Securities Laws Aren't the Only Rules Token Sales Have to Consider
Peter Van Valkenburgh discusses potential AML/KYC issues for cryptographic token sales.
This article originally appeared in CoinDesk.
There is a dangerous hole in our current understanding of federal regulation of token sales, and it's not what you may think. Several lawyers, myself included, have previously sounded the alarm with respect to securities laws. But there is another issue: federal financial surveillance laws.
Better known as "AML/KYC" rules, these are laws that require businesses to collect and report information about customers. Uncertainty surrounding the application of these laws to token sales is at least as pronounced as the uncertainty surrounding the securities laws. The regulator on point has already fined one company in the space for selling tokens.
Worse, the regulatory guidance thus far released to explain who is and isn't on the hook is hard to parse and — at times — contradictory.
A federal law, the Bank Secrecy Act (BSA), mandates that "financial institutions" (a broad category of businesses offering financial services) must collect and retain information about their customers and share that information with the Financial Crimes Enforcement Network (FinCEN), a bureau within the US Department of the Treasury.
The emergence of bitcoin and decentralized crypto-tokens has raised an important question. When do businesses dealing with these new technologies fit the definition of "financial institution" and become obligated to surveil and report on their customers?
For bitcoin businesses, the question has been largely answered, but the law is not clear with respect to new token sales.
Several issues remain unresolved and carry tremendous potential liabilities for innovators. These include:
- Are BSA obligations triggered when the developers of a new decentralized token protocol sell that token to US persons?
- Do these sales fit into the definition of "money transmission" under financial surveillance regulations?
- Are sales to US persons without engaging in KYC violations of those laws?
In some of its administrative rulings, FinCEN has suggested that selling bitcoins or tokens from your own account (eg tokens you own) is not money transmission.
For example, when a miner sells the fruits of their mining efforts for dollars, or an investor decides to close their position in a token.
The XRP example
But in other contexts, particularly in the settlement agreement they reached with Ripple in 2015, FinCEN has suggested that selling a token you own (XRP in the Ripple case) is money transmission, and to do so without registering with FinCEN and complying with its regulations is a serious offense worthy of a major monetary penalty ($700,000 in the case of Ripple) or else time in jail for company management and even potentially shareholders.
This is a highly consequential legal uncertainty that lies like a trap for innovators dealing with US persons — many of whom have a good faith belief that they are doing nothing wrong. But this isn't just about how to structure a token sale so that it's legal. American competitiveness, jobs and the future of innovation on our shores is also at stake, as are our fundamental rights to privacy and free speech.
For the non-lawyer, the argument can be phrased in simple English.
Common understanding suggests that "money transmission" is an act performed by an intermediary; a person who stands between two parties accepting money from one and transmitting it to another.
When a person transacts directly with another person, giving them money for any reason — as a gift, a payment, a donation, a grant, a tip — she does not play this intermediary role. She does not hold herself out as a trusted third party. She is engaged in private, personal transactions rather than being engaged as a third party to the transactions of others.
A person who invents a new decentralized token and sells it to another person is not playing an intermediary role; they are engaged in a private transaction selling the fruits of their ingenuity and labor.
Balancing privacy and security
Congress made the policy choice long ago to deputize third-party intermediaries to surveil users on behalf of the government, and it's one that carries risks to individual privacy but also potential benefits to national security and peace.
However, mandating the same kind of surveillance from individuals who are not intermediaries — who are merely transacting on their own account with another citizen — is a considerable recalibration of the balance between privacy and security. It tips the scales against personal privacy and may even be unconstitutional.
This is not a recalibration that should be made merely by issuing administrative rulings or guidance, the approach thus far taken by FinCEN when dealing with these questions. Instead, FinCEN should clarify that selling decentralized virtual currency on one's own account does not constitute money transmission, regardless of whether the purpose of that sale is to pay a merchant, to sell tokens received through mining or — indeed — to sell one's own newly invented decentralized token.