The obligation to secure your opponent's data in the age of hacking
Hacking, corporate espionage and data breaches are on the rise around the globe.
In the summer an international team of regulatory lawyers at Norton Rose Fulbright produced an article for Thomson Reuters summarising international regulatory developments concerning initial coin offerings. The article is reproduced below.
The International Organisation of Securities Commissions (IOSCO) issued a communication warning that the wider targeting of initial coin offerings (ICOs) to retail investors through online distribution channels raises investor protection concerns. The communication followed warnings issued by regulators in individual jurisdictions, which are discussed below.
Since 2017 there has been a steady stream of regulatory warnings concerning ICOs. For example, in September 2017 the UK Financial Conduct Authority (FCA) issued a consumer warning on ICOs which was followed a month later by a discussion paper on ICOs from the French regulator, the Autorité des Marchés Financiers. In November the German regulator, the BaFin, issued its own warning on ICOs which was followed a couple of days later by public statements from the European Securities and Markets Authority (ESMA) on the risks ICOs present to investors and rules applicable to firms. A day after ESMA's public statements the Dutch Authority for the Financial Markets issued its own warning. The Central Bank of Ireland issued its own alert on ICOs, in December 2017.
Although the announcements were made at different times the core messaging is remarkably similar, and focuses on three particular components: (i) that ICOs are risky and highly speculative investments; (ii) depending on how they are structured, ICOs could fall inside or outside the regulatory perimeter, and this is judged on a case-by-case basis; and (iii) it is down to ICO issuers themselves to consider whether they fall within the regulatory perimeter; if they conclude that they do, they need to seek the necessary regulatory approvals.
From a UK perspective, the regulatory perimeter has become slightly clearer following the FCA's publication of a statement that activities in relation to derivatives which reference either cryptocurrencies or tokens issued through an ICO are "likely" to require FCA authorisation.
The FCA has not yet confirmed its position regarding the regulatory status of tokens more generally, however, as has been the case in other jurisdictions (such as in Switzerland). The German BaFin has also issued an advisory letter on the supervisory classification of cryptocurrencies underlying ICOs as financial instruments. BaFin noted among other things that a token can serve as the underlying asset for a derivative contract and that where a token is the underlying asset for a derivative contract, the derivative contract is to be classified as a financial instrument for MiFID II purposes.
Both the Hong Kong Securities and Futures Commission (SFC) and the Monetary Authority of Singapore (MAS) have issued warnings regarding ICOs. The SFC has issued both a statement (September 2017) and a warning (February 9, 2018) on ICOs. It has also issued a reminder on cryptocurrency related products and derivatives (December 11, 2017).
In both jurisdictions the regulators have followed a similar line to European regulators in the sense that whether ICOs come within the regulatory perimeter is dependent on the facts of each case. Both the SFC and the MAS, however, have noticed an increase in the use of ICOs to raise funds and therefore the focus has tended to be on whether ICOs fall within relevant securities laws.
The Australian Securities and Investments Commission (ASIC) has issued a number of papers on ICOs, notably Information Sheet 225: ICOs (INFO 225). ASIC's most recent paper, released in May, included an announcement that the regulator has received delegated powers from the Australian Competition and Consumer Commission enabling it to take action against misleading or deceptive conduct in marketing or selling of ICOs, even where the ICO does not involve a financial product. This rather innovative Australian approach was neatly (and somewhat bluntly) summed up by John Price, ASIC Commissioner, who said at the time of the announcement: "Regardless of the structure of the ICO, there is one law that will always apply: you cannot make misleading or deceptive statements about the product."
Additionally, in INFO 225, ASIC has left the door open for ICOs to be managed investment schemes (MIS). An MIS is any arrangement whereby
It is possible that an ICO could potentially be an MIS under Australian financial services law because essentially, investors' money will be pooled together by the token-issuing entity to build their private blockchain or invest in other underlying assets on behalf of token-holders.
An Australian court has not yet tested this, but there is a risk that an ICO may be ruled as an MIS which, if promoted to retail investors in Australia, will need to be registered with ASIC and issuers will need to comply with strict licensing, disclosure and other obligations regulated under Chapters 5C and 7 of the Corporations Act 2001.
The risk is that if a person operates an MIS without registering it with ASIC, and fails to comply with the relevant regulatory obligations, a court may order the MIS to be wound up and monies returned to investors.
The Canadian Securities Administrators (CSA) have recently published CSA Staff Notice 46-308 Securities Law Implications for Offerings of Tokens which builds on the 2017 CSA Staff Notice 46-307 (Cryptocurrency Offerings). The staff notice was also accompanied by an investor alert on investing with crypto-asset trading platforms.
