Where to set up a cryptocurrency business (2020)
An overview of the latest legal and regulatory developments for cryptocurrency businesses across various International Financial Centers
During recent years, a large part of the cryptocurrency industry have been operating in an unregulated manner. Most of the largest cryptocurrency exchanges, dealers and other crypto operators, as well as virtually all ICOs, have been doing business outside the supervision of any financial services regulatory body.
As the industry has grown, so have the concerns of domestic authorities and international bodies on the potential risks arising from such non-supervised crypto financial services activities.
Until last year, very few jurisdictions took action to bring crypto-related operators under regulatory supervision. The United States, with an arguably restrictive approach, applied existing legislation including but not limited to federal and state securities, and money transmitter laws, among others, to cryptocurrency exchanges, token issuers and other activities.
Regulators from Switzerland, Singapore, and numerous other international financial centers (IFC) also issued guidelines on how existing laws would apply to such companies, but in a much more flexible manner than that of the USA.
Other IFCs enacted a specific legal framework with the intention of building a healthy crypto sector, by attracting industry players while at the same time addressing risks. This group includes Japan, Malta, Gibraltar, Bermuda, Abu Dhabi Global Market, as well as other jurisdictions such as Thailand.
Although not supervising them from a financial services perspective, other jurisdictions such as Estonia or the Cayman Islands obliged crypto companies to comply with their local AML CTF regime.
Results from such new legal frameworks have been mixed. Some jurisdictions have seen a decent increase of activity, e.g. Japan and Estonia, while others have wiped out any local crypto activity taking place, e.g. Malta.
In any case, one could say that most jurisdictions took a “wait-and-see” approach – which is currently changing. We are witnessing a regulatory wave affecting the crypto industry across jurisdictions, which has mainly been catalyzed by two events:
On the one hand, the Financial Action Task Force (FATF) issued in June 2019 the Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.
The FATF is an intergovernmental institution consisting of 37 member countries that sets policies and produces recommendations to countries to improve their legislation and efforts for combating money laundering and terrorist financing.
Generally, countries should follow FATF guidelines, otherwise they run the risk of being blacklisted or scoring low compliance ratings, which could affect their participation into the globalized financial system and their business relationships with other countries.
The Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers mainly provides for certain recommendations on how Virtual Asset Service Providers (VASPs) ML & TF risks should be addressed, and requires national regulators to take action and regulate and supervise VASPs for AML/CTF purposes.
On the other hand, the 5th Anti-Money Laundering Directive (Directive (EU) 2018/843) (AMLD5) published in June 2018, brought virtual assets and virtual asset service providers under AML & CTF obligations. European Economic Area (EEA) Member States were obliged to transpose the 5AMLD into local law by 10 December 2020, and therefore, VASPs operating in the EEA must be regulated and supervised by the domestic regulator for anti-money laundering purposes.
As previously mentioned, the above has led to a large number of jurisdictions taking action and regulating certain cryptocurrency-related activities, and one can expect that many others will follow suit in the short/mid-term.
In this article, we have reviewed the current regulatory environment for cryptocurrency service providers in a number of international financial centers, focusing on some of those that have attracted either more industry players or more public attention across the industry.
Note that this article does not intend to be a comprehensive review and is not legal advice of any kind.
Singapore has generally been the jurisdiction of choice in Asia for headquartering crypto currency-related activities. The jurisdiction has attracted all kinds of players in the industry, including major cryptocurrency exchanges, brokers and dealers, as well as ICOs. The financial services regulator and de-facto central bank, the Monetary Authority of Singapore (MAS), has generally been very proactive in providing regulatory clarity as the industry has boomed.
In January 2020, the Singapore Payment Services Act 2019 (PSA) finally entered into force. The Payment Services Act provides a legal framework for a variety of payment service activities such as e-wallets (fiat), money transfer, merchant acquisition, e-money issuance and digital payment token services, which are regulated by MAS.
In an article from January 2019, we discussed the PSA and what it would mean for fintech and crypto operators. You can review the article here. Since then, MAS has published a series of regulations, notices and guidance covering licensing, ongoing compliance requirements, and anti-money laundering requirements such as the implementation of the FATF recommendations, among others.
Companies providing digital payment token services are required to hold a Payment Institution License. The transitional period for existing digital payment service operators such as crypto exchanges to submit an application for the license has now ended.
‘Digital payment tokens’ are defined as any digital representation of value that is expressed as a unit; are not denominated in any currency, and are not pegged by their issuer to any currency; they are, or are intended to be, a medium of exchange accepted by the public, or a section of the public, as payment for goods or services or for the discharge of a debt; and can be transferred, stored or traded electronically.
Generally, the above definition would cover Bitcoin and most utility tokens. Digital securities would generally be excluded, and related investment activities would normally fall under the Securities and Futures Act (SFA). Stablecoins might in certain instances fall under the PSA’s definition of e-money or under the SFA’s definition of debenture – depending on the nature of the assets backing the stablecoin and the rights and obligations of the issuer and the holders.
Companies providing digital token payment services – that is, in the business of buying and selling digital payment tokens or facilitating the exchange of digital payment tokens – are required to obtain a license as Payment Institutions. Therefore, cryptocurrency exchanges and broker-dealers clearly require a license to operate in Singapore.
MAS has also extended the scope of digital payment token services that may fall under the PSA in line with FATF standards.
Companies participating in and offering financial services related to the offer and/or sale of a digital payment token by an issuer, or inducing (or attempting to induce) any person to buy or sell a digital payment token (without the digital payment token service provider actually accessing any money or digital payment tokens), may also fall under the PSA.
Providing digital payment token transfer services and custodian wallet services is also regulated and supervised. Custodian Wallet services consist of safekeeping and administration of digital payment tokens or instruments enabling control over digital payment tokens. This applies to any cryptocurrency business operator that holds clients’ crypto funds, such as custodial wallets.
Transfer services are defined as accepting digital payment token from one digital payment token address or account, whether in Singapore or outside Singapore, as principal or agent, for the purposes of transferring, or arranging for the transfer of, the digital payment token to another digital payment token address or account, whether in or outside of Singapore. This could apply to certain centralized wallets and crypto payment processors, as well as brokers and exchanges (which nonetheless may be required to obtain a PSA license as when operating a digital payment token exchange).
