Essential Crypto Regulations for Decentralized Finance | CoinAlpha’s KYC-Enabled Basket Protocol

Carlo P. Las Marias
Published in Hummingbot Blog
11 min read · Oct 14, 2018

Disclaimer: I am not a legal advisor. My comments below are based on my understanding of the current regulatory environment, after significant research and discussions with multiple, global law firms (and incurring an unthinkable amount of associated legal bills); the content below also only skims the surface. You are advised to confer with your own counsel before acting, and please comment if you have any differing views.

TL;DR

CoinAlpha is part of a community called DeFi that is working on decentralized finance projects on the blockchain. On September 12, 2018, we hosted a meeting at our offices to discuss regulatory and compliance matters. Clearly, this is a topic of high importance and of concern for the community. Our thoughts and discussion of some of the key points follow.

Preface: Decentralized Finance vs. Cryptocurrency Regulations

The rise of blockchain technology and cryptocurrencies has emboldened visions of financial freedom and deregulation through decentralization. Over the past two years, we have seen successful ICOs and the creation of companies focusing on decentralized versions of exchanges, lending platforms, financial products, crowd funding, and prediction markets. Recently, however, the idealists have had to come back down to Earth (a bit) due to increasing scrutiny from regulators (SEC and FinCEN), who have been working to keep up with the developing technologies and have even recently been taking enforcement actions against companies in the sector.

The reality is, we still live in a fiat world. Companies who want to create traditional corporations and establishments are not free from the grasp of regulators. The primary challenge of operating a cryptocurrency company in the current regulatory environment arises from the lack of clear rules and regulations. In the U.S. for example, all we have are vague statements from the SEC Chairman, while determining whether or not a digital asset is a “security” based on the Howey Test is subject to interpretation.

While jurisdictions such as Malta and Thailand have been moving forward to create cryptocurrency regulatory frameworks, most of the world’s major jurisdictions have yet to take definitive action. Any company looking to operate in multiple jurisdictions is faced with the additional complication of having to navigate disparate regulatory regimes.

Of course, there are bad actors in the crypto space, which justifies a lot of this regulatory scrutiny. But (optimistically) there are many more companies who want to comply with rules, but have their hands tied due to uncertainty. So where do we go from here?

KYC/AML and Securities Regulations

First, we must understand what the main regulations are concerning companies dealing with cryptocurrencies. The overriding regulations are (1) know your customer / anti-money laundering (“KYC/AML”) requirements, such as those imposed by the U.S.’ FinCEN and its equivalent in most major, reputable jurisdictions, and (2) distribution of and transactions in securities, which, in the U.S., falls under the jurisdiction of the SEC.

Messing up KYC/AML can land you in jail, while tripping up on securities regulations can result in hefty fines, companies being shut down, and being personally barred from securities markets and serving on corporate boards.

Anti-Money Laundering

Due to their secretive nature as well as their ease of transmission, cryptocurrencies serve as an ideal conduit for laundering money. Sending Bitcoin or Ethereum is easy and instantaneous compared to, say, moving ill-gotten money around in brown paper bags. Naturally, they pose a high risk for abuse and therefore garner regulators’ attention.

Anti-money laundering regulation applies to companies operating “money transmitter businesses”, which may include transacting and trading in cryptocurrencies with customers. Such companies are required to know who their customers are prior to engaging in any transactions. Potential customers must be screened against sanction lists (such as OFAC) to avoid dealings with known terrorists, money launderers, or politically-exposed persons. Other requirements include ongoing monitoring of customers to flag any suspicious or unusual transactions and periodically checking to ensure that existing customers have not been added to any sanction lists.

Securities Regulations

Regulators such as the SEC regulate securities because they want to protect investors from harm and potential loss on their investments through wrong-doing on the part of the security issuer, market manipulation, or from lack of understanding (or disclosure) about risks.

For social reasons, regulators are particularly concerned about protecting unsophisticated, “retail” investors; for example, they don’t want your grandparents losing all of their retirement savings from buying some scammy ICO.

Regulators are less concerned about “accredited investors”, which are investors deemed to be well-off enough to be able to tolerate investment losses or educated/professional enough to understand the risks of potentially speculative investments. The bar to qualify as an accredited investor in the U.S.: either (a) $200,000 annual income (or $300,000 jointly with a spouse), or (b) $1 million of assets excluding primary residence.

Since digital token issuers are typically newer companies (many of whom have only whitepapers and zero actual commercial progress), they present a higher risk for investors and, rightfully, raise red flags with regulators.

What do “securities” have to do with cryptocurrencies?

Some digital assets may be deemed “securities”. It’s easy to see that any digital tokens that have characteristics similar to equity (representations of ownership or claims to shares of profits), debt (tokens with rights to interest or repayment), or investment schemes (tokens with claims to investment participation) are “securities”. What’s less clear are tokens initially distributed as “utility” tokens but whose values are in some way tied to the performance and activities of the issuer. Also unclear are tokens that were potentially sold by the issuer under the pretext of an investment. From the SEC Chairman’s point of view, essentially all ICOs issued have been “securities”.

Herein lies a major fundamental problem for companies transacting in cryptocurrencies; as mentioned above, determination of whether or not a digital asset is a “security” is not always clear.

What does this imply for my cryptocurrency transactions?

For token issuers, if your token might be deemed a security, you must comply with securities offering regulations. In the U.S., this means you must register the offering with the SEC (which is quite an involved process, requiring substantial disclosure and ongoing public filings) or otherwise rely on an exemption from registration.

Examples of exemptions are as follows:

  1. 144A private placement open to accredited investors only
  2. Reg S (sales outside of the U.S. to non-U.S. persons)

Extending from these exemptions are transfer restrictions that would apply to all parties transacting with cryptocurrencies:

  • For 144A private placements, limitation on the transfer of assets over the first year following issuance
  • Reg S securities: digital assets issued outside of the U.S. may not be distributed to U.S. persons.

Due to the SEC’s current lack of clarity on which digital assets constitute a “security”, digital assets issued outside of the U.S. that may be deemed “utility” tokens or cryptocurrencies (i.e. not securities) in their respective jurisdictions may still be deemed a security by the SEC. Therefore, transfer of any such digital assets to U.S. persons may run afoul of U.S. securities regulations.

Regulatory Approaches for Cryptocurrency Companies

Anti-money laundering requirements are relatively clear; if you are operating a money transmitter business, you need to perform KYC/AML.

The main uncertainty in dealing with cryptocurrencies is related to securities regulations. Given this lack of clarity, what alternatives do companies have to launch and/or continue to operate their technologies and work in the crypto space? Below are some alternatives that companies are pursuing.

Alternative 1. Business as usual; accept regulatory uncertainty (and risk)

Some companies are operating and comfortable occupying a gray area…for now. They generally acknowledge operating with some level of risk.

Example: OTC Market Makers
Some of the most profitable companies in the industry are companies that assist cryptocurrency holders to trade their cryptocurrencies: OTC market makers. Unlike public exchanges, OTC market makers have networks of clients, manage their order books privately, and discreetly facilitate larger “block” trades.

Regulatory risk: acting as an unregistered broker-dealer of securities

Risk level: varies depending on activities

What they are doing: most OTC market makers operate without licenses and are not registered with FINRA as broker dealers. The general rationale for this is that the SEC has not provided clear guidance on cryptocurrencies.

Operating in this manner does carry with it varying degrees of risk: trading in Bitcoin and Ethereum only is pretty low risk, since those are the only two cryptocurrencies for which the SEC has actually given clearer guidance that they are not securities. However, many OTC market makers do also transact in other cryptocurrencies, e.g. ERC20/ICO tokens.

The risk of this approach is that the SEC can shut down or fine such companies, if it deems some of the digital assets they are transacting in as “securities”. Some OTC market makers and counsels are optimistic that if (or when) the SEC begins to enforce regulations, it may give market participants time to become compliant (such as a grace period for registering with FINRA/SEC) or give advance notice to cease operations. But these are just guesses. To some degree, many OTC market makers acknowledge the possibility that they may be forced to shut down at any time.

Alternative 2. Provide the protocol technology only

Risk level: low

Regulatory risk: conducting or facilitating unregulated parties to conduct regulated activities (e.g. transacting in securities)

Some companies have chosen to provide decentralized technologies only and distance themselves from the activities conducted using their technologies. For an example of this, read Augur’s Terms of Service and FAQs. By not acting as parties to the transactions (i.e., not using the technologies themselves) conducted on their platforms, these companies reduce the risk of contravening regulations. Examples of this are decentralized exchanges (such as 0x Protocol) and Augur. Augur has created a protocol for prediction markets, which are basically “contracts-for-differences” that very clearly have characteristics of derivatives/securities. To get comfortable with their regulatory position, Augur provides and maintains the true peer-to-peer software only.

That being said, this approach is not without risk. One counsel has advised us that there is a possibility (even if remote) that providing technology to enable unlawful activities (which unregulated companies engaging in regulated activities is) may implicate the technology provider as well.

On a side note, regulatory considerations aside, one major downside of this approach is that it limits potential users and adoption. (1) Larger institutions may not be able to use these platforms because they are not regulated, and funds / institutional investors / registered money transmitter businesses may not be able to trade on DEXs because there is no KYC/AML enforced. (2) Separately, having to install local software, update local nodes: quite a lot of hoops to jump through for a potential user. (3) Lastly, the company itself has to rely on others to generate activity on its platform. “If you build it, they will come” 🙏…
A lot of headwinds, from a business perspective.

Alternative 3. Partner with regulated entities

One of the technologies that we have developed is the ability to create diversified portfolios of cryptocurrencies and efficiently make markets in the aggregate portfolios and their underlying cryptocurrencies. However, due to the regulatory uncertainty surrounding this activity, we have chosen to partner with a U.S. registered broker-dealer, Sharespost. In this arrangement, we provide Sharespost with cryptocurrency expertise and our trading technologies. Since Sharespost is a registered broker-dealer, they are conducting regulated activities within the scope of their registration. It’s a win-win; we provide them with a new crypto product to offer their investors, and we get to deploy and implement our technologies.

Alternative 4. Modify technologies to allow for regulatory compliance

Companies are developing new technologies that are regulatory compliant, or modifying their existing technologies.

One of the clearest examples of this is the developing security tokens market. Companies are developing security token exchanges (such as tZERO, OpenFinance Network) and security token protocols (e.g. Polymath, Harbor, Securitize), purpose-built to control the users of protocols and the methodology for the creation/issuance of digital assets, as well as to enforce transfer and any other related restrictions.

For our Basket Protocol, we have taken this approach and created a version of our protocol that allows for user control and transfer restrictions on Basket Tokens. Separately, our Fund Protocol, in which only whitelisted addresses are able to send subscription requests, also enables KYC/AML control.

KYC Enabled Basket Protocol

We have created a KYC-enabled version of our Basket Protocol by introducing a new module, the KYC.sol smart contract, which implements token holder whitelisting and transfer restrictions. Only whitelisted Ethereum wallet addresses are allowed to hold Basket Tokens; transfers to non-whitelisted addresses will fail. Similarly, any attempts to create or fill buy or sell orders that would result in non-whitelisted addresses receiving Basket Tokens will also fail. These restrictions are enforced at the protocol level.

This allows users of the protocol to add an off-chain KYC/AML verification step when using the protocol. The protocol administrator or a designated KYC Admin address may whitelist or unwhitelist Ethereum addresses. The main functions are summarized below:

// Query if an address is whitelisted
function isWhitelistedHolder(address _holder) public view returns (bool)

// Function to whitelist an Ethereum address
function whitelistHolder(address _addressToWhitelist) public onlyOwnerOrAdmin returns (bool)

// Function to remove an address from the whitelist
function unWhitelistHolder(address _addressToUnwhitelist) public onlyOwnerOrAdmin returns (bool)

The contracts which involve potential transfers of basket tokens (namely the Basket and the BasketEscrow contracts) connect to the KYC module to verify validity of the recipient Ethereum address before allowing for the execution of token transfers.
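
As an added illustration (not CoinAlpha's KYC.sol or any code from the Basket Protocol), the sketch below shows one way a whitelist module with the three functions summarized above could gate a token transfer. The contract names, the single admin address, the storage layout and the simplified token are assumptions; only the three function signatures come from this article.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not CoinAlpha's KYC.sol: only the three function
// signatures come from the article; storage and roles are assumed.
contract KYCSketch {
    address public owner;
    address public admin; // assumed: one designated KYC Admin address
    mapping(address => bool) private whitelisted;

    modifier onlyOwnerOrAdmin() {
        require(msg.sender == owner || msg.sender == admin, "not authorized");
        _;
    }

    constructor(address _admin) {
        owner = msg.sender;
        admin = _admin;
    }

    function isWhitelistedHolder(address _holder) public view returns (bool) {
        return whitelisted[_holder];
    }

    function whitelistHolder(address _addressToWhitelist) public onlyOwnerOrAdmin returns (bool) {
        whitelisted[_addressToWhitelist] = true;
        return true;
    }

    function unWhitelistHolder(address _addressToUnwhitelist) public onlyOwnerOrAdmin returns (bool) {
        whitelisted[_addressToUnwhitelist] = false;
        return true;
    }
}

// Hypothetical token: transfer() reverts unless the recipient is whitelisted.
contract RestrictedTokenSketch {
    KYCSketch public kyc;
    mapping(address => uint256) public balanceOf;

    constructor(KYCSketch _kyc, uint256 _supply) {
        require(_kyc.isWhitelistedHolder(msg.sender), "deployer not whitelisted");
        kyc = _kyc;
        balanceOf[msg.sender] = _supply;
    }

    function transfer(address _to, uint256 _value) public returns (bool) {
        require(kyc.isWhitelistedHolder(_to), "recipient not whitelisted");
        balanceOf[msg.sender] -= _value; // Solidity 0.8 reverts on underflow
        balanceOf[_to] += _value;
        return true;
    }
}
```

In this sketch, removing an address from the whitelist only blocks future receipts; a balance the address already holds stays where it is, and the owner and admin keys decide who may hold the token at all.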

What do users do if they want to transact with parties other than those whitelisted in the protocol?

The Basket Protocol is built on the premise that the Basket Token holder retains ultimate control of the underlying cryptocurrencies contained in the Baskets.

So doesn’t restricting transfers to whitelisted holders prevent this?

Actually, no. While a holder of a basket token may not transfer his basket token holdings to an address that is not whitelisted, the holder continues to have the ability to “debundle” basket tokens and take ownership of the underlying tokens. Once debundled, the underlying tokens can be individually transacted or transferred just like any other tokens. Most importantly, because a debundled basket token ceases to exist, basket tokens cannot be used in ways not permitted by the protocol administrator. Our protocol not only helps token holders, it does so in a way that works within existing regulatory frameworks.

One of our core values at CoinAlpha is a belief that blockchain and cryptocurrency-related technologies have the potential to revolutionize many industries such as the financial and asset management sectors, which continue to operate with inefficient, age-old processes and procedures. It’s of utmost importance to carry on with our mission of proving out the underlying technologies. As a startup, we simply don’t have the luxury of time to wait around for clearer guidance from regulators; we need to start generating revenue today.

While this does dampen the realization of a fully decentralized financial system today, it does create a near-term path for us to move forward with our company. One step forward…

Carlo P. Las Marias
Quant Finance 2.0 for Digital Assets | Co-Founder/Board Member of CoinAlpha | Ex TradFi (GS/DB/UBS/CSFB) | Wharton/Penn Engineering | Calisthenics 🤸🏻‍♂️