This paper considers the pathway options for the development of a regulated secondary market in digital assets. It explores the conditions necessary to develop a regulatory framework that serves to facilitate the possibilities offered by cryptographic consensus technologies such as blockchain and distributed ledger technology. While centrality has been a useful and hitherto inevitable nexus point for regulatory agencies, the prospect of alternative decentralized environments signals a need to reconsider how regulatory oversight can work to service its intended functions. Existing market integrity controls are also presented with novel challenges in the context of multiple market places for the same digital asset.
The structural forms of centralized and decentralized cryptoexchange models and the functions served are considered in the context of historical development of exchanges in traditional markets. The different operational concerns, and how regulatory accountability can be established in decentralized contexts, are explored. The non-exchange-like activities that may be undertaken by exchange operators and the challenges arising in relation to intermediary services are reviewed.
The analysis suggests the development of regulatory policy should be model-neutral, form-independent and focused on functions and outcomes. It should not be imposed in a manner that may inhibit the ability of private markets to develop effective outcomes that align with public policy concerns, or which may cause industry development to cycle back toward extant models rather than evolving more optimal models of commercial and financial activity. Addressing intermediary services, whether provided by a cryptoexchange, intermediaries from traditional markets, or specialized cryptointermediaries, will be part and parcel of effective secondary market regulation. While the different nature of digital assets compared to traditional securities presents difficulties in applying existing regulations, it may also present opportunities for regulatory approaches that utilize their unique digital characteristics. Regulatory agencies must engage the concept of attraction regulation by playing a formative role in directing the industry toward shared goals.
All major financial jurisdictions have had to respond to the emergence of digital assets1 and the ever-increasing variety of related activities. Those responses can and do impact on the development of an emerging industry. Facilitation of the industry is desirable, provided it does not obstruct overarching objectives of regulation such as consumer protection and market integrity.
Regulation has frequently served as an important driver of industry development. In the context of newly available cryptographic consensus technologies (“CCTech”) such as blockchain and distributed ledger technology,2 on which digital assets are based, there is a risk that regulation could inhibit the possibilities offered by CCTech, such as finding new ways of servicing existing commercial needs more efficiently or developing new types of commercial activity. The danger in the secondary market context is that existing regulatory approaches could be prematurely applied or adapted, creating a favorable regulatory landscape for familiar models while selectively discriminating against other possibilities.
The characterization of digital assets for the purposes of extant securities laws is not a central concern of this paper. Instead, the approach taken accommodates the evolution of a more comprehensive regulatory framework for digital assets that is not limited by regulatory silos3 established in a pre-CCTech era. This differs from the approach in some jurisdictions to adopt a taxonomy referenced to conditions arising before the advent of CCTech4—such taxonomies may be recursive, appearing to solve the question of how today’s securities laws should be applied to digital assets, but without changing the underlying assumptions.5
Following a review of the secondary market and regulatory responses to date in Section 2, Section 3 discusses different centralized and decentralized cryptoexchange models, and the “familiarity risk” that policy makers assess models based on the degree of structural similarity to traditional stock markets. Section 4 considers the persistent nature of an exchange, despite its historical evolution, as a segue to the discussion in Section 5 of the operational characteristics of centralized and decentralized cryptoexchanges and the suggestion that regulatory agencies must attend to the regulation of exchange functions, not their form.
Section 6 explores the question of how to attach responsibility and accountability to cryptoexchanges, often considered problematic in the decentralized context, and the persons who trade through them. Section 7 discusses issues presented by intermediaries.
The concluding Section 8 considers the ordering of development for a more comprehensively regulated secondary market in digital assets, and the roles that can be played by attraction regulation and the design of the digital asset.
2.1 Industry developments
The components of a more complete and familiar market system in digital assets are progressively being assembled. Capital invested into digital assets in the primary market has predictably led to the development of secondary market activity—as regards types, products and range of services—which has increasingly demanded the attention of regulatory agencies.
Cryptoexchanges6 are of particular interest because they (i) represent large pools of capital risk and frequently hold customer assets, (ii) are significant in terms of investor losses incurred from exchange hacks and thefts,7 (iii) undertake a multiplicity of roles that create conflicts which have led to a division of labor in traditional markets, (iv) are subject to minimal or no regulation in the largest international financial centers,8 and (v) operate in markets where adequate market abuse surveillance mechanisms are absent. The Virtual Markets Integrity Initiative Report issued by the New York State Attorney General (the “VMII Report”) reflected these problems.9 In addition, there has been an increase in the number and size of cryptoexchanges,10 with some entering into tie-ups with traditional financial services providers.11 Cryptoexchanges12 and others13 are developing an increasing number of price indices in an effort to improve price transparency. However, many of these indices cross-refer to each other, and in the context of multiple market places in the same asset (see Section 4.2), they do not perform well in the face of unusual market events.14
A cohort of intermediaries providing specialized services for digital assets (“cryptointermediaries”) has started to emerge whose standards of conduct and practices will be vital to the development and operation of the secondary market. This has been stimulated by an increased awareness and concern over cryptoexchange practices and risk management. Investors that recognize, and seek exposure to, digital assets as a new asset class15 now include participants from traditional markets such as financial institutions, asset managers and hedge funds.16 The influx of institutional money has imported expectations from the traditional markets in relation to customary safeguards relating to custody arrangements,17 audit opinions and System and Organization Controls (“SOC”) reports,18 trade execution and portfolio and risk management,19 and legal opinions.
While services are evolving for similar reasons as seen in the traditional markets, unique features of digital assets give rise to new considerations. For example, institutional investors may want custody services segregated from cryptoexchanges, but ownership control of digital assets may not be segregated from a custodian’s own corporate balance sheet. There are also technical issues to ensure that a custody arrangement does not impact on the ability to respond to a fast-moving trading environment while at the same time not exposing the assets to the risk of a wallet being available online for longer than necessary. Investors have also turned to service providers in established markets for assistance with advice, execution and custody. Digital assets have become appealing to unsophisticated investors that have limited ability to assess and manage the attendant risks.
However, cryptoexchanges and cryptointermediaries remain outside the ambit of standards and practices established by regulatory oversight bodies in major financial markets,20 leaving standard-setting and compliance practices to the market.21 Self-regulatory organizations (“SROs”) have developed, including the United Kingdom’s CryptoUK,22 Global Digital Finance (“GDF”),23 and the Japanese Virtual Currency Exchange Association (“JVCEA”).24 At present, these SROs tend to lay down high-level principles, as opposed to the more granular operating requirements seen in traditional markets.25 While self-regulation can be effective,26 it is a weak form of regulation when adequate enforcement is lacking.27 One form of enforcement is the ex ante role of a firm’s internal compliance team—however, for most cryptoexchanges and cryptointermediaries, specialized compliance personnel (as seen in intermediaries operating in traditional markets) currently remains a nascent concept.28
Regulatory development has nevertheless tangentially facilitated the industry by validating and safeguarding segments of the market including (i) the New York Department of Financial Services’ (“NYDFS”)29 BitLicense rules issued in June 2015, (ii) the developing cryptocurrency derivatives markets in the United States30 and UK31 via regulated futures and commodities platforms,32 and (iii) cryptocurrency spot markets.33 This is aided by (i) investigations of possible cryptoexchange manipulative practices,34 (ii) successful regulatory enforcement in the primary and secondary markets,35 and (iii) the expansion of anti-money laundering and counter-terrorist financing requirements to cover digital assets.36
The prospect of regulatory oversight expanding to cryptoexchanges and cryptointermediaries is inevitable. There is now increased regulatory interest encompassing information gathering37 and enforcement,38 and licensing regimes for secondary market activities are being proposed that would encompass a wider class of digital assets than those regarded as securities.39 In response, cryptoexchanges may self-impose higher standards, and there has been an increased willingness to engage with regulatory agencies to find a meaningful pathway forward.40
There remains much to be done before digital assets can fully service all uses to which they may be put, and this will in part depend on how the secondary market develops. This ranges from, for example, the ability of cryptoexchanges to interact normally with the existing banking system to a significant lack of transparency in the industry’s operations, and from the use of digital assets in corporate financing to the treatment of digital assets for the purposes of capital adequacy or financial resources requirements.41
2.2 Regulatory responses
The initial focus of regulatory agencies fell on the categorization of digital assets for the purposes of fitting them within established regulatory silos that applied to the primary market. While grey areas remain in determining whether a digital asset is a security, there has been some progress.42 This has redirected capital raising to permissive jurisdictions or being structured as an offering of securities made subject to exemptions from securities laws, such as via a securities token offering (“STO”).43
The preoccupation with the categorization of digital assets to date has left secondary market activities in need of more detailed discussion, which has become the next logical issue to address.