Companies intending to carry on digital payment token services in Singapore are required to apply for and obtain a Payment Institution licence, either as a Standard Payment Institution or as a Major Payment Institution.
A Major Payment Institution License is required if the average of the total value of all payment transactions in one month exceeds SGD 3 million (or its equivalent in a foreign currency). Any cryptocurrency exchange would then generally need to obtain a Major Payment Institution license.
The basic requirements to obtain a Payment Institution license as set out in the PSA and the Payment Services Regulations are, among others:
- Minimum base capital of SGD 250,000 for a Major Payment Institution and SGD 100,000 for a Standard Payment Institution
- Security deposited with MAS of at least SGD 200,000; or SGD 100,000 if the average monthly transaction value is equal or lower than SGD 6 million.
- At least one Singaporean citizen or permanent resident to act as executive director; or an Employment Pass holder to act as executive director, and a Singaporean citizen or resident as non-executive director.
- Compliance with the Singapore AML & CTF regime (implementation of risk based approach, CDD screening and ongoing monitoring, SAR reporting, risk mitigation measures, etc)
- Governance and implementation of adequate controls in areas such as user authentication, data loss protection and cyber-attack prevention and detection
- 20% controllers, CEO and directors to be approved by MAS, subject to fit and proper requirements
MAS has also clarified the regulatory status of digital payment token derivatives, i.e. derivatives such as future contracts, CFDs or options whose underlying asset is a digital payment token.
MAS deems that digital payment token derivatives are not yet suitable for regulation, and prefer not to regulate service providers conducting activities related to such assets.
According to MAS, given the limited use of such instruments in Singapore, regulating such activities could confer misplaced confidence in such highly volatile products, which could lead to a wider offering to retail investors.
There is an exception to the above: if digital payment token derivative instruments are offered by an Approved Exchange (AE), MAS would regulate such instruments given that AEs are systemically important trading facilities. According to MAS, effective oversight over products offered on AEs is required due to the risk of contagion to the wider financial system.
Therefore, digital payment token derivatives are out of the scope of the PSA. However, companies operating trading facilities or dealing in such instruments need to evaluate whether any of their services would be captured by the FSA. For instance, a derivatives exchange may require engaging a PSA-regulated custodian or transfer service in order to operate its platform.
As one of the jurisdictions of choice for hedge funds, Cayman Islands has attracted a large proportion of investment funds investing in cryptocurrencies. Cayman has also been the jurisdiction of domicile of certain high-profile token offerings during the last several years.
Open-ended crypto funds have already been subject to the Mutual Funds Law (Revised), as any other fund and closed-ended crypto funds have been regulated since February 2020 under the Private Funds Law.
Furthermore, virtual asset service providers (VASPs) were already required to comply with AML laws, as they were considered relevant financial services businesses for the purposes of the Proceeds of Crime Law (Revised), the Anti-Money Laundering Regulations and other related AML & CTF legislation.
The AML regime creates certain requirements, including but not limited to the designation of compliance officers, implementation of identification and due diligence procedures to their counterparties, adoption of a risk-based approach to monitor financial activities, record-keeping, risk management and internal and external procedures and audits. Note that recent amendments to the AML laws, and guidance notes issued by CIMA provide for new requirements for VASPs such as compliance with the so-called Travel Rule.
However, on 25 May 2020, a set of new laws and amendments of existing laws aimed at regulating cryptocurrency businesses were gazetted in the Cayman Islands. Namely, the Virtual Asset (Service Providers) Law 2020; the Monetary Authority (Amendment) (No. 2) Law 2020; the Mutual Funds (Amendment) (No. 2) Law 2020; the Securities Investment Business (Amendment) Law 2020; and the Stock Exchange Company (Amendment) Law 2020.
The Virtual Asset (Service Providers) Law 2020 (VASP Law) brings Virtual Asset Service Providers (VASPs) under regulatory supervision of the Cayman Islands Monetary Authority (CIMA), and implements FATF recommendations.
The VASP Law is not in force yet;it will be implemented after a consultation period of CIMA and the Ministry of Financial Services with relevant industry players, and the issuance of relevant regulations and guidance notes which may take from 6 months to 1 year to be implemented.
Virtual asset services are defined as the issuance of virtual assets or providing one or more of the following services:
- exchange between virtual assets and fiat currencies;
- exchange between one or more other forms of convertible virtual assets;
- transfer of virtual assets;
- virtual asset custody service; or
- participation in, and provision of, financial services related to a virtual asset issuance or the sale of a virtual asset;
Virtual asset is defined as a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes.
The definition explicitly excludes a digital representation of a fiat currency. One could understand that this exclusion would apply to central bank digital currencies (CBDC), rather than stablecoins backed by fiat currencies, given that a stablecoin may be redeemed by fiat currencies but in no case is a digital representation of a fiat currency. However, we expect CIMA to provide guidance on this matter.
Furthermore, the definition of virtual asset does not differentiate between types of virtual assets, e.g. utility tokens, asset-backed tokens or digital securities. However, companies issuing or providing services related to digital securities or derivative instruments may also fall under the Securities Investment Business Law (2020 Revision), the Mutual Funds Law (2020 Revision), among others, as explained below.
Issuance or services related to virtual service tokens are also excluded from regulatory supervision. A virtual service token is a representation of value which is not transferable or exchangeable and includes digital tokens whose sole function is to provide access to an application or service, or to provide a service or function directly to its owner. This generally would include loyalty points or credits that cannot be traded on a secondary market.
Once the VASP law comes into force, VASPs will need to either register with CIMA (registered person), obtain a full CIMA Virtual Asset Service License (licensee), or obtain a Sandbox License (sandbox licensee), depending on the specific activity carried on by the VASP.
The VASP law provides for certain general requirements for registered persons, licensees and sandbox licensees such as the approval of senior officers, trustees, AML officers by CIMA, approval of transfer of equity interests, periodical AML regulatory audits, preparation of financial statements, and independent annual audits to such statements, among others. It also provides specific requirements for each type of virtual asset service activity.
Other aspects such as those related to financial resources (e.g. paid-up capital), insurance, restrictions on client/investor profile, economic substance, and other regulatory and reporting requirements, will be known after the above mentioned consultation period and the release of additional regulations and guidance notes.
