10.01  The dematerialization of securities has been the dominant topic in securities law and regulation since the paper crunch¹ in the late 1960s. The driving force behind this process is and was the digitization of value chains, where the existence of a physical information carrier (ie a physical certificate in a case of certificated securities) is a disruptive and costly factor, preventing to realize the full benefits of digitization. From a conceptual point, the dematerialization of securities is not very fastidious and consists, at its core, in the mere substitution of the certificate by an electronic database or registry. However, unlike physical goods, digital information can be replicated and distributed at marginal cost of almost zero. Exclusivity and rivalry—fundamental prerequisites for the creation of private goods—are not satisfied under these conditions.² Dematerialization of securities therefore required the intervention of trustworthy intermediaries or government agencies up to now.³

10.02  The blockchain or distributed ledger technology (DLT) now permits to overcome these limitations. The essential innovation of DLT is that it can make digital goods scarce and exclusive by means of its technical design.⁴ Due to these properties, DLT systems are ideally suited to documenting, securing, and transferring digital goods as well as ownership rights in such goods. Many therefore see the issuance, custody, administration, and transfer of securities and other financial instruments as one of the most promising use cases for DLT-based systems.⁵ There is also a consensus emerging that these applications will fundamentally change the trading and post-trading infrastructure of capital markets,⁶ much like the internet has radically changed the distribution of books and other media content, travel, shoes and clothing, and many other goods and services. The driving force behind the adoption of DLT-based systems as a technical infrastructure for securities markets and services is the expectation of significant efficiency gains resulting from the consolidation of previously separated (p. 303) infrastructures for the issuance, the custody, the trading, and the clearing and settlement of securities transactions on one single platform.⁷ This evolution might also permit faster and cheaper corporate actions and possibly a direct interaction between issuer and investor.⁸

10.03  One necessary, but not sufficient, condition for the widespread adoption of DLT-based securities is a clear and transparent legal framework. This is particularly true for jurisdictions like Germany, Switzerland, or Austria where a physical certificate is still a key component of the concept of securities. Perhaps surprisingly, this is equally true for jurisdictions like France or the Nordic States, where securities have been dematerialized at an early stage, but which had to rely on trusted third parties in order to guarantee exclusivity and rivalry.

10.04  Several jurisdictions have recently enacted legislations to facilitate or enable the application of DLT for the issuance and transfer of digital securities, including, in approximate chronological order, France (see section C(2)), Luxembourg (section C(3)), Liechtenstein (section C(4)) and Switzerland (section C(5)), some US states (section C(6)), and Germany (section C(7)). While the legislative actions taken by these jurisdictions are differing widely in terms of format and scope, they clearly converge with respect to the concepts underpinning the codification of securities issued on the basis of a DLT system (hereinafter referred to as digital or crypto securities). In particular, most reform acts are relying heavily on notions and concepts of traditional securities law. On the international level, Unidroit, in cooperation with UNCITRAL, is developing a set of principles that address private-law aspects of digital assets (in particular, proprietary interests).⁹

10.05  The remainder of this chapter is organized as follows: a first part provides some important key concepts and definitions (section B) followed by an overview of development in selected jurisdictions (section C). The first main part will then discuss common issues in the substantive legal framework for digital securities (section D). The second main part provides an overview over the regulation of digital securities (section E). This chapter is limited to a high-level overview, since developments in this field are too diverse and quick to be fully captured. A few conclusions in section F will complete the chapter.

10.06  Although blockchain or distributed ledger technology (DLT) is on everyone’s lips, a correct and concise definition is anything but trivial. This is due to the fact that there is not one single, but many types of blockchains and that its technical development is still at an early stage. Some experts therefore question whether it makes sense at all to refer to it as a uniform technology.¹⁰

10.07  DLT refers to a group of technologies which have in common that a database is shared across a network of multiple sites, with all participants within a network having their own identical copy of the ledger.¹¹ Any changes to the ledger are validated by participants in accordance with an agreed-upon validation mechanism and are reflected in all copies of the ledger. The security and accuracy of the assets stored in the ledger are maintained by using crypto technologies, in particular keys and signatures to control changes to the state of the ledger. The blockchain is one of several possible data structures in a DLT system, characterized by the fact that its entries are combined (linked) in blocks.¹²

10.08  It is neither possible nor useful to comprehensively discuss technical aspects of DLT in the present context. What is relevant is that this technology offers the possibility of digitally mapping information in such a way that, under certain conditions, it can neither be copied nor manipulated and can be securely transmitted between people. In doing so, it solves a central problem that previously prevented the digitization of property rights. Unlike physical goods, digital goods can be replicated and distributed at marginal costs close to zero. This means that basic prerequisites for the creation of private goods (excludability and rivalry) are not met. Therefore, up to now, trustworthy intermediaries or government agencies had to be called in to create, transfer and store private digital goods. The essential innovation of DLT is that it can make digital goods scarce and exclusive by means of technical precautions.¹³ Due to these properties, DLT systems are ideally suited for documenting, securing, and transferring ownership rights in digital goods.

10.09  Some blockchains are supporting smart contracts, computer programs, or a transaction protocol which can automatically execute, control, or document legally relevant events (p. 305) and actions.¹⁴ For example, if the transfer of a digital security is contingent on the approval by the issuer, the token digitally representing the security can be programmed in such a way that a transfer is effective only once the approval has been given. To execute automatically, smart contracts need to be able to interface with external data sources, usually referred to as an ‘oracle’. According to a popular saying, smart contracts are neither contracts nor particularly smart.¹⁵ Moreover, not all clauses of an agreement are susceptible to automation and self-execution. Even where a clause might technically be capable of being automated, it might not always be desirable to automate it.¹⁶ Also the possibility to formally represent an agreement in a non-ambiguous way is clearly limited, reducing the scope in which smart contract might be usefully applied even further.¹⁷ Despite these limitations smart contracts are an important element to realize efficiency gains in securities transactions. This is particularly true for transactions where payments and deliveries are heavily dependent on conditional logic, including securities and derivatives transactions.¹⁸

10.10  A key concept in the context of DLT-based digital goods are so-called ‘tokens’. In computer science, a token describes an object (software or hardware) that contains the right or instructions to carry out a certain operation (for example, to access tokens). In connection with DLT applications, tokens are smart contacts used to process transactions, for example by defining the rules according to which assets assigned to a public key can be transferred. In legal terminology, the term token is understood more narrowly, namely as a ‘digital representation of an intrinsic or market-related value’.¹⁹ The concept of tokens was also developed as part of the Ethereum blockchain, where widely-used standards such as the ERC-20²⁰ for fungible and the ERC-721²¹ for non-fungible tokens have emerged. Standardization allows tokens to be created quickly and cheaply.

10.11  In supervisory practice a distinction has emerged between payment, investment, and utility tokens. This ‘holy trinity’ was first formulated in guidelines of Switzerland’s Financial Market Supervisory Authority (FINMA) on Initial Coin Offerings.²² It is now (p. 306) largely established internationally.²³ Broadly speaking, the token categories can be defined as follows:

1. (i)  Payment tokens are intended to be used as a means of payment, ie serve as a medium of exchange, store of value, and/or unit of account. They usually have no intrinsic value. In AML regulations, the payment token corresponds to the term ‘virtual currency’ or ‘crypto currency’.²⁴ The most prominent example of a crypto currency is Bitcoin, the first major application of a blockchain and in terms of market capitalization still by far the most important crypto asset.

2. (ii)  Investment tokens (or asset tokens, securities tokens) are representing monetary or non-monetary claims or rights against an issuer and/or membership or corporate rights under company laws, or derivatives of any of such rights. Investment tokens can be a digital representation of financial assets like a bond, a share, or a derivative financial instrument. Investment tokens can also represent rights or interests in non-financial assets like real estate, diamonds, or fine art.