Cryptoexchanges present familiar regulatory concerns in relation to market integrity and investor risk. To date, standards have evolved out of industry needs, as opposed to regulatory requirements. These needs are a combination of commercial advantage, the expectations of new client groups (as noted above), technological capabilities, and negative market incidents such as cybersecurity and exchange failures. Frequently these are also the drivers of different exchange models. Regulatory agencies are to an extent relying on professionals (such as lawyers and accountants) as control gateways and as centers of learning and experimentation. This reflects an emergent coordination of efforts, as discussed in Section 8.1.
An approach in many jurisdictions44 is to apply the same categorization approach used in primary markets to secondary markets. Doing so is necessary to stay within the ambit of a regulatory agency’s statutory authority. In secondary markets, this turns on the question: does the activity fall under existing legislation, such as securities laws? Where the answer is negative, regulatory oversight does not apply and when affirmative it does.
While such a binary approach may be adequate for primary market regulation, additional considerations apply to secondary markets. Compared to the event-driven nature of primary markets, conduct in secondary markets is of an ongoing nature. Oversight is exercised via licensing, authorization or another form of approval by a regulatory agency (together, “licensing”) for certain types of activity, coupled with powers of supervision and inspection. Licensing is based on ongoing adherence to conduct and operational requirements, infrastructure requirements pertaining to resources and internal controls, senior management responsibility and governance, prudential requirements and self-reporting obligations. A comprehensive approach to secondary market regulation will need to countenance the regulatory oversight of cryptoexchanges operating under potentially quite different models, as well as cryptointermediary services.
The application to the secondary market of a binary approach borne out of traditional markets implicitly assumes that the characteristics of digital assets are amenable to the same granular requirements. Such an assumption may be incorrect, at least for the time being. Basic building blocks of regulatory oversight, such as custody, asset segregation, audit and record keeping continue to be difficult or impossible to satisfy to the same standards. This problem arises from the different characteristics of digital assets, and because no agreed standards have been set, for example, by public audit regulators.45 These issues are discussed in Section 7.2.
Nevertheless, bringing digital assets within existing laws can serve to impose other conduct requirements that are not contingent on the characteristics of digital assets, such as prohibiting misleading representations, discouraging speculative trading, and prohibitions against using fraudulent devices, engaging in manipulation or spreading false information.46
Using an existing regulatory framework underpins the approach taken by the Hong Kong Securities and Futures Commission (“SFC”) to license virtual asset trading platforms.47 The SFC may grant a license to a cryptoexchange if, among the digital assets traded there is at least one regarded as a security—this proviso is necessary for the SFC to establish jurisdiction.48 The SFC would exercise its power to impose conditions on licensees as a means of imposing on the cryptoexchange operational requirements that cover all digital assets traded, not only securities. The relevance of the shift from initial coin offerings (“ICO”) to STOs should not go unnoticed in this regard. The SFC’s proposal is laudable in that it implicitly recognizes the risk of leaving cryptoexchanges in a zero-oversight regime, and that the pathway to establishing oversight requires cooperation with the industry based on a shared goal of addressing risk and efficiency via agreed standards and practices. However, several caveats must be noted:49 satisfying the basic building blocks of regulatory oversight remains problematic; to what extent cryptoexchanges could conduct business as usual while also satisfying core regulatory needs remains to be proven; and the exclusion of decentralized cryptoexchanges (“DEX”) renders the approach model-dependant. As at April 30, 2020 only one company has disclosed it has applied for the license.50
Some jurisdictions have introduced legislation for secondary market activity, notably Gibraltar, Malta and Bermuda. While the approach has varied according to the regulatory system and social and political considerations, it remains to be seen whether legislating for an activity will also lead to meaningful and effective oversight at a granular level that serves to meet overarching policy objectives of regulation.51
As discussed in Sections 3 and 7, different models for secondary market activity are developing among cryptoexchanges and cryptointermediaries. These represent divergent approaches to solving market, investor and industry problems, some being familiar to securities markets, others being quite novel. This gives rise to the question of how best to develop a regulated secondary market. In particular, to what extent could regulation informed by solutions that have evolved in the traditional markets constrain the development of other solutions more apposite to this new asset class?
It is clear that any regulatory focus on cryptoexchanges will need to consider the non-exchange, intermediary-like functions cryptoexchanges currently undertake. This will be an important component of improving standards and the safety of the secondary market, as well as the development of a full complement of cryptointermediary services (discussed in Section 7).
2.3 Regulatory efficiency
The extent to which lack of regulatory clarity impacts on industry development represents shortcomings in regulatory efficiency.
Where digital assets and activities do not fit into an existing regulatory construct, the powers of the regulatory agency may not be engaged. This is a vires problem: regulatory agencies have no power to regulate areas in need of oversight, for example consumer protection or issues arising out of interactions between public capital and efficient capital formation. This gives rise to two quandaries.
First, in well-regulated markets, digital assets that are not securities may be tradable on cryptoexchanges but do not correspond with a regulated class of asset that an intermediary—and the regulations that apply to it—are set up to handle. Conversely, digital assets that are securities are not generally available on cryptoexchanges in regulated markets because that requires the cryptoexchange to become registered,52 which is difficult or impossible due to regulatory standards that cannot be satisfied in relation to digital assets. Resolution of this problem depends on shaping specific regulatory requirements to the characteristics of digital assets (see further Section 6).
Second, the regulatory lacuna leaves cryptoexchanges to self-select standards. Cryptoexchanges that engage in best practices consistent with regulatory objectives nevertheless are unregulated and compete with cryptoexchanges that engage in practices not tolerated in the regulated market.
Where a cryptoexchange chooses to operate is currently determined by (i) the characterization of its activities, (ii) the digital assets it trades, (iii) to whom trading services are provided, (iv) applicable laws relating to the foregoing, and (v) how the cryptoexchange’s business model interacts with the foregoing. Cryptoexchanges typically exercise regulatory arbitrage opportunities to operate in jurisdictions compatible with its business model.
Applying existing regulations to cryptoexchanges has had limited success in de-risking the market in digital assets. A not-insignificant volume of trading has moved to exchanges operating in jurisdictions that provide little or no regulatory protection to investors, which merely pushes the problem to be someone else’s problem. While some cryptoexchanges only accept investors that do not invoke legal and regulatory issues, given the ease of cross-border activity within a secure and pseudonymous environment, there is a residual risk that local investors remain exposed to unregulated offshore cryptoexchanges. This has led many regulators to pursue a path of investor education. Conversely, cryptoexchanges remain exposed to investors who may disguise themselves to obtain services.
In this environment, regulatory efficiency fares poorly.53 The opportunities for digital assets to be transacted in regulated jurisdictions are diminished, pushing liquidity to unregulated environments, as opposed to producing greater oversight. This creates increased opportunities for secondary market activity to service the needs of persons thought to be excluded from regulated markets (such as persons engaged in money laundering and terrorist financing). Remoteness from regulatory oversight also increases the risk of abusive practices that have been problematic in well-regulated markets, such as market manipulation and front running.
These concerns have given rise to the argument that regulatory agencies and lawmakers must respond to the development of CCTech by adopting “attraction regulation.”54 The hallmark of overseeing traditional markets—disclosure-based regulation backed by enforcement—has been successful because of the inherently observable nature of the market participant. However, the particular ability of CCTech to subvert oversight makes this difficult or impossible.55 Accordingly, it is essential that regulatory oversight is accompanied by a significant level of buy-in from cryptoexchanges.
The term “cryptoexchange” is eponymous. It glosses over the emergence of fundamentally different exchange models and practices.
Some cryptoexchanges operate on a model that relies on, similar to a traditional stock exchange, a centralized trading platform managed by an exchange operator, the primary difference being the type of assets traded. Other cryptoexchange models utilize CCTech to dovetail exchange functions with the digital nature of the underlying asset being traded, which represents a paradigm shift in how an exchange is capable of working.
