Since the launch of Bitcoin, the first ever virtual asset in January 2009, virtual assets have been on a roller-coaster ride. 2017 was the breakout year: at its peak in December 2017, Bitcoin was trading as high as US$19,783, up 1,824% from its price on 1 January 2017. On 20 September 2019, there were 2,377 virtual assets listed on Coinmarketcap with a total market cap of approximately US$272 billion.

After a prolonged crypto winter in 2018 which saw prices of the major virtual assets drop, Bitcoin’s price recorded a 160% increase since the beginning of 2019. Bitcoin recently traded above US$11,000 for the first time in 15 months. Reasons suggested for the recent surge in bitcoin pricing include:

  1. A more complex conversation surrounding Bitcoin

  2. Fewer concerns about fraud

  3. A shift in the tense of how bitcoin is talked about from the past to the future

  4. Market maturity.

Virtual Asset Regulation

In terms of regulation of virtual assets generally, there has been no global co-ordinated response to date. While distributed ledger technology (DLT) which underlies virtual assets is widely considered to have the potential to deliver significant benefits, a view seems to be emerging that more needs to be done to address the risks associated with virtual assets. 

However, given that virtual assets are still in their infancy and developing rapidly, the challenge for regulators is how to protect investors and the market without stifling development and innovation. Many jurisdictions seek to regulate virtual assets under existing regulatory frameworks – but shoe horning these very diverse assets into investment categories created years ago for very different investment products has resulted in considerable uncertainty as to how the regulations apply. Rather than applying existing securities laws to virtual assets, there are arguments that the approach to their regulation needs to be more nuanced.

Facebook’s Libra

The regulation of virtual assets is also coming under the spotlight thanks to Facebook’s recently announced plans to launch a new virtual asset, Libra. The consortia of 29 associated with the launch include heavy hitting financial players and social media companies such as Visa, Mastercard, ebay, uber, Anchorage etc. A Geneva-based entity, the Libra Association, has been set up to govern and oversee the administration and facilitation of the new digital coin. Facebook also established Calibra, a subsidiary, that will provide digital wallets to save, send and spend Libras. It will be connected to Facebook messaging platforms, Messenger and WhatsApp and is expected to launch in the first half of 2020. Leading banks and lenders have yet to make a decision to join as they await the reaction and response of regulators and consumers.

Unlike other stable coins in the crypto-currency industry (e.g. Tether, which is pegged to USD), Libra coins will not be pegged to a particular currency but will fluctuate in value according to the value of the underlying assets and the exchange rates with local currencies. Libra’s underlying assets will be held by a geographically distributed network of custodians with investment-grade credit ratings.

As an initiative to use blockchain technology in offering unbanked consumers access to financial services for the first time, the unpegged Libra coins are set to allow Facebook to collect and store the data of millions of users. Critics argue that this raises concerns in relation to Facebook’s competence, if not integrity, in handling users’ personal information, especially amidst allegations regarding its ties to Russian interference in the 2016 US presidential election.

Putting privacy concerns aside, such a massive potential userbase will no doubt give rise to regulatory concerns relating to blockchain, distributed ledger technology and virtual assets. US Senator Mark Warner (a Virginia Democrat who sits on the Senate Banking Committee) and Markus Ferber (German lawmaker in European Parliament) have both voiced their concerns over Facebook’s new coin.

Risks and Benefits

Aside from the particular concerns raised by Libra, key risks associated with virtual assets include:

  1. Fraud – widespread fraud was a major factor in China imposing a ban on ICOs in September 2017. A statement on the website of the People’s Bank of China at the time claimed that some 90% of Chinese ICOs were fraudulent. In the UK, 203 cases of cryptocurrency fraud resulting in losses of over £2 million were reported in just 2 months in 2018.

  2. Financial crime – the risk of cryptocurrencies being used for money-laundering and terrorist financing.

  3. Security – There have been a number of cyber-attacks resulting in crypto exchanges being hacked and cryptocurrencies being stolen. Japan, one of the world’s most active markets for cryptocurrency trading, has experienced a series of major hacks resulting in the theft of some US$580 million worth of cryptocurrencies from the Japan-based Coincheck and Zaif exchanges in 2018. 

  4. Market-abuse activities such as ‘pump-and-dump’ schemes and insider dealing which are outside the scope of market misconduct legislation.

  5. General risk of failure – many ICO issuers are start-ups which have a high failure rate. Consumer protection concerns have focused on the quality of information provided to investors and whether ICOs are suitable investments for retail investors.

On the other hand, cryptocurrencies offer significant benefits. Virtual assets which act as a means of exchange (e.g. Bitcoin) can provide more efficient and cheaper transactions, e.g. in international transfers. As originally conceived by Satoshi, Bitcoin was intended as a “purely peer-to-peer version of electronic cash [that] would allow online payments to be sent directly from one party to another without going through a financial institution” (according to Bitcoin’s 2008 whitepaper). Published during the 2008 global financial crisis, Bitcoin’s whitepaper offered up an alternative to the traditional banking sector and financial access for the world’s unbanked populations. The World Bank’s latest (2017) Global Findex Database found that 1.7 billion adults do not have a bank or financial services account – although around 2/3 of them own a mobile phone. Bitcoin was thus envisaged as a means of providing a cheap and fast payment mechanism which could operate cross-border with far greater efficiency than was possible through traditional banks, while eliminating the possible risk of a failure of the financial system. Satoshi did not however foresee that Bitcoin would become a ‘store of value’ or ‘investment’ which people would buy for speculative purposes rather than its use value. The different uses of virtual assets, and the fact that their actual use can be very different from the use intended by their creator, are among the factors making the regulation of virtual assets so challenging. Moreover, when used as a capital-raising method in ICOs, virtual assets can support innovative business models which may have access to traditional fund raising avenues.

The OECD recently published a report – Initial Coin Offerings (ICOs) for SME Financing ( which concluded that blockchain-enabled ICOs “have the potential to offer a new way to raise capital for projects, benefitting from efficiencies, cost savings and speed of execution, if appropriately regulated and supervised”.

The OECD report identifies a number of benefits of ICOs:

  • Efficiency gains and cost savings from the use of distributed ledger technology such as block chain and disintermediation where value is exchanged without a bank intermediary;

  • Access to an unlimited investor pool – with no restrictions on geographic location or investor type;

  • Inclusive fundraising method which also creates a network of future users of the issuer’s product or service whose active participation impacts the issuer’s viability;

  • SME founders can raise early stage funding without relinquishing ownership, a key disadvantage of IPOs;

  • Speed – ICOs can be completed in a fraction of the time required for an IPO. BAT raised US$34 million in less than a minute. But the lack of regulatory standards means that speed is achieved because of the lack of information disclosure and due diligence requirements;

  • Liquidity provided by token listings on crypto-exchanges;

  • Cryptographically secured tokens benefit from the features of distributed ledger technology – immutability, permanence and security; and

  • The use of smart contracts can reduce counterparty risk as transactions are executed automatically on the occurrence of pre-defined conditions;

  • Costs – ICOs are considerably cheaper than other forms of fundraising, particularly IPOs due to the absence of underwriters fees.

However, ICOs are not for everyone. The SMEs that stand to benefit most from an ICO are those whose business model uses distributed ledger technology to meet a real consumer need. For these companies, the token issue creates a customer base before the project is launched providing for faster adoption of the product or service. This is a major advantage of an ICO over other forms of financing.

In addition, ICOs mainly address SMEs’ seed and early stage funding needs and are less suited to funding the later growth stages in an SME’s life cycle. 

The case for regulation

A major impediment to ICOs developing as a mainstream funding method identified by the OECD is regulatory uncertainty and the potential for regulatory arbitrage. The OECD makes a case for regulatory clarity to allow SMEs to enjoy the benefits of ICOs while protecting both SMEs and investors from the potential risks. It highlights standardised disclosure requirements as the way to eliminate information asymmetries which already characterise SME funding and points to enhanced retail investor protection measures and improved retail investor education on the risks of ICO investment. The Financial Action Task Force (FATF) has revised its recommendations to require “virtual asset service providers”, including crypto exchanges, to be licensed and supervised in their implementation of anti-money laundering and counter-terrorist financing procedures. The OECD further recommends the mandatory application of anti-money laundering and counter-terrorist financing procedures to ICO issues.

Unlike IPOs, ICOs are offered internationally rather than within a specific jurisdiction and cross-border trading occurs easily on online exchanges. The OECD argues for a more “coordinated global approach” to reduce regulatory arbitrage and to allow ICOs to reach their full potential as funding tools for blockchain-based SMEs. It is hard to argue against this. Yet, the reality is that widely different regulatory frameworks and economic and political objectives in different jurisdictions make regulatory cooperation extremely difficult.

Crypto Terminology

A particular difficulty, particularly when comparing regulation in different jurisdictions, is the lack of standard terminology across jurisdictions and official statements. The terms cryptocurrency, virtual currency, digital currency, virtual assets, digital assets, cryptoassets and digital tokens, are used more or less interchangeably. For the purposes of this seminar, I will use the term “virtual asset” to encompass all of these terms.

FATF Recommendations

The most significant regulatory development to date comes from FATF – the setter of international standards on Anti-money Laundering (AML) and Counter-terrorist financing (CTF).

In October 2018, FATF revised its Recommendations – the global standards on AML and CTF – to explicitly require member countries (which include Hong Kong) to:

  1. Regulate virtual asset service providers or VASPs for AML and CTF purposes;

  2. License or register VASPs; and

  3. Subject VASPs to effective systems for monitoring and supervision (revised FATF Recommendation 15).

New definitions of “virtual asset” and “virtual asset providers” were adopted.

A virtual asset is defined as a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. The definition explicitly excludes digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.

Virtual asset service providers are defined as any natural or legal person who is not covered elsewhere in the Recommendations and conducts any of the following activities as a business on behalf of another person:

  1. exchange between virtual assets and fiat currencies;

  2. exchange between different forms of virtual assets;

  3. transfers of virtual assets (i.e. conducting a transaction that moves a virtual asset from one virtual asset address or account to another);

  4. safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and

  5. participating in and providing financial services related to an issuer’s offer and/or sale of a virtual asset.

VASPs therefore include virtual asset exchanges, providers of certain types of virtual asset wallets and providers of financial services for ICOs.

21 June 2019 Guidance on Virtual Assets and Related Providers

On 21 June 2019, FATF updated its Guidance on Virtual assets and related providers to further clarify how its AML and CFT standards apply to virtual assets. In its Public Statement on Virtual Assets and Related Providers issued on the same day, FAFT also announced its adoption of an Interpretive Note to Recommendation 15 on New Technologies (INR. 15).

Application to Countries and regulatory authorities

INR.15 imposes binding measures on member countries for the regulation, supervision and monitoring of virtual asset service providers. In particular, it requires countries to:

  1. apply a risk-based approach to financial activities involving virtual assets and virtual asset service providers;

  2. require the licensing or registration of VASPs incorporated or established in their jurisdiction. They should also license or register natural persons who carry on VASP business in their jurisdiction. Jurisdictions may also require the licensing or registration of VASPs which offer products and/or services to customers in, or conduct operations from, their jurisdiction;

  3. apply all FATF preventative measures, including (without limitation) customer due diligence, record keeping, suspicious transaction monitoring to VASPs. Customer due diligence is required for transactions above US$ or EUR 1,000;

  4. designate a competent authority – not a self-regulatory body – to be responsible for VASPs’ licensing or registering, monitoring and supervision.

  5. require competent authorities to:

    1. take necessary legal or regulatory measures to prevent criminals or their associates from holding, or being the beneficial owner of, a significant or controlling interest, or holding a management function in, a VASP; and

    2. take steps to identify persons carrying on activities in virtual assets without the necessary licence or registration, and impose appropriate sanctions;

  6. empower competent authorities to ensure VASPs’ compliance with AML and CTF obligations, including the authority to conduct inspections, compel the production of information and impose sanctions;

  7. have a range of effective, proportionate and dissuasive sanctions to deal with VASPs that fail to comply with their AML/CTF obligations,including powers for supervisors to withdraw, restrict or suspend VASPs’ licence or registration. Sanctions should apply to VASPs, their directors and senior management;

Countries may prohibit VA activities or VASPs to support other policy goals, such as consumer protection and monetary policy.

Application of guidance

The FATF Recommendations do not however apply to a person who is not engaging in the various activities as a business for or on behalf of another person. Thus an individual who uses virtual assets to purchase goods or services on their own behalf is not a VASP.

Depending on a jurisdiction’s local laws, a virtual asset trading platform may not be a VASP if it simply provides a forum for buyers and sellers of virtual assets to post bids and offers and the parties trade at an outside venue (e.g. through individual wallets or wallets not hosted by the trading platform). However, if the platform facilitates the trade by buying the virtual assets from the seller and selling them to the buyer, it will be conducting exchange and/or transfer activity as a business on customers’ behalf and will thus be a VASP subject to the requirements. Closed-loop items that are non-transferable, non-exchangeable and non-fungible such as airline miles and credit card rewards are also outside the scope of the VASP regulatory controls.

The “Travel Rule”

One of the most controversial provisions is the application of the “travel rule” for banks to VASP transfers. This requires countries to ensure that originating VASPs:

  1. obtain and hold the required originator and beneficiary information (including the name and account number of the originator and beneficiary and the originator’s identification number);

  2. transmit the information to the beneficiary VASP or financial institution (if any); and

  3. make the information available on request to the appropriate authorities.

Implementation Requirement

FATF has said that it expects member countries to promptly apply the FATF Recommendations to virtual asset activities and service providers. It will monitor implementation and conduct a further review in June 2020. 

The G20 group of nations committed to implementing the updated AML and CTF standards for virtual assets and virtual asset providers when it met in Japan in June 2019

Implementation Progress

As a result of the requirement for FATF AML and CTF standards to be applied to virtual asset service providers, a number of jurisdictions have required crypto exchanges to be licensed and subject to AML and CTF obligations, or are in the process of doing so.

For example:

  • The European Union’s (EU) fifth money laundering directive (5MLD) requires virtual asset service providers to be registered, and meet the requirements of the EU’s anti-money laundering regime. EU member states are required to implement the requirements of the fifth money laundering directive into local law by 10 January 2020.

  • Singapore passed the Payment Services Act in January 2019 which requires entities providing virtual asset dealing or exchange services to be licensed by the Monetary Authority of Singapore (MAS). The detailed AML/CTF requirements applicable to licensees will be imposed by notices issued by the MAS under the Monetary Authority of Singapore Act.

Hong Kong Crypto Regulation

The Hong Kong regulators have not introduced, or consulted on, new laws or regulations to subject virtual asset providers to AML and CTF requirements, except where the virtual assets in question constitute “securities” under Hong Kong’s Securities and Futures Ordinance (SFO). In this case, intermediaries conducting regulated activities in relation to virtual assets that are securities, will need to be licensed or registered by Hong Kong’s Securities and Futures Commission (SFC)and must comply with AML and CTF requirements.

Generally speaking, the regulatory position in Hong Kong regarding “virtual assets” including cryptocurrencies (such as Bitcoin) and ICO tokens is that these are unregulated, unless they constitute securities.

In particular, the Hong Kong Monetary Authority (HKMA) has said that it does not regulate virtual assets such as Bitcoin which it regards as a virtual “commodity” and not as legal tender, a means of payment or money.[1] Hong Kong’s banking laws and regulations do not therefore apply to entities accepting or dealing in virtual assets.

The Money Service Supervision Bureau of the Customs and Excise Department also confirmed that Bitcoin and other similar virtual commodities are not money for the purposes of the Anti-Money Laundering Ordinance, and are thus outside the scope of its regulatory regime for money service operators.[2] 

On 1 November 2018, the SFC published new regulatory standards which apply to virtual asset portfolio managers and distributors of virtual asset funds that are already required to be licensed. Separately, the SFC invited virtual asset trading platforms and exchanges which are interested in becoming licensed to join the SFC’s Regulatory Sandbox with a view to potentially becoming licensed, if the SFC determines that they are appropriate for licensing following its assessment of their performance in the Sandbox.

The initiative is an important step forward as it demonstrates the SFC’s willingness to engage with participants in the crypto industry. There have been calls from the industry to introduce regulation in order to create legitimacy for players willing to comply with regulatory standards.

