A How-to Guide for the Self Regulation of Digital Asset Markets

HodlX Guest Post  Submit Your Post

Over the course of late 2018 and early 2019, while in the throes of working on the Bermuda Monetary Authority’s (BMA’s) initial coin offering and Digital Asset Business license applications, I was challenged by the rapidly shifting regulatory landscape for digital assets, despite having been general counsel and chief regulatory officer for a US stock exchange. Mostly, I was impressed by the BMA’s ambitious efforts to lead the world with comprehensive digital asset regulatory standards.

Multiple jurisdictions endeavor to attract digital asset businesses by establishing licensing requirements in conjunction with more prescriptive or rules and standards-based regulation designed to foster investor confidence and provide regulatory clarity. Based on practical experience and research, the most notable jurisdictions opting for the prescriptive approach include  Malta and  New York.

Digital asset markets are nascent, and, like many emerging technologies and markets, evolution is hard to predict. For many jurisdictions adopting the prescriptive regulatory approach, the initial costs of licensing and ongoing compliance can be costly. Newer entrants can be dissuaded by these barriers and seek out less regulated jurisdictions.  On the other hand, jurisdictions need to protect their reputation and market participants to advance their economies.

To date, most jurisdictions have opted a proscriptive or principles-based approach to digital asset regulation to provide more flexibility to digital asset markets to continue to evolve and leaving the question of how to execute on those principles largely to the participants or future interpretation, except where regulations overlap (i.e., securities, commodities, and AML).

Irrespective of the regulations governing a digital asset business, forward thinking businesses should consider adopting their own principles-based code of conduct as well as selectively draw from prescriptive standards and frameworks for their implementation of those principles for the following reasons.

• Attracting institutional business – As maturing asset classes attract more institutional investment, businesses demonstrating proper controls will build their advantage over those who do not.
• Legal and regulatory risk mitigation – The lack of regulatory certainty across so many jurisdictions, such as the US and Europe, creates significant business risk. Adopting the right self-regulatory frameworks will bolster the confidence of regulators and reduce litigation risk.
• Reducing regulatory uncertainty – Implementing baseline controls early better positions a business’s ability to react to rapidly evolving regulations.
• Positioning for market opportunity and optionality – As businesses pivot into new lines, strong controls will speed the implementation of supporting operations.
• Improved organizational processes – Prescriptive regulatory guidance, where appropriately implemented, can harden and improve related operational processes.

As a starting point, we recommend the principles in Association of Digital Asset Market’s (ADAM) Code of Conduct published last November.

ADAM’s Code of Conduct

ADAM is a coalition of leading digital asset companies focused on the promotion of “integrity, fairness, and efficiency in digital asset markets.” ADAM’s Code represents their efforts to establish a framework to facilitate the institutionalization of the digital asset market as well as provide assurances to regulators. Each ADAM member agrees to the Code of Conduct as a condition of membership.

The ADAM Code is organized based on eight primary areas (or domains).

• Compliance and Risk Management
• Market Ethics
• Conflicts of Interest
• Transparency and Fairness
• Market Integrity
• Custody
• Information Security and Business Continuity
• Anti-Money Laundering and Countering the Finance of Terrorism
• Frameworks and Standards for Implementing the ADAM Code

Digital asset businesses that choose to adopt a code of best practices such as ADAM’s Code will need to next address how to implement the underlying supporting controls. Failure to do so will create more risk as clients and regulators are likely to view documented but disregarded principles as a red flag, in addition to the potential legal implications.

For some, the solution may be to simply hire big law, accounting or consulting firms that can boast of their experience. Doing so, however, fails to contemplate other freely available resources that have been put together by the regulators themselves, in addition to potentially reducing their sense of ownership. Leveraging prescriptive regulatory rules and guidance specific to digital asset businesses (even where not governing) together with other publicly available standards and frameworks such as, for example, NIST and ISO/IEC 27001, can enable these businesses to both establish or improve upon their controls by selectively borrowing from the work already done by highly credible regulators and experts.