3. (iii)  Utility tokens are providing access to a digital service and can only be used in the issuer’s network to purchase goods or services.

10.12  The classification of tokens as payment, investment, or utility tokens may be useful as a first approximation for determining the regulatory framework applicable to the issuance, public offering, or trading of tokens. Investment tokens may be classified as securities for regulatory purposes, whereas payment tokens are usually subject to the regulation of payment services providers and/or anti-money laundering laws. However, the trifurcation of payment, securities, and utility tokens is not suitable for a reliable assessment of the regulatory legal framework applicable to tokens or other DLT-based assets. Only the relevant supervisory categories can provide a reliable point of reference for a regulatory assessment of a given token. Furthermore, many tokens have properties of one and the other class (so-called ‘hybrid tokens’). In particular, the demarcation between payment and investment tokens is entirely blurred since, on the one hand, hardly any of the numerous crypto currencies effectively fulfils any of the functions of money, and on the other hand, many buyers of payment tokens are motivated by speculative expectations.²⁵

10.13  Even more dubious is the term stablecoin. Stablecoins are, broadly speaking, crypto currencies which are somehow backed by, or linked to, an underlying reference asset (like an (p. 307) official currency or precious metals) in order to limit the volatility against official currencies which is typical for crypto currencies.²⁶ A broad variety of stabilization mechanisms is being used, ranging from an immediate backing with full convertibility through numerous more or less intermediate backings with restricted convertibility to stablecoins where stabilization is achieved (or not achieved) with trading or hedging strategies.²⁷ In view of this very wide spectrum, the term stablecoin is void of any tangible common characteristics and should therefore, at least in a legal context, best be avoided.

10.14  Assets or securities issued on the basis of a DLT system are sometimes referred to as digital or crypto assets or securities (as in the title of this chapter). We will be using the term digital securities to designate instruments which are issued and transferred on a DLT or comparable technology-based protocol or application, and which are functionally equivalent to physical securities (which will be referred to as certificated securities). We fully recognize that the term as such is not very concise since virtually all relevant forms of financial assets have been in existence in only digital or electronic form for decades. However unprecise, the term digital asset or digital securities is more and more used with this meaning. The term crypto securities emphasizes the widespread use of crypto technology in DLT systems and is employed synonymously to digital securities.

10.15  Digital securities are controlled through a private key infrastructure. The holder of the private key, and only the holder,²⁸ has the power to change the status of the distributed database, ie to effect a transaction. The holder of the private key has therefore a power similar to dominion, control, or possession in relation to a movable, physical asset.²⁹ The holder of the private key has also the power to directly transfer such control to another person (peer-to-peer).³⁰

10.16  Digital or crypto securities must be distinguished from dematerialized securities in the broader sense, usually referred to as uncertificated (or electronic or register) securities. (p. 308) Like digital securities, uncertificated securities have no physical representation, but unlike digital securities the ledger or registry can be based on any kind of technology (for example, an excel sheet maintained by the issuer or a centralized database). If they are not issued on a DLT protocol, they will usually not have the properties distinctive for digital securities (see paragraphs 10.68 et seq).

10.17  Digital or crypto securities must also be distinguished from intermediated securities, even though intermediated securities also exist in electronic or digital form only. Intermediated securities are—very much simplified—credits to securities accounts maintained by a securities intermediary (a custodian, a bank, a securities firm, a central securities depository or CSD), representing securities, or rights in securities, that the securities intermediary is holding for the account holder (the ‘investor’).³¹ The name derives from the fact that intermediaries are interposed between the issuer and the investor, and that the investor can transfer securities or assert rights in relation so such securities only through its own securities intermediary.

10.18  The legal frameworks for digital and intermediated securities are dealing with different legal relationships at different levels. Intermediated securities are representing legal positions resulting from the custody of (physical or dematerialized) securities by securities intermediaries. The law of digital securities, on the other hand, is tackling the completely different issue of how the person controlling an entry in a distributed database is identified by the issuer as the legitimate creditor, how payment to such person discharges the issuer, and how the position of such person is transferred to another person. Digital securities are therefore performing exactly the same functions as certificated securities.³²

10.19  A clear conceptual distinction between intermediated and digital securities is all the more important as it is absolutely conceivable that digital securities are held with securities intermediaries, thus serving as an underlying for the creation of intermediated securities. While this seems to be outlandish at first sight, it is highly relevant in practice because institutional investors in particular are still wary of holding relevant assets in self-custody, and holding digital securities with custodians makes it easier to use existing infrastructure. Many other investors also resort to intermediated holding because the infrastructure for holding digital securities directly still is not very user friendly and also comes with certain risks. An explicit interface between digital and intermediated securities therefore is a key requirement for a well-defined legal infrastructure for digital securities.

10.20  The following chapter is providing a high-level overview of legislative developments in selected jurisdictions relevant for the emergence of a legal framework for digital securities. The jurisdictions are presented in chronological order.

10.21  France was one of the first jurisdictions to introduce a mandatory dematerialization of securities in the 1980s.³³ Since then, securities have been issued exclusively in the form of book-entry securities and transferred by way of an entry into a securities account maintained by the central securities depository or a financial intermediary.³⁴ The securities account could also be maintained by the issuer, especially for non-listed securities.³⁵ Dematerialization is mandatory under French law; it is not possible to hold securities other than through financial intermediaries or the issuer.³⁶

10.22  It goes without saying that such a closed and centralized system is difficult to reconcile with the decentralized approach of the blockchain. The French government therefore started earlier than others to make the legal framework for the issue and custody of securities compatible with decentralized ledgers. A first step was taken with Ordinance n° 2016-520 of 28 April 2016³⁷ (‘Minibons Ordinance’), which created the possibility of issuing so-called minibons on the basis of DLT systems.³⁸ Minibons are fungible borrower’s notes that are issued by small and medium-sized companies through crowdfunding platforms (Article L.223-6 et seq CMF). Regulation n° 2017-1674 of 8 December 2017³⁹ (‘DLT Regulation’) then extended the possibility to issue and transfer securities on the basis of a DLT system to all unlisted securities. The DLT Regulation is supplemented by a decree n° 2018-1226 of 24 December 2018,⁴⁰ which specifies technical requirements for DLT systems.

(p. 310) 10.23  From a legislative point of view, these amendments were made by modifying the relevant provisions of the Code monétaire et financier (CMF) on the management of securities accounts (Article L.211-3 et seq CMF) and the pledging of securities accounts (Article L.211-20 et seq CMF). The issuance and transfer of securities on the basis of DLT systems is therefore now legally equivalent to the crediting of securities in securities accounts maintained by intermediaries or the issuer. The scope of the DLT regulation therefore corresponds to the scope of the regulations on securities held by intermediaries (Article L.211-3 et seq CMF).

10.24  The substantive scope of the DLT Regulation is limited to non-listed securities (Article L.211-1 CMF). The use of DLT system is therefore currently permitted for the following classes of securities:

1. (i)  Debt securities, namely bonds, commercial paper and the French Billets de Trésorerie and Certificats de Dépôt;

2. (ii)  Units or shares in undertakings for collective investment (UCITS) and alternative investment funds (AIF);

3. (iii)  Securities issued by special purpose vehicles and companies in accordance with Ordinance n° 2017-1432 of 4 October 2017;

4. (iv)  Shares of joint-stock companies (Société Anonyme, SA).

10.25  The decision to issue securities on the basis of a DLT registry is taken by the issuer (Article L.211-7 CMF). A legal basis in the articles of association is required in the case of shares, and a corresponding clause in the terms and conditions for debt securities. The issuer can then enter the financial instruments in a DLT registry in the name of the holder (Article L.211-4 CMF).