Regulating around the Edges

Essentially, the SFC is trying to impose regulation where it can. As spelt out in its “Statement on Initial Coin Offerings” of 5 September 2017,[3] where a virtual asset constitutes a security (i.e. it carries rights equivalent to traditional securities such as shares, debentures or interests in a collective investment scheme) or a futures contract, it is already regulated by the SFC. Accordingly, licensing requirements apply to firms carrying on “regulated activities” in relation to such virtual assets. Licensing requirements thus apply to:

  1. an exchange providing trading services in virtual assets which are securities or futures;

  2. firm managing funds that invest in virtual assets which are securities or futures; and

  3. firms distributing funds which invest in virtual assets (irrespective of whether they are securities or not).

The SFC’s regulatory jurisdiction does not however extend to the many virtual assets which are not securities or futures contracts – which the SFC refers to as “non-SF virtual assets”. Thus, an exchange which only trades non-SF virtual assets or a firm which only manages funds investing in non-SF virtual assets is completely unregulated.

Primary market issues and offers of virtual assets (such as ICOs) which are not securities also remain unregulated.

>Virtual Asset Exchanges

The proposals for potentially regulating virtual asset exchanges involve a voluntary process whereby exchanges wanting to be licensed would operate within the SFC’s Regulatory Sandbox. If the SFC decides to proceed with licensing for virtual asset exchanges, which is by no means a given, it would be a licensing condition that the exchange trades at least one virtual asset which is a security in order to bring the exchange within the SFC’s regulatory jurisdiction. Once it is, the SFC would apply its regulatory framework to all activities of the exchange irrespective of whether they involve virtual assets which are securities or not.

Virtual Asset Portfolio Managers and Virtual Asset Fund Distributors

The SFC is imposing regulation on virtual asset portfolio managers and virtual asset fund distributors which are already required to be licensed either because:

  • they also manage portfolios of traditional securities or futures contracts which requires an asset management licence; or

  • they distribute funds investing solely in non-SF virtual assets. Fund distribution requires a securities dealer licence (Type 1) because a fund is a “collective investment scheme” which is a security irrespective of whether the fund invests in virtual assets which are securities or not.

The SFC has applied additional licensing conditions to both types of firm to the extent that they manage portfolios (or portions of portfolios) that invest in virtual assets. Portfolio management includes both fund management and management of discretionary accounts (in the form of an investment mandate or a pre-defined model portfolio).

Firms distributing virtual asset funds (whether as fund managers under an asset management licence or as fund distributors under a securities dealer licence) are required to comply with:

  1. the SFC’s regulatory framework for licensed corporations including its Code of Conduct for Persons Licensed by or Registered with the SFC (Code of Conduct), including (among others) Know-your-Client (KYC) and AML and CTF obligations, as well as an obligation to ensure the suitability of product recommendations and solicitations for particular clients; and

  2. additional requirements including extensive due diligence in relation to the virtual asset funds they distribute[4], their fund managers and counterparties.

Potential Framework for Regulation of Virtual Asset Platform Operators

Currently, none of the cryptocurrency exchanges operating in Hong Kong are licensed by the SFC. The SFC has written to exchanges warning them not to trade virtual assets which are securities but has not named the relevant virtual assets or clarified why it considered them to be securities.

Recognizing its lack of jurisdiction over exchanges which only trade non-SF virtual assets, the SFC is offering exchanges the chance to become licensed – in order to be able to set themselves apart from unlicensed exchanges – if they trade at least one virtual asset which is a security. The SFC would then regulate all activities of the crypto exchange – including those relating to virtual assets that are not securities, on the basis that the trading of one (or more) security virtual assets brings the exchange within its regulatory jurisdiction. The SFC refers to this as an “opt-in” regime.

The SFC is envisaging a staged approach comprising:

  • An initial exploratory phase – platform operators would not be licensed at this stage. The SFC would discuss with Platform Operators its expected standards of regulation, observe their live operations, and assess whether Platform operators are appropriate for regulation by the SFC based on the performance of those trading in the Sandbox. To avoid public confusion about Platform Operators’ regulatory status, the SFC will keep Sandbox applicants’ identity confidential.

  • At the end of the exploratory stage, the SFC may decide not to regulate Platform Operators. If, however, it determines that they are appropriate for regulation, it will consider granting licences for Type 1 (dealing in securities) and Type 7 (providing automated trading services) to Platform Operators, subject to stipulated licensing conditions.

  • The Platform Operator will then move to the second stage of the Sandbox when it will need to put in place robust internal controls and will be subject to closer SFC supervision. After 12 months, the Platform Operator will be able to apply for removal of some of the licensing conditions, e.g. on ongoing reporting obligations, and exit the Sandbox.

According to the “Conceptual framework for the potential regulation of virtual asset trading platform operators” (Conceptual Framework), if a Platform Operator is interested in becoming licensed, it must:

  • operate an online trading platform in Hong Kong;

  • offer trading of at least one virtual asset that constitutes a “security” under the SFO; and

  • provide trading, clearing and settlement services for virtual assets and have control of investors’ assets.

These basic requirements raise a number of issues:

  1. It is not clear at what stage the Platform Operator needs to offer trading in a virtual asset which is a security – is this a requirement for entering the Sandbox and starting the “Exploratory stage”; or only for the grant of a licence? The latter interpretation makes more sense given that the licensing obligation should be triggered the moment a platform provides trading for a virtual asset which is a security.

  2. It is unclear which virtual assets will qualify as “securities”. The SFC has said that most virtual assets fall outside the scope of the definition, but has not provided any explanation for that view. To be a security, a virtual asset would need to have the features of shares, debentures, a collective investment scheme, structured product or regulated investment agreement. In some cases, it will be obvious – e.g. where a virtual asset entitles the holder to a share of the issuer’s profit making it similar to a share, or where the issuer will invest the token proceeds and distribute a share of the return on investment to holders, making it a collective investment scheme. Yet there will be many virtual assets where the position is uncertain. In the UK, a report of the Cryptoassets Taskforce (October 2018) noted that the complexity and opacity of many virtual assets make it difficult to determine whether they qualify as security tokens. [5]

  3. given that many platforms are available online, the scope of the requirement that the exchange “operates” in Hong Kong needs clarification.

Given that the framework proposed is entirely voluntary, and the SFC may decide at the end of the “exploratory phase” not to license crypto exchanges, it is difficult to see how Hong Kong is intending to comply with the FATF Recommendations. Possibly, the intention is to indicate to FATF that Hong Kong is doing something, although the SFC is hamstrung by the fact that its regulatory authority under the SFO extends only to securities and futures contracts, and would not extend for example to Bitcoin. 

In any event, the licensing conditions and regulatory standards the SFC is proposing – such as the restriction to “professional investors” when most cryptoexchange users are retail investors – are not likely to be attractive to exchanges.

Proposed Licensing Conditions

If the SFC grants a licence to a qualified Platform Operator, it will impose licensing conditions which are likely to include the following “core principles”:

  1. Services must be provided only to “professional investors”

    The SFC will require platforms to limit trading activities to professional investors only. For individuals, this will require them to have a portfolio of cash and securities of at least HK$8 million. The restriction on retail customers may put off platforms which currently cater for retail clients. The move could also be criticised for disenfranchising retail investors.


  1. All virtual asset trading activities must be conducted under a single legal entity

    All virtual asset trading activities conducted by the Platform Operator’s group which are: (a) conducted in Hong Kong; or (b) actively marketed to Hong Kong investors, will need to be carried out by a single SFC-licensed entity. Virtual asset trading activities include all virtual asset trading activities on and off the platform, and any activities that are wholly incidental to the provision of trading services.

    The SFC notes in the Conceptual Framework that it will not license virtual asset trading platforms that only provide a direct peer-to-peer market place for investors who retain control over their own assets (whether fiat currencies or virtual assets). This model is increasingly popular among Hong Kong crypto exchanges with some offering off-exchange trading venues for large orders of virtual assets (referred to as ‘block trading’) to meet demand from institutional investors. It is not clear therefore whether the SFC will allow operations to be split between those which the SFC is prepared to license and those it is not.

    The entry of institutional investors – typically hedge funds, high net worth individuals, family offices and private banks – is a trend which picked up in 2018. Some virtual asset exchanges are also using algorithmic trading.


  1. Transactions must be pre-funded and no leverage or virtual asset-related futures contracts or other derivatives are allowed

    Platform Operators will only be allowed to execute a trade for a client if there are sufficient fiat currencies or virtual assets in the client’s account with the platform to cover the trade. Platform Operators will be prohibited from providing financial accommodation for clients to acquire virtual assets. No trading of virtual assets which are futures contracts or other derivatives is allowed. The limitation on providing margin financing could act as a deterrent.


  1. Prohibition on trading ICO tokens in initial 12 months

    A virtual asset issued by way of an initial coin offering (ICO) will only be acceptable for trading at least 12 months after completion of the ICO, or when the ICO project has begun to generate profit, whichever is earlier.


Ongoing Regulatory Standards

If a Platform Operator is granted a licence, it will be required to comply with the SFO and its subsidiary legislation as well as the Code of Conduct for Persons Licensed by or Registered with the SFC (Code of Conduct) and other codes and guidelines issued by the SFC.

In particular, licensed Platform Operators would need to comply with know-your-client procedures under paragraph 5.1 and the suitability requirement under paragraph 5.2 of the Code of Conduct, as well as the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism.

The SFC has also set out terms and conditions that would generally apply to licensed Platform Operators, although these will be subject to variation depending on a Platform Operator’s particular business nature, size and model and the outcome of discussions with the SFC.

  1. Financial Resources

    Platform Operators will need to assess whether they are able to meet the financial qualification requirements.

    To be licensed as a securities dealer and provider of automated trading services, a Platform Operator will need minimum paid-up share capital of HK$5 million and minimum liquid capital of HK$3 million under the Securities and Futures (Financial Resources) Rules.

    The SFC may additionally require (on a case-by-case basis) Platform Operators to maintain a reserve equivalent to 12-months of operating expenses to cushion them against risks of theft and hacking.


  1. KYC, AML and CTF Obligations

    As licensed entities, platform operators would be required to perform know-your-client, AML and CTF procedures. They will also have to comply with the suitability requirement – i.e. ensure that any recommendation or solicitation made to clients with regard to virtual assets is “suitable” having regard to the information about the client of which they are or should be aware through due diligence (exemptions from this requirement are available for institutional professional investors and, subject to performing certain procedures, corporate professional investors). 

    With regard to AML and CTF, the SFC highlights in its Regulatory Statement for Virtual Asset Portfolio Managers, Fund Distributors and Trading Platform Operators of 1 November 2018 that Platform Operators’ inability to comply with requirements on AML and CTF due to the anonymity of blockchain transactions may be a reason why the SFC ultimately determines that Platform Operators are not suitable for licensing. It states “the SFC is not certain at this stage whether platform operators would satisfy the expected anti-money laundering standards, given that anonymity is the core feature of blockchain, … the underlying technology of virtual assets”.

    Many exchanges already voluntarily adopt KYC and AML procedures. However, the Conceptual Framework would impose additional detailed obligations in relation to KYC/AML including requirements to:


  1. conduct all deposits and withdrawals of fiat currencies for a client’s account through a designated bank account opened in the client’s name with an authorised financial institution in Hong Kong or other jurisdictions agreed by the SFC;

  2. apply enhanced due diligence and ongoing monitoring in specified circumstances including transactions involving virtual assets with higher risk or greater anonymity (such as virtual assets which mask users’ identities or transaction details) and transactions with tainted wallet addresses such as “darknet” marketplace transactions; and

  3. have systems in place that are able to:

    1. identify and prohibit transactions with virtual asset addresses where there is a reasonable suspicion that it is used for the purposes of conducting fraud or any other criminal activity; and

    2. track virtual assets through multiple transactions to allow accurate identification of the source and destination of virtual assets.

  1. Knowledge Requirement

    Except in the case of institutional professional investors, Platform Operators will be required to assess a client’s knowledge of virtual assets (including risks associated with virtual assets) prior to provision of service. If a client does not have the required knowledge, a Platform Operator would only be able to provide services to the client if it would be acting in the client’s best interests. 

    This requirement is likely to be problematic for Platform Operators since the SFC does not provide guidance as to what will be considered to be sufficient knowledge or the circumstances in which a trade could be considered to be in a client’s best interests. Sufficient knowledge will be particularly difficult to assess given that virtual assets are a recent phenomenon and they vary widely. Would experience of trading Bitcoin, for example, be regarded as providing sufficient knowledge for the trading of ICO tokens? The Circular to intermediaries distributing virtual asset funds, which also imposes a knowledge assessment obligation on distributors, provides that licensed corporations may take into account a client’s prior investment experience in private equity or venture capital or whether they have provided capital for a start-up business in the previous two years. The SFC should confirm whether this would also apply to Platform Operators assessment of client knowledge.


  1. Due Diligence on Virtual Assets Admitted to Trading

One of the most onerous obligations to be imposed is the requirement that Platform Operators perform all reasonable due diligence on virtual assets before listing them. Despite the broad scope of the obligation, the specified areas that Platform Operators may consider for these purposes are broad and imprecise and Platform Operators are likely to experience considerable difficulty in conducting due diligence for example in relation to:

  • the security infrastructure of the blockchain protocol underlying the virtual asset and whether it may be susceptible to attack by miners controlling more than 50% of the network’s mining hash rate or computing power;

  • the accuracy of the marketing materials and the requirement that they are not misleading;

  • the demand, supply, maturity and liquidity of the virtual asset.

Platform Operators will need to establish and disclose their criteria for admitting virtual assets for trading. If a Platform Operator receives payments for admitting virtual assets to trade, its fee structure must avoid any actual, potential or perceived conflict of interest (e.g. by imposing a flat rate for all virtual asset issuers).

  1. Insurance

    Another potential difficulty for Platform Operators may be fulfilling the requirement to take out insurance against theft or hacking as insurers have not yet indicated that they are ready to insure against these risks.


  1. Market Manipulation and Abuse

    Platform Operators will be made responsible for preventing market manipulation and abuse. 


  1. Public Disclosure

    Licensed Platform Operators would be required to make public information as to their fees and charges; the trading rules governing their platform operations and their criteria for admitting virtual assets to trading.


  1. Ongoing Reporting Obligations

    Potential ongoing reporting obligations will include requirements to report to the SFC details of new virtual assets to be admitted to trading on the platform and the identities and locations of its clients at month-end.


  1. Other Requirements

    Other, less onerous obligations include:

    • Implementing written policies and procedures governing employees’ dealings in virtual assets;

    • Prioritizing clients’ orders over orders for the Platform Operator’s account, accounts in which it is interested or the accounts of its employees or agents; and

    • Holding clients’ money and virtual assets in a segregated account.

While Platform Operators are operating in the Sandbox, the SFC may further consider or refine its regulatory and supervisory approach through discussions with them. Licensing conditions (and terms and conditions) imposed will be made public. The SFC may also issue further guidance depending on developments in virtual asset-related activities.

Regulation of Virtual Asset Portfolio Managers

Firms managing virtual asset portfolios, whether as licensed asset managers or as licensed securities dealers, will be subject to additional licensing conditions. These will apply to two types of firms.

  1. Firms managing traditional securities and virtual assets

Additional licensing conditions will apply to firms which: (a) are (or are to be) licensed as asset managers because they manage portfolios of traditional securities or futures contracts; and (b) also manage (or plan to manage) portfolios investing solely or partly in virtual assets. 

The additional licensing conditions are subject to a de minimis provision such that they apply to an intermediary if it distributes virtual asset funds which:

  • have a stated investment objective to invest 10% or more of their gross asset value (GAV) in virtual assets; or

  • intend to invest or have invested more than 10% of their GAV in virtual assets directly or indirectly(i.e. fund of funds that invest in derivatives such as total return swaps which have virtual assets as the underlying).

  1. Firms distributing funds investing solely in non-SF virtual assets

The new licensing conditions also apply to firms which distribute funds which only invest in non-SF virtual assets. These firms are not required to be licensed as asset managers (since the management of a fund which does not invest in securities or real estate is outside the definition of asset management). However, a firm that distributes such a fund in Hong Kong must be licensed as a securities dealer (i.e. for Regulated Activity Type 1 (dealing in securities). The SFC will impose the new licensing conditions for virtual asset fund management on its securities dealer licence.

The licensing conditions do not however apply to:

  1. Licensed corporations which only manage funds investing in virtual asset funds (i.e. funds of funds); or

  2. Licensed corporations managing portfolios whose mandate is to invest mainly in securities and/or futures contracts and their investment in virtual assets exceeds 10% of NAV only because of an increase in the prices of the virtual assets held in one or more of the portfolios. The licensed corporation is required to take all reasonable steps to reduce the portfolio’s investment in virtual assets below the 10% of GAV threshold. If, however, the position is expected to continue (i.e. virtual assets will continue to exceed 10% of GAV), the licensed corporation must alert the SFC which will consider imposing licensing conditions. Failure to notify the SFC may result in disciplinary action.