Companies that are regulated under other regulatory frameworks such as securities investment businesses, money service businesses, banks or trust companies, and which also intend to provide certain virtual asset service, might not need to register or obtain a license under the VASP Law, but may need to obtain a waiver from such registration or license requirement from CIMA. CIMA may grant a waiver depending on the specific activities and the regulatory framework applicable to the relevant company. Regulated companies will be required to file a notice with CIMA, which will evaluate whether they are eligible for a waiver or are required to be registered or licensed under the VASP Law.
Exchanges and Broker-Dealers
Cayman Islands companies operating a virtual asset trading platform such as a cryptocurrency exchange will be required to obtain a full CIMA license.
A virtual asset trading platform includes both centralized and decentralized platforms that facilitate the exchange of cryptocurrencies for fiat currencies or other cryptocurrencies for a benefit, and either holds custody of or controls clients’ virtual assets, or purchases virtual assets from a seller in order to sell them to a buyer.
The above definition covers custodial cryptocurrency exchanges, as well as certain broker-dealers, and, potentially, certain decentralized exchanges – depending on their specific business model.
The definition explicitly excludes platforms acting as a forum where sellers and buyers may post bids and offers, but involve trades occurring in a separate platform or in a peer-to-peer manner.
Virtual asset trading platforms will be required to comply with a number of disclosure requirements such as those related to conflicts of interests, price discovery mechanisms, custodial arrangements, and insurance, among others.
Certain activities will be restricted for trading platforms, such as providing financing to clients without proper terms and risk disclosures; trading in its own account if it could be detrimental to the interests of its clients, with certain exceptions as long as proper disclosures are made; or providing fiat to fiat exchange services, among others.
Custodial wallet service providers will also be required to obtain a full CIMA license for the provision of virtual asset custody service. Virtual asset custody service is defined as the business of safekeeping or administration of virtual assets or the instruments that enable the service provider to exercise control over virtual assets.
Non-custodial wallets, i.e. wallets where the user exclusively controls and manages the private key, would fall out of the above definition.
Virtual asset custodians will be required to comply with certain disclosure requirements, and certain requirements related to the segregation of assets, insurance requirements and cyber security measures.
Companies issuing virtual assets, i.e. initial coin offerings, will be restricted to issue and sell cryptocurrencies to the public with an aggregate offering value over a prescribed threshold, unless they do so via a licensed virtual asset trading platform. The specific threshold is yet to be determined.
Token issuers will need to request authorization from CIMA to carry on the issuance, regardless of whether they use the services of a licensed virtual asset trading platform or not.
Companies providing financial services related to the issuance of virtual assets will need to be registered with CIMA. Further guidance from CIMA is expected in order to provide clarification on what specific activities could constitute such “financial services”.
Cryptocurrency Brokers and Transfer Services
Crypto brokerage firms that do not hold custody of the assets, and merely act as intermediaries between buyers and sellers, may not require a CIMA license, and rather register with CIMA as a “registered person”.
Likewise, Cayman companies providing transfer services may only be required to register with the regulator. Transfer services may include certain crypto payment processing services.
As previously mentioned, the VASP Law makes no distinction between types of virtual assets, and digital securities service providers or issuers would generally fall under VASP Law.
However, amendments to the existing Cayman Islands legislation have provided regulatory certainty on how such legislation applies to digital securities.
The Securities Investment Business (Amendment) Law 2020 (SIBL) provides that virtual assets representing, or being derivatives of, or which can be converted to securities, are considered securities.
Companies conducting securities investment business in digital securities could be regulated under the SIBL. In cases where a company’s activities may require a license under both the VASP Law and SIBL, CIMA may waive the requirement for obtaining one of the two licenses, at its discretion.
Trading platforms offering derivative contracts such as futures contracts, contracts for differences, options and other related instruments whose underlying assets are virtual assets would also generally require a license under the SIBL. However, if such platforms also provide custody of virtual assets, a VASP license or a waiver from CIMA may also be required.
The Stock Exchange Company (Amendment) Law, 2020, has opened the door for the creation of digital securities exchange operators in the Island. The amendment provides that Cayman Islands Stock Exchange (CEX) will not have the sole and exclusive right to operate the securities markets in the Islands that trade in securities represented by virtual assets.
Although companies issuing their own securities are not required to register with CIMA under the SIBL – digital securities issuers would fall under the VASP law and generally be required to request authorization from CIMA, as explained above.
The definition of “equity interest” under the Mutual Funds Law has also been amended to broaden the definition of equity interest. So, a collective investment scheme issuing a redeemable token that provides for certain profit or interest rights clearly qualifies as a Mutual Fund.
Decentralized Finance or DEFI
Operators of decentralized finance (Defi) platforms may not be explicitly caught by the VASP Law. However, Defi operators should carefully assess whether certain characteristics of a Defi platform may be considered a “virtual asset service” or may fall under other regulatory laws such as the Securities Investment Business Law or the Banks and Trust Companies Law.
Furthermore, a Cayman company intending to operate a Defi platform may be required by CIMA to apply for and obtain a regulatory sandbox license.
The sandbox license consists of a 1-year temporary license, where VASPs or fintech service providers would be able to test innovative technologies or methods of delivery.
The sandbox license would apply when CIMA deems that due to the innovative nature of the business model of the VASP, stricter and closer supervision and oversight is required. This might also involve placing certain restrictions on the volume of business and type of clients that the VASP may onboard, among others.
A sandbox license in lieu of registration or full license may also be required if the service poses certain financial, systemic, money-laundering, terrorism financing or proliferation financing risks, or if it is in the best public-private interest.
Fintech companies that do not fall under the definition of VASP or are not subject to any other existing regulatory regimes may also apply for a sandbox license, although the VASP law does not create an obligation for such companies to do so.
The British Virgin Islands (BVI) is home to some of the largest cryptocurrency spot exchanges by trading volume, and some of the largest token offerings.
The current financial laws of the BVI do not provide a framework for cryptocurrency businesses. Cryptocurrency exchanges, token offerings, wallets and other crypto-related activities are operating in an unregulated manner.
Although the jurisdiction has been attracting major players in the industry over the last years, the Financial Services Commission (FSC) has remained publicly silent on the matter.
However, last July 2020, the FSC issued guidance on the applicability of existing legislation to cryptocurrency-related activities.
The FSC Guidance provides some clarity on the position of the FSC on crypto assets (virtual assets) and whether certain activities or products would fall under the existing financial services laws such as the Securities and Investment Business Act, 2010 (SIBA).