10.26  French law regulates in some detail the technical and functional requirements a DLT system must meet in order to be used for the issuance of securities. Minimum requirements must be met in particular with regard to authentication, which correspond to those of a securities account (Article L.211-3 CMF). These conditions are further specified by a decree of the State Council of 24 December 2018.⁴¹ The decree names a total of four requirements that a DLT system must meet: integrity; identification of the owner and the type and number of financial instruments it owns; a business continuity plan; and ensuring access to transaction data. The types of DLT systems that can be used for the issuance and transfer of financial instruments are not specified in the decree itself, but the result of these requirements most likely is the exclusion of public blockchains.

10.27  Luxembourg is home to an international central securities depository and a central hub for the European securities and fund business. It created a modern legal framework for intermediated securities in 2001.⁴² This act was amended in 2019 to create a legal basis for the use of secure electronic registry systems (‘dispositifs d’enregistrement électroniques sécurisés’) for the custody and transfer of securities.⁴³ In 2020, the government submitted a further amendment that allows issuer accounts to be managed on a DLT basis and allows credit institutions and investment firms from the EEA to do so.⁴⁴

10.28  The 2001 Securities Act applies to securities that are credited to a securities account and can be transferred by way of debits and credits to securities accounts (Article 1(1)-(2) L.1.8.2001). Only banks, investment firms, and other financial intermediaries are permitted to act as account operator (‘teneur de comptes’) and to maintain securities accounts (Article 3(7) L.1.8.2001).⁴⁵

10.29  Article 18^bis L.1.8.2001, introduced in 2019, equates booking and transfer processes in DLT systems with credits to conventional securities accounts and transfers in securities clearing and settlement systems. According to the explanations on the draft law, DLT systems are understood as a new way of managing securities accounts and as an alternative to established forms of dematerialization.⁴⁶

10.30  Only fungible securities can be held in securities accounts under the 2001 Securities Act (Article 1(3) L.1.8.2001).⁴⁷ Article 18^bis L.1.8.2001 explicitly states that this requirement also applies to securities held on the basis of a DLT system. By way of explanation the legislative materials state that tokens are by definition fungible, a statement which is incorrect in this generality.

10.31  The Luxembourg regime is a good example for a legislative approach which tries to integrate DLT into the organization and operational framework of the existing securities industry. Securities accounts maintained by financial intermediaries are the bedrock of a manner of industrial organization, which has emerged over the last decades, and which is essentially based on centralized IT systems and communication networks. The big promise of DLT in the securities industry is an alternative, decentralized industrial organization. The horse is therefore behind the cart when DLT is squeezed into centralized structures. It is moreover questionable from a legal perspective whether it is (p. 312) appropriate to regulate tokens in an intermediated securities act. Intermediated securities laws address issues and risks that arise from the fact that the direct relationship between the (end)investor and the issuer has been dissolved beyond recognition through the interposition of intermediaries.

10.32  Liechtenstein was one of the first States to enact a comprehensive legislative framework dealing with the DLT-based token economy. The parliament of the small principality edged between Switzerland and Austria adopted the act with the rather cumbersome name ‘Token and Trustworthy Technology Service Provider Act’ (TVTG) on 3 October 2019; it has entered into force on 1 January 2020.⁴⁸ The TVTG includes a legal framework for the issuance and transfer of tokens (Articles 3–10 TVTG) on the one hand, and a part dealing with the regulation and supervision of service providers in a token economy (TT service provider; Articles 11–29 TVTG) on the other hand. The law also stipulates transparency regulations for tokens similar to prospectus regulations for transferable securities (Articles 30 et seq TVTG). The scope of the TVTG is limited in so far as it does not deal with any issues covered by financial market regulations. Since Liechtenstein is an EEA Member State, it is bound by the EEA financial market acquis.

10.33  According to Article 1, the TVTG defines ‘the legal framework for transaction systems based on trustworthy technologies’. The term ‘trustworthy technologies’ is defined as technologies that guarantee the integrity of tokens, their allocation, and secure exchange (Article 2(a) TVTG). The law does not elaborate on these requirements. However, the legislative materials indicate that they mean technologies which ‘guarantee the uniqueness and manipulation security of the tokens . . . It must not be possible for tokens to be copied or changed without authorization; in particular, the TT System must ensure the integrity of the tokens. The term “integrity” comes from computer science and is usually used for the correctness and integrity of data. Systems that do not guarantee this uniqueness and security against manipulation by unauthorized persons are not trustworthy. …’.⁴⁹ It is therefore clear that currently only DLT systems can meet the Act’s requirements for trustworthy technologies.

10.34  The private law part comprises Articles 3–10 TVTG. The innovative core of this part is the recognition of tokens as an asset in relation to which legal subjects can have ownership rights, and which can be disposed of. A token is defined as information on a (p. 313) TT system that can represent fungible claims or membership rights vis-à-vis a person, rights to property, or other absolute or relative rights and that is allocated to one or more TT identifiers—meaning the public key⁵⁰ (Article 2(1)(c) TVTG). The holder of the TT key (private key)⁵¹ has power of disposal over the token (Article 5(1) TVTG); and the person who has power of disposal is presumed to be the person entitled to be the owner of the token (Article 5(2) TVTG). Article 3(3) TVTG makes it clear that Articles 4–6 and 9 also apply mutatis mutandis to tokens that do not represent any rights against a third party (native tokens). In this context, the legislative materials are using the image of a container, which can also be empty.⁵² The law, including the civil law part, therefore clearly also applies to crypto currencies such as Bitcoin.⁵³

10.35  The disposition of tokens requires first the completion of the technical transfer process in accordance with the rules of the relevant DLT system (Article 6(2)(a–c) TVTG). The transfer must be based on an agreement between the transferor and the transferee that ownership be transferred (Article 6(2)(a–c) TVTG; dingliche Einigung). Only dispositions of an authorized person effect the transfer of ownership; if the transferor does not have the required authority, the transferee can acquire ownership by virtue of good faith (Articles 6(1)(c) and 9 TVTG).

10.36  Article 7 TVTG defines the effects of a disposition of the token with regard to the right represented in such token. Article 7(1) TVTG specifies in a programmatic way that the ‘transfer of the token shall effect the transfer of the right represented by the token’. However, this is only true if the law governing the represented right follows suit. If this is not the case, Article 7(2) TVTG obliges the issuer to ensure that the transfer of a token directly or indirectly results in the transfer of the represented right; and that conflicting dispositions of represented rights are prevented. Article 8 TVTG provides that the issuer shall acknowledge the holder of a token as evidenced by the system as the legitimate creditor, and that payment to that holder shall discharge him. Finally, Article 10 TVTG provides for a judicial process to invalidate tokens if a private key is lost, or if the token becomes inoperable for other reasons.

10.37  The TVTG also codified the concept of dematerialized securities by amending the Final Clauses of the Persons and Company Act (see § 81a SchlA PGR), creating the possibility to issue bearer or order securities in fully dematerialized form, called register securities (‘Wertrechte’). Register securities are issued by way of an entry in a book maintained by the issuer, where the number and the nominal value of the securities as well as the creditors are registered (§ 81a(1) SchlA PGR). The book may or may not be maintained on the basis of a DLT system; if not, it must in any case be organized in such a manner that unauthorized interventions by the issuer are being prevented. Register securities are transferred by way of an entry into the securities book (§ 81a(4) SchlA (p. 314) PGR). Register securities can also be acquired by virtue of good faith from the person registered in the book (§ 81a(5) SchlA PGR). Finally, the issuer is only obliged to pay to the creditor entered in the book and is discharged by making payments to that creditor (§ 81a(3) SchlA PGR).