Bringing Virtual Asset Portfolio Managers within the Regulatory Net

All existing licensed corporations and licence applicants are required to notify the SFC if they currently manage, or plan to manage, one or more portfolios that invest in virtual assets, or intend to hold non-SF virtual assets on behalf of the portfolios under their management. The notification requirement applies even if: (a) the intention is to invest less than 10% of the portfolio’s GA in virtual assets; or (b) the virtual assets involved are “securities” or “futures contracts”. Failure to inform the SFC may constitute a breach of the Securities and Futures (Licensing and Registration) (Information) Rules.

The Licensing Process

On being informed that a firm is managing or plans to manage virtual asset portfolios, the SFC will send the standard licensing conditions to the firm and these may be varied following discussions with the firm according to its particular business model. Existing licensed corporations which do not agree to comply with the licensing conditions will be prohibited from managing virtual asset portfolios and must unwind their virtual asset positions.

A new licence applicant will have to agree to the licensing conditions proposed, or its licensing application will be rejected.

The Licensing Conditions

  1. Restriction to professional investors and disclosure requirements

Only professional investors as defined under the SFO are allowed to invest in a portfolio with:

  1. a stated investment objective of investing in virtual assets; or

  2. an intent to invest 10% or more of the portfolio’s GAV in virtual assets.

This restriction does not apply to funds authorised by the SFC for retail distribution under s.104 SFO.

As discussed in relation to licensing trading platforms, portfolio managers may not wish to be restricted to dealing only with professional investors. 

Despite the restriction to professional investors, firms will be required to disclose all associated risks to potential investors and distributors appointed for the distribution of virtual asset funds.

  1. Safeguarding of assets

Licensed corporations will be subject to requirements to ensure the safe custody of virtual assets, although the SFC acknowledges that virtual asset funds face “a unique challenge due to the limited availability of qualified custodian solutions”. 

The SFC has imposed onerous obligations on licensed corporations with regard to their selection of appropriate custodians. Their ability to comply with these requirements will depend on the willingness of custodians to disclose information on their financial resources, corporate governance and risk management etc. The obligations include:

  • assess and select the most appropriate custodial arrangement (e.g. whether to hold the assets itself or with a third-party custodian or an exchange) taking into consideration the advantages and disadvantages of holding virtual assets at different host locations by way of “hot wallets”, “cold wallets” and “deep cold wallets”) with regard to (among others):

    1. the ease of accessibility to virtual assets, i.e. time required to transfer virtual assets to the trading venue; and

    2. the security of the custodial facility, i.e. whether appropriate safeguards are in place to protect against external threats such as cyberattacks; and

  • exercise due skill, care and diligence in selecting, appointing and conducting on-going monitoring of custodians by reference to factors such as the custodian’s:

    1. experience and track record in providing custodial services for virtual assets;

    2. regulatory status, particularly whether its virtual asset custodial business is subject to regulatory oversight;

    3. corporate governance structure and the background of its senior management;

    4. financial resources and insurance cover for compensating customers for loss of customer assets; and

    5. operational capabilities and arrangements, for example, its “wallet” arrangements and cybersecurity risk management measures.

Where virtual assets are held by the licensed corporation itself, the licensed corporation is additionally required to:

  1. document the reasons for self-custody;

  2. implement appropriate measures to protect the assets;

  3. ensure the effective segregation of the virtual assets from the licensed corporation’s own assets on its insolvency;

  4. use best endeavours to acquire and maintain insurance cover over the virtual assets; and

  5. disclose the risks of self-custody to investors.

  1. Portfolio valuation

The SFC recognizes that there are currently no generally accepted valuation principles for virtual assets, particularly ICO tokens. The licensing conditions will however require licensed corporations to select valuation principles, methodologies, models and policies which are reasonably appropriate in the circumstances and in the best interests of investors. These will also need to be disclosed to investors.

  1. Risk management

Licensed corporations will be required to set appropriate limits for each product and market the portfolios invest in, and each counterparty to which the portfolios have exposure. They should, for example, consider setting a cap on portfolios’ investment in illiquid virtual assets and newly-launched ICO Tokens. Periodic stress testing must be carried out to assess the effect of abnormal and significant changes in market conditions on portfolios.

Before transacting with virtual asset exchanges, licensed corporations will be required to assess the reliability and integrity of the virtual asset exchange taking into account matters such as the virtual asset exchange’s:

  1. experience and track record;

  2. legal or regulatory status, if any;

  3. corporate governance structure and background of its senior management;

  4. operational capabilities;

  5. mechanisms (e.g., surveillance systems) implemented to guard against fraud and manipulation with respect to products traded on the exchange;

  6. cybersecurity risk management measures; and

  7. financial resources and insurance cover.

Exposure to individual virtual asset exchanges must be limited by setting appropriate caps.

  1. Auditors

The SFC notes that the accounting profession has no agreed standards and practices for how an auditor can perform assurance procedures to obtain sufficient audit evidence for the existence and ownership of virtual assets, and ascertain the reasonableness of the valuations. Despite this, the SFC will require the appointment of an independent auditor to audit the financial statements of managed funds. Despite the difficulties acknowledged by the SFC, it will require licensed corporations to consider auditors’ experience and capability in checking the existence and ownership of virtual assets, and ascertaining the reasonableness of their valuation, in their selection of an auditor.

  1. Liquid Capital

A licensed corporation which holds non-SF virtual assets for portfolios under its management will need to maintain a required liquid capital of at least HK$3 million (or its variable required liquid capital, whichever is higher).

Virtual Asset Fund Distributors

Firms which distribute funds that invest (wholly or partially) in virtual assets in Hong Kong are required to be registered for Type 1 regulated activity (dealing in securities) irrespective of whether or not the virtual assets are securities or futures contracts. Type 9 licensed asset managers which also distribute funds under their management which invest in virtual assets can rely on the incidental exemption from the Type 1 licensing requirement. 

The SFC’s “Circular to intermediaries on the distribution of virtual asset funds” (the Circular) reminds licensed corporations which distribute virtual asset funds that they are required to comply with the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC, including the requirement to ensure the reasonable suitability of any recommendation or solicitation made to a client under paragraph 5.2 of that Code (as supplemented by the SFC’s Frequently Asked Questions on Compliance with the Suitability Obligations by Licensed or Registered Persons[6] and the Frequently Asked Questions on Triggering of Suitability Obligations[7]).

The Circular also sets out additional requirements which apply to distributors of virtual asset funds which:

  1. are not authorised by the SFC for retail distribution under section 104 SFO; and

  2. have a stated investment objective of investing in virtual assets or intend to invest or have invested more than 10% of their GAV in virtual assets (i.e. funds which the licensed corporation knows, or should reasonably have known, to be investing more than 10% of their GAV in virtual assets at the time it distributes the fund, unless it has been advised that the fund manager intends to reduce the fund’s investment in virtual assets to below 10% of the fund’s GAV in the near future). The investment in virtual assets may be direct or indirect (i.e. through fund of funds and funds which invest in derivatives, for example, total return swaps, with virtual assets as the underlying).

Additional Requirements

The additional requirements that apply to licensed corporations distributing these funds are as follows:

  1. Selling restrictions

    • Only professional investors as defined under the Securities and Futures Ordinance should be targeted.

    • Except in the case of institutional professional investors, licensed corporations should assess whether clients have knowledge of investing in virtual assets or related products before effecting the transaction on their behalf. They may only effect a transaction for a client without such knowledge, if this would be in the best interest of the client, although no guidance is given on when a transaction can be considered as being in the client’s best interests. For the purposes of the knowledge assessment, a licensed corporation may take into account a client’s prior investment experience in private equity or venture capital or whether they have provided capital for a start-up business in the previous two years.

  1. Concentration assessments

A particularly difficult obligation on licensed corporations is a requirement that they must consider the aggregate amount to be invested by a client in virtual asset funds to be reasonable given the client’s net worth.

  1. Due diligence on virtual asset funds not authorised by the SFC

Licensed corporations will need to conduct extensive due diligence on non-SFC authorised funds, their fund managers and parties providing trading and custodian services to the funds. Where licensed corporations distribute third party funds, their compliance with these obligations will depend on the willingness of the various parties to disclose the required information. The assessments licensed corporations will be required to make are difficult given the lack of developed standards in the industry. The due diligence is required to include (without limitation) an examination of the fund’s constitutive documents and completion of a due diligence questionnaire, in addition to making enquiries of the fund manager to obtain an in-depth understanding of the following:

  1. In relation to the fund manager

    1. General

      • its background, relevant experience and, where applicable, the track record of its senior management, including its chief investment, operation, risk and technology officers;

      • its regulatory status, e.g., whether the fund manager is subject to any regulatory oversight and its robustness; and

      • its compliance history, e.g., whether any disciplinary or regulatory actions have been taken against it by any regulatory authorities.

    2. Operations/ Internal controls and systems for example:

      • whether there is proper segregation of key functions, such as portfolio management, risk management, valuation and custody of assets and, if not, whether there are any adequate compensating controls to prevent abuse;

      • the persons who can transfer assets from the fund or custodians and what safeguards are in place;

      • the persons responsible for, and the procedures for, reconciling transactions and positions, including the frequency of reconciliations; and

      • the methodology and the persons responsible for determining the pricing and assessment of the reasonableness of the determined price of each virtual asset.

    3. IT system

      • its IT infrastructure (e.g. in terms of security and access management).

    4. Risk management

      • its risk management procedures, including concentration limits, counterparty risk management procedures, stop-loss arrangements and stress testing;

      • its liquidity risk management policy; and

      • disaster recovery plan.

  2. In relation to the fund

    1. The fund’s targeted investors;

    2. List of instruments the fund intends to trade or invest in and any limitations on the size of its holding of ICO tokens, pre-ICO Tokens or other illiquid or hard-to-value instruments;

    3. Its valuation policy (especially for ICO Tokens, pre-ICO Tokens or other illiquid or hard-to-value instruments);

    4. The custody arrangement for the fund assets, including the policy on the allocation of assets to be kept at different host locations, such as exchanges, custodians, hot storage, cold storage;

    5. Its use of leverage and derivatives;

    6. The fund’s targeted risk and return per annum;

    7. Key risks (as described in “Information for clients” below); and

    8. The fund’s auditors and audited financial statements, including whether the fund has received a qualified audit opinion in the past, and whether the audited statements are up-to-date.

  3. In relation to the fund’s counterparties

    1. Legal and regulatory status (whether they are regulated by any authorities to, among other things, undertake custody business or trade in virtual assets);

    2. Their experience and track record in dealing with virtual assets;

    3. The robustness of their IT systems (including cybersecurity risk management measures) and contingency plans; and

    4. Their financial soundness and insurance coverage, e.g., insurance to cover losses of customer assets.

  1. Provision of information to clients

Licensed corporations will need to provide prominent warning statements covering, among others:

  1. The continuing evolution of virtual assets and how this may be affected by global regulatory developments;

  2. Price volatility;

  3. Potential price manipulation on exchanges or trading platforms;

  4. Lack of secondary markets for certain virtual assets;

  5. That most exchanges, trading platforms and custodians of virtual assets are currently unregulated;

  6. Counterparty risk when effecting transactions with issuers, private buyers/sellers or through exchanges or trading platforms;

  7. The Risk of loss of virtual assets, especially if held in “hot wallets”;[8] and

  8. Cybersecurity and technology-related risks.

For licensed fund managers which manage funds investing in virtual assets and distribute those funds, the new requirements should not prove problematic, particularly where they provide custody for the virtual assets. The requirements are likely to be much more problematic for Type 1-licensed fund distributors where the extent of due diligence they will be required to perform on third party funds, their fund managers and custody arrangements may not be practical.

As regards the proposed licensing of trading platforms and exchanges, the proposed regulatory requirements are likely to be seen as excessively burdensome. It will be interesting to see whether exchanges’ desire for the credibility which comes with licensing will make them willing to submit to the additional regulatory burden.


The SFC’s November 2018 statements did not however touch on ICOs. In September 2017, following China’s crack-down on ICO issues, the SFC issued a statement adopting a pragmatic approach, i.e. rather than ban ICOs outright, the SFC determines their regulatory status on a case-by-case basis depending on whether, given their particular characteristics, they constitute securities as either:

  1. shares – e.g. where ICO tokens represent equity or ownership interests in a corporation, for example where token holders are given rights to receive dividends and to participate in the distribution of the corporation’s surplus assets upon winding up;

  2. debentures – where tokens create or acknowledge a debt or liability owed by the token issuer;

  3. interests in a Collective Investment Scheme (CIS) – e.g. where the token proceeds are managed collectively by the ICO scheme operator to invest in projects with the aim of enabling token holders to receive a share of the returns provided by the projects.

The SFC’s guidance indicates that the essential features of a CIS are:

  1. it must involve an arrangement in respect of property (property is broadly defined);

  2. participants do not have day-to-day control over the management of the property (even if they have the right to be consulted or to give directions about the management of the property);

  3. the property is managed as a whole by or on behalf of the person operating the arrangements, and/or the participants’ contributions and the profits or income are pooled; and

  4. the purpose of the arrangement is to provide participants with profits, income or other returns from the acquisition or management of the property.

There have been no court decisions on the meaning of “collective investment scheme” in Hong Kong and whether or not any particular ICO falls within the definition will depend on the facts and circumstances of the ICO and ultimately, the courts’ interpretation of the statutory definition.

In Hong Kong, as elsewhere, ICOs have typically been structured as “utility tokens” which provide the holder with rights of access to a product or service provided by a DLT platform. A further statement by the SFC in February 2018 suggested that “utility tokens” are outside the scope of Hong Kong’s securities legislation.

The SFC has contacted ICO issuers and crypto currency trading platforms operating in Hong Kong regarding their activities. The ICO issuers apparently either confirmed that their tokens did not constitute securities, or ceased to offer tokens in Hong Kong. The crypto exchanges similarly either confirmed that they only trade non-security tokens, or ceased to sell tokens which could be securities. The SFC has not published the names of the relevant ICO issuers or provided any further guidance on the features of an ICO token which are likely to render it a security.

The SFC has put a stop to one ICO – in March 2018, it stopped Black Cell Technology Limited’s ICO being offered to the Hong Kong public on the basis that the offering may have been a collective investment scheme. However, this was an extreme case since the tokens sold in the ICO were redeemable for equity shares in the ICO issuer, Black Cell.

The ICO had been promoted through Black Cell’s website, where the digital tokens were sold, and this was accessible by the Hong Kong public. The SFC’s regulatory action resulted from concerns firstly that Black Cell had engaged in potential unauthorised advertising activities: section 103 SFO prohibits the issue of an advertisement or invitation which contains an invitation to the public to acquire an interest in a CIS unless the issue has been authorised by the SFC or an exemption applies in breach of section 103. The SFC also considered that there may have been a breach of the SFO’s licensing requirements, but failed to specify which regulated activity was involved. Black Cell stopped ICO transactions with Hong Kong investors and undertook not to devise, establish or market any CIS except in compliance with the SFO’s requirements.

In Hong Kong, as in many jurisdictions, there is a lack of clarity as to the features of an ICO which would bring it within the definition of a security. However, in the UK, the FCA’s final 2019 Guidance on Cryptoassets[9] states that utility tokens which give holders access to products or services, currently or prospectively, are not regulated provided they do not have the features of traditional securities. In particular, the guidance states explicitly that the tradability of ICO tokens on secondary markets and their potential use for speculative investment purposes will not of itself bring the tokens within the scope of FCA regulation. It is likely that Hong Kong would follow the UK approach given that the Hong Kong and UK statutory definitions of “collective investment scheme” are virtually identical. On that basis, it is likely that an ICO of utility tokens would not be regulated in Hong Kong as a securities offering.

SFC Statement on Security Token Offerings 28 March 2019

The SFC issued a Statement on Security Token Offerings on 28 March 2019 setting out regulatory requirements applicable to security token offerings, generally known as STOs. The statement also reiterates the SFC’s earlier warnings to the public of the potential risks involved in investing in digital assets such as initial coin offering (ICO) tokens and security tokens.

Security tokens are being heralded in some quarters as the “next big megatrend” in the blockchain revolution. Market exuberance for ICOs has waned given the sharp drop in crypto values since their December 2017 heyday. Whereas ICOs sought to position themselves outside the securities regulatory framework, STOs are being used in some jurisdictions, notably the US, to bring crypto assets within the regulatory net as a means to achieve regulatory certainty.

