Blockchain's Steady March to Legitimacy

by White & Case LLP
Contact

White & Case LLP

Four separate events during the second half of July signal that virtual currency and blockchain are steadily becoming part of mainstream financial services. The interconnected histories of Bitcoin (the most common virtual currency), blockchain and distributed ledger technology (DLT) have a common arc: from systems created to circumvent traditional financial and legal structures, to innovations destined to disrupt financial incumbents, to the focus of intensive investment by the financial sector. In recent weeks, developments in corporate law, securities regulations, financial crimes enforcement and state legislation have moved these technologies ever closer to full legitimacy.

Overview

July 19 through July 27, 2017, will likely be remembered as one the more consequential periods for development of the legal framework surrounding the use of virtual currency and blockchain (VC&B) by the financial services industry. Each of the following events advanced the development of a different aspect of the law as it applies to VC&B:

  • July 19, 2017 – The Uniform Law Commission (ULC, also known as the National Conference of Commissioners on Uniform State Laws) approved a Uniform Regulation of Virtual Currency Business Act (Uniform VCBA) to be used as a model law for states seeking to adopt such legislation.
  • July 21, 2017 – Governor John C. Carney Jr. of Delaware signed a bill to allow corporations registered in the state to use blockchain to issue, trade and record stock.
  • July 25, 2017 – The US Securities and Exchange Commission (SEC) issued an Investor Bulletin and Report of Investigation of The DAO, which included a finding that virtual coins or tokens sold through initial coin offerings (ICOs) are securities under federal securities law.
  • July 27, 2017 – The Financial Crimes Enforcement Network (FinCEN), for the first time assessed civil money penalties against a foreignlocated virtual currency exchange, for violating US anti-moneylaundering (AML) laws.

Longstanding Bitcoin developers and dedicated members of the virtual currency community—a group that tends to harbor strong views opposing government intrusion and legal formalities—appear to be somewhat dismayed by these events. But consumers, institutional investors, banks, fintech developers and other groups looking to use or develop VC&B-based products and services should take comfort: a regulatory framework is steadily coalescing and the uncertainty that typically surrounds the use of novel technology continues to fade.

The brief history of bitcoin and blockchain

When the pseudonymous Satoshi Nakamoto published Bitcoin: A Peer-to-Peer Electronic Cash System on October 31, 2008, he/she could not have envisioned that a system specifically designed to obviate the need for trusted third-parties in financial transactions, including government regulators, would eventually become embedded in the traditional financial system. Blockchain or DLT is the technology that enables Bitcoin's defining features—trustless, distributed and immutable—and it did not take long for other developers, companies and even financial institutions themselves to recognize the utility of blockchain.

The unit of currency within the Bitcoin network is bitcoin (not capitalized, or BTC), and each bitcoin is created when a miner (a computer connected to the Bitcoin networking that participates in processing transactions) completes the computations necessary to write the next block of transactions to the blockchain. A bitcoin, therefore, is a virtual coin or token that the individual miner earns in return for the work their system performed in processing the Bitcoin encryption algorithms.

There are now hundreds of virtual currencies (of widely varying popularity and valuation) based on the blockchain architecture, the most notable of which include Ethereum, Litecoin, Zcash, Ripple and Monero. These virtual currencies can be traded on exchanges and converted to fiat currency, which enables markets to track their valuations. With a current market capitalization for Bitcoin more than $45 billion and for Ethereum more than $20 billion (several others are more than $1 billion), it is unsurprising that virtual currency has long attracted the attention of both investors and regulators.

Changing perceptions shaping law and regulation

Early on, Bitcoin was often associated in popular opinion with illicit transactions, due in part to the impression that virtual currencies are completely unregulated. While that was initially the case, over the past several years regulators have been slowly creating a legal framework for VC&B.