While the dichotomy between cryptoexchanges operating on a centralized basis (a “centralized cryptoexchange” or “CENEX”) and those operating on a decentralized basis (a “decentralized cryptoexchange” or DEX) is useful for several purposes, and will be used as a yardstick in this paper, it is an imperfect device. At the time of writing many DEX currently operating are not completely decentralized, and there will often be a not-insignificant element of centralized control over the deployed code and its use.
The application of tags derived from or referenced to the structure and operation of the traditional markets is not always helpful in providing clarity and may obfuscate a more well-informed regulatory approach. For example, referring to a bundle of services as alternative trading services (“ATS”)56 or platforms in deference to regulatory frameworks carries presumptions about the services and how they can be regulated. In particular, they may presume a centralization of a service akin to what is observable and regulated in traditional markets, whereas CCTech may offer decentralized solutions, i.e., that do not necessarily involve a central point of control. The United States Securities and Exchange Commission (“SEC”) had sought to cleave trading platforms dealing in digital assets from “exchanges,” being of the view that calling a platform a cryptoexchange can give the misimpression to investors that the platform is SEC-registered and meets the regulatory standards of a national securities exchange.57 However, it was unsuccessful owing to the vires issue already noted, namely, that where a platform cum cryptoexchange does not trade any category of product falling within an established regulatory silo, they are not within the scope of the SEC’s authority, and there is no general prohibition on the use of the word “exchange.”
A cryptoexchange might also engage in activities that have been subject to a division of labor in traditional markets owing to the conflicts of interest they create if undertaken by the same person. This can include (i) exchange-like acts such as price formation, order-matching functions, clearing and settlement, (ii) the operation of over-the-counter (“OTC”) desks,58 and (iii) acts more typical of intermediaries such as market making, contract counterparty, broking, dealing, advisory and custody that are not exchange-like. The development of initial exchange offerings (“IEO”),59 where the cryptoexchange acts as the promoter of a capital raising exercise, is also distinct from activities undertaken by traditional exchanges and onboards another business line that creates additional potential conflicts of interest. The multiple possible roles of a cryptoexchange give rise to additional regulatory considerations.
These distinctions raise basic questions over how to approach the regulation of cryptoexchanges. The remainder of this Section 3 and Sections 4 to 6 are primarily concerned with the exchange-like functions of cryptoexchanges. The discussion of cryptointermediaries in Section 7 applies equally to the intermediary-like functions undertaken by a cryptoexchange.
Trading relationships in a CENEX can be characterized by a hub-and-spokes model: traders are positioned at the perimeter, communicating electronically via the spokes with a central operator that provides the gateway for information and which connects supply and demand via mechanisms established by the operator. Although a CENEX may be facilitating customers’ trading of digital assets, the CENEX does not need to utilize or interact with CCTech, except where the transaction will be recorded on-chain (see further Section 5.3).
These features reflect a traditional stock exchange model familiar to regulatory agencies. However, unlike traditional stock exchanges, CENEX operate without any intermediary gateway60 and are open to anyone who completes the CENEX’s account opening procedures.61
Although an exchange operator stands in the middle of trading activities, it may effect order execution in different capacities: (i) the exchange operator acts as an intermediary that matches, clears and settles an order of one client with the order of another client, (ii) the exchange operator stands in the middle of matched client orders, similar to a central counterparty (“CCP”), or (iii) the exchange operator matches a client order with its own book, similar to a proprietary trader or market maker,62 taking a proprietary position on the asset or on a back-to-back (i.e., position-neutral) basis with the benefit of a spread on the buy/sell prices. The possibility that it might also act as a promoter in an IEO has already been discussed.
A CENEX may employ each approach at different times, and in an unregulated environment, is free to do so subject to any legally binding representations made to investors as to how it conducts its operations. In each case, the credit, liquidity and settlement risk implications are similar to those found in traditional exchanges. In addition, because the investor may not be privy to which capacity the central operator is acting, there is a risk that the operator may arbitrage between each method of order execution according to its own commercial interests. For example, it might take a position of proprietary trader where there is a significant buy-sell spread that it can profit from, but match buy and sell orders directly where the spread is too small to profit from and receive commission only.
Examples of CENEX are Coinbase, Kraken, Bitfinex, Binance, Bittrex, Poloniex, Huobi, and ANXONE.63 The operations of each are different in material ways.
Trading relationships in a DEX can be characterized by a matrix model: traders interact with other traders via mechanisms embodied in a distributed computer code on a direct peer-to-peer (“P2P”) basis. The operational rules of the code match and settle orders without the involvement of any person other than the order inputs of the buyer and seller. The code is necessarily based on CCTech, which may be thought of as having the same “DNA” of the digital assets being traded. Unlike with CENEX, a third party gateway is not necessary to access trading on a DEX, though intermediary services may be engaged.
DEX implement one of the original prospects offered by CCTech, namely, the ability for two persons to communicate and interact with each other in a secure environment without needing to know anything about the counterparty and without the need for a trusted third party intermediary.64 As a result, the risk profile of code-based trading relationships in a DEX is significantly different from that of a CENEX. No third-party central operator can impose itself in a transaction (although a DEX could provide for intermediary services such as custody that traders might elect to invoke). DEX eliminate the need for a CCP since settlement is effected on a delivery versus payment basis (“DVP”) directly between the persons trading. These features mean there is no possibility of a proprietary middleman cum market maker, and conflict and other counterparty risks are absent. On the other hand, because there is an absence of intermediation other than the non-sentient operation of the code, new risks may be created in the operation of the code.
A technologist may consider the DEX as being centralized in the CCTech code because the operational rules of the underlying code constitute the exchange. This is wholly different from the traditional stock exchange model familiar to regulatory agencies, primarily because the bricks-and-mortar venue that anchors centralization has been collapsed into a CCTech-based code supported over a network of participants. Adding to the ostensible disparity, the creator of the DEX may have only a limited, diminishing or no role in how the DEX operates or evolves following its deployment.
DEX are in an earlier stage of development than CENEX. This is primarily due to the different technical challenges of developing the CCTech to provide for P2P trading (see further Section 5.2).
Examples of larger, better known DEX are IDex and EtherDelta,65 while others are being developed by groups such as OAX.66 In 2017, 0x launched an open protocol for developing DEX.67
Importantly, one cryptoexchange model does not presuppose the extinction of another. For example, Binance, a CENEX, has developed Binance DEX.68 Competition is for different types of investors seeking different types of products and trading opportunities. DEX may develop differently and service different end users, including CENEX—for example, an investor-facing CENEX seeking to share liquidity with another CENEX might look to the P2P feature of a DEX.
3.3 Familiarity risk
In a pre-CCTech era, exchanges were subject to a clear legal position because the product being traded placed the exchange within a regulatory silo, such as securities, or futures and commodities, each of which had its governing legislation. The underlying asset traded to some extent also constrained exchange structures and operations.
In the post-CCTech era, emerging cryptoexchange models present policy challenges for regulators. Legal and regulatory approaches could differentiate between models, preferencing one over another, or possibly inhibiting the evolution of exchange mechanisms.
In this context there is a “familiarity risk,” namely, that models are assessed on their structural similarity to traditional stock markets. Where so applied, it makes risk easier to understand and deal with because it taps into a body of developed regulatory knowledge and experience. Importantly, it appears to offer the opportunity to transplant, with only minor adjustment, existing granular regulations to the digital asset environment.
The structural similarities of CENEX to traditional exchanges provide regulators with a certain level of comfort as to how regulatory oversight of CENEX might operate. There is a centralized operator responsible for the operations of the cryptoexchange that can be licensed and subjected to regulatory requirements including inspection and enforcement. Ultimately, a license given to a CENEX can be withdrawn for non-compliance.69
In contrast, various features of DEX give rise to two questions as regards whether they are able to be, or should be, regulated:
First, is it right to regard a DEX as an exchange that should be subject to regulatory oversight?
Second, in the absence of centralized control, to what might regulation attach?
To address these questions, Section 4 first considers the nature of an exchange as a segue to the suggestion made in Section 5 that regulatory agencies must attend to the regulation of exchange functions, not their form, and accordingly that DEX should be regarded as exchanges. Section 6 explores the difficulties of applying a functional approach, and how regulation might be attached to a DEX.
