Distributed ledger technology (DLT) –based financing has come a long way since the beginning of 2015, when the blockchain hype initially hit the mainstream financial industry. While 2017 was all about initial coin offerings (ICOs), 2019 has seen a shift towards more regulated security token offerings (STOs).
With the subsiding of this initial excitement, two observations can be made with certainty:
- First, the so-called “DLT grey market” is more and more disappearing as regulators across Europe, after taking time to assess and understand the new technology and its use cases, eventually reacted with clear and restrictive guidelines. In general, they applied existing legal principles and frameworks to investment products issued via such technology. While structural uncertainties and legal gaps exist, the wave of “scam and fraud” ICOs was quashed in the last two years.
- Second, DLT-based financing does not per se equate with successful fundraising. Many companies that chose to issue (security) tokens to raise funds missed their fundraising targets. The choice to utilize innovative technology to fundraise does not guarantee that investors will trust or be interested in the product. In this respect, DLT-based financing is no different from traditional financing methods, such as via bonds or initial public offerings (IPOs).
While we have focused our observations in this article on the financial industry, it should be noted that it is not only the financial industry which has used DLT as a new way to solve old problems; other industries such as logistics, data management, life sciences industries etc. have also identified potential use cases of DLT.
In the following sections, we will provide you with a high-level overview of selected challenges and developments related to DLT.
In the field of DLT-based financing, numerous statistics exist, but hardly any reliable data. With regard to STOs, we consider the Fintelum survey to be both relevant and useful. According to this survey, approximately 26% of the STOs initiated in the European Economic Area (EEA) and Switzerland failed or were cancelled. Only 17% were successful (i.e., the target amount was raised), while 57% were ongoing or had just started at the time of the survey.
It also appears that Switzerland is currently the “place to be” for an STO project – 31% of the successful or ongoing STOs were based in Switzerland, followed by the UK (23%), Germany (19%), Liechtenstein (15%), as well as Finland, the Netherlands and Lithuania (4% each).
It was also noted that while STOs based in Switzerland and the UK mainly preferred to issue equity-based security tokens, the German STOs were inclined towards debt financing by issuing bond-like tokens.
DLT financing – regulatory status quo in Germany
The Federal Financial Supervisory Authority (BaFin) classifies crypto tokens into three categories:
- "Payment Tokens", which are generally used as a personal means of payment and tend not to have any intrinsic value, and have limited or no functions beyond this;
- "Security Tokens", which confer upon its users membership rights or contractual claims involving assets, as with equities and debt instruments; and
- "Utility Tokens", which can only be used in the issuer’s network to purchase goods or services.
In relation to “Security Tokens”, BaFin has stated that a token is regarded as a security if all of the following criteria are met:
- transferability of the token;
- tradability of the token on the financial markets;
- embodiment of membership participation rights or contractual rights in the token; and
- no classification of the token as a pure instrument of payment.
A token classified as a security falls within the scope of various capital market law requirements. Issuers and/or offerors should consider the applicability of the Prospectus Regulation, the Market Abuse Regulation or the MiFID II regime, including the implementing national laws as well as anti-money laundering provisions (please see the section "New legislative proposals – changes to the German Banking Act" below).
New legislative proposals – changes to the German Banking Act
The Anti-Money Laundering Directive 2018/843/EU (AMLD 5) extended the European AML framework to include virtual currencies. The national implementation of these provisions must be completed by 10 January 2020.
Custody of crypto assets – new license requirement
The German Draft Law implementing the AMLD 5 rules (Draft Law) proposes, amongst other things, changes to the German Banking Act (Kreditwesengesetz, KWG) and prescribes that the custody, safe-guarding and protection of cryptographic keys − used to hold, store and transfer virtual currencies on behalf of the customers − is a financial service. This means that any company providing crypto custody services will require a license from BaFin from 1 January 2020. However, crypto assets, which can be classified as a security, shall, in contrast to the custody of other crypto assets, be regarded as a banking service (custody service pursuant to sec. 1 (1) N° 5 of the KWG) and will be subject to the stricter rules of the Deposit Act (Depotgesetz).