At the federal level, FinCEN issued guidance in March 2013 that defined virtual currency and interpreted the Bank Secrecy Act (BSA) as applying to exchangers and administrators of virtual currency. A year later, the IRS determined that, for federal tax purposes, virtual currency is property. In connection with a September 2015 order settling charges against Coinflip, Inc., a platform for trading BTC option contracts, the US Commodity Futures Trading Commission (CFTC) defined virtual currency as a commodity under the Commodity Exchange Act. Although the SEC had previously warned about the use of virtual currencies in the context of Ponzi schemes, until July 2017, the agency had not issued any formal guidance or interpretations related to VC&B.

States began regulating virtual currencies in 2015. Connecticut, New York, Oregon and Tennessee each enacted legislation that year defining virtual currency under their respective state laws and requiring money transmitters dealing in the exchange of US dollars with virtual currencies to obtain licenses. Since then, at least five other states have passed similar laws. Frustratingly for VC&B developers and users, there is significant variation among these laws, and in some states, such as New York, there is uncertainty regarding which participants within a virtual currency network are required to obtain a license.

SEC and initial coin offerings

Among the July 2017 events, the SEC's determination that certain virtual coins or tokens are securities may have the most immediate impact. The determination arose out of the SEC's investigation into The DAO, a decentralized autonomous organization (a DAO, as opposed to The DAO) built on the Ethereum Blockchain.

Ethereum is more than a virtual currency in that its protocol includes the ability to create what are called smart contracts. These smart contracts are self-executing programs of varying complexity that are recorded on the blockchain, and are therefore immutable once written. A hypothetical smart contract could be an agreement to transfer a set amount of ether (ETH, the unit of currency on Ethereum) when a specific event occurs in the future. Once that agreement is written, the transfer will be executed without any further action by any party involved. The Ethereum Blockchain, like the Bitcoin Blockchain, is processed by a distributed network of computers that are compensated with ETH for their efforts.

Conceived in November 2015, The DAO was intended to be a mechanism for Ethereum developers to direct ETH, or funding, to projects that would further improve the Ethereum ecosystem and to profit from any successful efforts. Even though The DAO operated on the Ethereum Blockchain, it had its own virtual tokens (DAO Tokens) that could be used only within The DAO structure.

Its developers capitalized The DAO by launching an initial coin offering (ICO) that allowed people to use ETH to purchase DAO Tokens. The ETH paid was transferred to an Ethereum address controlled by The DAO, and each DAO Token provided the holder with voting rights within The DAO. The DAO structure allowed holders of DAO Tokens to submit project proposals (in the form of a smart contract) and to vote on other such submissions. Any projects that received the necessary votes for approval would trigger the smart contract to fund the project by transferring the proposed amount of ETH from The DAO's Ethereum address to the address designated in the smart contract. Before voting, holders of DAO Tokens would be able to evaluate the proposals, including the project description, amount of ETH required and the address to which the ether would be transferred.

By the end of May 2016, The DAO had sold 1.15 billion DAO Tokens in exchange for approximately 12 million ETH, at the time worth approximately $150 million. On June 17, 2016, before The DAO funded any projects, an unknown attacker exploited a flaw in the protocol and diverted more than one-third of the ETH from The DAO's Ethereum address to one controlled by the attacker. The attack triggered significant fallout within the VC&B community—including issues involving immutability, hard forks and 51 percent attacks—and ultimately lead the SEC to investigate whether The DAO violated US securities laws.

Although the SEC ultimately decided not to pursue enforcement action, it issued a Report of Investigation to stress that federal securities law may apply to offerings and sales, including the use of a DAO or other blockchain-based means to raise capital, without regard to the technology or corporate form used. Specifically, the SEC determined that DAO Tokens are securities under the Securities Act of 1933 (Securities Act) and the Securities Exchange Act of 1934 (Exchange Act) and, as such, The DAO ICO was a securities offering that should have been registered under the federal securities laws.