10.38  Switzerland is home to one of the largest blockchain clusters and was one of the epicentres of the Initial Coin Offering (ICO) hype in 2017/18. The Swiss Financial Market Supervisory Authority (FINMA) therefore had to position itself earlier than other regulators and was one of the first authorities to issue clear regulatory guidance for the treatment of ICOs and tokens.⁵⁴ The Swiss Federal government has taken a pronounced positive stance in relation to DLT early on. In 2018 it started a comprehensive review of the federal law in order to identify and remove entry barriers and obstacles for the use of DLT systems.⁵⁵ A preliminary draft for a Federal Act on Adapting Federal Law to Developments in Distributed Ledger Technology (DLT Act) was submitted to public consultation in spring 2019.⁵⁶ A revised version was sent to Parliament in December 2019⁵⁷ and was adopted unanimously by both chambers in September 2019.⁵⁸ Both the speed of the legislative process–lightning speed for Switzerland—as well as the overwhelming support by the parliament for the DLT Act are clear evidence for a very positive political environment for DLT in Switzerland.

10.39  The DLT Act is not aimed at creating a bespoke legal framework for DLT applications but is rather an umbrella act with the purpose of removing obstacles for DLT applications. It is amending a total of ten existing Federal acts, with a focus on the Code of Obligations (CO) where DLT-based register securities are codified as a new form to issue securities, on insolvency law where the segregation of crypto assets in the insolvency of a custodian is clarified, and on financial market regulations where a license for a DLT trading system is introduced.

10.40  Swiss securities law is in principle still relying on physical (certificated) securities. Uncertificated securities (Wertrechte; droits-valeurs) have been used since the 1980s (p. 315) as a substitute for physical registered shares of listed companies (Namenaktien mit aufgeschobenem oder aufgehobenem Titeldruck). The concept has been codified in 2010 by the Federal Intermediated Securities Act (FISA), as an underlying component for the creation of intermediated securities.⁵⁹ However, the concept of uncertificated securities was never fully developed, and was therefore not suitable for capital market instruments. Uncertificated securities are created by way of an entry into an uncertificated securities book, which may be maintained in physical or electronic form (for example as an excel sheet) and is not public. They are transferred by way, and with the effects, of an assignment,⁶⁰ and are pledged in accordance with provisions governing the pledge of claims.⁶¹ Both the assignment of and the pledge of uncertificated securities require the execution of the assignment and the pledge, respectively, in writing.⁶²

10.41  In 2010, the Federal Intermediated Securities Act codified and modernized the legal framework for intermediated securities, mostly in line with the Geneva Securities Convention. The concept of intermediated securities (Bucheffekten, titres intermédiés) was introduced as a new form of property to reflect the rights resulting from a credit of securities to a securities account.⁶³ According to Article 3(1) FISA, intermediated securities are (i) personal or corporate rights of a fungible nature against an issuer; (ii) credited to a securities account; (iii) that may be disposed of by the account holder in accordance with the provisions of the FISA (ie, by way of credit to a securities account⁶⁴ or by way of a control agreement⁶⁵). According to Article 6(1) FISA, intermediated securities are created by (i) the deposit of certificated securities (which may be a global certificate) into collective custody with a custodian or by registering uncertificated securities in the main registry of a single custodian and (ii) the credit of such securities to one or several securities accounts. The main registry, which is different from the uncertificated securities book, is maintained by a custodian (normally by the central securities depository) and is public.⁶⁶

10.42  The DLT Act completed the dematerialization of securities law and introduced the concept of register, or ledger-based, securities as a new form of truly digital securities fulfilling all functions of certificated bearer or order securities.⁶⁷ Register securities are issued on the basis of a securities registry which must meet certain minimum requirements set forth in Article 973d(2) CO. These requirements include (i) control by the creditor, but not the debtor; (ii) protection of the integrity of the registry by appropriate technical or organizational measures; (iii) availability of information regarding (p. 316) the registered right and the operation of the registry; and (iv) the creditor’s right to read relevant information and verify relevant content. It is generally agreed that these requirements, under the current state of technology, can be met only by DLT-based systems. The securities registry can be either a public blockchain (like the Bitcoin or the Ethereum blockchain) or a permissioned blockchain (like Corda or Hyperledger Fabric). The registration is based on an agreement (called a registration agreement) which includes the consent of the parties to issue securities in the form of register securities and information about the securities registry.⁶⁸

10.43  Register securities (unlike simple uncertificated securities, see paragraph 10.16) are functionally fully equivalent to certificated bearer or order securities. They are transferred by way of an entry in the securities registry in accordance with the registration agreement.⁶⁹ The obligor of register securities is obliged to pay, and is discharged only by paying, the creditor registered in the securities registry.⁷⁰ A purchaser in good faith from the person registered in the securities registry is protected even if the seller had no power to dispose of the register securities.⁷¹ The obligor of register securities may raise against the claim of the person registered in the securities registry only defenses (i) that relate to the validity of the registration or that are derived from the securities registry; (ii) that the obligor is personally entitled to raise against the registered creditor; or (iii) that are based on the direct relations between the obligor and a former creditor, if the current registered creditor intentionally acted to the detriment of the obligor when acquiring the register securities.⁷²

10.44  The DLT Act expressly acknowledges that register securities can be used as collateral similar to certificated securities.⁷³ A security interest in register securities can either be a possessory or a non-possessory security interest. In each case, the security interest can be a full-title security interest or a pledge. A possessory security interest is created by way of transferring control over the register securities to the secured party, based on a security agreement. The perfection requirements are the same as for certificated securities.⁷⁴ Non-possessory security interests are perfected by flagging the security interest in the securities registry and providing that the secured party can assume control over the register securities in case of a default by the debtor.⁷⁵

10.45  Most issues in connection with the private law framework for securities fall within the legislative competence of US states. The relevant legal provisions are largely (p. 317) harmonized by the Uniform Commercial Code (UCC). The UCC is a uniform law developed by the Uniform Law Commission (ULC) in collaboration with the American Law Institute (ALI). It only becomes legally binding by virtue of being adopted by the individual states, which are free to make more or less extensive modifications. Article 8 UCC has been adopted in all states, the District of Columbia, and Puerto Rico with a few non-uniform variations.⁷⁶

10.46  Private law for securities is codified in Article 8 UCC, which covers both physical securities (certificated securities, § 8-102(4) UCC) as well as uncertificated securities (§ 8-102(18) UCC) and securities held with intermediaries (Part 5: § 8-501 et seq UCC). While uncertificated securities (similar to certificated securities) are based on the idea of a direct legal relationship between investor and the issuer, Part 5 (added in 1994) codified the concept of securities held with an intermediary as a separate type of property interest, called ‘security entitlement’. A security entitlement comes into existence when financial assets are credited to a securities account (§ 8-501 UCC) managed by a securities intermediary. The securities entitlement can be understood as a bundle of rights that can only be asserted in relation to the account-holding securities intermediary, but not in relation to the issuer or other intermediaries.

10.47  The UCC has so far not been amended to take into account securities issued on the basis of DLT systems (although that work is underway, as described below). However, the ULC adopted a uniform law regulating crypto service providers in 2017, the Uniform Regulation of Virtual-Currency Businesses Act, or URVCBA.⁷⁷ The URVCBA applies to the trading, transfer, and custody of virtual currencies (§ 102(25) URVCBA) and essentially deals with supervisory issues. An exception can be found in § 502 URVCBA, which tries to clarify the legal relationship under property law when a crypto service provider has virtual currencies under its control. According to the official commentary on § 502 URVCBA, the provision is based on § 8-503 and 8-504 UCC, ie on the provisions on security entitlements.⁷⁸ § 502 URVCBA stipulates that virtual currencies that a crypto service provider holds or transfers for its customers are the property of the customers and not of the service provider, and that accordingly creditors of the service provider cannot access these assets. However, the customer has no direct ownership right to the virtual currencies held for him, but only a right that corresponds to the securities entitlement within the meaning of § 8-501 UCC. Accordingly, the URVCBA also reproduces the tiered safekeeping relationships of securities and obliges the crypto service provider to cover customer stocks with corresponding credits with other service providers (§ 502(a) URVCBA). If the crypto service provider does not comply with this obligation, the customers acquire proportional claims to the service provider’s portfolio (§ 502(b) URVCBA).