New definition of crypto assets
Further, the Draft Law introduces a definition for “crypto assets” (Kryptowerte), as follows:
- a digital representation of value;
- that is not issued or guaranteed by any central bank or public authority;
- that does not have a legal status as currency or money;
- is accepted by natural or legal persons under agreements or practice as a means of exchange or payment, or serves investment purposes; and
- that can be transferred, stored and traded electronically.
As expected, the Draft Law goes beyond the requirements of the AMLD 5 by extending the definition of crypto assets to include any means of exchange or payment as well as investment assets. The new definition includes tokens with exchange and payment functions (e.g. crypto currencies), which have already been defined as units of account pursuant to sec. 1 (11) N° 7 of the KWG, including tokens used for investment, e.g. so-called security tokens and investment tokens, which may be used as debt instruments, investments in assets or investment funds in accordance with sec. 1 (11) N° 2, 3 and 5 of the KWG.
The new definition shall only be a “fallback” definition (Auffangtatbestand), if any crypto asset does not qualify as a security, an investment product or other regulated product. However, this “fallback” character is not explicitly stated and explained in the Draft Law but only mentioned in the legislative justification (Gesetzesbegründung), which is not the primary source for interpretation. Accordingly, the German Federal Council (the Council) requests in its recommendation that the “fallback” character of the new definition and the overall relation to other provisions are explicitly clarified in the Draft Law.
No combination of the new crypto custody license with other licenses?
However, companies cannot combine a license for providing custodial services for crypto assets with any other licenses under the KWG. This means that companies already holding a license pursuant to section 32 of the KWG will either have to relinquish their existing license in order to be authorized as a provider of custodial services for crypto assets, or outsource such custodial services to a third party or utilize a holding corporate structure with separate licenses.
This classification as a “special financial service institution” is intended to ensure that any IT risks resulting from crypto assets custodial services do not affect other financial services that may be provided by the licensed provider. The need for separation remains questionable, as the legislator's goal should be to separate the IT processes on a technical level. An obligation to operate the crypto assets custodial service on separate servers strictly segregated from other business operations would probably be a more suitable and balanced solution. The Council also criticizes the restriction of the license and the currently planned inability to combine it with other licenses (e.g. operation of an MTF). The Council emphasizes that there are no indications that the crypto custody services is associated with greatly increased IT risks that could spread to other business areas.
No liability umbrella for crypto custody services
Furthermore, a liability umbrella (Haftungsdach) in accordance with section 2(10) of the KWG cannot be used with regard to the provision of crypto asset custodial services. The Draft Law does not intend to amend the list of the financial services eligible for a liability umbrella (namely investment brokerage, investment advice, as well as placement services).
Companies that have been providing crypto asset custodial services before 1 January, 2020, shall benefit from a transition period. These companies can notify BaFin in writing by 1 February, 2020, and submit a full license application by no later than 30 June 2020.
Crowdfunding service provider regime – new proposal for regulation
The European Commission made the first attempt at an EU-wide regulation for crowdfunding with a proposal for a regulation on European crowdfunding service providers (ECSP) for business. The adoption of this regulation had already been announced in the Commission's FinTech Action Plan. In accordance with the ordinary legislative procedure, the European Parliament and the Council published a new proposal for an ECSP Regulation (ECSP Proposal)
The ECSP Proposal mainly aims to foster cross-border crowdfunding activities and to facilitate the exercise of the freedom to provide and receive such services in other Member States than where the crowdfunding platforms are established.
Crowdfunding services, as defined in the ECSP Proposal, shall only be subject to an authorization under the new ECSP Regulation regime, without any further license requirements. This means that a service which falls within the scope of Art. 3 (1)(a) of the ECSP Proposal does not need a license under the Markets in Financial Instruments Directive (MiFID II), even if the activity as such is also regulated under MiFID II. On the other hand, where a crowdfunding service provider already holds an authorization under MiFID II or other directives, it should be possible to hold both authorizations under those directives and the ECSP Proposal. Furthermore, in these cases the authorities shall rely on documents or proofs, which are already available to them and may provide a simplified authorization procedure under the ECSP Proposal.
However, the ECSP Proposal only covers business funding, so crowdfunding services in relation to lending to consumers do not fall within the scope of the ECSP Proposal.