The SEC found that The DAO ICO had the same characteristics of traditional securities offerings. Under the Securities Act and Exchange Act, a security includes an investment contract, which is an investment of money in a common enterprise with a reasonable expectation of profits to be derived from the entrepreneurial or managerial efforts of others.1 The SEC reiterated that money in an investment contract does not need to be cash and that using ETH to purchase DAO Tokens constituted the investment of money. Further, The DAO investors had reasonable expectations of profits, which were primed by The DAO developers' statements during the ICO.

Most of the SEC's analysis focused on whether the expected profit from DAO Tokens depended on the efforts of others. The SEC found that the expertise of The DAO developers and project curators who were selected by the developers were critical to The DAO’s ongoing operations and to determining which proposed projects would be put up for vote by investors. DAO Token holders had limited voting rights and were able to vote only on curated projects. Further, the distributed and pseudonymous nature of underlying Ethereum Blockchain made it difficult for investors to coordinate their efforts, thereby increasing their dependence on The DAO developers.

The SEC concluded that because DAO Tokens are securities, The DAO violated section 5 of the Securities Act by failing to register with the SEC as an issuer. Moreover, the online platforms that traded DAO Tokens and provided users with a system that matched orders from buyers and sellers violated section 3 of the Securities Act by failing to register as securities exchanges. The SEC stressed that the DAO Token findings would apply to any virtual coins or tokens offered or sold through an ICO with similar facts and circumstances.

A move towards consistency

Earlier in July, the UCL completed a more than two year process to draft a Uniform VCBA. This model law— as with others promulgated by the UCL—is intended to be used as a template for state legislatures seeking to enact virtual currency legislation. Although the UCL does not have the authority to impose uniformity, the existence of a Uniform VCBA greatly increases the likelihood of a consistent regulatory framework for virtual currencies across all states.

The UCL effort on virtual currencies started in October 2015 with the first drafting committee meeting. Just prior to that meeting, two other virtual currency frameworks were released. In June 2015, the New York State Department of Financial Services (NYDFS) issued its BitLicense Regulatory Framework. Meanwhile, the Conference of State Bank Supervisors (CSBS) had been working on a multistate effort and released its Model Regulatory Framework for virtual currency activities. The UCL acknowledge using many components of the CSBS framework and, to a lesser degree, the BitLicense as a starting point.2

The Uniform VCBA focuses primarily on the licensing requirements for companies that host virtual currency exchanges or provide services that involve the transmission of money. The UCL sought to address two aspects of such licensing that had been criticized in the NYDFS BitLicense: clear definitions of what businesses must obtain a license and a reasonable AML framework.3 It accomplishes the former by requiring a license for any business that has the "power to execute unilaterally or prevent indefinitely a virtual currency transaction."4 This definition of when a business controls virtual currency is able to cover a wide range of activities and provides clarity to both the states that would enact the legislation and the virtual currency businesses in such state.

Importantly, by emphasizing "unilateral" and "indefinitely" in its definition, the Uniform VCBA distinguishes between entities that fully control consumers' virtual currency and those that provide non-custodial services, such as multisignature or "multisig" authentication. Multisig is a security technique that, among other functions, allows an owner of virtual currency to require multiple cryptographic keys (for these purposes, a key is analogous to a password) to initiate a transfer of coins. But implementing multisig requires an individual owner to allow a third party to store one (or more) keys that are associated with the coins. Multisig systems block the third party from initiating a transfer without authentication by the owner and establish mechanisms to ensure the third party cannot prevent the owner from initiating transactions. Providers of multisig authentication (and other non-custodial services) do not control consumers' virtual currency and, under the Uniform VCBA, would not be required to obtain a license.

The Uniform VCBA would require a licensee to maintain compliance programs that include procedures to prevent: fraud, funding terrorist activities and money laundering. Unlike the BitLicense, the Uniform VCBA's AML requirements are simply a cross reference to federal AML requirements, the BSA and any applicable state laws outside the virtual currency regime.5 In this regard, the Uniform VCBA is similar to most states' money transmitter licenses, in that it relies primarily on FinCEN to detect and enforce AML issues.