Under SIBA, certain financial instruments are considered investments, and intermediaries or companies carrying on investments activities need to obtain a license or otherwise be authorized by the regulator.
The above includes companies dealing in investments, arranging deals in investments, managing investments, advising on investments, administering investments, custodians of investments or operating an investment exchange.
According to the FSC Guidance, virtual asset products may be captured from a regulatory perspective either when they are issued or when they are in the hands of a holder, or the subject of an investment activity.
Certain factors must be taken into account when evaluating whether existing regulations would apply. Namely, the way the virtual asset is used, the type of related business activities, and whether such activities are analogous with those conducted through traditional businesses, and the characteristics and business activities relating to an offering or issuance.
Virtual assets and related products conceived and used as a means of payment for goods and services may not be considered an investment under existing legislation, and therefore intermediaries and issuers of, and activities related to, such assets would generally not be subject to SIBA. Virtual assets that cannot only be used as means of payment with certain rights attached may qualify as investments, if such rights share common features with investments, as defined by SIBA.
This means that spot exchanges, broker-dealers, wallets, etc., providing services related to cryptocurrencies that are to be used for payment purposes, might not require an investment business license under SIBA.
However, the FSC considers that as virtual assets and related products have value, they meet the definition of intangible property. This is a relevant point, because SIBA regulates as investments certain derivative instruments whose underlying is property of any description.
For instance, in the case of derivative instruments – futures contracts and contracts for differences (or other similar contracts) whose underlying is a virtual asset, would be captured by SIBA, and dealers, exchanges, and other intermediaries would be required to obtain an investment business license.
In the case of options, only options whose underlying is a virtual asset that is considered an investment would fall under SIBA.
Virtual assets can be considered investments if they share certain attributes or rights with ‘traditional’ investments.
For instance, a virtual asset that confers voting and/or profit rights in an enterprise (e.g. represents a share, stock or interest in a company) would be considered an investment under SIBA. Tokens representing interests in investment funds would also be considered an investment.
A token representing debt, e.g. a bond, could be considered a debenture under SIBA. Certain stablecoins might also be considered debentures.
The Guidance also clarifies that virtual asset transfer activities would not generally fall under the Financing and Money Services Act, 2009 and will not be considered a Money Service Business.
The FSC also advises that when virtual asset activities share certain characteristics akin to a regulated investment activity under SIBA, guidance from the FSC should be secured before starting operations in or from within the BVI.
Companies carrying on investment activities related to virtual assets that fall under the SIBA’s definition of investment and are not currently regulated are required to submit an application for an investment business license before mid January 2021.
Liechtenstein authorities have been very keen on attracting industry players. The country has hosted one of the first prospectus-approved securities token offerings in the European Economic Area, and some of its banks are some of the few banks worldwide that openly onboard cryptocurrency businesses and provide cryptocurrency-related services.
In October, 2019, the Parliament of Liechtenstein approved the Law on Token and Trustworthy Technology Service Providers (commonly known as the “Blockchain Act”, and abbreviated as TVTG).
The TVTG, which entered into force in January 2020, not only regulates certain crypto service providers but also provides a legal framework for the tokenization of any form of asset or right. This is quite unique as the TVTG provides a legal basis for the transition to and use of blockchain in traditional financial business models.
The TVTG provides a legal framework for trustworthy technology service providers, who will need to register with and will be supervised by the Financial Markets Authority of Liechtenstein (FMA)
Token Issuers – A Token Issuer is defined as a person offering tokens to the public in their own name or in the name of third parties.
This includes initial exchange offerings or initial coin offering platforms. Companies conducting airdrops may also be captured by the definition.
Token issuers offering tokens in their own name (e.g. ICOs) are required to register with the FMA if the value of the tokens issued in one year exceeds or will exceed CHF 5 million.
Token Issuers must comply with certain minimum paid-up capital requirements, specifically:
- CHF 50,000 when the value of the tokens issued in a given calendar year is CHF 5 million or lower;
- CHF 100,000 when the value of the tokens issued in a given calendar year is more than CHF 5 million, up to CHF 25 million; or
- CHF 250,000 when the value of the tokens issued in a given calendar year is more than CHF 25 million.
Token Generators include persons programming the code for generating tokens. This could include, for instance, smart contract developers.
TT Key Depositaries and TT Token Depositaries include persons in the business of safeguarding tokens or private keys for third parties and/or executing transactions for third parties, such as custodial wallets or exchanges.
TT Key Depositaries only keep a copy of the client’s private key, while the client still knows the private key, whereas TT Token Depositaries safeguard tokens on behalf of clients, without the private key being known by the client.
Both TT Key Depositaries and TT Token Depositaries must have a minimum capital of CHF 100,000.
TT Protectors include persons, acting as trustees, that hold tokens in their own name for the account of third parties, or carry on transactions for third parties. Persons acting as TT protectors are required to hold a license under the Law on Professional Trustees (TrHG)
Physical Validators include persons ensuring the enforcement of rights in accordance with the agreement and property law, to goods or assets represented by tokens. Physical validators must ensure that their clients generating tokens which represent property rights are the rightful owners of and have the ability to dispose of such rights.
Physical validators must have a paid-up capital of CHF 125,000 in the event that the value of the property does not exceed CHF 10 million; otherwise, CHF 250,000.
TT Exchange Service Providers include persons that exchange fiat currency or tokens for tokens and vice versa. This would generally include cryptocurrency dealers.
Exchange service providers are required to have a minimum paid-up capital of CHF 30,000 when the total annual transactions is more than CHF 150,000 and does not exceed CHF 1 million; or CHF 100,000 when the value of the annual transactions exceeds CHF 1 million.
TT Verifying Authorities include persons verifying the legal capacity and the requirements for the disposal over a token. For instance, service providers that ensure that only approved persons or persons meeting certain preconditions acquire specific tokens.
TT Price Service Providers include persons providing price information on the basis of purchase and sale offers, or completed transactions. For instance, crypto exchanges.
TT Identity Service Providers include persons identifying the person in possession of the right of disposal related to a token and recording it in a directory.
Besides the aforementioned capital requirements, which cannot be used for operational expenses, the FMA will assess certains aspects when registering a TT Service Provider.
The regulator will assess whether the applicant is sufficiently technically qualified to provide the service, and management has sufficient expertise to evaluate and satisfactorily address the risks related to the activity. A Fit and Proper test will be conducted to all management board members, and to shareholders/partners who hold more than 10% interest.