Notable jurisdictions for digital asset business standards

Bermuda has leveraged its status as a reinsurance leader to build a digital asset regulatory framework that provides certainty through comprehensive prescriptive guidance. In addition, the Bermuda Monetary Authority is an experienced regulator well versed in risk management. Premier Burt, in speaking of this framework and the island’s reputation, stated “Bermuda, from its regulatory perspective, stands in a class amongst itself. There’s only two countries in the world that have regulatory equivalence in risk with both the United States and the European Union, and that’s Switzerland and Bermuda.”

This commitment is, in fact, reflected in their digital asset regulatory framework and, as a result, makes it an important reference. Even other regulators have looked to Bermuda…Wyoming, home to the most progressive digital asset regulation in the US, closely modeled their own digital asset custody rules from Bermuda’s draft Digital Asset Custody Code of Practice. To date, the island has approved licenses for five digital asset businesses.

Malta sought to build upon its status in the gaming industry to push into distributed ledger technologies. In 2018, it adopted the Digital Innovation Framework, comprised of three bodies of law relating to distributed ledger technologies. Its Virtual Financial Assets Act provided for licensing requirements and prescriptive rulemaking to mature its quickly developing digital asset or blockchain market. With much enthusiasm, in speech to the United Nations their Prime Minister dubbed Malta the “Blockchain Island” and claimed to have created the world’s first comprehensive blockchain legislation. In February of 2020, the Malta Financial Services Authority followed up with their VFA Rulebook that greatly expanded their regulatory prescriptions. Malta’s embrace of blockchain led to rush of businesses to “Blockchain Island,” many of whom have since left due to frustration with what is perceived as Malta’s inability to manage the framework that it had set up. For example, out of 340 “service provider” license applications initially filed pursuant to the Virtual Financial Assets Act, none have been granted, most have been abandoned and as of April 30th, only 26 remain active.

New York’s virtual currency rules were enacted in 2015 and provide helpful prescriptive value for business continuity planning and client disclosures. Some have criticized its licensing application burdens. As of May 6, 2020, only 25 licenses had been granted.

Each of the above jurisdictions have invested extensive resources into the creation of prescriptive digital asset regulations. One view is that the scope of these regulations and the challenges of the licensing process has potentially restrained the growth for an evolving and nascent market. Given the adjustment in expectations, in no jurisdiction is this view more prevalent today than in Malta. On the other hand, a slower initial pace for licensing approvals may reflect a more judicious approach by regulators and could ultimately prove to be the approach that creates a base for digital asset markets to build upon. While the truth no doubt lies somewhere in between, these bodies of law and associated guidance provide useful standards for forward looking digital asset businesses contemplating sustainable controls.

Standards to assist in the implementation of ADAM’s Code of Conduct

Below is a mapping of ADAM’s code to the most helpful rules and guidance from these jurisdictions, along with certain other helpful rules and standards, to assist digital asset businesses to develop their own self-regulatory framework and internal controls. Market ethics was not mapped as it is generally expressed as a principle without further prescriptive guidance (and this was borne out in the prescriptive regulatory frameworks examined as well).

Governance, compliance and risk management

• Best – Bermuda’s code of practice. With thoughtful coverage addressing the basics of sound corporate governance tuned for digital assets, businesses might consider cutting and pasting these requirements into their policies and procedures.
• Runner up – Malta VFA Rulebook. Extensive requirements make these standards a costlier implementation than Bermuda’s and better suited to more mature organizations.
• Deeper coverage – ISO 31000 series and the COSO ERM framework, neither of which are free and are a resource intensive implementation.

Conflicts of interest

• Best – Malta’s VFA Rulebook. With coverage addressing operational independence, inducements, and personal trading, Malta’s rulebook gets the nod over Bermuda’s principles-based conflicts rules.
• Deeper coverage – FINRA’s 013 report on conflicts of interest is a seminal reference for conflicts of interest management best practices in financial services firms.

Transparency and fairness

• Best overall – Bermuda’s client disclosure rules. These rules are a well-organized checklist of factors impacting client relationships.
• Best for client risk disclosures – New York’s virtual currency rules. Having established itself early as the standard, these disclosures represent the minimums that digital asset businesses should include in their client risk disclosure documentation.
• Good – The publicly available customer disclosures for two of ADAM’s members, ITBit (Paxos) and BlockFi, who are subject to New York’s BitLicense regulatory framework, are helpful references.

