Introducing the Private ICO (PICO)

How to Bring Token Fundraising into Compliance

By David Sacks and Josh Stein
Note: This post does not provide legal advice. In any token sale, there are a host of legal requirements to consider. Please consult your own securities lawyer.

I believe every ICO I’ve seen is a security. ICOs that are securities offerings, we should regulate them like we regulate securities offerings. End of story.”
— Jay Clayton, Chairman, U.S. Securities and Exchange Commission, testimony before the United States Senate, February 6, 2018

With those words, the SEC Chairman staked out a clear position — U.S. securities laws apply to the vast majority of ICOs. Companies raising funds with an ICO must comply or face possible enforcement action by the SEC. This warning comes as the ICO industry has raised more than $8 billion to date, which is in large part what has drawn SEC scrutiny.

The Chairman’s testimony before Congress was the latest in an escalating series of concerned statements from the SEC over the past few weeks and months. In remarks on January 22nd, Chairman Clayton noted that “I have instructed the SEC staff to be on high alert for approaches to ICOs that may be contrary to the spirit of our securities laws.” He pointedly warned just a month earlier that “I have asked the SEC’s Division of Enforcement to continue to police this area vigorously and recommend enforcement actions against those that conduct initial coin offerings in violation of the federal securities laws” (emphasis added).

These are not idle threats. The SEC has lodged an increasing number of enforcement actions. In addition, the SEC is issuing a large number of subpoenas to mainstream ICO platforms and investors, not just dubious ventures. Rumors have been sweeping the industry of pending enforcement actions against high-profile ICOs. Equally concerning for ICO issuers, aggrieved buyers may have private rights of actions that could attract the plaintiff’s bar if securities that were not properly registered decline in value.

Now that the SEC has clearly stated that virtually all ICOs are securities — and vigorous enforcement is the new reality — we want to outline a path forward for the industry. We don’t think that all token sales for fundraising in the U.S. need to end, but they do need to be brought into immediate compliance with securities laws. We propose a way to do that with a Reg D-compliant private sale, combined with a new token permissioning technology (the “R-Token”) that makes it practicable for issuers and investors to abide by existing rules and regulations. We call this approach the Private Placement ICO or “PICO”.

How We Got Here
To understand the SEC’s reaction and the path forward, it is worth reviewing how the industry got to this point.

In the beginning of cryptotokens, no one thought to apply securities laws to these novel inventions. Bitcoin was mined, not sold. The first token crowdsales were small, with little public awareness. As late as March 2016, only $56 million had been raised through ICOs. But ICOs quickly grew, and the community slowly started to recognize there might be securities law implications. A year later in March 2017, ICOs had raised a total of $330 million. Barely six months later in September 2017, ICOs had raised over $2 billion. As ICO funding exploded, the SEC declared in the DAO Report (June 2017) that digital assets could be securities, applying traditional securities law doctrine (the Howey test).

Following the DAO Report, Protocol Labs and the law firm of Cooley LLP set forth a conceptual framework for how securities laws might apply to token sales in a white paper entitled “The SAFT Project” (October 2017). Using the same Howey test, but applying it in a novel way, the paper argued that tokens designed for use as payment in blockchain protocols were likely not securities when the protocol was functional and the token had true utility. At the same time, the white paper expressed concern over ICOs of utility tokens before they were functional, warning that most such tokens would likely be deemed securities subject to the federal securities regime. Notably, functionality was put forth in a binary way — a protocol was either functional or not.

The white paper advanced a two-step solution based on a pre- and post- functional distinction. Borrowing from Y Combinator’s Simple Agreement for Future Equity framework (the famous “SAFE”), the authors proposed the Simple Agreement for Future Tokens (“SAFT”) as the first step toward obtaining compliant fundraising for companies who are contemplating ICOs. Simply put, instead of issuing pre-functional utility tokens, the company would enter into a forward contract — the SAFT — with accredited investors. The accredited investors would provide the company with immediate capital, and in exchange, would be promised rights to receive functional utility tokens once the protocol was working. While the SAFT itself was a security, the tokens themselves would not be securities because they were functional. Thus there would be no restrictions on the further sale of these utility tokens.

Since October 2017, many companies have followed this process, relying on the distinction between pre- and post-functionality as the dividing line between when a utility token might be considered a security. The SAFT white paper noted that the SEC had not commented specifically on the concept of functionality as the defining difference between a utility token and security token, noting “we await and expect further guidance from the SEC”.