In Hong Kong, however, STOs are not happening yet.

Part of the reason is that, even with the SFC’s STO statement, it is still very uncertain how the Hong Kong regulatory framework applies to security token offerings, and more fundamentally, as to the characteristics which make a crypto asset a security token in the first place.

Another shortcoming is that the SFC’s March 2019 statement sets out requirements for ‘intermediaries’ which market and distribute ICOs, but does not adapt or explain the concept of ‘intermediary’ in the context of ICOs. Unlike typical securities offerings, digital token offerings are decentralised and operate without traditional intermediaries such as brokers. The UK FCA’s January 2019 Consultation Paper recognises this as one area where the use of distributed ledger technology potentially raises novel issues that need to be considered in determining how existing regulation applies to token offerings.

The FCA uses the term “issuers of tokens” to cover a number of entities “including developers, designers, firms who issue tokens and certain intermediaries” because of the difficulty of determining precisely who the issuer or issuers are. Since traditional intermediaries like securities brokers are not typically involved in the ICO and STO markets, the Hong Kong regulators need to consider how investor protection concerns can be met without over-burdening token issuers and stifling the market.

What does the SFC consider to be a security token?

The SFC describes security tokens as digital assets which have the features of traditional securities, including:

  1. tokens which represent economic rights such as a share of profits or revenue.

    • Thus tokens which are essentially tokenised shares (e.g. entitling holders to a share of profits in the form of a dividend or to participate in the distribution of the issuer’s assets on winding up) will be a security token, and thus a security under Hong Kong law.

    • Similarly, as stated in the SFC’s Statement on Initial Coin Offerings[10]in September 2017, a token which has the features of a debt or liability owed by the issuer, will likely be a “debenture” for the purposes of Hong Kong’s securities laws.

  1. The SFC’s May 2019 statement also provides that a token representing ownership of assets, such as gold or real estate, would amount to a security token, although the SFC does not elaborate on why this should be the case.

    • The SFC may be alluding to what is essentially a tokenised real estate or gold fund – where money raised from a token offering is invested in gold or real estate on the understanding that token holders will receive a share of the future proceeds of sale of the gold/real estate when sold at a profit. In that case, the tokens would likely constitute securities as interests in a collective investment scheme under the Securities and Futures Ordinance (SFO).

    • Alternatively, the SFC could be suggesting that tokens whose value/price is somehow linked to the value/price of an underlying commodity such as gold or real property constitute either “regulated investment agreements” or “structured products” under the SFO definitions.

Structured products

Structured products are defined broadly and include any product where all or part of the return or amount due (or both), or the settlement method, is determined by reference to any one or more of:

  1. changes in the price, value or level (or within a range) of securities, commodities, indices, property, interest rates, currency exchange rates or futures contracts, or any combination or basket of any of these; or

  2. the occurrence or non-occurrence of any specified event(s) other than an event relating only to the issuer and/or the guarantor of the product.

The SFC statement suggests that, depending on how the tokens are structured, tokens representing an underlying asset could constitute structured products subject to Hong Kong’s securities laws. It is not however clear what the “return” would be in the context of a token representing an interest in gold for example.

Would a token holder be regarded as receiving a return “determined by reference” to a change in value of the gold, if he will receive the cash equivalent of the gold’s market value or physical possession of a now more valuable commodity on a future redemption of the token?

The difficulty is that, at the date of the issue/ offer of the tokens when the regulatory categorisation of the tokens as securities or non-securities must be made, there is no way of knowing whether the underlying assets, and hence the tokens, will increase or drop in value in the future. Moreover, whether or not individual token holders will receive a “return” (i.e. a profit) on a future cashing-out will vary among holders depending on when they redeem their tokens and the prevailing state of the market. Tokens linked to an asset such as gold, or to a fiat currency such as the US dollar, are typically termed “stable coins”, the aim of which is to minimise a token’s volatility, a characteristic of most cryptocurrencies.

Even the most widely held crypto assets such as Bitcoin and Ether are not immune from high volatility and commonly rise or fall between 10 and 20 per cent within a day.[11] 

If the SFC were to take the view that a token which at the date of offer has the mere potential to rise in value is a security subject to its requirements for securities offerings, the way to avoid this would be to fix the value of the gold at the date of offer, potentially depriving the token of its rationale.

Further, unlike jurisdictions such as the United States, Hong Kong does not regulate commodities such as gold. It is therefore illogical that a token representing a commodity, which is more akin to a deposit slip than a security, would be regarded as a security subject to the full force of Hong Kong’s securities regulatory regime.

Regulated investment agreements

A ‘regulated investment agreement’ is an agreement, the purpose or effect (or pretended purpose or effect) of which is to provide to any party to the agreement a profit, income or other return calculated by reference to changes in the value of any property (e.g. equity-linked deposits) (but does not include a collective investment scheme).

Again, unless a security token offering is essentially a tokenised fund offering (as in the DAO case in the United States) which should be regulated as a collective investment scheme, there seems to be little support for the SFC’s statement that tokens representing digital ownership of assets such as gold or real estate constitute securities under the SFO. Further guidance on this from the SFC would be welcome.

Regulatory implications of STOs being “securities” under the SFO

SFC authorisation requirements

The SFC statement notes that security tokens are typically offered only to professional investors. In that sense, they differ from ICO tokens where the primary market is retail. An offer of security tokens only to professional investors as defined in the SFO has the advantage of being exempt from the requirement for SFC authorisation of any advertisement or invitation issued in relation to an offer of securities (under section 103 SFO) where the security tokens are offered to more than 50 persons in Hong Kong.

Where STO tokens constitute interests in a collective investment scheme, they will need to be offered in reliance on an exemption from the need for SFC authorization – e.g. only to professional investors in Hong Kong or in a private placement. Otherwise, the STO tokens must meet the stringent requirements of the SFC’s Code on Unit Trusts and Mutual Funds which include:

  • requirements applicable to the ‘fund manager’; and

  • investment restrictions – including a prohibition on real estate investment.

Licensing requirements for intermediaries marketing / distributing security tokens

Where crypto assets are “securities” under the SFO, any intermediary which markets and distributes the security tokens must be licensed or registered with the SFC for Type 1 regulated activity (dealing in securities), and each of its staff members involved in their marketing must be a Type 1 licensed representative accredited to the Type 1 licensed entity.

Conduct requirements for licensed intermediaries

STO suitability for intermediaries’ customers

Intermediaries which market and distribute security tokens must comply with the conduct provisions of the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC (Code of Conduct), in particular the requirement under paragraph 5.2 to ensure that customer recommendations and solicitations with respect to security tokens are reasonably suitable for the particular customer, given the information about the particular customer of which the intermediary is or should be aware through the conduct of due diligence.

Intermediaries should also refer to the SFC’s Suitability FAQs and FAQs on Triggering the Suitability Obligations. Although not referred to in the SFC statement, all licensed intermediaries are also under an obligation to conduct customer due diligence and anti-money laundering checks on their customers and these apply irrespective of the type of product being recommended or the subject of a customer solicitation.

Online distribution of STOs

The SFC regards security tokens as “complex products” as defined under new paragraph 5.5 of the Code of Conduct which came into effect on 6 July 2019. Paragraph 5.5 imposes additional obligations on licensed intermediaries which make recommendations or solicit investors with respect to complex products. In particular, licensed intermediaries and their licensed staff will have to ensure that:

  1. the security token is suitable for the client in all the circumstances;

  2. the client is provided with sufficient information on the key nature, features and risks of the security token to understand it before making an investment decision; and

  3. the client is provided with clear warning statements about the security token’s distribution.

Intermediaries’ due diligence obligations

The SFC’s May 2019 statement mentions the need for intermediaries who market or distribute security tokens to conduct proper due diligence on the offering which should cover (among others):

  1. the background and financial soundness of the management, development team and the issuer of the security token; and

  2. the existence of and rights attached to the assets which back the security token.

Licensed intermediaries are also required to study security tokens’ whitepapers and all relevant marketing materials and other published information. The May statement also notes intermediaries’ obligation to ensure that information provided to customers in respect of an STO is accurate and not misleading. This is the first time the SFC has raised the issue of the standard of due diligence it expects in relation to security token offerings and intermediaries responsibility for the accuracy of information.

Information to be provided to customers

Intermediaries should provide their customers with clear and comprehensible information on STOs which should include prominent warning statements alerting potential investors to the risks associated with digital assets. The SFC reminds licensed intermediaries to implement adequate systems and controls to ensure compliance with their regulatory obligations prior to engaging in security token distribution.

Requirement to notify the SFC before dealing in security tokens

The SFC also requires licensed intermediaries to notify it in advance prior to conducting any business in security tokens.

Investors’ warnings

The SFC warns investors that they should exercise caution in relation to digital assets, reiterating the principal risks of digital assets which include illiquidity, volatility, opaque pricing, hacking and fraud and apply equally to security token offerings. The SFC statement notes that security token offerings are an emerging form of fundraising and that investors should thus exercise care when making an investment decision particularly given the risk of significant financial loss.

Security token offerings are yet to take off in Hong Kong. It is hoped that this will give the SFC time to provide more detailed guidance on the grey areas highlighted above. In particular, greater clarity would be welcome on the circumstances in which tokens representing commodities (e.g. gold) or real estate would fall within the definition of a security and whether this is restricted to tokenised funds.

The professionals’ only exemption is one means of taking token offerings outside CWUMPO’s prospectus regime and the SFC’s requirements for collective investment schemes under the SFO and Code of Conduct. The ICO market has however been primarily targeted at retail rather than professional investors, although that has changed with increasing numbers of crypto exchanges now providing over-the-counter trading for large block trades only.

The downside of the SFC statement’s proposed approach to regulating security token offerings is that the investor protection driven measures of the Code of Conduct (the obligation to ensure the suitability of investment products for individual clients, anti-money laundering and counter-terrorist financing obligations etc.) will apply only where a traditional intermediary is involved. The Code of Conduct does not apply to issuers of securities and thus, on a typical security token offering, there is no obligation on the issuer to ensure the accuracy of the information provided in its marketing documents nor to assess the suitability of its tokens for prospective purchasers.

Add to this the fact that token issuers and their designers and developers are typically based offshore, outside the regulatory remit of the SFC, protection for Hong Kong investors against fraudulent or incompetent issuers will be scant. The SFC Code of Conduct requirements referred to in the SFC’s latest statement will only ever apply where a Hong Kong intermediary is engaged to market the tokens to Hong Kong investors. Under the SFO, security tokens, in the same way as traditional securities, cannot be marketed to Hong Kong investors except by an SFC Type 1 licensed entity. However, if security tokens are not “actively marketed” to the Hong Kong public, there is nothing to prevent Hong Kong investors from subscribing for tokens via an offshore platform and in this situation, none of the Code of Conduct’s investor protection mechanisms will apply. Further, if the offering turns out to be a scam, Hong Kong investors have no means of redress other than a contractual claim or common law action against the token issuer. Given that whitepapers generally do not even contain the issuer’s legal name and registered address, this route to recovering losses will not be straightforward.

These issues are of course by no means unique to Hong Kong and regulators from the major jurisdictions such as the UK, Australia and Canada are currently consulting on how to regulate tokens.

In some ways, the SFC and other major regulators are to be commended for their “wait-and-see” approach to crypto regulation which is allowing the market to develop. Moreover, there is undoubtedly a second mover advantage for regulators in avoiding knee-jerk regulation in the crypto space.



China and South Korea are the principal jurisdictions to have declared ICOs to be illegal. China also prohibits trading of virtual assets on exchanges. The United States was one of the first jurisdictions to see ICOs and virtual asset trading platforms take off, but the US regulators were among the first to apply existing laws and regulations to clamp down particularly on cases of fraud, but also on ICOs offering virtual assets with the features of traditional securities and ICOs marketed as money-making investments.

Japan was the first jurisdiction to legalise virtual assets as a legal means of payment and Bitcoin is widely accepted by Japanese retailers and also for payment of utilities bills. Financial intermediaries licensed to deal in virtual assets are subject to capital and anti-money laundering requirements. Virtual assets are also subject to Japan’s tax regime.

Other, mainly smaller jurisdictions, notably Gibraltar, Malta, Switzerland, Estonia and Belarus have implemented bespoke regulatory regimes for virtual assets aimed at fostering their development as virtual asset hubs.

Approaches to Virtual Asset Regulation

There are four principal types of regulatory responses to virtual assets:

  1. Application of existing regulation

    Many regulators have applied existing laws and regulations to activities involving virtual assets by issuing regulatory guidance on how existing laws apply to those activities.

    Examples include Australia’s Information Sheet (INFO 225) on ICOs and cryptocurrency and Hong Kong’s Statement on Securities Token Offerings.


  2. Retrofitted regulation

    Extending existing laws and regulations to cover activities involving virtual assets.


  3. Bespoke regulation

    Enacting new laws specifically to regulate virtual asset activities. An example is Malta’s Virtual Financial Assets Act.


  4. Bespoke regulatory regime

    Establishing a distinct regulatory framework applicable to a type of activities (typically fintech activities), of which virtual asset activities are one type.



The People’s Bank of China (PBoC) and six other financial regulators banned ICOs in September 2017 ordering all ICOs to cease immediately and money already raised through ICOs to be refunded to investors. Before the crackdown, 80% of the world’s cryptocurrency transactions and ICO financing took place in the PRC.[12] The regulators declared ICOs to be an unauthorised illegal fundraising activity and stressed that virtual assets issued in ICOs do not have legal status equivalent to that of fiat currencies and should not be used and circulated in the market as currencies.

On 9 December 2018, the PBoC extended its ICO ban to securities token offerings.[13] 

Virtual asset trading exchanges are also banned through prohibitions on exchanging fiat currency for virtual assets; buying or selling virtual assets; setting virtual asset prices and providing information and intermediary services in relation to virtual assets. China has also taken steps to block online access to offshore ICOs and virtual assets exchanges.

Financial institutions and non-banking payment institutions are prohibited from, directly or indirectly, providing services or products relating to ICOs, such as setting up bank accounts, or providing registration, trading, settlement, clearing or insurance.

A ban on banks and payment institutions dealing in Bitcoin has been in effect since 2013.

In the past, China adopted more favourable policies in relation to blockchain. Its internet regulator, the Cyberspace Administration of China however announced new regulations which took effect on 15 February 2019 which apply to blockchain information service providers – broadly an entity using blockchain technology to provide online information services to the public. The new regulations clamp down on blockchain anonymity with requirements for users to provide their real names and national ID card numbers or phone numbers when registering for a blockchain service. Similar restrictions already applied to China’s mobile payment service providers. Blockchain service providers need to register with the government and are required to censor content “deemed to pose a threat to national security”. They must also keep a record of information published by users and disclose this information to the government. The new regulations appear to target the use of blockchain technology to bypass China’s censorship of the internet following recent cases of individuals posting information on the Ethereum blockchain to escape censorship.

The PBOC also announced the possibility of extending its ICO ban to airdrops labelled as “disguised ICOs” in a 2018 report.[14]

China’s central bank is however planning to launch a state-backed cryptocurrency, Digital Currency/ Electronic Payments (“DC/EP”), to seven institutions in November 2019 – the China Construction Bank, the Industrial and Commercial Bank of China, the Bank of China, the Agricultural Bank of China, Alibaba, Tencent and Union Pay. The recipient institutions will then disperse the cryptocurrency to Chinese citizens and others doing business in RMB.

The DC/EP is centrally managed by the central bank, implying that the digital currency remains a liability of the bank, and the debtor-creditor relationship is unchanged. Also, while traditional cryptocurrencies like Bitcoin use an algorithm to limit supply, the supply of DC/EP will be controlled by the People’s Bank of China (“PBoC”). Unlike Bitcoin, the ledger will be centralised and the ledger must adopt real-name verification. The cryptocurrency will be 100% backed by the reserves that commercial institutions pay to the PBoC.

In 2019, the World Economic Forum released a report stating that at least 40 central banks are planning to experiment with central bank digital currencies.

  1. Potential advantages

National cryptocurrencies allow the government to track the money flow in economic activities and can provide valuable information for devising monetary policies.

The introduction of central bank digital currencies can facilitate efficient settlements of cross-border financial transactions, as digital currency payments can be sent almost instantly from a sender to a receiver at a fraction of the cost of a regular international bank payment.

The adoption of state-backed digital currencies may also lead to the reduction of counterparty credit and liquidity risks.

The central bank of India suggested that the rising costs of managing fiat paper and metallic money have led central banks around the world to explore the option of introducing digital currencies.