When taken out of the regulated environment, the word “exchange” is open to various applications. At a conceptual level, the notion of an exchange is based on furnishing a means of bringing together supply and demand.70 While that is a simple concept, several features ensure that those means are operationally effective. Regular operation under uniform rules must govern its operation. Mechanisms must exist to facilitate price formation and discovery. Gateway requirements determine what goods are available for transacting and who is able to transact. Deals must result in binding contracts subject to effective means of enforcement where not performed.71
An exchange must also provide mechanisms for order input, order matching, clearing and settlement.72 While these four stages (together, the “Trading Mechanism”) operate in a linear sequence, transparency at each stage will vary according to different exchange models or customs.
While these processes have persisted since the earliest formation of exchanges, how they have been achieved has evolved over time. In particular, ideas about the venue, exchanges as centralized phenomena, and the role of intermediation have undergone significant changes in response to technological developments.
4.1 A brief history of exchange development
Formalized exchanges, from their beginnings in Continental Europe and England around the 15th to 17th centuries73 through to the 20th century, grew out of the recognition that it was easier to make trades if interested parties met at the same place (i.e., a physical location) and time. This facilitated market transparency and the development of standard customs and market practices. It also reinforced the utility of market participants as reputational intermediaries, with those not complying with acceptable market behavior being excluded.74
Although markets were self-governed P2P markets, central authorities were increasingly involved. Private law court decisions reinforced market practices. The government licensed the premises where markets operated, and eventually the people who acted as intermediaries. Centralized control became important as markets grew larger, more complex, and the mobility of capital (human and money) increased. This enabled better mechanisms of excluding intermediaries who violated accepted practices and norms.
Stock exchanges in the modern era were formed by reputational intermediary brokers who were willing to sponsor company securities into the trading system, effectively putting their reputation behind the securities both on their initial listing and in subsequent secondary market trading. This system works because the broker’s business model depends on its certifications being accurate.75
Exchanges based on member-brokers started to undergo structural changes at the end of the 20th century in tandem with increasing public regulation and the recognition of exchanges as a public utility servicing a larger social need to support innovation and the real economy. The growth of market size and complexity increased the capital demands placed on exchanges to meet market expectations to deliver services at a reduced cost while also meeting the requirements of public regulatory oversight. This led to a wave of demutualizing and corporatizing exchanges whereby self-regulating member-brokers were relegated to intermediaries subject to exchange rules governed by a public regulatory agency. As exchanges became publicly owned listed companies, it also became necessary for regulation to be wholly or partially externalized.76
These developments served to facilitate the operational, informational and allocation efficiency of markets that were essentially defined by a venue, an investible product and intermediaries who facilitated bringing together supply and demand. While intermediaries were key to market efficiency, the ability of reputation to safeguard market integrity had its limits.
4.2 Venue versus function
Venues in the form of trading halls with physical locations were a consequence of having no other means of reliable communication. This changed with the advent of electronic communications networks (“ECN”) and ATS that provided the possibility of a physical exchange venue being replaced by an electronic “place-less” one. Originally broker-to-broker institutional systems, proprietary networks were propelled by the Internet’s advent to a significantly wider audience.
The problem of bringing ECNs and ATSs within regulatory oversight was really a conceptual one wrapped up in grasping the idea that an exchange’s functions could be serviced in ways not dependent on a bricks and mortar venue. The question was less significant than at first blush. IOSCO77 reported in 1994 that at least 13 jurisdictions had fitted ECNs and ATSs within their regulatory frameworks.78 This was often implemented by focusing on the providers of the network.
The most successful electronic exchange was Nasdaq, which at various stages of its development possessed both centralized and decentralized elements. On its commencement in 1971 it served only as an ECN among participating members of the National Association of Securities Dealers (“NASD”)79 to provide quotations, and was successful in reducing trading spreads. It later added trading on an OTC80 basis, and subsequently provided trading systems.
Centralization and intermediation
Nasdaq remained characterized by functions centralized in the operations of the network that facilitated quotations and later trading. It necessarily involved the participation of third party intermediaries that continued to bring together demand and supply, and who were subject to a membership gateway mechanism that controlled who could participate in the facilities of the network cum exchange. Unlike traditional exchanges at the time, the network operated over its participating members and in that sense was distributed or decentralized.
Regulatory oversight of Nasdaq prior to it becoming a national securities exchange was possible because: (i) the trading of securities was subject to registration requirements,81 and (ii) participating members engaged in trading activities82 were required to be registered with the SEC as broker-dealers and members of the NASD, an SRO regulated by the SEC.83 The SEC achieved meaningful enforcement of rules governing secondary market activity via its oversight of Nasdaq’s participating members.
Although there was an element of decentralization (prior to Nasdaq’s demutualization),84 regulatory oversight could nevertheless be regarded as centralized because it could attach to each person accessing exchange functionality.85 Whether the Trading Mechanism was centralized or distributed was largely irrelevant for enforcement purposes.
Risk, market integrity and multiple market places
A central concern of financial regulators is to identify and create mechanisms that control risk. Markets take assurance from regulatory de-risking. Although some of the risks involved in an electronic exchange may be platform-specific, many of the same issues arise as on a traditional exchange such as operational risk, credit risk, market risk and legal risk, among others. In addition, intermediary risk presents similar challenges to the performance of the exchange function where intermediaries do not adhere to established standards and practices.
The mechanisms of de-risking have also evolved. For example, the regulation of exchanges has had to respond to structural weaknesses revealed following abnormal market events that impacted on transaction integrity. Stock market crashes, particularly those in 1973 and 1987, highlighted the need to create a better system for ensuring the integrity of transactions not conducted on a DVP basis. This centered on the role of the CCP and its robustness to withstand market events including defaults, and risk control and governance issues. However, where conduct of transactions on a strict DVP basis is possible, counterparty risk falls away. In addition, the regulator’s mandate to supervise, investigate and enforce against intermediaries has been continually strengthened, particularly moving into the 1990s and following the 2008 financial crisis. This has encompassed both prudential and conduct regulation, as well as wider concerns related to market abuse, whether by intermediaries or others.
The secondary market for digital assets presents novel market integrity considerations. Unlike traditional markets, in which a security is generally traded on a single exchange venue,86 there is typically no single exchange on which a digital asset may be traded. For example, an investor may acquire Bitcoin on one cryptoexchange, move the Bitcoin into its own wallet, then connect that wallet to another cryptoexchange to execute a sales transaction. The existence of multiple market places, whether CENEX or DEX, offering trading services for the same digital asset across multiple jurisdictions, creates new opportunities for manipulative activities. For example, by placing a very large Bitcoin sell order on one well-known exchange in an attempt to push prices down, while taking a highly leveraged buy position on another exchange that generates profits from any fall in the Bitcoin price. This form of manipulation presents entirely new oversight and control challenges in the context of multiple market places.
The dematerialization of venue thus creates new issues for assets that have, unlike traditional securities, a ubiquitous quality to them.
5.1 Form versus function
The CENEX cryptoexchange model bears a clear structural similarity to traditional exchanges insofar as all trading relationships are established by an entity that controls the Trading Mechanism. This creates a center of accountability that facilitates the familiar supervise-and-control mechanisms of regulatory oversight, notwithstanding the non-exchange-like acts a cryptoexchange might engage in.
In contrast, the DEX model gives rise to a regulatory conundrum—if all trading relationships arise directly between counterparties on a P2P basis, not via a central controller, on what should regulatory accountability bite? A difficulty regulatory agencies have with DEX is that because there is no centralized nexus—a jurisdiction where an identified exchange controller resides—there appears to be no regulatory nexus, either. One sometime hears the comment that in a DEX “there is nothing to regulate.” Accordingly, DEX are sometimes regarded not as exchanges per se but as P2P platforms, or OTC markets in which anyone can transact directly with anyone else in whatever they wish to trade. This overlooks the essential functions of an exchange by focusing on form. While centrality has been a useful and hitherto inevitable nexus point for regulatory agencies, the prospect of alternative decentralized environments signals a need to reconsider how regulatory oversight can best work to service its intended functions.
Connecting regulatory oversight to the form of the exchange is an accident of history because venues with a specific, typically singular location were an essential feature of exchanges. Physical venues present an easy target for implementing effective regulation and attaching accountability. When the undertaking of exchange functions became place-less, regulatory agencies focused on the intermediary gateway mechanisms, namely, the members operating the exchange (or ATS) who were already subject to regulatory oversight.
