As finance and technology combine to provide increasingly innovative products, 2017 was the year that saw cryptocurrencies enter into the mainstream.

Central to this rise has been burgeoning activity surrounding initial coin offerings (ICOs), a means by which virtual coins or tokens are sold to purchasers via distributed ledger technology (DLT) or blockchain networks like Bitcoin or Ethereum, in order to raise funds for new ventures. By the close of the year, ICOs had generated over $3.7 billion (£2.7 billion) in funds.[1]

Bitcoin emerged in the wake of the financial crisis. Its "outsider" status, particularly so far as financial regulation was concerned, was of pivotal importance.

The double-edged sword of unregulated ICOs has meant that, although for the fortunate the gains have been substantial, the losses have been equally substantial for those less fortunate. The decentralised nature of cryptocurrency has given rise to ICOs that failed to address responsibility or accountability towards investors. As a result, there is no protection against losing everything and little time to act before significant losses occur.

Various newsworthy events exposing a lack of investor protection have resulted in increased regulatory scrutiny. In the infancy of the cryptocurrency, an ICO could pay scant regard to due diligence and business transparency, because no regulators really knew what it was, how it worked or who or what they should be regulating. Investors will now expect more.

How, though, should a regulator seek to continue protecting consumers and market integrity, while also promoting technological innovation?

And if cryptocurrency and ICOs are to be ushered into the regulatory perimeter, how are they to be classified from a legal and regulatory perspective?

Regulatory approaches

On Sept. 12, 2017, the UK's Financial Conduct Authority issued a consumer warning on ICOs, stating that they are "very high-risk, speculative investments," and that "there is a good chance of losing your whole stake as an investor."[2] The European Securities and Markets Authority echoed these sentiments in a later warning.[3]

The People's Bank of China denounced ICOs as "illegal fundraising" in September 2017, and issued a ban, causing cryptocurrency values to plummet. The following day, Canadian regulators accepted a firm offering ICOs into its regulatory sandbox, as part of its broad goal of supporting innovative fintech projects.

On Nov. 14, 2017, the FCA addressed the risks inherent in investing in cryptocurrency contracts for differences — citing price volatility and price transparency, among other concerns.[4] More recently, political compromise on the proposed 5th Money Laundering Directive (MLD5) was reached, to bring virtual currency exchange platforms and custodian wallet providers into the anti-money laundering regulatory framework, and the changes are set to be adopted in Summer 2018.[5] While it will be some time before member states are obliged to address at least the money laundering risks of the product, there is nothing to stop any jurisdiction, whether an EU member or not, from taking earlier action. The MLD5 model could be a blueprint for others to follow or adapt as they see fit.

On Jan. 1, 2018, the Gibraltar Financial Services Commission (GFSC) introduced a DLT framework, with regulatory principles akin to the FCA's Principles for Businesses.[6] However, ICOs will not generally be caught.

The turning point: what the SEC said

The FCA's initial focus on ICOs came in the wake of a USSecurities and Exchange Commission (SEC) investigation into the DAO, a virtual organization created by

Within the Ethereum blockchain, the DAO publicly issued virtual DAO coins in return for Ether (the cryptocurrency of the Ethereum blockchain), and the greater the 'investment', the greater the voting rights the investor would obtain in how the funds were spent. After hackers stole the coins, the SEC investigated.

By applying the conditions from SEC vs Howey, the US Supreme Court test for determining whether transactions qualify as investment contracts (and by extension, securities), the investigation found that the tokens emergent from the DAO's ICO are securities and thus could fall within the US regulatory perimeter.

The SEC made the classification by fulfilling the following criteria from the Howey test:

  1. Investment of money — tokens are bought with cryptocurrency (in this case, Ether).
  2. Reasonable expectation of profits — investors buy into a common enterprise, with the expectation that the purchase of tokens would yield returns in the form of cryptocurrency from the DAO's ventures.
  3. Derived from the managerial efforts of others — DAO investors relied on the managerial and entrepreneurial efforts of to implement digital infrastructure and manage the DAO, putting forth project proposals to generate profit for its investors.
  4. Investor voting rights were limited — given that was able to control required voting thresholds for its projects, and given the anonymity of token holders, investors could not easily come together like shareholders and exert influence.

The classification of ICO tokens as securities demands the registration of offers and sales of securities, and registration as a national securities exchange. Surprisingly, however, the SEC did not pursue any enforcement action against the DAO.

Does the US position translate into UK law?

In its consumer warning, the FCA said that whether an ICO would be regulated must be considered on a case-by-case basis.

The consequences of operating within the UKr egulatory perimeter are considerable. Applications for authorisation are costly and time-consuming, and ongoing compliance even more so. But carrying on "regulated activities" without authorization is a criminal offence.

Under the general prohibition in the Financial Services and Markets Act 2000 (FSMA), no firm may carry on a regulated activity in the UK unless it is authorised to do so or exempted from the need for authorisation. To carry on regulated activities, the firm must be performing "specified activities" relating to "specified investments," as defined in the FSMA (Regulated Activities) Order 2001 (RAO).

Is an ICO token a specified investment?

Is it a share? It is unlikely that the tokens would be construed as shares, as that would require the firm offering the ICO to incorporate and have legal status. There is no parallel in the UK to the US concept of investment contracts being securities, and therefore of tokens aligned with the contracts also being securities.