TT Service Providers must have in place the appropriate governance policies and procedures to limit the risk and disclose conflicts of interest, as well as appropriate internal control mechanisms and risk management procedures according to the activity, size, complexity and risks of the TT Service Provider and its services.
TT Service Providers are also subject to the Law on Professional Due Diligence for the Prevention of Money Laundering, Organised Crime and Financing of Terrorism. This means that TT Service Providers must comply with the AML regime, implementing a risk-based approach. KYC and CDD procedures, and ongoing monitoring, among others, must be implemented. TT Service Providers must also comply with the EU 5AMLD and FATF recommendations such as the Travel Rule.
When it comes to exchanges and dealers offering derivative contracts whose underlying are cryptocurrencies, they would generally require a license under the Law on Banks and Investment Firms, given that crypto derivatives are considered financial instruments under the EU’s Markets in Financial Instruments Directive (MiFID), which is applicable and transposed into local law in all member states of the European Economic Area.
Authorities in Switzerland have played a very active role in attracting industry players and providing regulatory clarity to companies for the adoption of distributed ledger technology in their business models.
Switzerland was the domicile of some of the first high-profile ICOs, and hosts a number of crypto financial intermediaries registered with Self-Regulatory Organizations (SROs). The Swiss Financial Market Supervisory Authority (FINMA) has been one the first regulators to grant banking licenses to banks with a clear focus on cryptocurrencies, among many other innovative developments related to digital securities.
The Swiss Federal Council, in conjunction with FINMA and through consultation with industry participants, is working on amendments of various laws for blockchain-related companies, with special focus on building the foundation for a robust digital securities market.
Proposed amendments to the Swiss Code of Obligations will provide a legal basis for the tokenization of rights with the introduction of Uncertificated Register Securities. Such Uncertificated Register Securities will provide for tokenized rights to be only claimed or transferred through a distributed ledger technology-based electronic register, which should meet certain technical requirements such as those related to security and publicity of rights.
Swiss corporate law may also be amended to allow corporations to issue tokenized shares as Uncertificated Register Securities.
There has also been a proposal to amend the Swiss Financial Market Infrastructure Act to provide a new licensing regime for DLT trading venues, i.e. digital securities exchanges. The regime will allow licensees to provide services related to facilitating trading, and offer clearing, settlement, and custody of DLT securities.
Amendments to the Swiss Debt Enforcement and Bankruptcy Act have also been proposed in order to facilitate the segregation of crypto-based assets from third-party custodians in case of bankruptcy proceedings against them.
Existing Regulatory Framework for VASPs
For companies currently intending to operate a virtual asset activity in or from within Switzerland, the Swiss Federal Council and FINMA has already provided comprehensive reports and guidance on how existing financial market legislation would apply to virtual asset activities. The Swiss legal framework is already at present suited to regulate most common VASPs’ business models.
Swiss regulators differentiate between three types of cryptocurrencies: payment tokens whose function is serving as a means of payment; utility tokens which are intended to provide digital access to an application or service; and asset tokens representing assets such as participations in real physical assets, companies, or earnings streams, or an entitlement to dividends or interest payments.
Payment tokens and utility tokens (as long as they can already be used as digital access) would not generally qualify as securities. Utility tokens that do not yet have any utility and are used merely for investment purposes, as well as asset tokens, are regarded as securities.
As per FINMA guidance, companies providing custody wallet services (i.e. custody and payment services for virtual assets) and operating virtual asset trading platforms, fall under the Federal Act on Combating Money Laundering and Terrorist Financing (AMLA).
Therefore, companies that intend to provide the above mentioned services are required to join an SRO as a financial intermediary. This would generally apply to brokers, custodians, as well as exchanges facilitating trades in payment tokens and utility tokens that are not considered securities.
SROs are organizations supervised by FINMA that regulate and supervise the activities and ensure AMLA compliance of financial intermediaries, such as brokerage firms.
In order to become a member of an SRO, a cryptocurrency exchange or wallet service provider needs to provide evidence on how the company would be able to adhere to the AML regime. The regime provides certain obligations to financial intermediaries such as the implementation of customer due diligence and enhanced due diligence procedures, transaction monitoring, reporting of suspicious activities, appointment of compliance officers, etc.
SROs also require companies to comply with the travel rule – for instance, crypto transactions to and from external wallets are only permitted where the external wallets are owned by the financial intermediary’s customer, and if the customer’s authority of such wallet is verified.
SROs effectively act as regulators for anti-money laundering purposes, and have the right and authority to audit the financial intermediary at any time. A revocation of SRO membership would generally require the financial intermediary to cease activities.
Brokers, exchanges or custodians accepting fiat currencies or virtual assets on their own addresses could be subject to obtaining a banking licence, as the activity could constitute acceptance of deposits from the public.
However, an exemption from obtaining a banking license would generally apply if the clients’ assets held in the company wallets are only used for the execution of trades on the exchange, are not interest-bearing and are transferred on within 60 days. This effectively brings certain crypto platforms offering interest-bearing crypto deposit facilities under the requirement of obtaining a banking license.
Certain other crypto-related activities involving virtual assets may also require a securities dealer or banking licence issued by FINMA. Asset managers managing their customers’ crypto assets on behalf of customers would generally require a FINMA license.
Companies dealing in asset tokens or utility tokens with no present utility may also be required to obtain a bank or securities dealer license; in the case of exchanges facilitating trading in such instruments, they may require a multilateral trading facility license or a securities dealer license with authorization to operate an organized trading facility.
Companies issuing asset tokens or utility tokens (with no utility at the time of issuance) are also required to comply with prospectus requirements, or avail for the available prospectus exemptions for small offerings.
London, as one of the largest, if not the largest, financial centers worldwide has also attracted a great number of industry players of almost any activity.
The UK is also the European home of some of the largest cryptocurrency exchanges, and has a growing offer of OTC dealers, as well as crypto lending platforms.
Cryptoasset activities that do not involve financial instruments are not currently regulated by the Financial Conduct Authority (FCA) as financial services or investment firms. However, from January 2020, the FCA does supervise cryptoasset activities for anti-money laundering purposes.
This means that companies conducting cryptoasset activities are required to register with the FCA and comply with the UK’s AML/CTF regime.
Activities subject to registration include cryptoasset exchange providers and Custodian wallet providers.