FinCEN reaches foreign exchanges

On July 27, 2017, FinCEN demonstrated that its authority to impose civil money penalties on money services businesses (MSBs) extends even to virtual currency businesses operating in foreign jurisdictions. Coming approximately one week after the UCL approved the Uniform VCBA that would encourage states to rely on FinCEN to monitor virtual currency businesses, the action against BTC-e, the subject of FinCEN's MSB action, shows the potential effectiveness of such an arrangement.

BTC-e is a Russia-based virtual currency exchange that facilitates the purchase and sale of fiat currency (US dollars, Rubles, Euros, etc.) and virtual currency (Bitcoin, Litecoin, Ethereum, Dash, etc.). FinCEN has jurisdiction over the MSB because a substantial part of its business is with customers in the US (both buyers and sellers) and because some computer nodes that participate in the processing of BTC-e's transactions are located in the US.

The FinCEN investigation found that the MSB facilitated transactions involving ransomware, computer hacking, identity theft, fraud schemes and drug trafficking. FinCEN also linked it to the transaction of more than 300,000 bitcoin that were related to the massive theft of the now-defunct Mt. Gox exchange. The $110 million civil money penalty against BTC-e is the first time FinCEN has ever taken action against a foreignlocated MSB and is the second such action against an MSB that exchanges virtual currency.

Improving corporate ledgers

Finally, July was also notable for DLT and blockchain as used in applications other than virtual currency. When Delaware governor John C. Carney Jr. signed the amendments to the Delaware General Corporation Law (DGCL), it was the culmination of a process started one year prior by former Governor Jack Markell. The amended DGCL now explicitly allows Delaware companies to maintain shareholder information on a blockchain instead of using existing database and record keeping methods. Further, Delaware corporations using DLT for their stock ledgers can use that as the basis for their required investor communications.

The SEC has previously approved companies to use DLT for specific offerings, such as when Overstock.com received approval in 2015. Similarly, NASDAQ and other exchanges around the globe are experimenting with blockchain based settlement for stocks traded on their system. The Delaware law, which is effective as of August 1, 2017, marks a significant step forward for the assimilation of blockchain technology into the law, and corporate law particularly, because it will allow companies to take advantage of DLT for trading without having to maintain duplicate records for corporate law compliance. Supporters of the amendment believe it will keep Delaware at the forefront of corporate law, and that blockchain will improve transparency, reduce settlement times and, thus, will be beneficial for large and small investors alike.

Conclusion

Virtual currency and blockchain technology are becoming an important component of the financial system. Although VC&B were founded on a non-governmental philosophy, the technology is steadily gaining legitimacy as federal and state agencies build a regulatory framework. Over nine days in July, VC&B took several important steps along that path. The SEC, FinCEN, UCL and State of Delaware each added to or clarified meaningful aspects of that framework. This does not mean that all (or even most) issues regarding VC&B are resolved. Notably, the full range of potential enforcement actions by the SEC and FinCEN remains untested, but they are important factors that must continue to be considered in the ever-expanding reach of VC&B technology. While this is certainly an important consideration for entrepreneurs, investors and banks that have been hesitant to launch VC&B initiatives, there are encouraging signs that the regulatory framework for these initiatives is providing a foundation for building a path to mainstream acceptance and legitimacy.

Click here to download PDF

1 See SEC v. Edwards, 540 US 389, 393 (2004); SEC v. W.J. Howey Co., 328 US 293, 301 (1946); see also United Housing Found., Inc. v. Forman, 421 US 837, 852-53 (1975).
2Draft Regulation of Virtual Currencies Act, National Conference of Commissioners on Uniform State Laws, p. 1 (October 1, 2015).
3Our thoughts on the BitLicense: California is Winning, Coin Center.
4 Uniform VCBA § 102(3)(A).
5 Uniform VCBA § 601(d)(2), (3).

Written by:

White & Case LLP
Contact
more
less

White & Case LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.