Is it a debt instrument? Nor would the tokens be likely to constitute instruments creating or acknowledging indebtedness. Depending on the structure of an ICO, it could conceivably be construed as a debenture, but this would involve strict conferring of profit-sharing rights so as to render the appearance of tokens more as loans than investments in (digital) currency, which is unlikely.

Is it a CIS? The tokens bought through an ICO may however represent units in a collective investment scheme (CIS), which are specified investments and the establishment, operation or winding up of a CIS is included as a specified investment under the RAO.

An ICO would be a CIS if the answer to each of the following questions is "yes":

  • Does selling the tokens constitute 'arrangements with respect to property of any description, including money', where the purpose of the investment would be 'to participate in or receive profits or income arising from' a firm's cryptocurrency ventures? Probably, using similar logic to the SEC's conclusions regarding 'reasonable expectation of profit'
  • Do the investors have no day-to-day control over the management of the property, whether or not they have the right to be consulted or give directions? Even if a token was structured so as to confer a right to vote on any future ventures, the management of the cryptocurrency fund itself would never fall to an individual investor. Again, this aligns with the US element of "derived from the managerial efforts of others," and so the answer again is likely "yes"
  • Finally, do the ICO arrangements represent the pooling of multiple investments? Again, they would ordinarily appear to, as its profits are pooled, and the investments are managed wholly by or on behalf of the firm operating the scheme.

On this analysis, the DAO ICO would meet the conditions of being a CIS. Of course, not all ICOs will be structured like the DAO and may not meet the conditions to be a CIS. But if there is a CIS, the person responsible for it, if in the UK, will be carrying on the regulated activity of establishing, operating and winding up a CIS and would need to be authorised. If that person were outside the UK, it would not need FCA authorisation, but its marketing would be restricted, as would the activities of any person in the UK seeking to arrange investment into the ICO or advise on such an investment. We discuss this below.

Might there be any other types of investment? It is also worth noting that, in a letter from the FCA to the Treasury Select Committee, whose focus was not ICOs but rather the boundaries of the regulatory perimeter in general, the FCA noted that while cryptocurrencies themselves are typically not "investments," and therefore the issuing or trading in them would not be regulated, derivatives referencing the cryptocurrency may be — and so those who trade, advise on or arrange trading in them may fall within the scope of regulation.

Are there specified activities?

If the ICO is a CIS, the sale of tokens to investors and subsequent management of the fund may satisfy a number of "specified activities." Any one or more of these activities, if carried on in the UK, and sometimes into the UK from abroad, attracts the authorisation requirement.

The most likely activities to be carried on in the UK are "arranging" and potentially "advising" and "dealing." Even if the person doing them is outside the UK, it will still fall within the UKregulatory perimeter unless it can operate under strict conditions — which depend on the precise activity, but include that the product was marketed in compliance with relevant promotion restrictions and may also require the involvement of a UKauthorized person.

A firm may also be involved in safeguarding and administering the fund before any ventures begin. Thereafter, the firm would be exercising discretionary management of the assets in electing its cryptocurrency ventures, likely constituting managing activities. If the entities carrying on these activities are situated outside the UK, UK regulation would bite only if investment decisions are made in the UK, and where funds were safeguarded and administered in the UK

For the SEC, the involvement of US investors was critical to the need for SEC registration. In the UK, if the individuals or entities carrying on the activities were in the UK, they would in principle still need authorisation even if they targeted and accepted no UKinvestors.

Even if all regulated activities are carried out outside the UK, if the ICO interests are characterised as units in a CIS and marketed to individuals in the UK, FSMA restrictions on both marketing and certain activities would apply, so UK law cannot be circumvented simply by doing everything offshore. As the FCA says, much will hinge on the precise structure of the ICO.


Unauthorised firms threaten a key statutory objective of the FCA: consumer protection. Investors dealing with unauthorised firms will not by covered by Financial Ombudsman Service or the Financial Services Compensation Scheme if things go wrong.

Other FCA warnings regarding ICOs touched on the volatility of coins/tokens, and the risks inherent in investing in an unregulated space in the early stages of its development. The FCA said:

"Businesses involved in an ICO should carefully consider if their activities could mean they are arranging, dealing or advising on regulated financial investments. Each promoter needs to consider whether their activities amount to regulated activities under the relevant law. In addition, digital currency exchanges that facilitate the exchange of certain tokens should consider if they need to be authorised by FCA to be able to deliver their services."

It may be the case that in the volatile, unregulated space of ICOs, the FCA may simply create a new regulated activity of issuing coins, as it did with peer-to-peer lending, so as to bring it within the regulatory perimeter.

For now, however, the FCA is alive to the risks posed and emphasises that, depending on how they are structured, firms involved may be carrying on regulated activities without authorisation or exemption.

Notwithstanding any regulatory speculation, one might query whether ICOs will remain a commercially reasonable investment, after major financial institutions like Lloyds and Virgin Money banned their customers from purchasing cryptocurrency on their credit cards.

It will be interesting to see what 2018 holds for issuers, investors and regulators alike.


This article was previously published on Monday 5 March 2018 by Law360.