(p. 318) 10.48  § 502 URVCBA was replaced in 2018 by another uniform law entitled Supplemental Commercial Law for the Uniform Regulation of Virtual-Currency Businesses Act (SCL-URVCBA).⁷⁹ The purpose of this supplement was to make the provisions of Part 5 of Article 8 UCC directly applicable, so that the rights of customers of crypto service providers correspond in every respect to a security entitlement.⁸⁰

10.49  The URVCBA and the 2018 SCL-URVCBA have been enacted by only one US state, Rhode Island. At least one state (Wyoming) made a deliberate decision against adopting these uniform laws based on the reasoning that the legal framework for securities held with intermediaries is not suitable in the DLT context.⁸¹ Wyoming is one of the most active states in its attempts to create a favourable legal and regulatory framework for crypto businesses. The state has passed and amended no fewer than 13 laws to date to create a legal framework that aims to enable and facilitate digital assets and related business models.

10.50  Of particular relevance in the present context are provisions of Wyoming law that endeavour to fit digital assets into the taxonomy and structure of Articles 8 and 9 of the Wyoming Uniform Commercial Code (UCC-Wyoming).⁸² Digital assets are defined as ‘a representation of economic, proprietary or access rights that is stored in a computer readable format’ (WS 34–29–101(a)(i)). In addition to virtual currencies, this definition also includes digital securities and usage tokens (digital consumer assets, WS 34–29–101(a)(i)-(ii)).

10.51  Under UCC-Wyoming, digital securities are considered securities within the meaning of § 8-102(a)(15) UCC; ie they are treated by analogy to physical securities or dematerialized securities (WS 34-29-102(a)(ii)). The law allows the parties to treat digital securities as subject to security entitlements within the meaning of Part 5 of Article 8 UCC. However, the Wyoming legislature’s reluctance to accept this regime and its preference for direct custody is reflected in the duty imposed on securities service providers to inform investors about the risks of indirect custody (WS 34-29-104(g)). UCC-Wyoming also clarifies that security interests in digital assets may be subject to control. Control is synonymous with possession, so that a security interest may be perfected by control (WS 34–29-103(e)(i), (f)).

10.52  The different approaches taken by Wyoming and the law harmonization organizations illustrate nicely the fundamental differences between a legal framework for securities held with an intermediary and the framework for directly held digital securities. (p. 319) Whereas multi-tiered custody chains arise in the first case, the holder of digital securities can control them directly and immediately.

10.53  The ULC and ALI currently are preparing revisions to the UCC that would add a new Article 12 dealing with certain digital assets, defined as ‘controllable electronic records’ (CERs), including conforming amendments to UCC Articles 8 and 9.⁸³ The draft provisions include a definition of ‘control’ of CERs that is functionally the rough equivalent of ‘possession’ of tangible movables. Control also would be a method of third-party effectiveness (perfection) of security interests in CERs and a necessary element for qualifying for protection as an innocent acquirer of CERs (a ‘qualified purchaser’).

10.54  Germany has recognized the concept of dematerialized securities already since the late nineteenth century,⁸⁴ but only in relation to Government debt securities.⁸⁵ For securities issued by private entities German law has staunchly maintained the requirement of a physical certificate.⁸⁶ This is even true for securities held with an intermediary, for which a global certificate must be deposited with the central securities depository Clearstream Banking.⁸⁷ A first step to permit the dematerialization of privately issued securities has been taken by the Bundestag on 6 May 2021 with the adoption of the Act on Electronic Securities (eWpG).⁸⁸

10.55  The law consists of two parts which must clearly be distinguished. First, it creates a legal basis for the complete dematerialization of securities held with an intermediary through the introduction of so-called central register securities (§ 4(2) eWpG). The registry for central register securities can only be maintained by central securities depositories or financial institutions admitted to the custody business in Germany (§ 12(2) eWpG). The practical significance of this part is limited since it permits only to waive the need to deposit a global certificate with Clearstream Banking. A second, possibly much more relevant part provides for the introduction of decentralized electronic securities (so-called crypto securities). A crypto security is an electronic security that is entered in a crypto security registry (§ 4(3), § 16 eWpG). This part creates a legal basis for the tokenization of securities.

10.56  The material scope of the eWpG is initially limited to bearer bonds (§ 1 eWpG), fund units (§ 95 Capital Investment Code), and covered bonds (Pfandbriefe; § 4(5), § 8(3) (p. 320) Covered Bond Act). The dematerialization of shares was considered too complex to be codified at this stage, due to interfaces with company law, where problems were identified primarily in connection with the incorporation of the company, the issuance and transfer of shares, the general meeting of shareholders, corporate actions, and the dissemination of information from the company to the shareholder. For checks and bills of exchange, the Federal Government is of the opinion that an electronic form cannot be considered from the outset due to international agreements.

10.57  § 2 eWpG regulates the basic properties of electronic securities. § 2(2) eWpG first clarifies that ‘an electronic security [deploys] the same legal effect as a security that has been issued by means of a certificate’. This sentence makes it clear that electronic securities are not a new type of security, just a new form to issue debt or any other right. While the eWpG does not explicitly state the effects, the approach is the same as the one taken in Liechtenstein (section C(4)) and Switzerland (section C(5)).

10.58  § 2(3) eWpG then succinctly states that ‘an electronic security . . . is an asset within the meaning of § 90 of the German Civil Code’. Electronic securities are therefore considered to be a corporeal movable (bewegliche Sache) for property law purposes. This fiction is highly remarkable from a dogmatic point of view since German (as well as Swiss, Austrian, and Liechtenstein) property law has been firmly constricted to corporeal movables, but not to choses in action or other non-physical assets.⁸⁹ The Liechtenstein and Swiss legislators have shied away from breaking with this dogma, leaving issues about the legal nature of digital securities unresolved. Under German law, it is now clear that ownership interests can be created in electronic securities (see also § 27 eWpG: presumption of ownership). Electronic securities can also be segregated in the insolvency of a custodian based on general insolvency law principles (§ 47 InsO), without the need for further adjustments of insolvency laws.

10.59  Electronic securities are issued when the issuer makes an entry in an electronic securities registry (§ 2(1) eWpG), which is called the crypto securities registry in the case of crypto securities (§ 4(1)-(2) eWpG). The Act establishes only very general requirements for the crypto securities registry and places the burden for compliance squarely on the issuer. According to § 16 eWpG, the registry must be kept on a manipulation-proof recording system on which the data are logged in chronological order and secured against unauthorized deletion and subsequent changes. Further requirements will be set forth in an ordinance the Ministries of Justice and Finance will issue (§ 23 eWpG).

10.60  A key feature of the Electronic Securities Act is that it places responsibility for compliance with these requirements with the body maintaining the registry (Registerführer; registrar). According to § 16(2) eWpG, this is the body that the issuer designates as such; if there is no designation, the issuer is deemed to be the registrar. According to § 7 eWpG the registrar must maintain the crypto securities registry in such a way that the (p. 321) confidentiality, integrity, and authenticity of the data are guaranteed (§ 7(1) eWpG). It is also responsible for any damage caused by an incorrect management of the registry (§ 7(2)-(3) eWpG). The registrar has also the duty to provide an extract from the registry in text form to the holder of a crypto security if this is necessary to exercise its rights (§ 19(1) eWpG).