  1. Potential disadvantages

An obstacle to the adoption of a national cryptocurrency is the possibility that the government can increase its ability to surveil users of the cryptocurrency. The central bank of Russia has noted that central bank digital currencies are unable to provide the same level of anonymity that is provided by cash. This may be considered a disadvantage by users who are concerned about privacy.

The introduction of central bank digital currencies may also affect the effectiveness of financial intermediation. With the introduction of a national cryptocurrency, the central bank would play a more important role in financial systems and in the allocation of economic resources. This may not be economically optimal if the central bank is less efficient in performing these roles than private entities. This can also potentially result in greater political interference in central bank activities.

Some countries are also hesitant about the idea of adopting a national cryptocurrency. For instance, Japan is concerned that their society is not yet ready to give up physical cash, which forms a significant part of the local economy. South Korean officials are also worried that the introduction of a national cryptocurrency may destabilize the market.


Japan was the first country to recognise virtual assets as a legal payment method in April 2017 when it revised its Payment Services Act (the PSA). Virtual assets are treated as assets which can constitute means of payment rather than as legal currencies. Japan also regulates virtual asset exchanges. Its proactive approach has allowed Japan to develop into the world’s largest crypto exchange market, accounting for over 61% of global Bitcoin trades as of December 2017, twice the trading volume of the United States.[15]

Japan’s Financial Services Authority (the FSA) licenses and regulates virtual asset exchanges subjecting them to money laundering regulations which require customer identity to be checked when accounts are opened, the maintenance of transaction records and suspicious transaction notification. At one point, there were 32 exchanges operating in Japan, 16 of which were FSA approved. The other 16 were given approvals while their applications were under review and these are referred to as “quasi-operators”.

The FSA tightened its screening of virtual asset exchanges on 2 September 2018 in response to the hack of Tokyo cryptocurrency exchange, Coincheck, in January 2018 which saw almost US$500 million in digital tokens stolen. The number of screening questions has increased fourfold to 400 items and crypto exchanges are required to submit minutes of board meetings to allow the FSA to assess that sufficient consideration has been given to computer system security and sustaining the company’s financial health. 13 of the 16 quasi-operators, including Payward Japan which operates Kraken exchange, withdrew their licensing applications.

With regards to ICOs, the Financial Instrument and Exchange Act (FIEA) was amended on 7 June 2019 which recognizes virtual assets as “money” in the context of a collective investment scheme. Hence virtual assets which are paid as consideration in return for ICO tokens issued on an ICO, the ICO tokens (which are regarded as interests in the collective investment scheme) are regarded as “securities”. Hence, ICOs are regulated as offers of securities under the Financial Instrument and Exchange Act.

Other consequences of ICO tokens categorization as securities are that:

  1. ICOs must be handled by a securities company licensed under the FIEA. A Type 1 Financial Instruments Business Operator Licence is required to process an ICO (whether it is a public offer or private placement) and to broker the ICO tokens.

  2. Issuers of ICO tokens will have to be registered as Type II Financial Instruments Business Operators because the tokens constitute Type II securities. The ICO operator (which may also be the issuer) will also need to be registered as an investment manager to manage the funds raised by the ICO.

The amendments will come into effect at the latest by 7 June 2020. Drafts of the necessary amending ordinances are expected to be issued during 2019 and finalized during early 2020.


The regulatory position in the US is extremely complicated. Virtual asset-related activities potentially fall within the jurisdiction of a number of US federal regulators including the SEC which regulates them as securities, the Commodity Futures Trading Commission (the CFTC) which classifies them as commodities, the Financial Crimes Enforcement Network (FinCEN) which treats them as currency and the IRS for whom they constitute property. That the jurisdiction of the agencies frequently overlaps has led to allegations of excessive and unclear regulation which is stifling the development of virtual asset technologies. State regulators also regulate various activities, particularly money transmission. 

Securities law regulation

The US has taken the lead in bringing enforcement actions against ICOs on the basis that ICO tokens constitute securities, as described above.

On 16 November 2018, the SEC issued a Statement on Digital Asset Securities Issuance and Trading[16] setting out its views on three principal areas relating to digital assets.

  1. ICOs

The US Securities and Exchange Commission (the SEC) has repeatedly stated that virtual assets may qualify as “securities” and that ICOs thus need to comply with US securities laws, in particular the 1933 Securities Act.

The Howey Test is used to determine whether a virtual asset is a security. Under the Howey Test an investment contract (which is a security) is an investment of money in a common enterprise with a reasonable expectation of profits to be derived from the entrepreneurial or managerial efforts of others.

In July 2017, the SEC issued an investigative report in which it determined that “DAO Tokens” offered and sold by a “virtual” organisation called the DAO were “securities” under the Securities Act of 1933 and the Securities Exchange Act of 1934. DAO Tokens were offered in exchange for Ether (ETH) and the ETH raised would be used to fund projects. DAO Token holders stood to share in the expected profits from these projects as a return on their investment in DAO Tokens.

The DAO met the requirements of the Howey test:

  1. “an investment of money” – the use of ETH to invest in DAO tokens met the requirement for an investment of “money” which does not need to take the form of cash.

  1. “in a common enterprise with a reasonable expectation of profits”

Purchasers of DAO were found to be investing in a common enterprise with a reasonable expectation that they would receive a return in the form of a share of the profits from projects funded by the DAO. Promotional materials distributed informed investors that they would share in the profits earned from projects funded by their investment in DAO tokens. Token holders could also monetize their investment by reselling DAO tokens in the secondary market.

  1. “to be derived from the entrepreneurial or managerial efforts of others”

The DAO’s investors relied on the significant managerial efforts of, its co-founders and curators to manage the DAO and put forward project proposals to generate profits for investors. Their efforts were essential to the overall success and profitability of any investment into the DAO.

DAO token holders’ voting rights were limited and the pseudonymity and dispersion of token holders meant that they did not provide token holders with meaningful control. 

The DAO ICO was however unusual in that it was essentially a tokenized fund and thus fell squarely within the definition of a security. 

The regulatory position is less clear in relation to “utility tokens” which proliferated in the wake of the DAO report. The key feature of a utility token is that rather than representing an interest in the company itself, it represents a right of access to a specific product or service typically provided using a DLT platform. After the DAO report, companies started issuing utility tokens to raise capital for developing products or services to which token holders would have access.

But as became clear in SEC enforcement actions, merely calling something a “utility token” does not mean it is not a security. In applying the “Howey test”, the US adopts a functional approach to determining whether an ICO is a securities offering so that if a token essentially acts as an investment, it will be regulated as a security.


In December 2017, the SEC halted the ICO of Munchee Inc. (Munchee) for violations of US securities laws. This was the first SEC enforcement action against an ICO which did not involve fraud. The case involved a “utility token” issued to raise funds for the improvement of an existing app for reviewing restaurants. The SEC determined[17] that the MUN tokens were investment contracts under the Howey test on the basis that:

  1. The Munchee whitepaper set out actions Munchee would take to increase the value of the tokens including Munchee potentially “burning” tokens, taking them out of circulation and reducing the supply of the tokens, potentially causing the appreciation of the remaining tokens. This lead to the finding that purchasers of MUN tokens would have had a reasonable expectation of future profits obtained from the efforts of others;

  2. Munchee and its agents made statements on blogs and podcasts that the tokens would increase in value and endorsed other people’s public statements that touted the opportunity to profit;

  3. Munchee intended that the tokens would trade on a secondary market, representing in the whitepaper that they would be tradable on at least one US-based exchange within 30 days of the conclusion of the offering; and

  4. The tokens were marketed to crypto-investors (i.e. people with an interest in tokens and digital assets that had created profits for early investors), rather than to existing users of the Munchee App or to the restaurant industry (the supposed intended users of the tokens).

At the time of the ICO, the tokens had no actual utility. Yet, the decision noted that even if the tokens had had a practical use at the time of the offering, this would not preclude them from being a security. The determination of whether or not a token is a “security” depends on an assessment of “the economic realities underlying a transaction” and not the label it is given (e.g. a “utility token”).

In the wake of Munchee, public statements by SEC officials suggesting that all ICO are securities offerings, led to ICOs only being offered in the US under exemptions from the registration requirements of the US Securities Act of 1933.

In February 2018, SEC Chairman Jay Clayton stated “I believe every ICO I’ve seen is a security”. Only Bitcoin and Ether are not regarded by the SEC as securities and are instead regarded as commodities. In June 2018, SEC Corporate Finance Division Director, William Hinman[18] described how cryptocurrencies can evolve from being securities to non-securities once the network on which they function is sufficiently decentralised that purchasers no longer expect any person or group to carry out essential managerial or entrepreneurial efforts as required by the “Howey test”). ICOs, he said, are securities offerings because where ICOs raise money to develop networks on which digital assets will operate, the economic substance is the same as a conventional securities offering. He noted that “Funds are raised with the expectation that the promoters will build their system and investors can earn a return on the instrument – usually by selling their tokens in the secondary market once the promoters create something of value with the proceeds and the value of the digital enterprise increases”.

In November 2018, the SEC settled two enforcement cases against ICO issuers, Paragon Coin, Inc. (Paragon) and CarrierEQ, Inc. (Airfox) for failure to register their ICO offerings under the Securities Act. Both offerings were found to be securities offerings because the issuers had primed purchasers’ reasonable expectations of profits through statements on internet forums, blogs, emails and social media. Key features were that:

  1. The Airfox and Paragon ICOs were capital raising exercises aimed at funding the development of a profitable business.

  2. Both companies announced plans to reduce the number of tokens available (“burning”) to increase the demand for the tokens and hence their price.

  3. Tokens were sold to early investors in pre-sales at a discount to the price set for the general public in the ICO. The tokens were not marketed to end-users; instead the offerings were structured to encourage speculative investment.

  4. Both companies publicised that they would actively seek listing of the tokens on secondary market exchanges.

Both Paragon and Airfox companies agreed to register the ICOs under the Securities Exchange Act of 1934 (the Exchange Act) and file periodic reports. They also agreed to offer recission rights in the form of refunds to token purchasers who bought the tokens in the initial offering or presale. The registration and ongoing disclosure requirements are intended to provide token holders with the information they would have received if the issuers had complied with the registration requirement under the Exchange Act. Ongoing disclosure is intended to allow holders to make an informed decision of whether to seek reimbursement or to continue to hold the tokens. 

The SEC statement refers to the Paragon and Airfox cases as demonstrating a path to compliance with federal securities laws for illegal unregistered offerings of digital asset securities, suggesting that other ICO issuers, which have conducted an illegal offering of ICO tokens, can still register the offering. US lawyers commenting on the statement have noted however that no registration statement for the offer and sale of tokens has yet been declared effective under the Securities Act of 1933, and that no offering circular has yet qualified under the Regulation A exemption from registration for small public offerings. [19] 

In spite of SEC officials’ statements suggesting all ICOs are securities offerings, the US enforcement actions based on securities law violations have involved cases where explicit statements were made that token holders could expect to receive a profit.

There have been over 1,400 ICOs in the US to date, yet the SEC has only brought enforcement actions based on securities law violations (as opposed to fraud) in a small number of cases, raising the question of whether it was the explicit promotion of the ICOs as something that would increase in value that resulted in them being targeted by the SEC, rather than their “utility token” features? It seems likely that without the express statements suggesting the ability to make a profit from the tokens, neither ICO would have amounted to a securities offering.

SEC Statement on “Framework for ‘Investment Contract’ Analysis of Digital Assets

The US SEC issued a Statement on “Framework for ‘Investment Contract’ Analysis of Digital Assets in April 2019 for determining whether a virtual asset is offered and sold as an investment contract, and therefore as a security. The framework applies the Howey Test which focuses not only on the form and terms of the virtual asset, but also the surrounding circumstances and the manner of offering, selling and reselling.

The most problematic of the Howey test’s 3 requirements is the “reasonable expectation of profits derived from efforts of others” prong. This gives rise to three main inquiries:

  1. whether a purchaser relies on the efforts of others, in particular the efforts of an active participant (AP) such as a promoter or other third party; and (b) are those efforts “undeniably significant ones, those essential managerial efforts which affect the failure or success of the enterprise”.

    The following will make it more likely that a virtual asset purchaser relies on the efforts of others:

      1. the AP is responsible for the development, improvement or enhancement, operation, or promotion of the network.

    – If the network or virtual asset is still in development/ not fully functional at the time of the offer or sale, purchasers would reasonably expect an AP to further develop the functionality of the network or virtual asset;

    1. essential tasks or responsibilities will be performed or are expected to be performed by an AP;

    2. the AP supports or creates a market for, or the price of, the virtual asset;

    3. the AP plays a leading or central role in decision making or judgement exercising concerning the network or characteristics or rights of the virtual assets;

    4. purchasers reasonably expect the AP to undertake efforts to promote its own interests and enhance the value of the network or virtual asset.

  2. The second inquiry relates to the reasonable expectation of profits. Profits can include capital appreciation resulting from the development of the initial investment or business enterprise or participation in earning results from use of purchasers’ funds.

    Examples of characteristics giving rise to a reasonable expectation of profits include (among others):

    1. rights for holders to share enterprise’s income or profit or to realize gain from capital appreciation of digital asset;

    2. present or future transferability or tradability of virtual asset on a secondary market or platform;

    3. purchasers’ reasonable expectation that an AP’s efforts will lead to the virtual asset’s capital appreciation and the realization of a return;

    4. the digital asset is offered broadly to potential purchasers rather than being targeted at expected users of the goods or services or those with a need for the network’s functionality purchasers of the digital asset;

    5. While capital appreciation is relevant to the inquiry, price appreciation resulting solely from external market forces is outside the ambit of the Howey Test.

  3. The third inquiry relates to the transaction’s economic reality and whether the virtual assets are offered and sold for use by the purchaser. The Howey test is unlikely to be met where the following factors are present:

    1. the distributed ledger network and virtual asset are fully developed and operational;

    2. the virtual asset can be used immediately for its intended functionality on the network;

    3. the virtual asset’s design meets the needs of users and does not encourage speculation as it its value or the network’s development;

    4. the ability of a virtual asset (proposed to be virtual currency) to make payments in different contexts and its substitutability with real currency;

    5. the ability of the virtual asset to be redeemed within a developed network or platform for the goods or services.

No action letter

A no-action letter was sent to Turnkey Jet, Inc. on 3 April 2019 by FinHub’s Chief Legal Advisor agreeing that the tokens used by the business travel start-up were not securities. The reason given were that:

  1. funds from the Token sales would not be used to develop the TKJ Platform, Network or App, all of which would be fully developed and operational by the time the Tokens were sold.

  2. the Tokens had an immediate use at the time of the token sale.

  3. the Token price was fixed at one USD.

  4. the Tokens could only be used for air charter services.

  5. Repurchases would only be made at a discount to the Token price.

  6. Turnkey Jet marketed the Tokens in a manner emphasizing the functionality rather than potential increase in value.

  7. The Tokens were transferrable only to TKJ wallets and not to wallets outside the network.

The restrictions outlined in the no-action letter mean however that it is unlikely to be of benefit to most ICO issues, i.e. those where the funds are used to develop the network and the tokens only have a future use.

  1. Investment Vehicles Investing in Digital Asset Securities

The SEC statement provides a reminder to asset managers that the regulatory framework under the Investment Company Act of 1940 for pooled vehicles investing in securities also applies where investment vehicles invest in virtual asset securities.

In September 2018, the SEC found that the manager of a hedge fund which invested in virtual asset securities had improperly failed to register the fund as an investment company. Its offering of interests in the fund to the public was therefore unlawful. The fund manager also acted as investment adviser to the fund and was found to have violated the antifraud provisions of the Investment Advisers Act of 1940 by making misleading statements to fund investors.

  1. Trading Digital Asset Securities

A trading platform which offers trading of virtual assets which are “securities” and operates as an “exchange” as defined under federal securities laws must be registered with the SEC as a national securities exchange or be exempt from registration. An exemption is available for an alternative trading system which is registered with the SEC as a broker-dealer and becomes a member of a self-regulatory organisation such as the Financial Industry Regulatory Authority (FINRA). According to press reports, however, several cryptocurrency exchanges have entered into talks with the SEC about registering as a licensed broker-dealer, but these have not yet been approved.

In the November 2018 statement, the SEC notes that so-called “decentralized” trading platforms combine traditional technology (such as web-based systems that accept and display orders and servers that store orders) with new technology (such as smart contracts run on a blockchain that contain coded protocols to execute the terms of the contract). The combined technologies enable investors and market participants to find counterparties, discover prices and trade digital asset securities. It refers to the enforcement action against the founder of EtherDelta which was found to provide a marketplace for bringing buyers and sellers of digital asset securities together through the combined use of an order book, a website that displayed orders and a smart contract run on the Ethereum blockchain. EtherDelta’s smart contract validated order messages, confirmed the terms of orders, executed paired orders and updated the distributed ledger to reflect trades. Its activities were found to clearly fall within the definition of an exchange.