The CSA staff notice outlines specific situations the CSA has come across that may have an implication for the presence of one or more of the elements of an investment contract in the context of an offering of coins or tokens. The CSA also reminds firms that certain exemptive relief from securities law requirements may be provided through its Regulatory Sandbox, subject to certain conditions ensuring adequate investor protection.
The CSA staff notice is a clear indication that Canadian securities regulators are monitoring the crypto asset space very closely. It also suggests that they understand commonly used token offering models, including structures that may have been adopted to minimise the application of Canadian securities laws. By explicitly addressing offerings by way of simple agreements for future tokens (SAFTs), through air drops or from foreign jurisdictions, the CSA staff notice signals that regulators may readily subject certain projects which use these structures to Canadian securities laws.
In general, the CSA's approach appears to be consistent with the approach taken by the U.S. Securities and Exchange Commission (the SEC), namely, that most token offerings are subject to applicable securities law.
The SEC continues to view nearly all ICO transactions sold from the United States or to U.S. persons as transactions in securities that would require registration with the SEC or an exemption from registration. This is especially the case when the money raised in the ICO is used to develop a platform or token product that does not yet exist, or that is not yet fully functional, at the time the ICO transaction takes place.
In a speech on June 14, 2018, however, William Hinman, SEC director of corporation finance, said that once the platform is built post-ICO, it is at least theoretically possible that the token itself is not a security. The analysis turns in part on whether and how the token is sold by promoters in the market and on whether and how token holders after the ICO use their tokens on the platform (assuming it is built) or trade them with other market participants. If a token is not a security, then other regulatory regimes may apply. It has been reported by several news outlets that the U.S. Department of Justice, in coordination with the U.S. Commodity Futures Trading Commission, is conducting an investigation into market manipulation of cryptocurrencies in post-ICO trading.
In Brazil and Argentina the respective regulatory authorities have issued warnings (the Comision Nacional de Valores on November 12, 2017 and the Securities and Exchange Commission of Brazil (CVM) on November 17, 2017). Like other regulatory warnings, the CVM has clarified that certain ICO transactions may constitute securities transactions subject to applicable securities law requirements even though, as at the date of the warning, no ICO had been registered or exempted from registration in Brazil.
The Abu Dhabi Financial Services Regulatory Authority has issued supplementary guidance concerning the regulation of ICOs/token offerings. At the end of the guidance is a useful table summarising the regulatory treatment of virtual tokens and currencies that do, and do not, have the characteristics of a security under the Abu Dhabi Financial Services and Markets Regulations 2015 (FSMR 2015). The table also states that derivatives of virtual currencies and security tokens are regulated as specified investments under the FSMR 2015.
The Dubai Financial Services Authority (DFSA) has issued a general investor statement on cryptocurrencies. "The DFSA would like to make it clear that it does not currently regulate these types of product offerings or license firms in the Dubai International Financial Centre (DIFC) to undertake such activities. Accordingly, before engaging with any persons promoting such offerings in the DIFC, or making any financial contribution toward such offerings, the DFSA urges potential investors to exercise caution and undertake due diligence to understand the risks involved," the statement says.
The UAE's Securities and Commodities Authority (SCA), the country's markets regulator, has also warned investors against any fundraising done in cryptocurrencies, be it ICOs, initial token offerings, token pre-sale or token crowd-sale. The SCA has confirmed that it does not recognise, regulate, or supervise any ICO presently. Initial coin offering investments are not offered legal or regulatory protection and investors involved in ICO investments are doing so at their own risk.
The People's Bank of China issued a notice last September declaring ICOs illegal. As part of the ban individuals and organisations were told to refund investors any amount raised from them. South Korea also banned ICOs but there are media reports which suggest that they may be made legal again in the future.
Most regulators appear to have opted for warning investors that ICOs are highly speculative but to have stopped short of clearly expressing whether or not they are within the regulatory perimeter. In many cases, the position has had to be reviewed on a case-by-case basis. In the light of this, there is a danger that regulatory divergence will become quite considerable. The main problem with the regulatory assessment, however, is the diverging rights attached to tokens and their different uses. As a result, innovative solutions such as using Regulatory Sandboxes and thinking outside the legislative box – as in Australia – may be the way forward.
Hacking, corporate espionage and data breaches are on the rise around the globe.
Implications for cryptocurrency trading, smart contracts and AI
Decree No. 228 of 2019 (Decree 228/2019) came into effect on 27 August 2019, which simplifies and revokes previous decrees of the Ministry of Employment (MoE) to widen the type of job titles allowed for foreign professionals to work in Indonesia.