Cryptoasset exchange providers include businesses providing services related to exchanging, or arranging, or making arrangements with a view to the exchange of, cryptoassets for money, money for cryptoassets, or one cryptoasset for another cryptoasset, or operating a machine which utilizes automated processes to exchange cryptoassets for money or money for cryptoassets. This generally includes cryptocurrency exchanges, brokers, dealers, ICOs, Crypto ATMs and certain p2p crypto platforms.
Custodian wallet providers are businesses that provide services to safeguard or administer cryptoassets on behalf of their customers, or administer private cryptographic keys on behalf of their customers in order to hold, store and transfer cryptoassets, when providing such services. This would generally capture any activity where the company provides a custodial wallet.
Cryptoasset firms need to adhere to AML/CTF requirements much in the same way as investment firms authorized under the Financial Services and Markets Act (FSMA).
This includes but is not limited to having in place policies, systems and controls appropriate for mitigating the money laundering or terrorist financing risk, undertaking customer due diligence, and enhanced due diligence for high-risk customers, adhering to the Travel Rule, appointing of compliance officers, reporting suspicious activity to the National Crime Agency (NCA), and filing AML reports with the FCA, among others.
The application process involves submitting certain information and documentation such as business and marketing plans, structural organization, IT security systems and controls, backgrounds of managing officers and beneficial owners, governance and internal control mechanisms, as well as anti-money laundering manuals, policies and procedures. The applicant should also disclose all their controlled cryptoasset addresses.
Digital securities and cryptoasset derivatives may be considered investment products under the FSMA, and therefore companies doing business in securities tokens or crypto derivatives are required to obtain a license and be regulated as investment firms.
Bermuda was one of the first jurisdictions to enact a legal framework for cryptocurrency businesses back in July 2018. It did this by amending the Companies Act and the Limited Liability Companies Act, introducing regulatory requirements for companies conducting ICOs (the ICO Act), as well as by passing the Digital Asset Business Act, 2018 (DABA) which brought under regulatory supervision crypto-related business activities such as digital asset payment service providers, custodians, market makers and exchanges.
Unlike other jurisdictions, the definition of a digital asset in Bermuda encompasses payment, utility and security tokens. This means that digital securities issuers, exchanges, brokerages, market makers, etc., are all caught by the cryptocurrency legislation in Bermuda.
The above mentioned legislation has had a relatively modest outcome, and just a few companies have been licensed under DABA or obtained consent from Bermuda’s Ministry of Finance (MOF) to carry on an ICO.
Last May 2020, Bermuda repealed the ICO Act, and introduced new legislation for ICOs – the Digital Asset Issuance Act, 2020 (DAIA). The new legislation provides for ongoing regulatory supervision by the Bermuda Monetary Authority (BMA) to token issuers, rather than the one-off consent from the MOF required in the ICO Act.
A company planning to conduct a public token sale, and whose tokens would be sold to more than 150 persons, would need to go through a vetting process and seek authorization from the BMA.
An issuance document with appropriate risk disclosures and other relevant matters together with a business plan will need to be lodged with the BMA. The BMA will assess certain relevant parameters related to the offering and the company, such as those related to fitness of company management, governance, risk management policies, cybersecurity and custody arrangements, KYC and AML & CTF procedures, etc. The BMA may set conditions, prohibitions or restrictions on a case-by-case basis.
When it comes to the DABA, the same was amended last October 2019 via the Digital Asset Business (Amendment) Act, 2019, to expand its reach to further activities. Specifically, DABA now covers digital asset derivative exchanges, digital asset benchmark administrators, digital asset trust services, and has broadened or modified the definition of exchange, custodians and market makers.
A digital asset exchange is now defined as a centralized or decentralized electronic marketplace used for digital asset issuances, distributions, conversions and trades, including primary and secondary distributions, with or without payment. The definition has broadened to also cover decentralized exchanges, token issuance launch platforms, brokerages, etc.
The definition of market maker is now more specific, bringing further clarity on what activities could constitute market maker activities – including persons conducting the business of quoting buy and sell prices in furtherance of profit or gain on the bid offer spread; fulfilling orders initiated by clients or in response to clients’ requests to trade; or hedging positions arising from the fulfilment of such activities.
Companies providing rate, index or figure made available to the public or published by reference, to which the amount payable under a digital asset or the value of a digital asset is determined, are also now regulated as digital asset benchmark administrators.
Fiduciaries, Agents or Trustees that manage, safeguard or administer digital assets on behalf of other persons are now regulated as digital asset trust service providers. Fiduciaries, Agents and Trustees appointing qualified custodians may be exempt. Qualified custodians are those regulated under DABA to provide custodial wallet services.
The DABA amendments also provide for crypto derivatives exchanges to be regulated as digital asset derivative exchange providers, which includes companies operating a digital asset derivatives exchange and creating, selling or otherwise entering into digital asset derivatives contracts; and/or clearing and settlement of digital asset derivatives.
Digital asset derivative exchanges include decentralized and centralized marketplaces used for digital asset derivatives issuances, distributions and trades with or without payment.
Digital asset derivatives include options, swaps, futures, contracts for difference or any other contract or instrument whose market price, value or delivery or payment obligations are derived from, referenced to, or based on a digital asset underlying interest.
The BMA grants two types of licenses – a class F license, for an indefinite period; or a class M license, for a defined period determined – a ‘sort-of-sandbox’ license.
BMA will expect the applicant’s head office and the place of effective management to be in Bermuda, with an appointed local representative who will have certain statutory duties to report matters to the BMA. You will need to have a physical office and key c-executives of the company to be resident in Bermuda.
The BMA will assess officers’ backgrounds, and whether the platform is adopting the appropriate measures and systems related to prevention of money laundering and terrorist financing, and has the appropriate KYC/AML policies in line with its strict AML/ATF legislation.
A minimum paid-up capital of at least USD 100,000 may be requested. The BMA may request higher amounts depending on the business activity and risk profile of the applicant.
An indemnity insurance may need to be taken on, whose coverage amount will be determined by the BMA, but could be around USD 1,000,000. There will be requirements on certain risk mitigation measures, internal audit requirements, as well as other requirements that the BMA may consider appropriate according to the nature, size, complexity and risk profile of the business.