The SEC emphasized that a functional approach is applied in assessing whether a system constitutes an exchange. It is the activity that occurs between buyers and sellers, not the technology or terminology used, which determines whether the system operates a market place.

  1. Broker-Dealer Registration

The November 2018 statement notes that an entity that facilitates the issue of virtual asset securities in an ICO and secondary trading in virtual asset securities, may be acting as a “broker” or “dealer” that is required to register with the SEC and become a member of a self-regulatory organization, typically FINRA.

The Exchange Act prohibits a broker or dealer from inducing or attempting to induce the purchase or sale of a security unless the broker or dealer is registered under the Exchange Act. A “broker” is defined as any person engaged in the business of effecting securities transactions for others. A “dealer” is a person engaged in the business of buying or selling securities for their own account through or broker or otherwise.

As with the “exchange” determination, the SEC takes a functional approach in determining whether an entity is a broker or dealer. The SEC’s recent enforcement action against TokenLot demonstrates how the broker-dealer registration requirements can apply to entities trading or facilitating transactions in digital asset securities, even if they do not satisfy the definition of an exchange. TokenLot described itself as an “ICO superstore” where investors could purchase digital assets, including digital asset securities during or after an ICO. TokenLot’s brokerage activities consisted of marketing and facilitating the sale of digital assets, accepting investors’ orders and funds, and enabling the payment of proceeds to issuers. TokenLot also acted as a dealer in making regular purchases of digital tokens and reselling them for accounts in its name that were controlled by its operators. 

Bitcoin ETFs

The SEC has refused to approve Bitcoin ETFs citing concerns relating to market manipulation, price volatility, hacking, and custody.

Bitwise’s recent submission to the SEC made a number of arguments countering the perceived problems, including:

  1. Volume data reported by virtual asset exchanges is inaccurate and actual volume is far lower than reported volume

  2. Nature of bitcoin makes it resistant to manipulation since Bitcoin’s price is set on open market with a global price

  3. Fractured market provides resistance to manipulation as synchronous coordination across all markets is required

  4. Concerns re. custody can be dealt with using Cold Storage (create private keys on devices not connected to internet and offline storage) – none of the Bitcoin hackings involved cold storage.

  5. The existence of regulated, insured third party custodians.

Regulation as “virtual currencies”

In the US, virtual assets can also be regulated as “virtual currencies” such that the guidelines of the US Department of the Treasury, Financial Crimes Enforcement Network (FinCEN) apply to “administrators” and “exchangers” which need to be registered with FinCEN as a money service business and comply with regulations aimed at countering money laundering and terrorist financing. FinCEN has brought criminal and civil enforcement actions against virtual currency businesses for failure to register and non-compliance with anti-money laundering procedures.

Regulation as commodities

The US Commodity Futures Trading Commission (CFTC) has designated Bitcoin as a commodity. The CFTC thus has oversight of fraud and manipulation involving Bitcoin traded in interstate commerce as well as the regulation of commodity futures tied directly to Bitcoin.

State legislation

Each of the US states has its own state securities and financial services regulator and many have adopted regulations in relation to crypto currencies. New York has been the most active in terms of regulation and requires any business engaging in the transmission, trading, custody or issue of a virtual currency to obtain a BitLicense.

Licensees are also required to satisfy certain compliance requirements including a minimum capital requirement and anti-money laundering and know-your client obligations. Entities that hold virtual currencies for third parties must hold them in trust with an approved custodian. Depending on their activities, entities holding a Bitlicense may also be required to obtain a New York money transmission licence. 18 Bitlicences have been granted to date. 

Facebook has reportedly applied for a Bitlicense to use its virtual asset, Libra, in New York.

The Bitlicense has been controversial and a number of crypto businesses left the state citing overly burdensome disclosure requirements and regulatory requirements. State legislation however differs from state to state which means that businesses with customers in multiple states have to comply with a number of inconsistent, and often burdensome, state money transmission laws. Further, since all virtual assets are treated as currency, the laws apply to all issuers of tokens that have value, and anyone facilitating trading in them.[20]

Whether or not utility tokens are “securities” under US laws has come under the spotlight in the SEC lawsuit filed against Kik alleging that its initial coin offering in 2017 breached US securities laws which required it to register its Kin tokens as securities before selling them. The lawsuit may provide further clarity regarding the application of the Howey test to virtual assets. The company published its response to the SEC action denying that its tokens constitute securities. However, some commentators have predicted that Kik will seek to settle the case.

Kin is a currency token whose function is transferring value between users. Kin is the cryptocurrency of Kik, a popular messenger service. Users can earn Kin by contributing to the Kik community, and can spend Kin on goods and services within the Kik platform.

Developers of apps who adopt Kin are incentivized to create new features in their apps to maximize Kin transaction volumes among users. Kin are paid out daily to apps based on the transaction volume they have generated.

  1. Key arguments by Kik that Kin tokens are not securities

Kik contends that its offer and sale of Kin in 2017 did not amount to an “investment contract”.

Kik claims that the SEC has misstated the test established by the Supreme Court in Howey when it alleged that “[i]nvestment contracts are transactions where an individual invests money in a common enterprise and reasonably expects profits to be derived”. In fact, the Supreme Court defined an investment contract as “a transaction or scheme whereby a person invests his money in a common enterprise and is led to expect profits solely”.

Kik argues that the purchasers of Kin were not led to expect profits based on the efforts of Kik. The totality of Kik’s promotional materials emphasized Kin’s utility as a medium of exchange, and the need for developers and users to adopt Kin for it to succeed.

Kik also argued that the SEC stretched the Howey test beyond its definition by incorrectly assuming that any discussion of a potential increase in the value of an asset is the same as promising profits solely from the efforts of others.

The SEC has publicly stated that transactions in Bitcoin and Ether are not “investment contracts”. Kin is a transaction currency akin to Bitcoin or Ether, which are not regulated as securities.

Kik’s consultant also advised Kik that “[i]n the case of a community currency, there is a good basis to argue that this is not a security. You’re just selling units of property that you created that are used for a particular purpose in your app.”

United Kingdom

The UK’s Financial Conduct Authority (FCA) issued the Guidance on Cryptoassets: Feedback and Final Guidance to CP 19/3 (Final Guidance) in July 2019. The Final Guidance reframes the taxonomy of cryptoassets and clarifies whether certain cryptoassets may fall within the FCA’s regulatory perimeter.

The Final Guidance also looks at whether virtual assets are:

  1. ‘Specified Investments’ under the Regulated Activities Order (the RAO);

  2. Financial Instruments’ such as ‘Transferable Securities’ under the Markets in Financial Instruments Directive (MiFID II); or

  3. captured under the Payment Services Regulations or the E-Money Regulations.

Categorisation of Virtual Assets

The FCA Guidance identifies four principal types of virtual assets, while stressing that these categorisations are neither mutually exclusive nor exhaustive. Definitive judgments have to be made on a case-by-case basis.

Regulated Tokens

1. Security tokens – virtual assets with characteristics that meet the definition of a Specified Investment under the RAO such as a share or a debt instrument, or possibly also a Financial Instrument under MiFID II. Activities in these tokens are regulated by the FCA.

2. E-money tokens tokens that meet the definition of e-money under the Electronic Money Regulations 2011 (EMRs). They are also regulated by the FCA.

Unregulated Tokens

3. Exchange tokens – tokens designed to be used as a means of exchange, and are usually a decentralised tool used for buying and selling goods and services without traditional intermediaries. They fall outside the FCA’s regulatory perimeter. However, they will be subject to the anti-money laundering and counter-terrorist financing regulation under the Fifth Anti-Money Laundering Directive (5AMLD).

4. Utility tokens – tokens granting holders access to a current or prospective product or service, but which do not meet the definition of e-money, or provide the same rights as other Specified Investments under the RAO. They fall outside the FCA’s regulatory perimeter.

In general, unregulated tokens refer to any token that does not meet the definition of e-money, or provide the same rights as other Specified Investments under the RAO. These includes tokens referred to as utility tokens, and exchange tokens.

These tokens can, for example, be issued centrally or be decentralised, give access to a current or prospective good or service in one or multiple networks and ecosystems, or be used as a means of exchange. They can be fully transferable or have restricted transferability.

Security Tokens – Virtual assets as Specified Investments

As noted above, security tokens refer to tokens as only those that reach the definition of Specified Investments under the RAO. Whether or not a virtual asset is a Specified Investment depends on its particular characteristics. Factors indicative of a virtual asset being a Specified Investment (and thus regulated by the FCA), include, but are not limited to:

  1. the contractual rights and obligations the holder has by virtue of holding or owning the virtual asset;

  2. any contractual right to profit-share (e.g. dividends), revenues, or other payment or benefit of any kind;

  3. any contractual right to ownership in, or control of, the issuer or other relevant person (e.g. by way of voting rights);

  4. language used in relevant documentation (e.g. the term ‘whitepaper’) that suggests the virtual assets are intended to function as an investment;

  5. whether the virtual assets are transferable and tradeable on virtual asset exchanges or any other type of exchange or market;

  6. a direct flow of payment from the issuer or other relevant party to holders of virtual assets may be an indicator that the virtual asset is a security, although an indirect flow of payment (such as profits or payments derived exclusively from the secondary market) would not necessarily indicate the contrary. If the flow of payment were a contractual entitlement, the FCA would consider this to be a strong indication that the token is a security).

The substance of a virtual asset, and not the label ascribed to it, will determine whether a virtual asset is a Specified Investment. Thus a virtual asset which is described as a ‘utility token’ will still be a Specified Investment if it confers rights typical of a Specified Investment.

Virtual assets are most likely to fall within the following categories of Specified Investments: shares, debt instruments, warrants, certificates representing securities, units in collective investment schemes and rights and interests in investments.


  • virtual assets conferring rights similar to shareholders’ rights – such as voting rights, access to a dividend or rights to capital distribution on liquidation, are likely to be Specified Investments.

  • virtual assets representing ownership (through dividends and capital distribution) or control (through voting) are also likely to be Specified Investments.

  • However voting rights on direction which do not amount to control will not make a virtual asset a Specified Investment. The FCA gives the example of a virtual asset which gives the holder the right to vote on future ICOs the firm will invest in, and no other rights, as being unlikely to be considered a share, since the voting rights do not confer control-like decisions on the future of the firm.

Debt instruments

  • Debt securities that are negotiable on the capital markets are transferable securities within MiFID.

  • A virtual asset which creates or acknowledges a debt owed by the issuer to the virtual asset holder is likely to be considered a debenture and thus a Specified Investment. If it is negotiable on the capital markets, it may also be a transferable security under MiFID.


  • Warrants are Specified Investments that are expressed in terms of the rights they confer in relation to other categories of Specified Investments.

  • The rights conferred must be rights to ‘subscribe’ for the relevant investments – i.e. they must be rights to acquire the investments directly from the issuer and by way of issue of new investments (not by purchase of investments that have already been issued).

  • If virtual assets are issued that give holders the right to subscribe for Specified Investments (e.g. shares or debentures), the virtual assets will likely constitute warrants and thus will be Specified Investments.

Certificates representing certain securities

  • A certificate or other instrument that confers contractual or property rights over other investments (e.g. shares or debentures) will be a Specified Investment if:

    1. the other investment is owned by someone who is not the person on whom the certificate confers rights; and

    2. that other person’s consent is not required for the transfer of the investments.

  • Depositary receipts are Specified Investments within this category.

  • A virtual asset which confers rights in relation to tokenised shares or debentures, including depositary receipts, is likely to be a Specified Investment.

Units in a collective investment scheme

  • A collective investment scheme is an arrangement, the purpose or effect of which is to enable persons taking part in the arrangement to participate in, or receive profits or income arising from the investment, or sums paid out of such profits or income. The participants do not have day-to-day control over the management of the investment and the participants’ contributions, and the profits from which payments are made, are pooled and/or the investment is managed as a whole by or on behalf of the scheme’s operator (subject to certain arrangements which are excluded).[21]

  • The Specified Investment category is ‘units in a collective investment scheme’[22].

  • A virtual asset that acts as a vehicle through which profits or income are shared or pooled, or where the investment is managed as a whole by a market participant (e.g. the issuer of the virtual assets) is likely to be a collective investment scheme.

Rights and interests in investments

  • Rights to or interests in certain investments, including those listed above from shares to units in a collective investment scheme, also constitute Specified Investments under the RAO.

  • virtual assets that represent rights to or interests in other Specified Investments are therefore also likely to be Specified Investments. Hence a virtual asset that represents a right in a share will be a Specified Investment even though the virtual asset itself does not have the characteristics of a share.

Products referencing virtual assets

  • Products that reference virtual assets, like derivative instruments, are also likely to be Specified Instruments as options, futures or contracts for difference under the RAO. They may also be financial instruments under MiFID II.

E-money Tokens

According to the Final Guidance:

  1. E-money tokens refer to virtual assets that meet the definition of e-money under the EMRs. That is:

    1. electronically stored monetary value that represents a claim on the issuer;

    2. issued on receipt of funds for the purpose of making payment transactions;

    3. accepted by a person other than the electronic money issuer; and

    4. not excluded by regulation 3 of the EMRs.

  2. E-money issuance is regulated under the EMRs and is a regulated activity under article 9B of the RAO, when carried on by credit institutions, credit unions and municipal banks.

  3. E-money must enable users to make payment transactions with third parties, so must be accepted by more parties than just the issuer. It includes fiat balances in various types of online wallets or prepaid cards.

  4. Exchange tokens such as Bitcoin, Ether and similar virtual assets are unlikely to constitute e-money because, among other things, they are not normally centrally issued on the receipt of funds, nor do they represent a claim against the issuer.

  5. Distributed ledger technology (DLT) and cryptographically secured tokens can be used to represent fiat funds. However, the Final Guidance notes that virtual assets that establish a new type of unit of account (rather than representing fiat funds) are unlikely to constitute E-money unless the value of the unit is pegged to a fiat currency, but even then it will still depend on the facts of the case. Firms have used DLT-based e-money to provide more efficient and automated services (including for international payments) within the FCA’s sandbox.


Stablecoins are virtual assets which are pegged to a fiat currency (typically the US dollar and usually with a 1:1 backing). Their aim is to reduce the volatility which has typically been associated with virtual assets. 

Virtual assets can be stabilised in other ways, for example by being backed by particular assets (which could include Specified Investments), a basket of cryptoassets, or potentially through algorithms that maintain the supply of the cryptoasset.

However, not every token where attempts have been made to stabilise their value will constitute e-money tokens. They must also meet the other conditions in the definition of E-money as set out in the EMRs. For example, a token that is backed with fiat currency, but can only be spent with the issuer will not constitute E-money, as it is not accepted by a person other than the issuer.

On the other hand, a stablecoin which does not meet the definition of E-money may fall under the regulatory perimeter in other ways, for example, as a security token.

Exchange Tokens

According to the Final Guidance:

  1. The fact that an exchange token can be acquired and held for speculative purposes rather than exchange, with holders expecting the tokens to increase in value, is not sufficient to bring the exchange token within the definition of a Specified Investment. The FCA gives the analogy of a person holding a different fiat currency or a commodity in anticipation of an increase in value. It notes that this approach aligns with its approach to other products which are not FCA-regulated, such as art or fine wine which may also be considered to have speculative value.

  2. The FCA does not currently regulate activities in exchange tokens – the operation of a virtual asset exchange and the transfer or trading of virtual assets on exchanges are currently outside the scope of FCA regulation.

  3. As noted above, however, 5AMLD will extend AML and CTF regulation to entities that carry out the following activities[23]:

    1. exchanging virtual assets for fiat currencies and vice versa;

    2. exchanging one form of virtual asset for another;

    3. transferring virtual assets – i.e. conducting a transaction on behalf of another person what moves a virtual asset from one virtual asset address or account to another;

    4. safekeeping or administration of virtual assets or instruments enabling control over virtual assets; and

    5. participating in and providing financial services relating to an issuer’s offer and or sale of a virtual asset.

  4. In addition, other FCA rules may apply to activities in exchange tokens in certain circumstances:

    1. Senior Managers and Certification Regime (SMCR): activities by relevant individuals within authorised firms in relation to unregulated cryptoassets may be covered by the SMCR individual conduct rules. That will include all unregulated activities by UK deposit takers and dual regulated investment firms as well as all ‘SMCR financial activities’ by FCA regulated firms.