The recent series of escalating comments from the SEC — ending with “I believe every ICO I’ve seen is a security” and a flurry of subpoenas — is the “further guidance” we have been waiting for, and it shows that the simple binary functionality distinction in the SAFT white paper is not sufficient. The SEC seems to be saying that if tokens are used for a fundraising purpose, they are securities — “end of story” — even if they have some utility.


The New “Private ICOs” Under Reg D
Even in the shadow of SEC enforcement action, fundraising has not stopped; in fact, it has accelerated, with a record $2B raised in 2018 already. However it has quickly shifted from public crowdsales to so-called Private ICOs, in which token sales are limited to accredited retail investors and institutions. These Private ICOs have accounted for 84% of fundraising in 2018.

The Private ICO approach attempts to comply with securities laws using Reg D, specifically Rule 506(c). Reg D provides for the issuance of private securities without the onerous registration requirements of an IPO. The Form D disclosure filed with the SEC is relatively lightweight. It’s the form for securities issuance used in traditional VC rounds, and Form D filings are where Crunchbase gets its information. For our discussion, the significant restriction on issuance is that only accredited investors may buy. Accredited investors are those with more than $1 million in net worth (excluding home value), or 3 years of annual income exceeding $200,000 (for a single individual) or $300,000 (for a couple).

Although Reg D securities are much easier to issue than public securities, their trading is restricted in the first year after issuance. Unfortunately, this is where most Private ICOs fall down — they don’t enforce secondary trading restrictions. The more circumspect ones have sold tokens to accredited investors subject to a one-year lockup, so investors don’t receive their tokens for at least one year. This solves the problem of secondary trading during the restricted period, but it creates a practical issue: How will the protocol actually function without tokens being available in the first year?

To address this problem, some are using “airdrops”, the practice of distributing free tokens with the thought that there are no securities law restrictions on tokens given away rather than sold. At best, this is a very fact-specific grey area. The general principle is that if the company has received or will receive “any value” from the recipients of the airdrop in exchange for the tokens, then the securities laws apply to the airdrop itself (see an illustrative SEC analysis here). The airdrop argument would be stronger if the tokens had never been used for fundraising. But it seems hard to argue that a token that’s already treated as a security on direct sale would suddenly stop being a security when given to a speculator who trades it for a profit. Moreover, if the tokens are securities, there still remains the question of whether the tokens must be traded on a licensed exchange.

We believe that Private ICOs that comply with Reg D on issuance but disregard the rules on secondary trading will be short-lived, as it is only a matter of time before SEC enforcement turns to this issue. The SEC is unlikely to see 50% compliance as a passing grade. Given the new environment, we think the approach of Private ICOs that rely on “lockup + airdrop” for distribution is too risky, and a more complete approach is needed.

How to Make PICOs Compliant
A Reg D-compliant private sale needs to enforce restrictions on secondary trading, as well as initial issuance. At the same time, as a practical matter, tokens need to be sufficiently available to enable use of the protocol. We believe both objectives are possible.

Secondary sales of Reg D securities are allowed if they meet certain requirements. Under Section 4(a)(7), the private resale exemption, accredited investors may generally resell to other accredited investors after a 90-day post-issuance lockup period. One year after the initial issuance, the public may generally buy and trade the tokens under Rule 144.

The combination of Reg D, Section 4(a)(7), and Rule 144 offers a practical way forward. In this scenario, the company raises initial funds on a SAFT from accredited investors, then issues the tokens to those accredited investors. After a relatively short 90-day lockup, those initial accredited investors are free to trade with any other accredited investors. This allows the protocol to begin functioning. Nine months after that, all investors, not just accredited, are free to own the token.

The question is, how does one enforce the secondary trading requirements under Section 4(a)(7) and Rule 144? A new technology called R-Token makes this path logistically possible.

An R-Token is a type of token that is permissioned based on the Regulated Token Standard. The Regulated Token Standard is based on the ERC-20 standard but contains additional code to check an on-chain Regulator Service before it trades. The Regulator Service can be configured to meet relevant securities regulations, Know Your Customer (KYC) policies, Anti-Money Laundering (AML) requirements, tax laws, and more.

When a trade is requested, the R-Token checks with the Regulator Service to make sure that the investor and the trade are compliant; otherwise the token throws off an error message and will not transfer. In the case of Section 4(a)(7), for example, R-token will ensure that a token is being transferred to an accredited investor after the initial 90-day period. The R-Token can also be implemented to ensure that the tokens trade only on approved trading platforms.