Estonia was one of the first jurisdictions to bring virtual currency service activities under AML supervision. An amendment to the Money Laundering and Territorial Financing Prevention Act in 2017 brought AML requirements to activities related to the conversion of virtual currency against fiat currency, and the provision of wallet services (custodial wallets).
Companies conducting the above activities were required to obtain a license for each activity issued by the Financial Intelligence Unit of Estonia, a branch of the Police Department.
It was affordable and relatively easy and quick to obtain such licenses – requirements were considerably lenient. This led to hundreds of businesses to domicile their companies in Estonia, and obtain the above licenses. Most of these exchanges were operated from overseas.
In response to this massive flow of foreign-operated crypto exchanges and wallets using Estonian structures and FIU licenses, Estonian authorities took certain actions due to reputational and AML compliance concerns, as well as to update the relevant legislation in line with current AML standards related to crypto activities.
In March 2020, Estonia entered into force an amendment to the Money Laundering and Territorial Financing Prevention Act, providing for stricter licensing and ongoing requirements for companies conducting such activities.
The two licenses have been unified in one: a virtual currency service provider license that includes both exchange and wallet service providers.
It is important to note that such a license is not a financial services license, and that licensees are not regulated by Estonian Financial Supervision and Resolution Authority (FSA). The virtual currency service provider is issued by the FIU and companies are only regulated for anti-money laundering purposes.
The amendments required existing and new licensees to increase their minimum paid up share capital from EUR 2,500 to EUR 12,000, have their bank or payment accounts domiciled in the EEA, update their AML procedures in line with new requirements provided by the EU’s 5AMLD and the domestic AML regime, as well as to have certain physical presence in Estonia, among others. Stricter background checks and fit and proper tests are conducted on executives and beneficial owners.
Such physical presence requirements include having a place of business in Estonia, i.e. an office where the principal activities of the company are carried out. Furthermore, all executive board members must be residing in Estonia, including the compliance officer. The rationale behind this requirement is common across financial services activities and jurisdictions – authorities should be able to properly supervise and audit the companies, which could be difficult to undertake when a company is operated overseas.
License fees have been increased by 10x, and the FIU application revision period has doubled.
Luxembourg is one of the largest global financial centers and perhaps holds the largest share of the investment fund industry, including fund vehicles and asset managers. As such, the jurisdiction has also attracted a few large crypto industry players, and its Commission de Surveillance du Secteur Financier (CSSF) was one of the first regulators to grant a Payment Institution License to a cryptocurrency exchange.
Last March 2020, Luxembourg transposed the EU’s 5AMLD into domestic law by amending Law of 12 November 2004 on the fight against money laundering and the financing of terrorism (AML law).
Such amendments make VASPs subject to AML/CTF obligations. VASPs include:
- the exchange between virtual assets and fiat currencies, or with one or more forms of virtual assets, which includes brokerages, exchanges, ATMs;
- the transfer of virtual assets, including payment processing entities, and certain wallet providers;
- the safekeeping or administration of virtual assets or of instruments enabling control over virtual assets, including custodian wallet services;
- the participation in and the provision of financial services related to the offer of an issuer or the sale of virtual assets, including ICOs, and certain ICO service providers (e.g. ICO platforms);
Virtual asset is defined as a digital representation of value, including a virtual currency, that can be exchanged or transferred in a digital manner, and which can be used for payment or investment purposes.
The above definition leaves out any asset that could qualify as electronic money under the Payment Services Law, or as a financial instrument under the Financial Sector Law. Therefore, VASPs that deal in digital securities and other financial instruments in the form of virtual assets would be considered credit institutions or investment firms.
Cryptocurrency exchanges, brokers, wallets, etc., are required to register with the CSSF, and are supervised by the CSSF for AML purposes.
Registered companies will be required to provide evidence of having an adequate internal AML/CTF framework, including AML/CTF policies and procedures, AML/CTF risk assessment and risk appetite, performing CDD before starting a business relationship and on an ongoing basis, applying a risk-based approach especially when performing CDD, implement CDD in line with the customer’s risk profile, including EDD when applicable, monitoring transactions and reporting suspicious transactions to the CSSF, identifying payers and payees (travel rule), as well as implementing adequate AML/CTF training programs to employees.
Furthermore, the CSSF has generally required crypto exchanges operating in or from within Luxembourg to obtain a Payment Institution (PI) License under the Law of 10 November 2009 on payment services, on the activity of electronic money institutions and settlement finality in payment and securities settlement systems.
Payment Institution licensees are generally required to have an initial paid-up capital of EUR 125,000, although lower amounts may be authorized depending on the specific activities and the expected size and transactional activity of the business. Ongoing liquid capital maintained shall be the highest out of the initial paid-up capital, 10% of the previous year fixed overheads, or an amount calculated considering a percentage of the payment transaction volume multiplied by a scaling factor that depends on the specific services provided by the PI, or an amount determined by the sum of various income and expense items multiplied by a multiplying factor.
PIs are required to have relevant physical presence in Luxembourg, i.e. the necessary and sufficient human and technical resources in Luxembourg to do business; as well as the procedures and technical infrastructure, efficient risk management, adequate compliance internal control mechanisms and procedures, and IT security, among other requirements. Management and c-level executives shall prove they have enough experience to satisfactorily fulfil their roles.
Much in the same way as Luxembourg and other European Union member states, in May 2020, Netherlands also implemented the EU 5AMLD, which covers virtual asset service activities.
VASPs are now subject to the Dutch Anti-Money Laundering and Counter-Terrorist Financing Act and are supervised by the Dutch Central Bank (DNB) for anti-money laundering purposes.
Virtual currency service providers including companies engaged in the business of providing exchange services between virtual currencies and fiat currencies or other virtual currencies (exchanges, brokers, ICOs, etc), as well as custodian wallet service providers, are required to register with the DNB.
The registration requirement is triggered for both companies incorporated or having their registered office or a branch office in the Netherlands, or in another EEA Member State when they provide services in the Netherlands. Companies domiciled outside of the EEA are in principle not allowed to operate in the Netherlands, unless their jurisdiction of domicile is approved by the Dutch Minister of Finance.
At the time of registration, the DNB will expect the crypto service provider to lodge a comprehensive business plan, detailed background information and documentation on the so-called policy makers, i.e. management and supervisory board members and beneficial owners, a governance and structure plan, operational and management policy, as well as any outsourcing arrangements, and KYC/AML & CTF policies and procedures, among other matters such as the disclosure of conflicts of interests or cybersecurity matters.