    2. Principles for Business rules (PRIN): the 11 high level PRIN also apply to unregulated activities carried out by FCA regulated firms. Those firms are required to conduct their business with integrity, exercise due skill and care, treat their customers fairly, and observe proper standards of market conduct.

Utility Tokens

  1. Utility tokens are virtual assets that provide consumers with access to a current or prospective service or product and often grant rights similar to pre-payment vouchers. In some cases, they may be similar to, or the same as, rewards-based crowdfunding. Typically, the participants will contribute funds to a project in exchange for a reward, for example access to products or services at a discount.

  1. Like exchange tokens, utility tokens can normally be traded on the secondary markets and be used for speculative investment purposes, although the FCA again notes that this does not mean that the utility tokens are Specified Investments.

  1. As utility tokens do not exhibit features that would make them the same as security tokens, they are not captured in the regulatory regime.

  1. It should be noted that e-money tokens, i.e. tokens that reach the the definition of E-money, are specifically excluded from the category of utility tokens.

Use of virtual assets to facilitate regulated payment systems

Unregulated tokens can be used to facilitate regulated payment services such as international money remittance which is used to enable remittances to occur quicker and cheaper. 

The UK’s Payment Service Regulations set out eight different payment services which include services relating to the operation of payment accounts (e.g. execution of payment transactions, card issuing, merchant acquiring and money remittance). They also list activities which do not constitute a payment service – such as cash payments made directly between the payer and payee.

The Payment Service Regulations do not cover virtual assets because they only cover activities relating to funds which re defined as ‘banknotes and coins, scriptural money and electronic money’.

Other Tokens and Business Models

The Final Guidance also clarifies the categorisation for different tokens already in the market, as well as those being developed:

  • Equity tokens and debt tokens – they generally fall under the category of security tokens (thus are regulated by the FCA).

  • Dual tokens – the regulatory treatment depends on the token’s intrinsic structure, the rights attached to the tokens and how they are used in practice. For example, if the token at a point in time reaches the definition of an e-money token or a security token, then it will fall under the regulatory regime.

  • Bank tokens and settlement tokens – they will constitute unregulated tokens if they do not meet the definition of e-money and are not Specified Investments under the RAO. That will include, for example, a token used with only the issuer and not for the purposes of making payments transactions provided that it does not confer on the holder the rights akin to another Specified Investment.

  • Tokens distributed via airdrops – the FCA will decide the nature of the token based on its intrinsic structure instead of the mechanism by which it is acquired. For example, a token can be a security token even if nothing is received for it. Whether a token is sold at value, or distributed for free via an airdrop is irrelevant for the purposes of the FCA regulation.

The FCA Regulatory Sandbox

The FCA Sandbox allows firms to test innovative propositions in the market with real consumers under a controlled regulatory environment. The FCA will typically require firms to impose additional restrictions to protect consumers.

Firms wanting to carry on a regulated activity must be authorised before testing. The Sandbox offers various tools including restricted authorisation, individual guidance, informal steers, waivers and no enforcement action letters.

Ongoing Works on virtual asset Regulation

Currently, areas such as custody and settlement fall outside the scope of the Final Guidance, which only aims to provide a perimeter guidance. The FCA is monitoring developments in those areas, and will engage with market participants as the market matures.

In addition, the FCA is working closely with other regulatory agencies to develop a consistent framework for regulators across different jurisdictions to approach cryptoassets.

Future Consultations on virtual asset Regulation

The FCA plans to conduct a further consultation on prohibiting the sale of derivatives that reference certain types of virtual assets (e.g. exchange tokens). The proposed ban will potentially cover CFDs, options, futures and transferable securities.

HMT is also proposing a consultation on bringing further virtual asset related activity with the scope of FCA regulation.


The Australian Securities & Investments Commission (ASIC) updated its information on ICOs and virtual assets set out in its Information Sheet 225 Initial Coin Offerings and crypto-assets (INFO 225) on 30 May 2019. 

INFO 225 sets out how the Corporations Act may apply to the raising of funds through an ICO and to other activities involving virtual assets such as cryptocurrencies, tokens or stable coins.

Under the current regulatory regime, when the virtual asset issued by an ICO is a financial product, the issuer will need to consider and comply with the relevant capital raising provisions of the Corporations Act, AFS licensing requirements and other regulatory requirements. For non-financial products, no regulatory restraint on capital raising exists but entities are still expected to comply with relevant laws and obligations such as the Corporations Act, ASIC Act, Australian Consumer Law, anti-money laundering (AML) and know your client (KYC) obligations.

ICOs constituting or involving a financial product

The Corporations Act is likely to apply to an ICO that involves a financial product such as a (1) managed investment scheme, (2) security, (3) derivative or (4) non-cash payment (NCP) facility.

The key consideration when assessing an ICO’s legal status as a financial product are the rights attached to the virtual assets which are normally set out in the ICO’s ‘white paper’, the offer document issued by the business making the offer or sale of an ICO virtual asset. However, rights can also be determined from other circumstances (e.g. how the ICO or cryptoasset is marketed to potential investors). The term ‘rights’ should be interpreted broadly and include possible future rights, contingent rights and rights that may not be legally enforceable.

Managed investment schemes

A managed investment scheme is a form of collective investment vehicle which has three elements:

  1. People contribute money or assets (e.g. other virtual assets) to acquire an interest in the scheme (which will typically be a type of ‘financial product’ under the Corporations Act);

  2. Any of the contributions are pooled or used in a common enterprise to produce financial benefits or interests in property (e.g. using funds raised from contributors to develop the platform), for purposes that include providing a financial benefit for contributors (e.g. from an increase in the value of their cryptoassets); and

  3. Contributors lack day-to-day control over the operation of the scheme but, at times, may have voting rights or similar rights.

Application to ICOs

If the rights and value of the virtual assets are related to an arrangement with the three elements described above, the virtual assets issuer is likely to be offering interests in a managed investment scheme.

ICO issuers may refer to the rights conferred on holders of the virtual assets in terms of a receipt for a purchased service. The ICO is likely to be a managed investment scheme when the value of the virtual assets acquired is affected by the pooling of funds from contributors, or the use of those funds under the arrangement. This is particularly likely to be the case where the ICO is offered as an investment.

INFO25 provides the following flow chart to assist in determining whether an ICO is a managed investment scheme.

However, it is not clear in what circumstances an ICO will be deemed to produce a financial or other benefit for those holding interests in the scheme. It would seem to clearly cover the situation where the ICO operates essentially as a tokenized fund – e.g. where the amounts paid by subscribers of the cryptoassets are used to invest in properties or companies and the profits arising from those investments are shared among the holders of the cryptoassets. 

It is however less clear whether it would cover the situation in which cryptoasset purchase monies will be used to develop the issuer’s platform which will provide certain services to the holder of the cryptoasset in the future, which will be paid for using the cryptoasset. The questions in that scenario are:

  • Would the future services available to holders of the virtual assets constitute a “benefit” which would bring the arrangement within the scope of a “managed investment scheme”?

  • If the value of the virtual assets increases such that holders can realise a gain on selling their virtual assets (either on a virtual assets exchange or privately), would this be a “benefit” which would bring the arrangement within the scope of a “managed investment scheme”? The difficulty here is establishing that it is the pooling of the contributions (and the actions of the issuer in developing its platform) which gives rise to the “benefit” (i.e. the rise in value of the virtual assets) for the holders.

ICOs may not offer the same protections as IPOs to consumers, consumers may be able to withdraw their investment before the crypto assets are issued or pursue the issuer and involved parties in the ICO for the losses in cases where (1) the prospectus does not contain all the information required by the Corporations Act or (2) includes misleading or deceptive statements. (see Regulatory Guide 228 for prospectus disclosure requirements)

Non-cash payment facilities

A non-cash payment (NCP) facility is an arrangement through which a person makes payments, or causes payments to be made, other than by the physical delivery of currency. Such facilities can be a financial product which requires an AFS licence if payments can be made to more than one person.

An ICO may involve an NCP facility if it includes an arrangement that allows:

  1. Payments to be made in a form of value (instead of physical currency) to a number of payees; or

  2. Payments to be started in a form of value (not a physical currency) and later converted to fiat currency to enable completion of the payment.

Generally, an AFS licence may be needed if an ICO involves an NCP facility. In some cases, however, exemptions (e.g. a low-value exemption) may apply.

Financial market operation

A financial market is a facility where offers to acquire or dispose of financial products are regularly made. Where a virtual asset is a financial product, then any platform that enables consumers to buy, be issued with, or sell such virtual assets may involve the operation of a financial market.

To operate a financial market in Australia, the platform operator will need to hold an Australian market licence, unless covered by an exemption. Currently, there are no licensed or exempt platform operators in Australia that enable consumers to buy, be issued with or sell virtual assets that are financial products.

Entities may also propose to issue financial products that:

  1. are linked to, or reference, virtual assets;

  2. invest in virtual assets; or

  3. otherwise enable consumers to have exposure to virtual assets.

In these cases, the entities will be providing a financial service in issuing such financial products and may require a new AFS licence or licence variation (such as a new product authorisation).


A number of jurisdictions have sought to establish themselves as crypto hubs by adopting crypto-friendly regulation. Malta was one of the first jurisdictions to implement laws setting the regulatory framework for blockchain and DLT, cryptocurrency and digital assets. The principal law governing ICOs and virtual asset exchanges and service providers is the Virtual Financial Assets Act (VFA Act) which came into effect on 1 November 2018 together with two other laws.

The two largest crypto exchanges, Binance and OKEx operate from Malta.

Virtual Financial Assets Act

The VFA Act sets out the framework for virtual financial assets, including ICOs, and entities that deal with them such as virtual asset exchanges, investment advisers, custodian wallet providers, brokers and portfolio managers. 

Malta adopted a Financial Instruments Test which must be conducted by anyone proposing to issue an ICO in or from Malta to determine the type of asset being created and the law applicable to the ICO and the token itself.

A “virtual financial asset” or “VFA” is any form of digital medium of recordation that is used as a digital medium of exchange, unit of account or store of value that is not:

  1. a financial instrument – as defined under the EU’s Markets in Financial Services Directive (MiFID) and Malta’s Investment Services Act. Activities related to financial instruments are regulated under the Investment Services Act;

  2. a virtual token – a token which has no utility or value outside the DLT platform on which it is issued and which cannot therefore be traded or exchanged outside that platform. Activities relating to virtual tokens are unregulated. Virtual tokens are typically utility tokens whose only utility and value is to acquire goods or services within the DLT platform on which they are issued; or

  3. electronic money – to qualify as electronic money, a DLT asset must be issued at par value on receipt of funds by the issuer and be redeemable at any time only by the issuer. It should be used for making payments and must be accepted by a person other than the issuer as a means of payment.

If a DLT asset is convertible into another type of DLT asset, it will be treated as the DLT asset type into which it may be converted.

Most virtual assets will be virtual financial assets. 

Whitepaper Content Requirements

The VFA Act requires an entity which proposes to (i) offer a virtual financial asset to the public in or from Malta (the Issuer) or (ii) apply to trade a virtual financial asset on a DLT exchange, to issue a white paper. The contents requirements for white papers include (among others) requirements that:

  1. it contains information which, according to the particular nature of the issuer and of the virtual financial assets being offered to the public, is necessary to allow investors to make an informed assessment of the issuer’s prospects, the proposed project and of the features of the virtual financial asset;

  2. it includes the names of the persons responsible for the white paper and their declarations that, to the best of their knowledge, the information it contains is accurate and does not omit any material information;

  3. details of the issuer including its registered address, a description of its principal activities, and its financial track record if established for more than three years; and

  4. a summary in standard form providing key information relating to the offering.

A copy of the white paper signed by the members of the Issuer’s board of administration must be delivered to the Malta Financial Services Authority (MFSA) ten working days before the day of its circulation in whatever form. The MFSA will register the white paper once it is satisfied that it complies with the relevant requirements.

The definition of a VFA issuer refers only to legal entities formed under the laws of Malta. Thus issuers must be incorporated in Malta if they wish to conduct a VFA offering (i.e. an ICO).

Issuer Obligations

VFA issuers are required to:

  • Conduct their business with honesty and integrity;

  • Communicate with investors in a fair, clear and not misleading manner;

  • Identify and manage conflicts of interest;

  • Have effective arrangements in place for the protection of investors’ funds;

  • Have effective administration arrangements;

  • Maintain all its systems and security access protocols to appropriate international standards; and

  • Comply with Malta’s anti-money laundering and counter-terrorist financing regulations.

Issuers will be liable to compensate any person who suffers loss resulting directly result from the purchase of virtual financial assets either as part of an initial VFA offering or on a DLT exchange on the basis of untrue information contained in the white paper, on the issuer’s website or in an advertisement relating to the virtual financial assets. Information is “untrue” if it is misleading or inaccurate in the context in which it is included, either deliberately or as a result of gross negligence. A defence is available if a person can prove that he believed and had reasonable grounds to believe that the statement was true, or if on becoming aware that a statement is false, he immediately gave public notice of that fact.

VFA agent requirements

The issuer of an ICO must appoint a VFA agent approved by the MFSA on an ongoing basis. Lawyers, accountants and corporate service providers can apply for approval as a VFA agent. The VFA agent is responsible for advising and guiding the issuer as to its responsibilities and obligations under the VFA Act and related rules and regulations. It must form an opinion that the issuer has complied with all applicable regulatory requirements in relation to the offer of virtual financial assets or their admission to trading on an exchange (as the case may be) and must consider the issuer to be fit and proper. The VFA agent acts as a point of liaison between the issuer and the MFSA and must submit all documentation required under the VFA Act and related rules and regulations. In particular, it must submit a certificate of compliance to the MFSA annually confirming that the issuer is in compliance with the regulatory requirements. The VFA agent must disclose any material information relating to regulatory non-compliance to the MFSA.

Requirements for Advertisements

The VFA Act specifies requirements for advertisements issued in relation to an initial VFA offering or the admission of a VFA to trading on a VFA exchange. Any advertisement must be clearly identifiable as such and the information it contains must be accurate and not misleading and must be consistent with the information contained (or to be contained) in the white paper. The advertisement must contain a statement that a white paper has been or will be issued and give the addresses and times at which copies are or will be available to the public.

Advertisements related to a VFA service can only be issued by a VFA licence holder or by another person where the licence holder’s board of administration has vetted and approved its contents.

VFA Service Providers

The provision of VFA services in or from Malta requires the provider to be licensed by the MFSA.

VFA services include:

  1. Reception and Transmission of Orders – receiving an order to buy, sell or subscribe for virtual financial assets and transmitting that order to a third party for execution;

  2. Execution of Orders – acting to conclude agreements to buy, sell or subscribe for virtual financial assets on behalf of third parties;

  3. Dealing on own account – trading against proprietary capital resulting in the conclusion of transactions in virtual financial assets;

  4. Portfolio Management – managing assets belonging to another person where the assets include one or more virtual financial assets or where the person managing the assets has a discretion to invest the assets in virtual financial assets (whether or not issued in Malta);

  5. Custodian or Nominee Services – acting as a custodian or nominee holder of a virtual financial asset or a private cryptographic key, or holding a virtual financial asset or a private cryptographic key as nominee on behalf of a person providing a VFA service or on behalf of a client of that person, where the nominee holding is carried out in relation to that service;

  6. Investment Advice in relation to virtual financial assets;

  7. Placing of virtual financial assets – marketing newly issued virtual financial assets or virtual financial assets already issued but not admitted to trading on an exchange to specified persons (not involving a public offer) or to existing holders of virtual financial assets; and

  8. Operating a virtual financial assets exchange.

Application for the Licence

An entity seeking a VFA licence must appoint a registered VFA agent to submit the application. The MFSA may grant or refuse to grant a licence, which may be general or restricted to the provision of specified VFA services. The grant of a licence requires the MFSA to be satisfied on an ongoing basis that:

  1. The applicant (and its beneficial owner, qualifying holder, members of the board of administration or any other person who directs the business of applicant) is fit and proper to provide the relevant VFA services and complies and observes the requirements of the VFA Act and other relevant regulations and rules;

  1. If the applicant is a natural person, that such person is a resident of Malta;

  1. If the applicant is a legal person, that it is either constituted in Malta or in accordance with Malta’s laws or in a recognized jurisdiction and has established a branch in Malta. Its purposes or objects must be limited to acting as a licence holder and carrying out ancillary or incidental activities, and do not include purposes or objects which are not compatible with the VFA services of a licence holder. Non-compatible purposes or objects include any activity that requires authorisation by the MFSA under any Maltese law other than the VFA Act; and

  1. Its actual activities are compatible and related to VFA services.

The Competent Authority may issue a licence subject to any conditions it deems appropriate, and may subsequently revoke or impose additional conditions. The MFSA’s decisions to grant or refuse to grant a licence will be guided by its objectives of investor and public protection, protection of Malta’s reputation, promotion of innovation and competition and the sustainability and reputation of the applicant and parties connected to it.

