Priya Aiyar, former acting general counsel of the Treasury Department, is a partner at Willkie Farr & Gallagher LLP
Regulating cryptocurrencies today poses many of the same questions that regulation of the internet posed in the 1990s. Is it a matter of applying existing regulation to new facts, or coming up with a new body of law? For the most part, U.S. agencies seem to think the former. The SEC considers whether cryptocurrencies meet the definition of securities set forth in the 1946 Howey case; FinCen provides guidance on whether users, exchangers, and administrators of cryptocurrencies are “money transmitters” under the Bank Secrecy Act; and the IRS opines on whether cryptocurrencies are “property” or “currency” for federal tax purposes.
Judge Frank Easterbrook famously advocated for an analogous approach to regulation of the internet in 1996. He claimed that there was no more a “law of the internet” than there was a “law of the horse” – a phrase that he attributed to former dean of the University of Chicago law school Gerhard Casper – because “the best way to learn the law applicable to specialized endeavors is to study general rules.” To learn the law applicable to horses – sales of horses, people being kicked by horses, treatment of horses – one studies contracts, torts, criminal law, and property, not “the law of the horse.” Following Judge Easterbrook’s reasoning, the “law of the internet” or “law of cryptocurrency” is not a unique set of principles or subject of study but simply a matter of applying general rules.
Yet applying general principles of financial regulation to cryptocurrencies poses a basic structural challenge. Financial regulation is the regulation of financial intermediaries: banks, broker-dealers, exchanges, and so forth. Cryptocurrencies, however, emerged out of a desire to eliminate the need for trusted intermediaries to execute or validate transactions. Bitcoin, for example, is a peer-to-peer payments system whose participants are incentivized to validate transactions through self-interest. It is often described as a system of “decentralized trust”: its core innovation was its mechanism for achieving consensus within an open network that anyone can join.
Decentralized cryptocurrencies challenge the premise of a regulatory system that focuses on intermediaries. When transactions are validated and effectuated by a decentralized network, there may be no central entity that a regulator can identify, exercise jurisdiction over, and hold responsible for losses, hacking, fraud, or use of the network by illicit actors. SEC Director of Corporation Finance Willian Hinman recently suggested, in a speech that received much attention, that cryptocurrencies with a “decentralized structure” fall outside the realm of securities regulation. Even if there are entities that exert disproportionate influence within a decentralized structure – for example, software developers, mining farms, or large owners – it may be too great a regulatory stretch to consider such entities, for example, “issuers” or “money services businesses” within the framework of securities or anti-money laundering laws. Those entities will be ever-changing and difficult to identify and exercise jurisdiction over as well.
A primary entry point for regulators with respect to cryptocurrencies – a way in which they have been able to apply existing rules to these new instruments – has been exchanges. Currently, decentralized cryptocurrencies, which do not have an administrator that can be subjected to regulatory requirements, still trade for the most part on centralized exchanges, where the exchange takes custody of the trading parties’ funds. Such exchanges can be subjected to know your customer, capital adequacy, consumer protection, and cybersecurity requirements (for example, under New York’s BitLicense regime); subpoenaed for records to investigate users’ compliance with tax laws (for example, as Coinbase was by the IRS); and regulated as broker-dealers if they offer cryptocurrencies that are securities.
Recently, however, exchanges have emerged that facilitate peer-to-peer transactions on the blockchain without taking custody of users’ funds. Some of these exchanges aim to be fully decentralized, with either no order book or an order book existing and trades settling only on the blockchain. In other decentralized exchanges, trades are executed through smart contracts on the blockchain but the order book is maintained off-chain by third parties, which can pool their liquidity, in exchange for transaction fees.
It is an open question as to whether (and which) regulatory obligations are triggered by such activities. Fully decentralized exchanges could claim that they are simply publishing open-source code and are not operating as businesses at all in an attempt to avoid FinCEN oversight and the New York BitLicense rules. Similarly, both they and the creators of the cryptocurrencies in which they facilitate trades may seek to avoid SEC oversight to the extent that traders are not, per Howey, investors in a common enterprise with expectations of profits derived solely from the efforts of others.
Regulators may conclude that holding oneself out as an exchange of any type is enough to trigger the applicability of rules governing money services businesses. But whichever side of the argument succeeds, the challenge will be whom to hold responsible for the operations of a fully decentralized exchange, if indeed they are brought within the same regulatory perimeter as traditional financial services. If the exchange is as fully decentralized as a permissionless cryptocurrency itself – if it is simply open-source code, with transactions executed by code and no continuing control by the original developers – there may be no person or entity to subject to regulatory jurisdiction. The technical challenges of full decentralization may mean this is mostly a theoretical possibility for now. But regulators should be thinking about both (1) whether existing regulations should apply to such exchanges and (2) how either existing or new rules could apply.