Offshore jurisdictions have attracted a large share of the cryptocurrency industry, whether due to the regulatory uncertainty in certain ‘onshore jurisdictions’, the laissez faire approach taken by the regulators of offshore jurisdictions, or other fiscal and legal matters.
However, due to a mix of their willingness to attract such a new financial industry and the fear of reputational damage – many of them are in the eye of the storm when it comes to AML compliance; offshore jurisdictions have thus taken or are taking action to regulate crypto service providers, with certain relevant exceptions.
For instance, in 2018, in the middle of the ICO bubble, Anguilla enacted the Anguilla Utility Token Offering Act, 2018 (AUTO Act), placing significantly strict and relatively expensive requirements for locally-incorporated companies to conduct ICOs. As expected, given the nature of ICOs, and that the bubble burst – the AUTO Act has not seen much traction.
Isle Of Man was perhaps the most advanced jurisdiction on this matter, passing, five years ago, the Designated Businesses (Registration & Oversight) Act 2015 – requiring certain businesses providing services related to or issuing cryptocurrencies to register with the Isle Of Man Financial Services Authority (IOMFSA) as ‘designated business’ for anti-money laundering compliance purposes.
Jersey passed the Proceeds of Crime (Miscellaneous Amendments) (Jersey) Regulations 2016 (the Regulations), in 2016, bringing certain virtual currency activities under Jersey’s anti-money laundering legislation and requiring registration with the Jersey Financial Services Commission (JFSC).
Furthermore, given the recent FATF recommendations on virtual asset service providers, we can expect a further ‘regulatory wave’ across offshore financial centers to bring such activities under supervision of their respective regulator. In fact, it has already started.
In 2019, the Securities Commission of the Bahamas (SCB) issued the Digital Assets and Registered Exchanges Bill 2019 (DARE Bill). Once approved, it will require digital token exchanges, sponsors of an initial token offering, custodial wallet service providers, digital token transfer service providers and other related crypto-activities to register with and be supervised by the SCB.
Antigua and Barbuda has already passed and approved the Digital Assets Business Act 2020 (DABA) last May 2020. When DABA comes into force, digital asset businesses will be required to obtain a license from, and will be supervised by, the Financial Services Regulatory Commission (FSRC). Antigua’s DABA defines the following activities as digital asset business:
- issuance, sale or redemption of virtual coins, tokens or any other form of digital asset, e.g. ICOs;
- operating as a payment service provider business utilizing digital assets, which includes the provision of services for the transfer of funds and holding funds in connection with digital asset transactions, i.e. crypto payment processing services;
- operating as an exchange, i.e. cryptocurrency exchange activities;
- operating as a digital asset services vendor, i.e. brokers, asset managers, market makers, among others.
- providing custodial wallet services, i.e. storing or maintaining digital assets or a virtual wallet on behalf of a client for the purposes of trading, exchange or payment;
- providing digital asset custody services, i.e. the business of safekeeping or administration of digital assets or the instruments that enable the holder to exercise control over digital assets;
- lending, borrowing, providing financial services, or issuing derivatives with respect to, and otherwise dealing with, digital assets, i.e. centralized crypto lending platforms, crypto derivatives exchanges, etc.
- special purpose depository services, i.e. companies accepting deposits which may conduct other activities, including trust services, asset management, etc.
- reasonably ancillary activities in connection with the above activities.
Last January, the Saint Kitts and Nevis’ National Assembly also passed the Virtual Asset Act, 2020 (VAA). The VAA is not yet in force, but it aims to regulate and bring crypto businesses such as cryptocurrency exchanges, brokerages, wallet service providers, and ICOs, among others. under the supervision of the Financial Services Regulatory Commission (both the Saint Kitts branch, and the Nevis branch).
For its part, Seychelles, the offshore jurisdiction that hosts the largest share of the unregulated crypto industry – with the largest unregulated exchanges and brokerage firms operating via Seychelles International Business Companies – has launched a regulatory sandbox exemption for fintech firms.
The Bottom Line
As we have seen, since the release of 5AMLD and the FATF recommendations on Virtual Assets and Virtual Assets Service Providers, authorities from a number of jurisdictions are taking action to update their financial services and anti-money laundering laws to cover companies providing services related to and issuing cryptocurrencies.
All EU Member States are transposing 5AMLD, placing registration requirements and supervision by national regulators from an anti-money laundering perspective.
One can expect that non-EU jurisdictions will also do so very shortly, in order to avoid the reputational and economic relationship issues that could arise from ML concerns and low AML compliance rates set by international bodies.
International financial centers are at the forefront of regulating cryptocurrency activities, not only from an AML perspective but also as financial services and investment institutions that cover a broader range of aspects besides AML compliance. One can also expect that in the mid-term cryptocurrency exchanges, broker-dealers, custodians, etc., will be regulated much in the same way and following the same (or stricter) codes as securities or payment services businesses, etc.
These could be very interesting times for the industry, where a certain level of maturity is achieved, and service providers and intermediaries would need to operate under certain rules. Emergence of businesses in the space might slow down, as regulations could pose a barrier for certain entrepreneurs.
However, if regulations are properly handled and implemented, they could also help to clean up certain controversial or dubious practices from certain actors, and overall bring positive reputation to the industry while providing solid projects certain regulatory certainty and the appropriate environment to grow.
Although one could argue that the ‘wild-west’ environment in which some cryptocurrency industry players have operated in recent years has its days numbered, in fact, it might not be the case in certain instances.
As the industry grows, and regulators try to keep the pace – new innovative business models are emerging, such as those related to decentralized finance or Defi.
Defi platforms are gaining substantial traction recently, but due to their decentralized nature, in certain cases, could fall outside of the scope not only from existing financial markets laws, but also from the abovementioned new legal frameworks that are put in place to regulate the cryptocurrency industry. In future articles, we will discuss what to consider when setting up and operating a Defi platform from a legal perspective. Stay tuned.
Perhaps now more than ever, it is paramount for both existing and new crypto businesses to be up to date on the ongoing legal developments in the space, as well as to be properly informed about the regulatory opportunities and requirements in order to make the right decisions. At Flag Theory, we can help you navigate such legal developments across international financial centers, and assist you with aligning various legal, regulatory, and tax elements to your specific operational and commercial needs, priorities, and goals. Contact us for further information about our services.