While DEX present a challenge to effective oversight, one might query to what extent are the mechanisms of exchange regulation contingent on the form of the exchange model, or does form dictate what functions are capable of being effectively regulated?
Throughout the development of exchange regulation, regulation has emerged in response to, and has drawn legitimacy from, a need to address risk and to improve market efficiency. It has not emerged in response to form per se but safeguarding the functions an exchange performs. The desirability of regulatory oversight to address risk and to improve market efficiency remains unchanged regardless of the form of a cryptoexchange.
It runs counter to sense to suggest that if a DEX performs all the functions of an exchange but is not regarded as a regulated (or regulatable) exchange, then the usual safeguards and liability for wrongdoing would not apply. To take three examples: (i) the code constituting the DEX allows the asymmetric distribution of trading information based on user status,87 (ii) a trader on a DEX engages in price-manipulative practices (such as wash trading), and (iii) a trader on a DEX possesses undisclosed inside information or otherwise trades with a knowledge-based trading advantage. In a regulated exchange context, each of these is relevant to the integrity of the market.
In a CCTech era, one must consider form versus function differently because the technology allows form to be dematerialized to an extent not previously possible. While the trading participants in a DEX may be distributed, the Trading Mechanism is nevertheless centralized in the underlying code constituting the DEX.
5.2 Is a DEX really an exchange?
In view of the foregoing considerations, the first question raised earlier, “is it right to regard a DEX as an exchange that should be subjected to regulatory oversight?” should be answered in the affirmative.
As discussed in the next section, the functions common to CENEX and DEX overlap extensively. The characterization of DEX as anything other than an exchange is a product of the current development of DEX, which are in a much earlier stage of development and involve a significantly smaller market size compared to CENEX. That perception is likely to change as DEX evolve and a more settled model emerges.
Accordingly, it is suggested that DEX can in principle be regulated because they perform the same or similar functions as other exchange models and give rise to similar risks. This is the approach the SEC has taken in its enforcement action relating to EtherDelta, a DEX, because the SEC considered EtherDelta to satisfy the functional test for an exchange set out in the Securities Exchange Act of 1934.88 The SEC subsequently emphasized that it will take a functional approach to cryptoexchange regulation.89 It notes the development of decentralized trading systems and suggests that an exchange can be comprised in systems that display trading interest to other users, or that receive trading orders centrally for processing and execution.90 This is essentially a reworking of the same concerns expressed in the SEC’s Regulation ATS over 20 years ago, which enabled ATS to register as national securities exchanges or broker-dealers.91
However, the various structural forms of cryptoexchanges give rise to differing considerations and solutions as regards how risk might be best managed and how regulatory oversight can be effectively implemented. This is discussed in Section 6.
5.3 Functions common to different models
An exchange’s operations include the listing function, access to trading, clearing and settlement, the robustness of the exchange’s systems and controls, conflict management, rule development and record keeping. Where clearing and settlement functions are undertaken, issues such as rules regarding transaction finality, and credit and liquidity risk will be of concern.92
The performance of these functions will affect the risk profile of the market. The following paragraphs discuss three core functional elements of an exchange: (i) infrastructure development and maintenance, (ii) admission criteria and (iii) operation of the Trading Mechanism. These give rise to different concerns depending on the CENEX/DEX model employed. In each case, it is necessary to consider the prospect for ongoing regulatory responsibility and accountability, which is discussed further in Section 6.
Key infrastructure functions of an exchange include:
Developer role – responsibility for developing the rules and operations of the exchange including the Trading Mechanism;
Controller role – responsibility for control of the exchange’s Trading Mechanism; and
Governance – how exchange functions are managed and implemented.
In CENEX, an identifiable legal person undertakes these roles. This makes regulatory oversight of the exchange’s infrastructure straightforward insofar as there is a single contact point for information and control.
In DEX, only the developer role is clearly undertaken by an identifiable legal person (or group), which may or may not perform an important ongoing role following deployment of the DEX. The controller role and governance will depend on how each DEX is organized. This could range from containing elements of centralization in relation to particular functions (such as providing order matching), to being open-sourced and fully decentralized, similar to the concept of a decentralized autonomous organization.93 Decentralization combined with evolution over time can give rise to difficult accountability issues. For example, although Ethereum is regarded as fully decentralized,94 the Ethereum Foundation has, for the time being, a de facto leading role in its development.95 In contrast, Bitcoin is also fully decentralized, but there is no equivalent to the Ethereum Foundation for Bitcoin. While both may be subject to manipulative wrongdoing,96 establishing a nexus for legal responsibility for the operation of the underlying code presents obvious problems.
If a DEX has a residual center of control or significant influence in relation to one or more exchange-like functions, it may not be unreasonable for a regulatory agency to premise regulatory approval and oversight of the DEX on the continued presence of such a center. This would likely require the relevant entity to accept submission to regulatory oversight, which would create new commercial considerations for the initial developer cum controller and for the design of the DEX model. This may be a necessary trade-off for the validation provided by regulatory approval. In the extreme case of a fully open-source DEX where no one is in control,97 other problems emerge, as discussed in Section 6.2.
Admission to listing
Key functions of an exchange include:
Admission standards – setting and enforcing rules for admitting assets to the trading platform;
Ongoing standards – rules for continuance of the trading facility. This would encompass integrity of the assets and transactions; and
Adjudication mechanism – application of admission and ongoing standards.
This reflects the role of an exchange as a market facilitator and as a provider of assurance.
A CENEX controls its standards according to its business model. For example, it may avoid listing digital assets that invoke securities laws. A CENEX may also negotiate with the promoter of a token issuance to receive compensation for listing the digital asset. While this is not different from traditional stock exchanges, there is a concern that compensation may override listing standards, a problem likely more acute in an IEO.
CENEX may provide some form of verification or approval of digital assets admitted to trading. For example, Binance has introduced a “gold label” programme whereby a gold “v” for “verified” is given to the projects cum digital assets that it has confirmed.
In a DEX, decisions about standards could present issues because it may need to take into account subtle considerations that may be difficult or impossible to codify. The decision in January 2019 by Coinbase, a CENEX, to pause transactions with the ETC98 blockchain highlights this problem. Coinbase identified deep chain reorganizations that contained double spends, which placed some customers’ ETC assets at risk of becoming valueless. In that case, the work process involved a machine-based system alerting the issue to humans who subsequently made the call to suspend trading and make a public announcement.99 This had a material impact on ETC prices. The extent of decentralization of a DEX is likely to impact on the level of assurance that could be provided by a decision-making mechanism. One solution would be to outsource the production of assurance to third parties that provide services for reward.
The concern of regulatory oversight is whether a cryptoexchange is able to and does establish and enforce accepted minimum standards. While CENEX can comply with externally imposed standards, the ability of DEX to do so effectively may depend on the model used.
Key operational functions of an exchange include:
Participants – who can access the exchange, by enduring membership or as peripatetic trader, and what rules govern means of access;
Order book transparency – visibility of posted orders and pre-trade matching to exchange customers on a symmetric or asymmetric basis;100
Order matching sequence – whether the mechanism operates fairly to all customers;
On-chain or off-chain Trading Mechanism – where does matching, clearing and settlement occur;
CCP – presence or absence of; where present, assessment of CCP credit risk and the method of final settlement;
Involvement of trusted third parties – intermediation, custodian or direct P2P;
Dispute resolution system; and
Abusive practices – whether mechanisms assert market transparency and enable the control of market-abusive practices.
Many of these issues can be handled equally well by CENEX and DEX. Both can manage rules of membership, or investor on-boarding mechanisms/identity verifications, possibly via third parties that provide identity verification services for reward.
The management of order book transparency and order book sequence is subject to additional risks in a CENEX that undertakes intermediary-like acts. This includes client-order front running and execution and allocation anomalies. Where that happens, price transparency and fair treatment of investors suffer. This raises a regulatory question unique to CENEX, namely, how conflicts should be managed and whether a regulated environment should require segregation or the unbundling of a CENEX’s roles.
The different approaches to on-chain and off-chain mechanisms on CENEX and DEX give rise to different considerations.