Market Integrity

• Best – CBOE Futures Exchange’s (CFE) Rulebook. Given ADAM’s intentional reference to “Disruptive Trading Practices,” prohibited pursuant to Section 6c(a)(5) of the Commodities Exchange Act, and the lack of on point digital asset regulatory guidance, applicable rules of US commodities exchanges were reviewed for adaptability to digital assets markets.
• Best for building your own wash trade prevention system functionality – ICE’s self-trade prevention functionality policy. Helpful resource for developing wash trade system requirements.
• Good – Paxos’s market manipulation standards offers a lighter touch and perhaps can be used as a starting point in conjunction with the coverage in CFE’s Rulebook.

Custody

• Best – Bermuda’s custody code of practice. Bermuda’s custody code defines standards for digital asset private key custodians across custody safekeeping, custody transaction handling, and custody operations. As noted above, Wyoming’s digital asset custody rules largely incorporates provisions from Bermuda’s code.
• US regulatory approach – The Customer Protection Rule and Customer Fund Segregation Rules (promulgated pursuant to the Securities Exchange and Commodities Exchange Act (CEA), respectively). Of the two, the CEA’s customer fund segregation rules are more readily adapted to digital assets than the Customer Protection Rule, which is not saying much. Both the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (the “SEC”) have noted the challenges faced when trying to apply the Customer Protection Rule to digital assets. The SEC continues to examine how to apply existing non-DVP custodian frameworks to digital assets.

Information security and business continuity

• Best for building a cybersecurity program – NYS DFS’s cybersecurity requirements for financial services companies. Applicable to financial service providers registered with New York State’s Department of Financial Services, these rules offer a well-rounded checklist for financial service firms looking to build a cybersecurity program.
• Best for custody related security – Bermuda’s custody code of practice. Technical controls for custody are closely intertwined with cybersecurity controls.
• Good for business continuity – New York’s virtual currency rules. Serves as a checklist of key components.
• Business Continuity for beginners – FINRA’s small firm template for business continuity planning

Deeper Coverage

• NIST’s security & privacy controls for information systems & organizations
• Key management
• Cryptographic key generation
• NIST’s guide for cybersecurity event recovery

NIST provides a wealth of comprehensive cybersecurity guidance for building and maintaining cybersecurity programs, security event recovery and securing digital assets.

Anti-money laundering and countering the finance of terrorism

Best

• Bermuda’s prudential standards
• Bermuda’s sector specific guidance notes for digital asset business

Bermuda’s thoughtful AML guidance is comprehensive and their prudential standards even provides templates, but these should not be a substitute for the primary authorities, such as Financial Crimes Enforcement Network’s (FinCen) Guidance related to Convertible Virtual Currencies.

• Best for AML risk assessment – BSA/AML Examination Manual for Money Services Businesses. Irrespective of whether a digital asset business is required to register in the US as a “Money Services Business”, the guidelines in the BSA manual are the authoritative source for conducting the initial and ongoing AML risk assessments.

Conclusion

ADAM’s Code of Conduct is a helpful resource for an industry grappling with an uncertain regulatory environment. The leadership that its members have taken demonstrates another positive step in the evolution of digital asset markets and reflects the desire of responsible market participants to self-regulate. Adopting aspirational principles without more does not, however, advance confidence in the markets or protect its participants. ADAM members, as well as other participants who have adopted similar principles, have already instituted a number of controls associated with these principles, but should consider the good work done by regulators and others to define or identify appropriate controls for executing on those principles and selectively draw from them to create or build upon their own controls.

Eric Hess is the founder of Hess Legal Counsel and Helical, Inc.

Hess Legal serves securities and digital asset firms, primarily with regards to financial, information security, AML, and privacy regulation; corporate governance; technology licensing; and various financing arrangements. Helical, Inc. offers information security products as a service to small and mid-sized businesses.

Prior to forming the above, he was CEO for a start-up execution venue and listings-like platform in over-the-counter Bulletin Board securities.

Hess holds Series 7 and 24 licenses and is admitted to practice in the States of New York and New Jersey.

Featured Image: Shutterstock/sdecoret