There are a number of other grounds on which the MFSA may refuse to grant a licence, including if it considers that the applicant does not have sound and prudent management, robust administration arrangements and adequate internal control or security mechanisms, or that the applicant has close links to a person or persons that prevent it from exercising effective supervision of the applicant, or that granting a licence to the applicant could pose a risk to investors, the general public, Malta’s reputation, and promotion of innovation or competition.

The MFSA can suspend or cancel a licence if:

  1. a licence holder does not start to provide the VFA service within twelve months from the date of issue of the licence;

  2. a licence holder has ceased operations as a result of a merger;

  3. if the licence holder is declared bankrupt, goes into liquidation or makes a composition with its creditors or is otherwise dissolved; or

  4. at the written request of another competent regulatory authority regulating the licence holder.

Licence holders conduct and obligations

The VFA Act imposes standards of conduct on licence holders including requirements that they act honestly, fairly and professionally; comply with the requirements of the VFA Act and any related rules and regulations; and owe fiduciary duties towards their customers. Licence holders must maintain systems and security access protocols to appropriately high standards.

Prevention of market abuse

The VFA Act creates offences of insider dealing, market manipulation and unlawful disclosure of inside information in relation to virtual financial assets that are admitted to trading on a VFA exchange, whether carried out in or outside Malta:

  1. Insider dealing – intentionally recommending or inducing another person to engage in insider dealing is an offence. Insider dealing occurs where a person possesses inside information and uses that information by acquiring or disposing of, for its own account or for the account of a third party, directly or indirectly, virtual financial assets to which that information relates. It also occurs where a person possesses inside information and recommends, on the basis of that information, that another person acquire or dispose of virtual financial assets to which that information relates, or induces that person to make such an acquisition or disposal, or that another person cancel or amend an order concerning a virtual financial asset to which that information relates, or induces that person to make such a cancellation or amendment Use of the recommendations or inducements constitutes insider dealing where the person using the recommendation or inducement is aware that it is based upon inside information.

  1. Unlawful disclosure of inside information where a person possesses inside information and discloses that information to any other person, except where such disclosure is permitted by the VFA Act and regulations or rules issued thereunder. Inciting, aiding or abetting such an offence is also an offence.

  1. Market manipulation is defined as the manipulation or attempted manipulation of a virtual financial asset or a benchmark through the use of an abusive strategy.

VFA exchanges are required to have effective systems, procedures and arrangements in place to monitor and detect market abuse, and must report any suspicion of market abuse to the MFSA.

The MFSA may require any person providing VFA services to provide it with information and documents, including data traffic and existing DLT records, and may require a VFA service provider to answer questions by attending a designated appointment. The MFSA cannot however demand source codes of proprietary technology, highly sensitive information or intellectual property related to DLT and smart contracts.

Licence holders’ Auditor

A licence holder will be required to appoint an auditor who has a duty to report to the MFSA any fact or decision that is likely to lead to a serious qualification to, or refusal of, the auditor’s report on the accounts of the licence holder, or is likely to constitute a material breach of applicable legal or regulatory requirements, or impairs the licence holder’s ability to continue its activities. Any person having close links with such a licence holder must also be reported to the MFSA by the auditor. The auditor must simultaneously communicate the information to the board of administration of the licence holder, unless the auditor knows of compelling reasons not to do so. The auditor is required to report to the MFSA annually on the systems and security protocols of the licence holder.

It is an offence for a person to induce or attempt to induce another person to enter into a VFA agreement by knowingly making statements that are misleading, false or deceptive. Any person intentionally obstructing another person from exercising rights given by VFA Act will also be guilty of an offence. Offences under the VFA Act are punishable by a fine of up to EUR 15,000,000, a fine up to three times the greater of the profits made or losses avoided by the offence, or by imprisonment for a maximum six years, or both fine and imprisonment.

The VFA Act also imposes reporting obligations with respect to suspected money laundering and terrorist financing. If an officer or an employee of a VFA issuer, VFA agent or licence holder considers that a transaction may involve money laundering or terrorist financing, they must report this in compliance with the Malta’s Prevention of Money Laundering Act.


Gibraltar is another jurisdiction which has introduced regulations aimed at attracting blockchain and crypto companies.

Gibraltar’s DLT principles-based regulation

Regulations governing businesses operating in or from Gibraltar which use distributed ledger technology for storing or transmitting value belonging to others (DLT Activities) took effect on 1 January 2018. Firms carrying on a business in DLT Activities, including crypto trading exchanges and custodians, need to be authorised as DLT Providers by Gibraltar’s Financial Services Commission (the GFSC). 

Gibraltar’s regulatory approach to DLT is outcome-focused, not prescriptive. The GFSC requires DLT Providers to comply with nine principles designed to ensure achievement of desired regulatory outcomes, including investor protection.

Application for the licence must be made to the GFSC and applicants must demonstrate how they will comply with the following nine principles:

  1. conduct its business with honesty and integrity;

  2. pay due regard to the interests and needs of each and all its customers and must communicate with its customers in a way which is fair, clear and not misleading;

  3. maintain adequate financial and non-financial resources;

  4. manage and control its business effectively, and conduct its business with due skill, care and diligence; including having proper regard to risks to its business and customers;

  5. have effective arrangements in place for the protection of client assets and money when it is responsible for them;

  6. have effective corporate governance arrangements;

  7. ensure that all systems and security access protocols are maintained to appropriate high standards;

  8. have systems in place to prevent, detect and disclose financial crime risks such as anti-money laundering and countering terrorist financing (AML/CFT); and

  9. be resilient and develop contingency plans for the orderly and solvent wind down of its business.

AML/CTF Regulations

Gibraltar’s Proceeds of Crime Act 2015 was amended to extend AML/CTF obligations to undertakings that receive proceeds in any form from the sale of tokenized digital assets whether on their own account or on behalf of another person.

Regulation of ICOs

ICOs are not however specifically regulated in Gibraltar, although they may fall within the scope of existing regulation of securities. However, Gibraltar’s Government (HMGoG) and the Gibraltar Financial Services Commission (GFSC) issued proposals for the regulation of ICOs in March 2018. The proposals would introduce a requirement for an “authorised sponsor” of all publicly offered ICOs and would regulate the conduct of authorised sponsors, secondary token market operators and token investment and ancillary service providers.

The “Proposals for the regulation of token sales, secondary market platforms and investment services relating to tokens” (Token Proposals) propose new legislation to regulate the following activities conducted in or from Gibraltar:

  • the promotion, sale and distribution of tokens;

  • operating secondary market platforms trading in tokens; and

  • providing investment and ancillary services relating to tokens.

The regulations will impose obligations on:

  • authorized sponsors of public ICOs;

  • secondary token market operators (i.e. virtual asset exchanges); and

  • token investment and ancillary service providers.

They will not however regulate token issuers or promoters, nor the tokens or technology underlying them. Instead, regulation will be effected by requiring authorized sponsors, crytpo exchanges and service providers to comply with new regulations. 

The aim of the proposed regulatory regime would be to mitigate the risks associated with token-based crowd financing by requiring full and accurate disclosure of information, imposing rules for the orderly and proper conduct of secondary market platforms and requiring competent professional investment services. GFSC will be the relevant supervisory authority for AML/CFT regulation, and the provisions of DLT regulations will apply to firms covered by the new token regulations.

Promotion, sale and distribution of tokens

The first limb of the regulations will regulate the primary market promotion, sale and distribution of tokens that are not securities (which are already covered under existing securities legislation), outright gifts or donations which are conducted in or from Gibraltar. According to the Proposals, these tokens are typically those referred to as utility or access tokens which offer commercial products or services (which may not exist at the time of the token sale). Tokens that function solely as decentralised virtual currency (e.g. Bitcoin) or as central bank-issued digital currency will be excluded from this limb of the regulations. However, hybrid tokens (which have an underlying economic function that is both virtual currency and something else) will be caught.

Unless further specifics are included in the proposed legislation or guidance, the current proposals do little to create clarity as to which tokens will be covered by the new legislation and existing securities laws, respectively and which will remain unregulated. The regulatory treatment of an ICO offering will thus still require an analysis of the nature of the rights attached to the tokens and their intended use. From a European perspective, the closest equivalent to the US concept of a security, is probably a unit in a collective investment scheme. To date, there is no guidance as to how that concept applies to an ICO. It is not clear from the Gibraltan proposals whether they will cover all “utility tokens” irrespective of whether they can be traded in the secondary market. 

The activities to be regulated under the first limb are proposed to include activities:

  • which purport to be or imply that they are made from Gibraltar;

  • are intended to come to the attention of or be accessed by any person in Gibraltar;

  • are conducted by overseas subsidiaries of Gibraltar-registered legal persons (in such cases, the Gibraltar person will be liable); or

  • are conducted by overseas agents and proxies acting on behalf of Gibraltar-registered legal persons, or on behalf of natural persons ordinarily resident in Gibraltar (in such cases, the Gibraltar person will be liable).

Disclosure rules

The proposed regulations on the promotion, sale and distribution of tokens will require adequate, accurate and balanced disclosure of information to enable anyone considering purchasing tokens in the primary market to make an informed decision. The regulations may prescribe what, as a minimum, constitutes adequate disclosure, and in what form disclosures are made (e.g. in a key facts document not exceeding 2 pages). The FSC may publish guidance on the disclosure rules from time to time.

Financial crime provisions

Undertakings that receive, whether on their own account or that of another person, proceeds in any form from the sale of tokens were brought within the scope of the Proceeds of Crimes Act 2015 (POCA) by an amendment which took effect in March 2018. Token issuers are thus already under a statutory obligation to perform AML and CTF checks on token purchasers.

Authorised sponsors

The proposed regulations will establish a regime for the authorisation and supervision of token sale sponsors (authorised sponsors) who will be responsible for ensuring compliance with this limb of the regulations. An authorised sponsor will need to be appointed in respect of every public token offering promoted, sold or distributed in or from Gibraltar. Authorised sponsors may be appointed by the Gibraltar promoter or by organisers of the offering, wherever located.

Authorised sponsors will be required to have knowledge and experience of ICOs and mind and management in Gibraltar. They will be allowed to delegate some of their work to others, including offshore parties, but will remain directly accountable to GFSC for the actions of their delegates.

Codes of practice

Authorised sponsors will be required to have in place one or more codes of practice relating to offerings they sponsor. Authorised sponsors are considered to be in the best position to determine best practice for the offerings they sponsor and will be free to apply different codes to different categories of tokens and offerings. Codes of practice may cover matters such as methods for applying and distributing sale proceeds.

A code of practice will have to be incorporated in authorised sponsors’ agreements with their ICO clients. Submission of codes of practice will form part of the application process for an authorised sponsor licence. Prior reporting of amendments to codes of practice will be required and will be treated in the same way as other major business changes.

It is proposed that regulations would specify principles governing the content of codes of practice. Authorised sponsors will be free, subject to approval, to set their own methodologies for implementing the principles.

Registers of authorised sponsors, codes of practice, sponsors’ clients and tokens

GFSC will establish and maintain a public register of authorised sponsors and their codes of practice (past and present).

GFSC will add to the public register the following details of public offerings provided by authorised sponsors of public offerings they are engaged in:

  • the client(s) for whom they act;

  • the token(s) included in the offering;

  • the code of practice applicable to the offering; and

  • any interest they, and connected persons, have in the tokens offered.

New Controlled Activity and Offence

A new controlled activity of being an authorised sponsor will be created and it will be an offence to promote, sell or distribute tokens in or from Gibraltar without compliance with:

  • the requirement for an authorised sponsor;

  • the requirement for a current entry on the public register;

  • specified disclosure obligations; and

  • relevant provisions of POCA, where applicable.

The promotion, sale and distribution of a public token offering may only be conducted once, and while, the offering appears on the register.

Secondary market activities

The proposals include regulation of secondary market platforms operated in or from Gibraltar that are used for trading tokens and, to the extent not covered by other regulations, their derivatives. The regulations aim to ensure that the activities of these markets are fair, transparent and efficient and that organised trading occurs only on regulated platforms.

The proposed regulations will set out requirements for:

  • disclosure to the public of data on trading activity;

  • disclosure of transaction data to GFSC; and

  • specific supervisory actions concerning tokens and positions on token derivatives.

These regulations will cover secondary market trading of all tokenised digital assets including virtual currencies and will be modelled, to the extent appropriate, on market platform provisions under MiFID 2 and MiFIR. GFSC may issue guidance as appropriate.

Authorised secondary token markets

The proposals include adding a new controlled activity of operating a secondary market platform used for trading tokens and their derivatives. GFSC will authorise and supervise secondary token market operators and maintain a public register of such operators.

Investment and ancillary services relating to tokens

The proposed legislation would include a new controlled activity of providing investment and ancillary services relating to tokens in or from Gibraltar and, to the extent not covered by other regulations, their derivatives.

This limb of the regulations is intended to cover advice on investments in tokens, virtual currencies and central bank-issued digital currencies, including:

  • generic advice (setting out fairly and in a neutral manner the facts relating to token investments and services);

  • product-related advice (setting out in a selective and judgemental manner the advantages and disadvantages of a particular token investment and service);

  • and personal recommendation (based on the particular needs and circumstances of the individual investor).

This limb of the regulations will be modelled on similar provisions under MiFID.


[1] HKMA. Press release “The HKMA reminds the public to be aware of the risks associated with Bitcoin”. 11 February 2015.

[2] Money Service Supervision Bureau. Customs and Excise Department. “Statement in relation to “Bitcoin and Money Service Operator Licence”. August 2014.

[3] SFC. Statement on initial coin offerings. 5 September 2017. 

[4] The additional requirements will not apply to funds authorised by the SFC for retail distribution.

[5] Cryptoassets Taskforce: final report. October 2018 at page 20.

[6] SFC. Frequently Asked Questions on Compliance with Suitability Obligations by Licensed or Registered Persons. 23 December 2016 at

[7] SFC. Frequently Asked Questions on Triggering of Suitability Obligations. 23 December 2016 at

[8] A “hot wallet” refers to a wallet used for holding virtual assets in an online environment which provides an interface with the internet, which is more susceptible to cyber-attacks.

[9] FCA. “Guidance on Cryptoassets: Feedback and Final Guidance to CP19/3”. July 2019.

[10] SFC. “Statement on Initial Coin Offerings”. 5 September 2017 (

[11] Forbes. “Explaining Stable Coins, the Holy Grail of Cryptocurrency”. 12 March 2018

[12] SCMP. “Central bank deputy governor: STO business “essentially an illegal financial activity in China”. 9 December 2018.

[13] Ibid.

[14] People’s Bank of China (2018) China Financial Stability Report 2018.

[15] Japan Times. “Cryptocurrency’s worrying boom”. 26 December 2017.


[17] Order instituting cease-and-desist proceedings pursuant to section 8A of the Securities Act of 1933, making findings, and imposing a cease and desist order. 11 December 2017.

[18] William Hinman. “Digital Asset Transactions: When Howey Met Gary (Plastic)”. 14 June, 2018. Note both statements are expressed as representing the views of the speaker rather than the SEC.

[19] Sidley Austin. “The Security Token Story: SEC Reveals Act III – Registered Digital Assets – and Reminds Market Actors of Acts I (Investment Vehicles) and II (Secondary Trading).” 19 November, 2018.

[20] C. R. Goforth. “US Law: Crypto is Money, Property, a Commodity, and a Security, all at the Same Time” available at

[21] Section 235 of the Financial Services and Markets Act 2000. 

[22] Article 81 of the Regulated Activities Order.

[23] The FCA will be the supervisor for this new AML regime. The regime is pending further consultation in late 2019.

P.10 ‘A regime for exchange tokens’

P.16 ‘Definition of security tokens’

Regulation of cryptocurrencies in Hong Kong

Regulation of ICOs in Hong Kong

Hong Kong Crypto Regulation

Virtual Asset Regulation

Pump and dump schemes

Cryptocurrency Hong Kong

Hong Kong bitcoin regulation

Crypto in Hong Kong

Hong Kong ico regulation

Initial coin offering hong kong
Hong Kong crypto exchange