The threshold for the exemption for the obligation to publish a prospectus for crowdfunding offers corresponds to the Prospectus Regulation (EU) 2017/1129 and is set at €8 million (the maximum consideration for each crowdfunding offer). Here, the Member States also have the option to set the threshold for prospectus exemptions for crowdfunding offers below €8 million and can prohibit the raising of capital for crowdfunding projects from its residents for amounts exceeding that national threshold. Crowdfunding services for offers with a consideration above €8 million or above the national threshold notified under the ECSP Regulation shall remain subject to applicable national or EU legislation on prospectus obligations.
According to the ECSP Proposal, crowdfunding service providers may only accept deposits or other re-payable funds from the public if they are authorized as a credit institution pursuant to Art. 8 of Directive 2013/36/EU. However, no credit institution license or any other authorization or permission requirement shall be imposed by national laws on fundraising projects or on investors themselves, where such projects or investors accept funds or grant loans for the purposes of offering or investing into crowdfunding projects.
In particular, the scope of the ECSP Proposal is very clear with regard to lending activities: loans included within the scope of the ECSP Proposal should be loans with unconditional repayment claims. The platforms should only facilitate the conclusion of loan agreements between investors and project owners, without acting as a creditor themselves. In particular, the platforms must not grant credit for their own account or take deposits or other repayable funds from the public (like a credit institution).
Where a crowdfunding service provider carries out payment services in connection with its crowdfunding services, it needs to be authorized as a payment services provider as defined in Directive 2015/2366/EU. Accordingly, the crowdfunding service provider must inform the competent authorities about whether the provider intends to carry out payment services itself with the appropriate authorization or whether such services will be outsourced to an authorized third party.
The ECSP Proposal intends to differentiate between sophisticated and non-sophisticated investors and introduces different levels of investor protection safeguards adapted to each of these categories of investors. The distinction between sophisticated and non-sophisticated investors should build on the distinction between professional clients and retail clients established in MiFID II, but with certain adjustments to the specific context of the crowdfunding market.
Additionally, the ECSP Proposal foresees a possibility for non-sophisticated investors to revoke their expression of investment interest without penalty or explanation. Further, the ECSP Proposal clarifies that the right of withdrawal provided for in Directive 2002/65/EC concerning the distance marketing of consumer financial services will also be applicable.
DLT and GDPR
The different use cases of DLT are not limited to fundraising and token issuance. Crowdfunding platforms can perform KYC/AML services via DLT. Further, blockchain seems to be a good answer to data management challenges, while the pharmaceutical or logistic industries have long recognized the benefits of DLT for product validation or transportation processes.
However, many of these use cases involve the processing of personal data on DLT, which triggers the applicability of the General Data Protection Regulation (GDPR). The purposes and requirements of the GDPR and the inherent nature of DLT cause significant challenges for users and regulators, which require special attention.
For example, the GDPR is based on the assumption that data can be modified or erased where necessary to comply with legal requirements. However, the nature of any distributed ledger does not allow deletion or modification of data, which is already part of the network, in order to ensure data integrity and to increase trust in the network. Therefore, any processing of personal data via DLT (e.g. registering a transaction containing names or phone numbers, performance of KYC services) would per se constitute an infringement of the GDPR, as the rights of the data subjects to erasure or modification cannot be granted.
Another issue is the determination of the responsible person: the GDPR assumes that there is always a “data controller”, a company or an individual who is in charge of the collected data and the processing, and who can determine the means and purposes of the processing and has full control over the data. As distributed ledgers often seek to achieve decentralization by replacing a unitary actor with many different players, the allocation of responsibility and accountability is difficult, if not impossible.
If possible, personal data should be processed with a non-DLT database and anonymization or pseudonymization solutions should be used when transferring the information onto the distributed ledger. It is also more GDPR-compliant to use private or permissioned distributed ledgers, rather than public ones. The limited number of participants and the possibility to define rules with regard to data handling on private or permissioned distributed ledgers provides more protection for (personal) data.
When processing personal data on distributed ledgers, data controllers must carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to the processing and explain why the processing via DLT is necessary and why there is no other solution that would be fully compliant with GDPR. However, the most compliant way for now is not to process personal data on blockchain/distributed ledgers at all.
New blockchain strategy of the German government
On 18 September, 2019, the German government passed a comprehensive blockchain strategy which sets out regulatory plans with regard to blockchain (and overall distributed ledger) technology. As an overall goal, Germany intends to exploit the potential of blockchain technology while preventing any opportunities for abuse. In particular, Germany has clearly stated that it would not support private companies trying to establish parallel currencies, which clearly addresses Facebook’s planned Libra project.