In CENEX, the exchange controller is normally facilitating the matching of supply and demand off-chain as a liquidity provider—trading on-chain is slow and expensive. There are two important trade-offs for speed and cost reduction. First, investors must transfer fiat currency or digital assets to the CENEX. Because CENEX store the investor’s private keys, this exposes the investor to counterparty risk including credit, theft or fraud, hacking and uncertainty as to the capacity in which the exchange controller is acting in relation to trades (i.e., exchange-like versus intermediary-like). Second, questions arise as to what is being traded and owned, with whom one is trading, and what additional risks are created.101
In contrast, DEX have traditionally been modeled on the concept of on-chain trading that allows investors to take custody of their own digital assets because matched transactions can be securely settled directly between seller and buyer on-chain. While no counterparty risks arise (because no CCP or trusted third party such as a custodian is required), on-chain trading means reduced transaction efficiency. This aspect of DEX is starting to evolve as Layer 2 solutions are developed that resolve one or more efficiency issues.102 In a typical Layer 2 solution, order input and matching is undertaken off-chain and transactions are only recorded on the underlying blockchain upon the trader exiting the Layer 2 hub to settle. For example, performance characteristics of OAX’s “L2X” are in line with existing centralized exchanges.103
Abusive practices include identifying and controlling “dealing” market abuse (for example, manipulative practices as regards price or unfairly dealing with an information advantage) and “information” market abuse (for example, publishing false or misleading information).104 For reasons already discussed, the element of human decision-making may place a DEX in a difficult position to respond to these regulatory expectations.
Different cryptoexchange models thus give rise to regulatory concerns that are essentially the same as in traditional markets, albeit with different characteristics as to how they may be managed and how accountability may be established. In addition, the evolution of third party intermediary-like services105 supplementing CENEX or DEX creates risks traditionally associated with intermediaries, such as conflict management and order execution. These regulatory considerations are briefly discussed in Section 7.
Assuming effective, granular rules are in place, the precursor to granting a CENEX or a DEX the validation of regulatory oversight as an exchange may be established in the same way as done in traditional exchanges, namely, by reference to the operational standards employed and compliance with other regulatory requirements. For example, a DEX could demonstrate that the underlying code complies with operational rules, such as how the Trading Mechanism works, how and when prices are published and so on.
In principle, the regulatory validation of a DEX via licensing and oversight of its operations is not per se dependent on locus—these are merely functions. In contrast to the continuing centralized point of control found in a CENEX, a DEX presents a different problem because when the DEX becomes functional and fully distributed, locus may be difficult to establish.
As discussed in Section 4.1, although Nasdaq was initially regarded as an electronic OTC market with elements of decentralization, its operation required the continuing involvement of NASD members, thus establishing locus. The EtherDelta case also demonstrates the relevance of locus to accountability—the enforcement action taken was against its developer and only in relation to the period during which the developer was in sole control of the website that hosted the order book.106 EtherDelta continues to operate.107
This returns the discussion to the second question raised above: “in the absence of centralized control, to what might regulation attach?” which is discussed next.
6.2 Responsibility and accountability
For a regulatory agency to be able to meaningfully pursue its objectives, it must be able to establish the responsibility and accountability of persons it regulates. For the reasons outlined above, this is relatively straightforward in relation to CENEX.
The absence of a central actor in a deployed DEX requires new thinking about how to: (i) establish responsibility for responding to regulatory enquiries and procuring ongoing compliance with regulatory requirements that change over time, and (ii) impose accountability in relation to regulatory non-compliance.
As regards (i), on the premise that a DEX’s Trading Mechanism satisfies the regulatory requirement at the outset, responsibility could be managed in the same way that any other CCTech works, namely, via a consensus mechanism. The operation of the underlying code could include responsibility mechanisms. For example, mechanisms such as majority consent or prior agreement that certain members have requisite authority could assist in achieving compliance where changes to the code become necessary for such purposes. The regulator may have specific requirements, such as the identification of an approved person, in which case this would need to be written into the DEX’s underlying code, and could only be changed with the requisite consensus and regulatory approval.
As regards (ii), unlike with responsibility, it may not be possible to entirely design this into the operation of the code—effective oversight of an exchange’s operations requires a legal person to be held accountable by the imposition of sanctions. Three considerations in relation to this problem are as follows.
First, if the DEX is not fully decentralized (such was the case with the SEC’s enforcement action against EtherDelta already discussed above), there may remain a central point of potential enforcement, albeit constrained by the role of the central actor.
Second, while a DEX may ostensibly be fully decentralized, it may nevertheless be possible to identify a person with enough authority or influence over the underlying code, whether de facto or de jure, to establish sufficient grounds for accountability—analogous to the concept of a shadow director.108 Developers can continue to exert considerable influence over a deployed DEX, whether because of their unique understanding of the code, reputational issues, or their maintenance of a reserve of membership tokens109 that provides them with an ongoing economic interest and incentive to continue promoting the DEX.
This consideration leads to a third, more regulatory-proactive means of approaching the problem. One can consider the regulated market in terms of a “controlled environment,”110 an arena where entry requires acceptance of the rules of the arena and putting into escrow rights that are able to be actioned where the rules have been breached.111 This would need to go beyond the ability of the regulatory agency to withdraw regulatory approval and would require private rights to be escrowed to the rules of the arena. A potential target is membership tokens. For example, if a regulatory agency requires as a condition of approval and oversight such benefits being escrowed,112 this could drive the development of DEX toward increasingly regulatable models. It also gives rise to new design considerations.
One rationale for regulators to move in this direction is based in economic theories of law that liability should be imposed on the most efficient risk bearer.113 Regulatory accountability rules may prescribe the party that bears the economic risk and social cost of non-compliance,114 and require an undertaking cum escrow by the relevant person as a condition of licensing. On this analysis, the design of membership tokens and the decision to acquire membership tokens would need to weigh the cost of non-compliance with the cost of prevention.
Developers are in the best position to manage regulatory concerns on a prospective basis in the design of the DEX and post-deployment. However, the efficacy of accountability turns on two considerations. First, those with sufficient economic interest would only voluntarily proffer accountability if the cost of being regulated is outweighed by the benefits, and that they remain in effective control. The evolution of ownership and influence over time would necessitate the appointment of persons sufficiently empowered and with sufficient economic interest to bear accountability. Second, given that the underlying code is open-source software, if users of the DEX diverged from upgrades, it no longer makes sense to hold the developer accountable. This would leave the regulator with insufficient means of establishing accountability—regulatory effectiveness suffers where liability/accountability is broad. In this scenario the regulator is left with withdrawing regulatory approval.115
Nevertheless, this approach might resonate with DEX in search of a clear jurisdictional connection that gives it clarity as to its legal standing, in addition to the validation provided by regulatory oversight. Essentially a commercially driven, voluntary scheme, this is an example of “attraction regulation”116 that hinges on an “if-then” trade-off: if one has sufficient economic interest in being regulated, then one can ensure sufficient control/influence and submit to regulatory oversight and accountability. This facilitates safer marketplaces. While regulation may be at odds with certain socio-political views of CCTech concerning government oversight, attraction regulation does not operate on a mandatory basis. The regulatory arena operates on the basis of accountability, and participants not interested in traditional jurisdictional boundaries can make their own assessment of whether to enter the arena.
Finally, some DEX may be regulated in a derivative manner by regulatory agencies imposing on regulated entities (e.g. a licensed CENEX or other intermediaries) selection criteria in respect of any DEX they wish to utilize.117
6.3 Traders using cryptoexchanges
Accountability of CENEX or DEX users can be established in the same manner as in traditional markets in relation to persons who abuse the market by their dealing activities (such as manipulative practices or unfairly dealing with an information advantage) or the provision of false or misleading information. For example, the powers of the United States Commodity Futures Trading Commission (“CFTC”) in relation to manipulative and deceptive devices are only defined by the act and the product, and as such are not limited to acts undertaken on regulated markets.118 Market-abusive practices could therefore still be made subject to liability even if a CENEX or DEX continued to operate on a non-licensed basis.