Harbor designed the R-Token standard to tokenize traditional securities and securitize assets more broadly. It was designed from the ground up to instantiate a wide variety of securities rules, including many of the specific rules within Reg D, Reg S, Section 4(a)(7), Rule 144, as well as KYC/AML and investor accreditation. Different types of securities come with a host of different and complex rule sets, including different rules on secondary trading. Harbor recently published the whitepaper and smart contracts for R-Token and the Regulator Service — you can find them on

While we’ve focused this blog post on U.S. law, the flexibility of the protocol allows for multiple jurisdictions for true international compliant use. For example, Reg S provides an exemption under U.S. securities laws for international offerings sold to non-U.S. persons. Issuers wanting to do a Reg S token sale could permission R-Token to exclude U.S. persons altogether. Alternately, R-Token could facilitate the combination of a Reg D offering to accredited U.S. investors and a Reg S offering to non-U.S. persons to achieve the widest possible compliant token distribution. The application of R-Token permissioning for use with the Reg S exemption and international laws is a lengthy topic for its own blog post.

Why It’s Good Policy
We believe that the Reg D-compliant PICO described above, with an accredited-only secondary market for the first year, presents a great option for the industry (especially when coupled with a Reg-S compliant offering with broad foreign-only distribution). It serves not just the letter but the spirit of the securities rules, fulfilling their underlying policy rationales. The SEC has a 3-part mission: (i) protect investors, (ii) maintain fair, orderly, and efficient markets, and (iii) facilitate capital formation. The Reg D-compliant PICO serves all three interests, providing a common, reliable, and efficient way to raise funds with slowly expanding liquidity as the risks to investors lessen and become better known:

  • Use of the SAFT and PICO to raise funds for future tokens facilitates capital formation. Reg D on issuance protects investors by limiting the initial issuance to accredited investors, who have the sophistication and financial resources to deal with the risks of a nascent industry with young companies.
  • The 90-day lockup period of Section 4(a)(7) dampens the initial speculative fever that has accompanied prior ICOs. The continued limitation of trades after 90 days to accredited investors protects the broader investor community when the protocol and company are still very young and risky. There is an orderly market for prepared sophisticated investors.
  • The opening up of secondary trades to any investor after a year allows for essentially public distribution of the tokens. At first glance, a year period to widespread public ownership might look long to the creators of a new protocol, but it should work for most scenarios. The clock starts counting down on token issuance, not the protocol going live. For those companies eager to get tokens into more hands more quickly, doing the token issuance sooner in their lifecycle and before the protocol is live will cause the clock to start ticking much earlier than current industry practice. Think of the remaining time as a public beta period of the protocol. Having some months with a more limited pool of sophisticated, engaged, and fault-tolerant users makes for a good beta.
  • After a year, there should be much more information for all investors on whether the protocol is working, the use and valuation of the token, etc., which is good for the broader pool of investors and makes for a better market. Moreover, after a year the functionality of the protocol may have advanced sufficiently such that the tokens have truly become utility tokens.

Finally, it is worth noting that there are additional benefits to the use of permissioned tokens. In addition to securities law, regulators are concerned about issues like tax evasion, money laundering, and anti-terrorism. For tokens that have been deemed securities, regulators across the world will not let them be anonymously held and traded, as bearer securities have been outlawed in dozens of countries. R-Token ensures that every token holder is a known party who passes KYC/AML and other tests.

Fundraising through ICOs has unleashed a wave of innovation across our industry, democratized access to capital across the globe, and allowed talented developers anywhere to pursue their visions. Those are all good things. But unless ICOs are quickly brought into compliance with securities and other laws, they will be brought to an abrupt halt by regulators and private litigation — at great cost to all involved.

Harbor urges all ICO issuers and issuing platforms to embrace the Regulated Token Standard, which can enforce the necessary restrictions on issuance and secondary trading. There is no need to ignore current SEC rules; what’s needed is technology to comply with them. Harbor is not an issuing platform. We are an open-source protocol. We invite all ICO issuing platforms and identity verification services to contact us at

Fundraising is arguably the one killer app for blockchain that has value today for end-users. Investors have quickly demonstrated a willingness to participate in and embrace this new global digital financial system. But even though the demand is there, the compliance has been lacking — until now. It’s time for the industry to get serious about compliance, before a combination of severe enforcement, private litigation, and new regulations strangle ICOs and token sales altogether. We believe that the PICO with the proper implementation of permissioned tokens will allow this new financial system to flourish.

David Sacks is the Chairman of Harbor and a General Partner at Craft Ventures.
Josh Stein is the President and General Counsel of Harbor.

Like what you read? Give Harbor a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.