10.61  The issuer must publish the entry of crypto securities in a crypto securities registry in the Federal Gazette—the official publication organ of the Federal Republic of Germany (§ 20(1) eWpG). The issuer must furthermore notify the German Federal Financial Supervisory Authority (BaFin) of any publication; BaFin maintains a public list of published entries (§ 20(2)-(3) eWpG). Similar publication requirements do not apply to the issuance of physical securities.

10.62  The Act and the legislative materials do not clarify the critical issue of what the legal consequences are if a system used for the issuance of crypto securities is found not to meet the very general standards set forth in the eWpG. One obvious conclusion would be to conclude that a right registered in a system which does not meet the minimum requirements set forth in the act are not crypto securities at all. However, such an approach would be clearly against the best interests of investors who might be left with nothing but a liability claim against the issuer. What seems clear, however, is that any issue not published in the Federal Gazette and notified to BaFin does not qualify as an issue of crypto securities. This leaves BaFin in the uncomfortable situation of having to review such notification and intervene in cases where it concludes that the basic requirements of § 16 eWpG have not been met.

10.63  The Electronic Securities Act also makes the commercial management of crypto securities registries for third parties a regulated activity subject to the supervision of BaFin. Entities maintaining crypto securities registries are deemed to be a financial services institution within the meaning of § 1(1a) KWG and are therefore subject to the supervision of BaFin. § 2(7b) KWG provides for exceptions, but the regulatory burden is still considerable. In addition, the registries are subject to anti-money laundering requirements and must comply with regulations on internal controls (§ 25h KWG) as well as increased due diligence (§ 25k KWG).

10.64  The federal government justifies this supervision ‘on grounds of investor protection, market integrity, transaction security and the functionality of the markets’.⁹⁰ However, it fails to recognize that DLT systems can guarantee integrity and transaction security due to their architecture and their properties without the need for trustworthy third parties. The draft for an EU Regulation on Markets in Crypto-assets (MiCA) therefore does not include the maintenance of a crypto registries in the list of crypto services subject to licensing requirements and supervision. It remains to be seen whether the authorization requirement under the eWpG will therefore prevail over future EU law.

(p. 322) 10.65  Overall, the regulatory burden for the registration of crypto securities and the keeping of the registry is very high. Whereas German law does not regulate self-issuance in the context of physical securities, the registrar of crypto securities is subject to numerous duties and responsibilities under the eWpG, which are accentuated by strict civil liability. The obligation to publish a registration in the Federal Gazette also seems anachronistic. It is therefore more than doubtful whether this approach is technologically neutral.

10.66  The Electronic Securities Act regulates the disposition of electronic securities (including crypto securities) in §§ 24 et seq. A disposition (including the perfection of a pledge or another limited right and the disposition of rights arising from electronic securities) first requires an entry in the crypto securities registries. The entry must be made on the basis of a person having the power to issue such an instruction, and both the transferor and the transferee must agree that ownership shall be transferred or a limited right be perfected (dingliche Einigung). Until the transfer to the transferee has been completed, the transferor does not loose its ownership (§ 25 eWpG).

10.67  § 26 eWpG makes it clear that ownership of electronic securities can be acquired based on the good faith of the transferee. For this purpose, the content of the electronic securities registry is deemed complete and correct, and the owner is deemed to be the authorized person. § 27 codifies the presumption of ownership in favour of the holder of an electronic security. According to § 28 eWpG, the holder of an electronic security is entitled to be recognized as the legitimate creditor by the debtor, and the debtor is discharged by paying this person.

10.68  The following sections will discuss in more detail core elements of a legislative framework for digital securities. A first issue virtually all jurisdictions are struggling with are the requirements the technical infrastructure underpinning digital securities has to meet. This is a multi-dimensional discussion at the cross-roads of technical, legal, and regulatory considerations (section D(2)). Section D(3) discusses the creation of digital securities. The transfer thereof, including the acquisition of digital securities based on the good faith of the acquirer, and the creation of security interests in digital securities, is another core element (sections D(4)–(6)). Thorny conflict-of-laws issues that arise in the context of digital securities are discussed in section D(7).

10.69  Probably the greatest challenge in designing a legal framework for digital securities is to define the requirements an electronic registry needs to satisfy in order to ensure full (p. 323) functional equivalence with certificated securities. As explained in paragraph 10.08, the registry must be designed in a manner that it ensures exclusivity and rivalry as fundamental prerequisites for the creation of private goods. A centralized digital database run by the issuer will hardly meet these conditions, even if fully secured, encrypted, and audited, if the issuer maintains the power to unilaterally change entries in the registry or tamper with the transaction history or if the holder of a security depends on the issuer for transferring it to a transferee. This is the reason why electronic securities registries so far had to be operated by trusted third parties, ie a governmental organization or a financial intermediary. It is the most important feature of DLT that it enables the design of registries which are tamper-proof and permit direct control and verification by the holders of securities without involvement of a trusted third party.

10.70  All reform bills taken into consideration in this chapter are trying to define these requirements in a more or less extensive manner. The Liechtenstein Blockchain Act applies only to ‘Trustworthy Technologies’ (‘vertrauenswürdige Technologien’), which are defined as technologies ‘ensuring the integrity of tokens, the unequivocal allocation of tokens to public keys, and the disposition of tokens’ (Article 2(a) TVTG). In its bill to the Liechtenstein parliament, the government emphasized that this definition refers to technologies which are trustworthy based on their design, without the need for a central operator.⁹¹ However, the Liechtenstein Blockchain Act did not try to define more precisely the features of ‘Trustworthy Technologies’. As explained in the government bill, the codification of specific features would quickly result in interpretation issues and legal uncertainty.⁹² The French State Council Decree of 24 December 2018 (codified in Articles R.211-1-5, R.211-9-4, and R.211-9-7 CMF) names a total of four requirements a DLT system must meet: (i) integrity; (ii) identification of the owner and the type and number of financial instruments; (iii) a business continuity plan; and (iv) ensuring access to transaction data. The Swiss DLT Act also requires that a database meets at least four conditions in order to qualify as a digital securities registry: (i) the creditors, but not the debtor, have control over the digital securities; (ii) the integrity of the securities registry is protected; (iii) the securities registry provides publicity in relation to the securities and the operation of the registry; and (iv) creditors have inspection rights in order to verify the integrity of the registry (see Article 973d(2) CO). The preliminary draft of the DLT Act had included even more constitutive requirements, including that the operational capacity and integrity be ensured in accordance with the latest state of technology. This overbroad approach was fiercely criticized in the consultation process,⁹³ and in the bill submitted to parliament the government made a clear distinction between the four constitutive requirements referred to in Article 973d(2) CO, which are also defining the scope of application of the securities law provision of the DLT Act, and other, non-constitutive requirements, which may result in the issuer’s liability if not met (Article 973d(3) CO). The German Electronic Securities Act requires that a (p. 324) crypto securities registry must be kept on a tamper-proof recording system in which data are logged in time sequence and are protected against unauthorized deletion and subsequent changes (§ 16 eWpG). The crypto securities registry must provide detailed information about the crypto securities registered, including third-party rights (§ 17 eWpG), and about any change in ownership (§ 18 eWpG). Liability for damages caused by insufficient or malfunctioning securities registries are also dealt with by different reform bills (see Article 973d(3) CO, § 7 eWpG).

10.71  In view of the early stage and the quick evolution of distributed ledger technology, legislators should avoid the temptation to design a perfect registry and limit statutory requirements to what is indispensable in order to ensure full functional equivalence of digital with certificated securities. It is also crucial to clearly distinguish requirements determining the application of the statutory framework for digital securities and requirements which are a statutory or contractual obligation of the issuer and which may trigger the issuer’s liability if not complied with. Requirements which must be met in order to make the statutory framework applicable must be defined as clearly and as narrowly as possible since investors will normally be left worse off if an instrument does not qualify as a digital security. It must also be possible to determine compliance with these criteria in advance and without the cooperation of the issuer or another third party. In our view, only two criteria are truly indispensable functional requirements for an electronic securities registry: manipulation resistance and publicity.