An important shortfall in regulation currently is that various market abuse laws are premised on the affected assets being listed as securities, commodities or a futures product. For example, laws addressing unfair dealing with an information advantage (insider dealing) are not applicable to a digital asset that is not a listed security. However, it is possible that an insider on a blockchain project can take advantage of non-public price-sensitive information. For example (hypothetically), trading advantages could arise in favor of a person, ahead of public disclosure, (i) at the Ethereum Foundation aware of a critical problem in the Ethereum code likely to impact negatively on its development or alternatively a significant breakthrough, or (ii) at Bitfinex or Tether who had knowledge of a probable lawsuit.119 While these events are likely to affect the price of digital assets once disclosed, trading ahead of a public announcement may not be covered by insider dealing laws.
While secondary market regulation would need to take such issues into account, they are outside the scope of this paper.
Intermediary services are rapidly evolving in response to the development of cryptoexchanges. They include cryptointermediary services emerging specifically in relation to digital assets as well as the expansion of services sought to be provided by intermediaries in the traditional securities and futures markets (“traditional intermediaries”) to whom investors are increasingly looking to obtain the services they are accustomed to receiving.
The range of services is likely to expand rapidly as cryptoexchanges become subject to regulatory oversight. How intermediary services interact with oversight mechanisms is an area that has received little attention. This is unfortunate as the involvement of intermediaries may go some way towards addressing the problem of establishing locus, discussed above, because these services are expected to be undertaken on a centralized basis. The development of intermediation can therefore be seen as assisting the progress of regulatory oversight.
7.1 Different types of intermediary involvement
Cryptoexchanges currently operate on the basis that an investor deals directly with the exchange without the involvement of cryptointermediaries. Investor needs are expected to create demand for intermediary services such as advisory, trade execution, portfolio management and custody. In the case of CENEX, investors may want these services segregated from the controller of the cryptoexchange to avoid conflicts of interest. Segregation may also occur in response to regulatory requirements, as is starting to happen in Japan following amendments to the Payment Services Act (“PSA”) and Financial Instruments and Exchange Act (“FIEA”) (see Section 7.2). In the case of trading on DEX, there may be significant technical demands on the investor that encourage execution services.
To these might be added custodial functions that sit alongside and connect into the cryptoexchange. An investor trading on a CENEX may prefer to deal where custody of assets is held or controlled independently of the CENEX. An investor trading on a DEX may not want the burden of holding digital assets and assign the task to a custodian subject to regulatory oversight and able to interact directly with the DEX. A cryptointermediary undertaking trade execution or portfolio management on behalf of a client may also necessitate a role for a third party custodian.
As cryptointermediaries begin to accompany and possibly subsume some of the services now obtainable through a cryptoexchange, it will be necessary to understand how they can be regulated. The assurance provided by regulatory oversight of the intermediary would facilitate investor confidence and industry development. Portfolio management is an obvious area which is being explored by the SFC.120
Investors familiar with using traditional intermediaries in established stock and futures markets may use their services in relation to digital assets. This has already started to happen because investors seek the same safeguards via conduct rules and protections from intermediary abuse being subject to regulatory oversight. However, regulated intermediaries have been unable to assist their clients in relation to digital assets as a result of compliance issues arising out of the absence of regulatory building blocks in the secondary market for digital assets, which is discussed next.
7.2 Regulatory building blocks
From a policy perspective, intermediary regulation would be problematic if the basic building blocks of regulatory oversight and conduct management were absent.121 These cover investor protection, market integrity considerations, conduct standards and prudential rules. Detailed operational and compliance requirements include:
the need to manage conflicts of interest and to put the interests of clients first;
the need to manage order execution and allocation fairly and in the interests of the client;
the adoption of appropriate account management practices including safeguarding client assets, asset segregation and custody;
the need to enable proof of ownership to public audit standards;
the implementation of operational controls including books and records and risk assessment that safeguard operations;
the need to undertake appropriate due diligence on clients, counterparties and investment products; and
the need to maintain adequate financial resources.
The ability to implement the foregoing building blocks are precursors for effective, granular regulation to develop. They will need to be applied to CENEX which, unlike DEX, could take advantage of clients in the same way an intermediary handling client orders and client assets could. A number of these issues have been identified in the VMII Report.
If the CCTech underlying a digital asset does not support the building blocks, it may be difficult or impossible for the intermediary to comply with conduct requirements. An intermediary handling digital assets is presented with compliance issues as regards existing account and audit requirements since there are currently no accepted audit standards for digital assets. This also has consequences for prudential requirements because the ability of a digital asset122 owned by an intermediary (or other financial services provider) to serve a similar range of regulatory functions as traditional securities, such as being counted toward capital adequacy requirements, remains to be developed. Similarly, standards for the custody of client assets that enable tracing (such as in the event of exchange or custodian failure or insolvency) have not been established.
Some attempts to regulate digital assets do not recognize these difficulties. For example, after the NYDFS introduced the BitLicense in 2015 it realised that certain requirements regarding financial statements and audit reports could not be satisfied. This led to a relaxation of requirements in favor of a direction to try and receive a SOC report in accordance with standards set by the American Institute of Certified Professional Accountants (“AICPA”).123 Customer-driven demand has also increasingly pushed the providers of custody services toward SOC reporting. In January 2019, Gemini (a CENEX taking custody of client assets) announced that a SOC 2 Type 1 report had been obtained from Deloitte.124 While this is a significant step forward for custodial functions, a Type 1 report only covers the procedures and controls at a point in time, as opposed to a Type 2 report which covers the effectiveness of operational controls over a period of time.
Amendments to Japan’s PSA and FIEA on May 31, 2019 establish a legislative basis for important customer safeguards in the digital environment. The amendments are due to come into effect by June 2020 subject to implementing rules being promulgated. The success of such changes will depend on how well the implementing rules are able to be meaningfully developed and applied to the characteristics of digital assets. Extant issues affecting commercial certainty and consumer protection range from drawing the exact boundary lines between digital assets caught under the PSA or the FIEA, to differentiating between cryptoexchange and digital asset custody services, to how asset segregation will be effected.125
Standards that are absent or unclear leave intermediaries to pursue best-practice solutions. While that may meet customer expectations, it may or may not be sufficient to meet the requirements of a regulatory agency that must have regard to its statutory duties and functions. The SFC’s approach to licensing virtual asset trading platforms126 acknowledges this difficulty, requiring cryptoexchanges to use best endeavors on issues that are not subject to established standards (such as audit and custody).
This is a case where progress may be made along two routes. First, intermediaries, customers and regulators could converge on acceptable best practices under the prevailing conditions. Second, recognizing the possibility of addressing regulatory concerns in the development of the digital assets themselves—because digital assets are built on CCTech, it is possible to embed a range of rules and tests in the asset itself (unlike with traditional securities). This is discussed further in Section 8.3.
Difficulty for involvement of traditional intermediaries
Intermediation in relation to established asset classes is subject to regulatory oversight. The involvement of traditional intermediaries as providers of digital asset services would offer the opportunity to bring activities within a well-established regulatory framework. Being able to interact with an intermediary that is subject to conduct requirements would provide assurances to investors that are otherwise absent or uncertain when they deal with cryptoexchanges. For example, an order to buy a cryptocurrency would be subject to: best execution; management and/or disclosure of conflicts of interest; prompt and proper accounting for client assets that are safeguarded; record-keeping sufficient to account for client assets and enable the tracing of movements of client assets. Finally, the intermediary would be subject to oversight controls such as supervision and enforcement mechanisms.
However, because the existing regulatory framework makes assumptions about the nature of assets being handled by a traditional intermediary, it is difficult or impossible for the traditional intermediary to act for a client trading digital assets and remain in compliance with its regulatory obligations.
The trend toward issuing security tokens in response to laws governing the primary market does not alter the fundamental problem—this is because a security token remains subject to the same audit and custody problems as does any other digital asset. In short, a security token is sufficiently different from a security, as traditionally understood, and existing conduct regulations do not apply.
Leveraging off the existing licensing regime would facilitate the participation of licensed intermediaries and serve to bring well-established duties and practices to bear on the issuance and secondary trading of digital assets. It would also resolve the present isolation of investors in digital assets from adequate regulatory safeguards, which is contrary to investor protection policy objectives. However, this must be weighed against other policy considerations. In the absence of adequate digital asset regulatory development, there is a risk of blurring the regulatory perimeter of the securities industry and promoting public engagement in acquiring digital assets in the absence of effective protective laws and regulations.
To the extent the development of cryptoexchange regulation meets the objectives of regulatory agencies, it is foreseeable that traditional intermediaries will become involved. This may require amendments to the laws and regulations that govern their activities.