Another regulatory change will be the introduction of electronic securities. A first proposal regarding blockchain-based electronic bonds is envisaged for 2019 and may even pass the required legislative procedure this year. Electronic shares and investment units are expected to follow in the near term. A regulation on public offerings of specific crypto tokens is also planned for 2019, which will require the offeror to publish an information document. Presumably, the aim is to regulate such crypto assets that cannot be considered as securities or other regulated products and which are therefore not subject to the prospectus requirements of the Prospectus Regulation or German Investment Products Act (Vermögensanlagengesetz).
Furthermore, the legislator plans to analyze possible applications of DLT in company law, which may even result in a new “blockchain-based” company form.
If you are keen to explore the above topics further, we at Dentons can help you to ensure that your proposed activities are compliant with all applicable regulations and can unlock the potential of utilizing blockchain and DLT in your business.
CrowdTuesday in Frankfurt
In light of the recent legislative changes, the recent CrowdTuesday in Frankfurt on 19 September was all about European crowdfunding trends in equity and lending. After a panel discussion with regard to the differences and challenges for crowdfunding and DLT financing in Germany, Austria and Luxembourg with the platforms Exporo, STOKR and Conda as well as Dentons, MME Legal gave their view on the current situation in Switzerland. The event then continued with two keynotes from NIBC and Creditshelf, providing a brief overview of the crossover of DLT and classical lending, the challenges for the existing lending industry, as well as recent changes. The following panel discussion between Auxmoney, Funding Circle, October, NIBC and Creditshelf (moderated by Verband deutscher Kreditplatformen) gave the participants a deeper understanding of the lending market and future developments. The closing session for the event came from BaFin, with a short overview of the last ECSP Proposal, and Prof. Dr. Sandner from the Frankfurt School Blockchain Center.
Watch out for the next CrowdTuesdays in Düsseldorf and Munich in 2019/2020.
- According to Fintelum, the survey results were drawn from publicly available information relating to 35 publicly announced strictly STO projects. Fintelum also made efforts to confirm related information directly with each issuer: here.↩
- Available here.↩
- (EU) 2017/1129.↩
- (EU) 596/2014.↩
- So called „5th Anti-Money-Laundering Directive” from 30 May, 2018, amending the AMLD 2015/849/EU (4th AMLD), and amending Directives 2009/138/EC and 2013/36/EU↩
- So called „Draft Law on the Implementation of the amended Directive to the Fourth EU Money Laundering Directive” (Regierungsentwurf), from the Federal Cabinet, as of 29 June 2019.↩
- Explanation to the „Draft Law on the Implementation of the amended Directive to the Fourth EU Money Laundering Directive” (Regierungsentwurf), from the Federal Cabinet, as of 29 June 2019, page 126.↩
- German Federal Council, Recommendation of the Committees dated 9 September 2019 with regard to the Draft Law (Drucksache 352/1/19, page 36). ↩
- German Federal Council, Recommendation of the Committees dated 9 September 2019 with regard to the Draft Law (Drucksache 352/1/19, page 38). ↩
- First proposal dated 8 March 2018 (COM (2018) 113 final).↩
- Dated 8 March 2018 (COM/2018/0109 final).↩
- Dated 24 June 2019 (2018/0048 (COD)): here.↩
- Directive 2015/2366/EU, Directive 2009/110/EU or Directive 2013/36/EU.↩
- A “consumer” means a natural person who, in transactions […], is acting for purposes that are outside his trade, business or profession (Art. 3(a) of the Directive 2008/48/EC.↩
- Currently, the situation in Germany is different, as BaFin assumes a credit business requires a license if the loans are granted on a commercial basis (where there is a specified duration and intended profit) or to an extent which requires a business operation set up in a commercial manner (i.e., more than 100 loans or a total loan volume of over €500,000 with at least 21 loans).↩
- Regulation 2016/679/EU.↩
- The European Parliament recently published a study with regard to “Blockchain and the General Data Protection Regulation”, analyzing the tensions between DLT and GDPR and suggesting action guidelines as long as the legal situation is not entirely clarified: here.↩
- Available here.↩
- For further information, please go to: here.↩