To this can be added technical issues that the industry is actively trying to solve, many of which potentially give rise to legal issues and have implications for investor protection and market integrity. These often require an appreciation of how the science and technology operate and their weak points such as how they might be gamed by bad actors. They include: the management of keys and wallets, the risk of consensus hijack, denial of service attacks, double spending, scalability, code governance controls and cyber security challenges.

Disclosure is another building block. Key disclosures might address: does the underlying code do what it is expected or promised to do, is the governance of the code appropriate (such as agreeing on roll-backs), has it been properly written so that it is free of bugs that might facilitate hacks or other problems, has the security protocols been properly implemented, is the crypto scalable to benefit from network effects. Not all codes are the same in this regard and coding errors have caused significant problems in the past, yet there are no established standards for audits of code writing.

Not all problems are adequately managed by merely releasing information. Positive action is sometimes required. This can take the form of an industry regulating itself via standards and best practices, but the industry is in its nascent stages in this regard. An area of development to watch is the standards being developed by the International Organisation for Standardisation in their ISO/TC 307 programme. Nine new projects concerned with blockchain and DLT are currently in their proposal or preparatory stages.

Resolving some of the above building blocks is therefore a precursor for effective, granular regulation to develop. Solutions are likely to come from the technology itself as it develops in response to regulatory expectations. This may serve to facilitate the development of regulatory technology, which presents opportunities for creating avenues within the underlying CCTech code for interactions between the actors involved in any crypto generation or exchange, any buyer of a crypto, and regulatory agencies.

One of the inherent difficulties of addressing the regulation question is the reality that the industry is in its early stages of maturation. Core concepts are still subject to significant debate, the potential technological implementations of the science remains in a discovery and development phase, and the prospects for commercial use cases of CCTech is still evolving. This makes the policy formation that leads to regulatory implementation difficult as these conditions increase the risk that regulations are made only to see the industry change under it, or regulations are made that capture the wrong family of acts – in either case the policy objectives are missed.

The dynamics that animate regulatory change are subject to two related overarching considerations: to what extent is meaningful regulation possible and, if it is, how and when should regulatory oversight be imposed? Regulatory intervention that is too early, too heavy, or misses the target runs the risk of slowing the growth of the industry and damaging the beneficial prospects it offers to commercial activity and society more generally.

The technology is also the end point

The present state of regulatory uncertainty creates risks to the industry itself. It increases the cost of industry development because raising capital in an uncertain legal environment gives rise to increased liability risk. To this can be added the risks (including attendant industry costs) already observed in traditional capital markets (primary and secondary) that include fraud, money laundering, theft, mis-disclosure, manipulative practices, internal control failures, misfeasance, and adequate custody and handling of money, or securities or other assets belonging to another.

Whatever regulatory controls might be put in place, the reality is that the nature of CCTech presents a fundamental obstacle to oversight control because of the possibility – and consequences – of an alternative means of undertaking commerce on Internet-based networks that does not require the involvement of a regulated financial institution that intermediates transactions.

The intractable problem created by CCTech is how to bring cryptos within an appropriate oversight mechanism given its particular technological capability to subvert – unmeasured oversight control runs the risk of achieving the opposite effect of driving activity further out of sight. The proposal by the United States Treasury’s Office of Foreign Assets Control (“OFAC”) that it may add digital wallet addresses to its SDN List was criticised for just that. This reflects the anarchic potential of CCTech that is crucial for regulators to fully grasp if regulation is to be successfully developed. Regulatory agencies may need to look for ways of bringing oversight to the industry by using strategies different to those previously employed.

Actors in the industry seeking to be regulated are doing so for a number of commercial reasons including validation and legitimacy, the usual assurances provided to the market by regulatory oversight, industry risk reduction, and access to a larger pool of capital. It is proposed that these reasons can be engaged to make regulation a desirable option.

In short, the best way to establish regulation may be to make it attractive. That may not be a regulatory end-point but a point from which regulators can begin to better work with the industry. For that dynamic to work, it is essential that oversight controls do not undermine the opportunities that cryptos offer to new ways of engaging in commercial activity. Regulations must be based on outcomes that are independent of specific technologies and activities, such as fair disclosure, industry standards, and accountability for wrongdoing. Care must be taken that oversight controls do not to operate as anti-competitive tools.

The range of relations that CCTech can possibly create, and the behaviours in the market once they are created, are at once simulacra of human commerce and a potential further development of it. It remains to be seen whether the current trajectory of regulatory thought and action is working toward supporting the efficient allocation of risk and industry development, wherein capital finds projects that offer, and have a reasonable prospect of delivering, economic and social improvement.

Interested in the impact of new technologies on regulation? Get involved at this year’s annual conference. Contact Jim McKay ( to become involved as a speaker or session moderator.