Latest FINMA Guidelines on ICOs; How to do KYC for your token holders

Competitive Compliance
Oct 3, 2017


On September 29th 2017 the Swiss Financial Market Supervisory Authority FINMA issued guidance on the “Regulatory Treatment of ICOs”. Ta-da!

Similar to the SEC and some other regulators, FINMA has essentially reiterated the message that ICO projects should follow the existing laws and regulations, instead of waiting for some special regulatory treatment (and hoping it’s never going to happen).

More specifically, everyone was reminded that issuing debt, securities or any other financial instruments must be done in accordance with existing provisions related to transparency of information and investor protection.

Then, FINMA specifically stated that “collecting funds for one’s own account without a platform or an issuing house acting as an intermediary is unregulated from a supervisory standpoint, in cases where repayment is not obliged, payment instruments have not been issued and no secondary market exists”, which closely resembles the definition of a loyalty-programme utility token (except for the secondary market, but that is a separate discussion).

Lastly, FINMA clarified that even though the act of crowdfunding via token issuance may not be regulated as a financial activity, some other regulations could still be applicable:

AML and KYC obligations will apply “where the creation of a token by an ICO vendor involves issuing a payment instrument. If this is the case, other supervisory issues may be effective for third parties, especially for professional crypto-brokers or trading platforms which carry out exchange transactions or transfers with tokens (secondary trading with tokens)”;

Banking Law: “accepting public deposits, where an obligation towards participants arises for the ICO operator because of the ICO, generally necessitates a banking licence”;

Securities Trading and Secondary Market: “licensing requirement to operate as a securities dealer may exist where the tokens issued qualify as securities (e.g. derivatives)”; and

Collective Investments Schemes: “potential links to collective investment schemes legislation may arise where the assets collected as part of the ICO are managed externally”.

As a concluding remark, FINMA reiterated that “…due to the close proximity in some areas of ICOs and token-generating events with transactions in conventional financial markets, the likelihood arises that the scope of application of at least one of the financial market laws may encompass certain types of ICO model. This is also the case for ICO activities which aim to circumvent those provisions”.

So, what does it mean? Can you still run an ICO without some kind of a banking license in Switzerland? Are past ICOs in trouble?

Short answer: it is still possible to do ICOs in Switzerland and, well… it depends on how the past ICOs were structured. Every project that followed my previously published advice (meaning: identifying customers, applying AML controls and ensuring that the token qualifies as a loyalty or closed-circle membership programme) is not in trouble. If this is not the case, some remediation should be planned and executed asap.

Let’s take it step-by-step.

Step One: Make sure your token is not structured as a security, debt, or any other form of investment or derivative product. If you are issuing a security, it is a completely different ball game.

Step Two: Identify token holders.

There are several ways of going about this: collecting documents from early investors during the pre-sale (you are going to know who they are anyway); entering into a reliance agreement with one of the cryptocurrency exchanges or wallet custodians that facilitates your ICO or currently trades your token (assuming your current or future clients are already clients of that exchange or custodian and have been appropriately identified by them, which is obviously a big assumption); setting up a pre-registration site; or a mix of all of the above.

If you are using pre-registration (strongly recommended), all users must register and as a minimum provide:

  • Full name;
  • Email;
  • Date of Birth;
  • Nationality;
  • Address; and
  • Phone (optional, but very useful for enabling two-factor authentication, which protects everyone from account takeover and disputes; note that SMS codes are weaker than an authenticator app, so do not make the phone your only second factor).

A different set of data applies to legal entities and their representatives. At this point (i.e. during pre-ICO registration) you must be able to collect and retain session, IP geolocation, device, language, operating system and other standard machine-fingerprint data. This information will be crucial for future fraud detection and authentication purposes.

At the end of the pre-registration process the user must agree that you keep their data for the purpose of ICO participation. You have to be clear that this registration is not connected to, and not binding for, ICO participation itself.

From the privacy and data protection perspective: if, for example, a third party facilitates the ICO from the technical standpoint and some customer data needs to be shared with it, the client must know about this and explicitly agree that their data will be shared with that provider.

You must also be able, from the technical standpoint, to link each registration to the unique blockchain address from which that participant will later send funds. It is a good idea to decide at this stage whether you will have minimum and maximum limits per participant, and whether you will allow immediate re-sale of the tokens (from the AML perspective, allowing immediate re-sale is not ideal, but if you are able to identify all participants in all re-sale activity and protect against pump and dump, good for you).

At this point you can already implement some filtering logic if you want to block participants from certain countries, based on their IP geolocation, address, nationality or phone country prefix. Combine these signals rather than relying on any one of them: IP geolocation is trivially bypassed with a VPN, and the declared address and nationality are self-reported.

All names of the ICO participants must be screened against a number of sanctions lists (as a minimum the UN/EU consolidated list, the Swiss (SECO) sanctions list and OFAC) and PEP lists. Most likely you won’t find anything, but you cannot skip this step. It can be done during pre-ICO registration or during the ICO itself, simply to ensure that your token holders are not sanctioned persons and not from embargoed jurisdictions such as Iran or North Korea. Screen on normalised names (accents stripped, transliteration, token order, punctuation) rather than exact strings, or you will miss obvious matches.

It is also a very good idea to implement detection tools for linked accounts, based on a shared device fingerprint or IP address.

Step Three: During the ICO, all successful participants must accept your T&Cs and privacy policy, at which point they become your customers.

Step Four: Verify your customers. After your ICO is complete, contributors with balances in excess of specific amounts must undergo an additional verification step, for example by completing video verification or providing copies of their documents. Depending on your country of residence and the nature of the token, the threshold could be at 5,000 CHF or 25,000 CHF. Those contributing above 100,000 CHF should be placed in a higher risk category, and for them you may need to do additional verification with questions about their source of funds and occupation, which can be done as an online questionnaire in combination with looking up their social-network footprint (yes, it is possible, and there are authorised providers who know how to do it).
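The following is an added example, not code from the original post or from Competitive Compliance, showing how the checks in Steps Two to Four fit together over a batch of pre-registration records: name normalisation before sanctions screening, country filtering on nationality, IP geolocation and phone prefix, linked-account detection over shared device fingerprints and IPs, one-address-per-registration enforcement, and risk tiering by contribution. The sanctions entries, country tables, IPs, wallet addresses and thresholds are all constructed for illustration; a real deployment takes list data and geo-IP from licensed providers and the thresholds from its own risk policy.

```python
# Added example (not code from the original post): a screening pass over
# pre-registration records.  Names, IPs, list entries and thresholds are
# constructed; production pulls sanctions/PEP data and geo-IP from providers.
import re
import unicodedata
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Registration:
    user_id: str
    full_name: str
    nationality: str   # ISO 3166-1 alpha-2, as declared by the user
    ip_country: str    # from a geo-IP lookup at registration (assumed done upstream)
    phone: str         # E.164
    device_id: str     # hash of the device/browser fingerprint captured at registration
    ip: str
    wallet: str        # blockchain address the participant will contribute from
    contribution_chf: float = 0.0


BLOCKED_COUNTRIES = {"IR", "KP"}                        # the post's own examples
PHONE_PREFIXES = {"+98": "IR", "+850": "KP", "+41": "CH", "+49": "DE", "+44": "GB"}
SANCTIONS_LIST = ["Doe, John", "Müller-Meier, Erika"]   # constructed, not real list data


def normalize_name(name: str) -> tuple:
    """Drop accents, punctuation, case and token order: "Erika Müller-Meier" == "MULLER-MEIER, Erika"."""
    plain = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return tuple(sorted(re.findall(r"[a-z]+", plain.lower())))


def screen_sanctions(name: str, entries=SANCTIONS_LIST) -> list:
    """Exact match after normalisation; fuzzy/phonetic matching is left to the list provider."""
    key = normalize_name(name)
    return [e for e in entries if normalize_name(e) == key]


def jurisdiction_flags(reg: Registration) -> list:
    """Which signals (declared nationality, IP geolocation, phone prefix) point at a blocked country.
    Each is checked on its own because any one of them can be faked (VPN, false form entry)."""
    flags = []
    if reg.nationality in BLOCKED_COUNTRIES:
        flags.append("nationality")
    if reg.ip_country in BLOCKED_COUNTRIES:
        flags.append("ip")
    for prefix in sorted(PHONE_PREFIXES, key=len, reverse=True):   # longest prefix wins
        if reg.phone.startswith(prefix):
            if PHONE_PREFIXES[prefix] in BLOCKED_COUNTRIES:
                flags.append("phone")
            break
    return flags


def linked_accounts(regs: list) -> list:
    """Cluster registrations sharing a device fingerprint or an IP (union-find over shared keys)."""
    parent = {r.user_id: r.user_id for r in regs}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    by_key = defaultdict(list)
    for r in regs:
        by_key[("device", r.device_id)].append(r.user_id)
        by_key[("ip", r.ip)].append(r.user_id)
    for ids in by_key.values():          # everyone sharing a key joins the first member's set
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(set)
    for uid in parent:
        groups[find(uid)].add(uid)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def duplicate_wallets(regs: list) -> dict:
    """Each registration must map to one unique contribution address; report addresses claimed twice."""
    owners = defaultdict(list)
    for r in regs:
        owners[r.wallet.lower()].append(r.user_id)
    return {w: ids for w, ids in owners.items() if len(ids) > 1}


def verification_tier(contribution_chf: float, doc_threshold=5_000, edd_threshold=100_000) -> str:
    """Thresholds are assumptions taken from the ranges the post mentions."""
    if contribution_chf >= edd_threshold:
        return "enhanced"    # source-of-funds questionnaire, occupation, footprint check
    if contribution_chf >= doc_threshold:
        return "documents"   # ID copy or video verification
    return "basic"


# Constructed sample (IPs from RFC 5737 documentation ranges; wallets are dummies).
SAMPLE = [
    Registration("u1", "Erika Müller-Meier", "CH", "CH", "+41791234567", "dev-a", "203.0.113.10", "0xAAA1", 200_000),
    Registration("u2", "Hans Example", "DE", "DE", "+491511234567", "dev-a", "198.51.100.7", "0xBBB2", 3_000),
    Registration("u3", "Ali Example", "IR", "CH", "+989121234567", "dev-c", "198.51.100.7", "0xCCC3", 20_000),
    Registration("u4", "Sam Example", "GB", "GB", "+447700900123", "dev-d", "192.0.2.5", "0xbbb2", 7_000),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.user_id, screen_sanctions(r.full_name), jurisdiction_flags(r), verification_tier(r.contribution_chf))
    print("linked:", linked_accounts(SAMPLE), "wallet conflicts:", duplicate_wallets(SAMPLE))
```

In the sample, u1 hits the (constructed) sanctions entry despite the different spelling and token order, u3 is flagged on nationality and phone prefix but not on IP (a VPN exit in Switzerland, which is exactly why the signals are combined), u1, u2 and u3 form one linked cluster through a shared device and a shared IP, and u2 and u4 have claimed the same contribution address in different letter case. None of this replaces a provider's fuzzy matching or a human review; it is the first-pass logic that decides who gets routed there.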

Compliance as a competitive advantage and business-enabling function is our credo. FinTech is our domain. Homepage: https://www.competitivecompliance.com/