10.72  The first and most important functional requirement for a digital securities registry is that it protects against manipulation by the issuer or the administrator of the system. Physical securities are per se protected against tampering because they are under the control of the creditor (or a custodian acting for the creditor) after issuance. In order to be functionally equivalent, the digital securities registry must be designed in a manner that any unauthorized changes in the transaction history or the reallocation of control rights not provided for in the functional description are prevented.

10.73  Manipulation resistance goes beyond integrity in the technical sense, which generally refers to the accuracy and completeness of data.⁹⁴ Manipulation resistance also requires protection against changes to registry entries not authorized by the holder of the securities, or a person authorized by the holder. The parties must also be able to verify the integrity of a registry entry without the involvement of the issuer.

10.74  In DLT systems, manipulation resistance is achieved by way of decentralization.⁹⁵ In a distributed ledger, no single entity in the network can amend past data entries in the ledger, and no single entity can approve new additions to the ledger. Instead, a pre-defined, decentralized consensus mechanism is used to validate new data entries that are added to the blockchain and thus form new entries in the ledger. However, (p. 325) centralization or decentralization is problematic as a qualification criterion for a securities registry because decentralization of a DLT system is not a simple binary property.⁹⁶ The degree of decentralization depends, among other things, on the number and type of validators (nodes) and any dependencies between them. It can also be shown that if a ledger is required to deal with the failure of a single participant, it must consist of at least three participants.⁹⁷ Closed networks (permissioned blockchains) are potentially more susceptible to manipulation than open ones (unpermissioned blockchains), but these shortcomings may be balanced out by appropriate governance structures. The number and distribution of validators can also change over time. Any attempt of a legislator to substantiate the criterion of manipulation resistance through technical specifications will therefore result in unintended consequences or will become quickly obsolete.

10.75  A second set of requirements securities registries should meet results from the fact that they are designed to reflect property rights in a legally conclusive manner. A property right (a right in rem) is, by definition, a right effective against third parties (erga omnes), including secured and unsecured creditors of, and acquirers from, the holder of a security. Third parties must be capable, in principle, to recognize existing rights. Publicity of existing rights which shall have priority against competing rights is therefore another key condition a digital securities registry must meet in order to provide full equivalence with certificated securities. Just like the possession of a certificated security reflects the holder’s ownership, the holder of a digital security must be able to prove its legal position independently and without the involvement of the issuer to any third party. DLT-based securities registries are uniquely well suited to provide publicity in relation to existing property rights, at least if a public blockchain is being used. This is less clear in the case of private or permissioned blockchains, since the access to such systems is controlled by a gate-keeper and thus limited. However, read-only functions may be granted to persons who have no writing or administration rights.

10.76  From a securities law perspective, the information to be provided by the securities registry in order to satisfy the publicity requirement is limited. What is required, from a functional perspective, is first that the object of a transfer can clearly and univocally be identified and, secondly, that a transferor could identify any right or encumbrance which would have priority over the right he acquires.

(p. 326) 10.77  Publicity, as it is understood here, must clearly be distinguished from other transparency requirements relating to the rights represented by the security. Specifics about the right represented is provided by terms of issue, offering memoranda or prospectuses, or (in the case of equity instruments) from company registries, but not the securities registry (even though the registry may include a hyperlink to such documents). Nor can transparency obligations regarding the architecture and functionality of the registry be justified by the publicity requirement, as it is understood here. While it is wholly sensible to impose transparency obligations upon the issuer in this respect, they should by no means be codified as systemic, application-defining requirements.

10.78  Whether rights represented in digital securities can effectively be controlled and transferred depends entirely on the possibility to access the system on a continuous basis. Most reform acts therefore impose certain duties and obligations upon the issuer or the system operator to ensure data integrity and business continuity. The Swiss DLT Act therefore places the obligation upon the issuer ‘that the securities ledger is organized in accordance with its intended purpose’ and that in particular ‘it must be ensured that the ledger operates in accordance with the registration agreement at all times’ (Article 973d(2) CO). The German Electronic Securities Act requires the issuer to ‘take the necessary technical and organizational measures to ensure the integrity and authenticity of the crypto securities’ (§21(1) WpG). If the issuer fails to comply with this duty, BaFin may request it to transfer the crypto securities to another (centralized) securities registry (§21(2) eWpG).

10.79  While the emphasis on data integrity and business continuity is fully justified in relation to DLT-based securities registry (as is true for any kind of electronic database), it is important not to define such requirements as a condition for the application of a legal framework. If data integrity, business continuity, or other technical requirements are part of the legal definition of a securities registry, a DLT system does not qualify as a securities registry if the requirements are not met. This, however, would be against the best interest of investors, since they would be left in limbo, without the protection of a well-defined legal framework. Moreover, technology and risks are evolving so quickly that a set-up meeting best-practice standards at the time of issue may be considered to be outdated shortly thereafter.

10.80  Legislators have mostly tried to draft the minimum requirements for securities registries in a technologically neutral manner, rightly trying to avoid relying on technologies which may be outdated in short order. However, at the current stage of technological development it appears that only DLT can fully meet all of the constitutive requirements for a securities registry. According to the current state of the art, it can therefore be assumed that the systemic, application-determining requirements of the law can only be satisfied if the securities registry is based on some form of a DLT protocol.

(p. 327) 10.81  The Swiss Federal Council’s bill to the parliament includes a detailed discussion of blockchain or DLT protocols, which are basically suitable for meeting the requirements of Article 973d(2) CO. Accordingly, both the Bitcoin and the Ethereum blockchain are suitable for guaranteeing the integrity of the data it contains. The prerequisite, however, is that the relevant protocol ‘actually provides a minimum level of decentralization and thus resilience at all times’.⁹⁸ For this, the system must have several participants who, in turn, actually participate in the consensus mechanism used and who are independent of one another. In addition, the bill also mentions proof-of-stake mechanisms that can meet the requirements of a value rights registry, namely the Cardano blockchain or Algorand.⁹⁹ Finally, the bill makes it clear that DLT systems with a limited group of participants (so-called permissioned blockchains) can in principle meet the requirements of a value rights registry. Two protocols, namely Corda and Hyperledger Fabric, are expressly mentioned in this context, which protocols delegate the decision to resolve conflicts to special participants who ensure that only one of the set of conflicting transactions is considered binding.¹⁰⁰

10.82  Creating a digital security means that a right (a claim, a corporate right etc.) is entered into a registry meeting the statutory minimum requirements for securities registries. The registration has the legal effect that the right is subject to specific rules for the transfer and assertion of the right, as defined by the underlying system.

10.83  The technical modalities for the registration depend on the DLT protocol and application layers being used. If the securities registry is based on the Ethereum protocol, the registration is effected by way of publishing a token smart contract which incorporates the key terms of the relevant instrument (type of instrument, number of securities issued, nominal amount). A token contract is a special kind of smart contract that defines a token and keeps track of its balance across user accounts. Ethereum has two main technical standards for the implementation of tokens, known as the ERC20 standard for fungible tokens and the ERC721 standard for non-fungible tokens. The standardization allows contracts to operate on different tokens seamlessly, while also fostering interoperability between contracts. Since the information which can reasonably be stored on a blockchain is limited, additional documentation like a whitepaper, a private placement memorandum, or even a prospectus are linked to the smart contract (usually by way of a hash link).