Involvement of cryptointermediaries
The emergence of cryptointermediaries is problematic because if they only handle digital assets and do not fall under any umbrella of regulation, there is no avenue for regulatory recourse. However, if a cryptoexchange is regulated, a cryptointermediary could be indirectly regulated by imposing on cryptoexchanges selection criteria. This does not resolve the problem when cryptointermediaries are client-facing; for example, providing custodial, trading execution and portfolio management services. Legislative development will be required—as already noted, amendments to the PSA in Japan served to bring certain custodial functions, i.e. “cryptoasset exchange providers,” under regulatory oversight. However, as the details of granular regulation remain outstanding, the legislative amendments are best characterized as being preparatory in nature.
8.1 Regulatory responses
As the market in digital assets continues to develop the usual accoutrement of services to investors, regulatory agencies are increasingly challenged to respond. The discussion has moved beyond existing regulatory silos to the question of how regulators will be able to apply meaningful oversight mechanisms using regulations developed in a pre-CCTech era, which may be incapable of being universally applied to achieve regulatory objectives.
This is a problem with digital assets because when designated as securities, they possess characteristics that may differ significantly from traditional securities. Consequently, although services may be developing along traditional pathways because the underlying needs are the same, the particular characteristics of digital assets can give rise to issues that are both familiar and novel.
Private and public regulation
Today’s regulated exchanges are a product of evolution in which regulation by private law, built on established customs and practices, has given way to public regulation—that is, regulation imposed by a central agency charged with administrative powers. This reflects development driven first by commercial self-interest and subsequently by externally-imposed standards, either by transaction counterparties who are able to control resources desired or needed by the actor, or by industry associations or independent parties acting as certifiers of standards.127 While private-based regulation can be effective in developing commercially-acceptable market standards, it lacks the ability to exert enforcement controls able to be exercised by the state with a monopoly on the enactment of binding laws and regulations backed by the legitimate exercise of force. Regulation by the state is the ultimate form of risk management.128
There is an important question of ordering to consider in this cascade of development. In a rapidly changing environment—such as with digital assets and cryptoexchanges—policy development considerations suggest that prescriptive regulations may be less effective in fostering development as compared to market-led developments.129 What has been called emergent coordination—letting the market explore through trial and error subject to a backstop of state-imposed disclosure and enforcement—may be more responsive to change as compared to bureaucratic oversight and regulatory diktat.130
Regulation typically develops in tandem with industry development, the latter often anticipating the requirements of the former as each edge toward a deeper understanding of the dynamics and constraints of the other. However, there is no “one size fits all” that dictates how a financial market must be organized in order for legitimate public regulatory concerns to be effectively addressed, and this is amply demonstrated in the case of digital assets.
8.2 The goalie’s anxiety at the penalty kick
“Should he dive to one side, and if he does will the kicker aim for the other?”131
Regulatory agencies frequently face difficult choices. No agency wants to have a cryptoexchange failure happen in its jurisdiction. The argument that the cryptoexchange may fall outside its statutorily defined ambit of authority is becoming less tenable. Digital assets and cryptoexchanges continue to penetrate the marketplace despite concerns about cryptoexchange standards and practices. After another cryptoexchange failure one hears the question: what was the regulator doing? Equally, many jurisdictions do not want to miss out on the possibility of becoming a hub for an industry that could become significant in size and influence.
In the absence of installing effective oversight, there is a risk that an exchange failure may damage the reputation of that jurisdiction as a well-regulated venue for industry development. Alternatively, regulating cryptoexchanges can lead to industry validation that propels more investment in digital assets despite the conceptual uncertainties about the asset class, their valuation, and their relationship with a digital ecosystem that is yet to be properly formed. However, regulation could also cause the industry to go where they cannot be supervised—the latter is a particular concern as regards cryptoexchanges being used to service the needs of criminal activity.
How regulatory oversight is established in practice will have direct consequences on the development of different exchange models and the decision of investors choosing to participate in one model as compared to another. It is important that public regulation is not prematurely imposed on innovative new ways of developing commercial activity in a manner that may inhibit the ability of private market regulation to develop effective outcomes that align with public policy.
While there is a powerful argument for bringing oversight to the cryptoexchange industry, there is an equally powerful argument that at this stage of industry development it should remain minimal and focused on risks essential to address. To do otherwise may create barriers to innovation that do not serve the overarching social and economic objective of facilitating the development of commercial and financial possibilities. It should be focused on functions and establishing accountability for wrongdoing. The development of functionally focused regulation will need to countenance how different types of acts undertaken by the same person can be best managed. For example, how the operator of a Trading Mechanism that also acts as an intermediary and a promoter can manage conflicts.132 Accordingly, regulation should be model-neutral and form-independent—as discussed previously, tags such as centralized and decentralized provide less informational value than a consideration of function, although form may guide what regulation can in practice be easily attached to.
If oversight extends beyond minimal and essential regulation, or is applied in a model-specific manner, this may lead to counterproductive consequences. In regulated jurisdictions it could stall the development of optimal models by causing the industry to retreat toward extant models (i.e., pre-CCTech era). Cryptoexchanges engaging in regulatory arbitrage in unregulated jurisdictions that permit standards and practices regarded as abusive in regulated marketplaces could delay the development of market integrity in this asset class.
An important test for regulatory development is the degree of sustainability and flexibility as the industry develops. Models of commercial activity in digital assets are changing rapidly. These encompass the design of digital assets, how they access the primary market, the investment products that they might give rise to, and related services.
It is not a foregone conclusion that traditional, centralized structures must continue to be reflected in the market for digital assets. Applying the existing legal framework risks not encouraging the industry to maximize the potential of CCTech to form new commercial solutions to old commercial problems. Introducing legislation too early in the cycle of industry development may be counterproductive and/or result in later obsolescence.
Regulatory agencies are yet to fully respond to the nature of CCTech as a borderless technology that presents a fundamental oversight problem—persons wishing to avoid oversight can. The development of regulatory oversight will drive development but must be inclusive and beneficial to capture the largest slice of activity—any expectation of capturing all activity is misguided.133
8.3 Are we looking at the whole picture?
The unique property of digital assets as a designed asset embodied in computer code offers a different way of thinking about how regulatory oversight of the market can be implemented.
To fully utilize the potential advantages of CCTech, it is necessary to cease looking at the regulation of exchange systems and intermediary conduct in isolation from the digital asset being transacted—some of the hurdles to developing a regulated secondary market may need to be resolved through the technology itself. There is a prospect for a more fundamental interaction between the secondary market and the asset design process that could better service regulatory objectives on a sustainable basis. For example, by embedding within the digital asset functionalities that could facilitate the asset interacting directly with the regulatory requirements applying to the cryptoexchange or cryptointermediary handling it.
Such interactivity could enable a variety of issues to be better effectuated, from manipulative practices to conduct regulation—if one needs an analogy, a digital asset sought to be transacted in breach of some requirement or abusively might behave similarly to the self-driving car that refuses to move forward if an object lies in its path.
The prospect of complex regulatory requirements being built into cryptoexchanges, related services and digital assets is a real possibility, albeit difficult and in its nascent stages. While technologists recognize the possibilities, commercial realities make it not worthwhile—why do so when one’s competitors are not, and when regulations might not provide any competitive advantage for doing so?
While regulation is often perceived as burdensome, regulatory validation can operate as a competitive advantage. Extending regulatory benefits to compliant digital assets traded on licensed cryptoexchanges would create an opportunity for stimulating development of the relevant functionalities. Clear guidelines based on regulatory objectives well-established in the traditional markets would need to be formulated. Solving the current regulatory building blocks problem would be transformative. The extension of regulatory benefits would make sense because the presence of secure regulatory building blocks would significantly reduce a number of current risks in the secondary market. It would be an example of attraction regulation.134
This is not going to happen anytime soon because, amongst other things, it requires interconnectivity between the functions applied to digital assets and market infrastructure. The UK’s Financial Conduct Authority (“FCA”) has been exploring the use of technology to improve regulatory reporting requirements, including the development of machine-readable regulations, which is technologically feasible.135 While the FCA’s initiative is largely in response to the difficulty of keeping up with the growing body of regulations,136 it presents a significant learning opportunity for establishing a deeper structure of asset-intermediary interaction.