10.84  The publication of the smart contract is a unilateral act performed by, or on behalf of, the issuer. In itself, it does not create a digital security. What is required in addition is (p. 328) the consent of the first acquirer (who may be the issuer) to have the relevant right represented in a digital security and therefore subject it to the rules for the transfer and assertion of such right as defined by the underlying system. The Swiss DLT Act emphasizes this consent requirement by introducing the concept of a ‘registration agreement’ as a necessary condition for the creation of digital securities (Article 973d(1) CO). The registration agreement covers the agreement of the parties that the right be registered in a securities registry, and can be transferred and asserted only by way of an entry into such registry.¹⁰¹

10.85  The registration of a right in a securities registry has the legal effect that the right is transferred by way of an entry in the securities registry. The technical modalities for the transfer depend on the DLT protocol being used and can vary considerably. In the case of an ERC-20 token, one of the most common standards for fungible tokens, a token is transferred by the holder sending the token to the transferee’s public address. The transaction is authorized by the transferor signing it with its private key. The signature is an expression of the transferor’s will to transfer the token to the transferee.

10.86  Only the person holding the private key for the tokens can initiate a transfer. The holder of the private key may or may not be the legal owner of digital securities. What is therefore transferred from a legal and conceptual perspective is the right to control entries in the securities registry, similar to the possession of certificated securities.

10.87  Since it is possible to transfer a physical copy of the private key, it is also possible that a transfer takes place outside the DLT system (off chain).¹⁰² This is, for example, the case when the transferee receives a physical copy of the private key from the transferor. The assumption that every transfer of tokens is directly reflected in the registry is therefore not correct. However, unless and until the transferee updates the registry by using the private key, the transferor keeps the power to transfer the token a second time to a second transferee (who will then prevail over the first transferee). Moreover, as long as the registry is not updated, the original transferor qualifies as the legitimate owner of the token. Payment to the registered owner discharges the issuer, and a purchaser in good faith from that person acquires full title.

10.88  The rules of a DLT protocol can also make the completion of the transfer dependent on further requirements, such as its approval by the issuer or certain authorities. Such conditions and requirements can be easily integrated into the token smart contract, with the effect that a transfer is technically not possible unless the condition has been met.

(p. 329) 10.89  The transfer of digital securities is completed once the transaction has been validated by the number of participants (nodes) required by the rules of the underlying protocol. Depending on the degree of decentralization and other properties, the validation can take a certain amount of time (block time). Block time is a measure of the time it takes to produce a new block, or data file, in a blockchain network. Each protocol has its own defined block time. For instance, the Bitcoin network’s block time is around 10 minutes¹⁰³ while the Ethereum network’s block time is about 13 seconds.¹⁰⁴ The actual time necessary for the validation of a transaction may also depend on the traffic on a particular DLT system and other factors like transaction pricing.¹⁰⁵ A legislative framework must take such factors into account when providing for the finality of transactions.

10.90  Dispositions of digital securities are only effective if made by, or on behalf of, the owner. In other word, the ‘nemo dat’ or ‘nemo plus’ rule also applies to transfers of digital securities. Securities laws have always provided strong protections to good faith purchasers in order to shield commercial transactions.¹⁰⁶ The legislation on digital securities also protects a purchaser who acquires digital securities from a transferor who is registered in the securities registry.¹⁰⁷

10.91  The protection of the good faith purchaser of physical securities is based on the transferor’s possession of the instrument. In the case of digital securities, it is founded on the entry of the transferor in the securities registry. As a result, a transferee who acquires from the person registered in the securities registry acquires good and valid title even if the registered holder had no power to dispose of the securities. In accordance with general securities law principles this is true even if the securities have been stolen by the person registered as the holder.¹⁰⁸

10.92  In line with general commercial principals, a transferee is protected only if it acted in good faith in relation to the transferor’s ownership. The legislation on digital securities tends to follow the relatively general test developed for order securities where good faith is denied only if the transferee knew of ought to have known that the transferor lacked the required power to dispose of the securities.¹⁰⁹

10.93  Digital securities can also be subject to security interests in accordance with general principles of secured transaction laws. Since digital securities are regulated in analogy to certificated securities for purposes of transferring ownership, it is also possible to create and perfect a security interest in digital securities by transferring control to the secured party. It is, in other words, possible to create possessory security interests in digital securities.

10.94  Since ownership of digital securities is reflected in a public registry, it is moreover possible to create non-possessory security interests. This is expressly recognized by both the Swiss and the Liechtenstein Acts, although under slightly different conditions.¹¹⁰ Both acts require that the security interest is made public by way of an entry in the securities registry, ie can be recognized when searching the registry. The time when the security interest is perfected must also be clearly recognizable.¹¹¹ Since a timestamp is part of the basic equipment of any blockchain, this requirement is easy to comply with. The Swiss Act finally requires that in case of a default the secured party has the exclusive right to dispose of the securities. In order to enforce a non-possessory security interest in case of default, the security arrangement must provide for a procedure or a process for removing control from the debtor. Since digital securities can be programmed, the underlying smart contract can automatically transfer control to the secured party if an oracle determines that the debtor is in default.

10.95  The use of DLT systems also raises major challenges for determining the law applicable to the transfer of digital securities.¹¹² The main reason is that the decentralization of many blockchains make it difficult or impracticable to determine a jurisdiction with which the system, or a transaction made on this system, has a relevant or close relationship. Traditional connecting factors relying on an objective ‘closest relationship’-test are therefore difficult to apply to DLT-based digital securities. However, these challenges are not new. They have in particular also arisen in relation to intermediated securities where the determination of the applicable law is still a largely unresolved issue in cross-border situations, at least for the jurisdictions which have not yet ratified the Hague Securities Convention.

(p. 331) 10.96  In a context where no clear relationship to a specific jurisdiction can be established based on an objective connecting factor, party autonomy¹¹³ is a tried and tested means for ensuring legal certainty.¹¹⁴ It is globally recognized that granting the parties the freedom to choose the applicable law is—in principle—an efficient approach solution for determining the applicable law.¹¹⁵ Assuming equal negotiation powers and the absence of information asymmetries, the parties are best suited to make a rational choice of the law governing a contractual relationship.¹¹⁶

10.97  Party autonomy is much more limited in international property law for a variety of reasons,¹¹⁷ including the protection of persons not privy to a transaction and public policy interests like the publicity of rights in rem.¹¹⁸ Party autonomy has in particular been acknowledged by the Hague Securities Convention as the primary connecting factor, even if the laws which may be chosen by the parties are limited (Article 4 Hague Securities Convention).

10.98  In the case of DLT-based securities, the issue of the protection of third parties does not arise in the same way as in the case of movable objects or physical securities, because third parties can only participate in transactions if they have directly or indirectly become system participants. This requires them to have agreed to the terms and conditions for participants, which may include a choice of law. The interests of the creditors, supervisory authorities, or the public are adequately safeguarded by the reservations of the lex fori concursus or supervisory regulations (which usually qualify as loi d’application immédiate) and ordre public.

10.99  The Swiss DLT Act includes an amendment to the Private International Law Act (PILA) which recognizes party autonomy in relation to rights represented by a (physical or electronic) title (see Article 145a PILA). The provision is drafted in a rather cumbersome manner, but according to the legislative materials its clear purpose is to acknowledge the parties’ right to freely choose the law applicable to the transfer of digital securities, at least if the security represents a contractual right. Party autonomy in international property law has long been recognized in Swiss conflict of laws (see Articles 105, 106 PILA), but the choice of law was not effective against third parties.

10.100  The Liechtenstein DLT Act does not provide a universal conflict-of-laws provision, but rather a unilateral provision regulating the territorial scope of the TVTG’s private law provisions. According to Article 3(2) TVTG, the private law provisions are applicable (p. 332) to tokens generated or issued by a service provider or an issuer in Liechtenstein (letter a) or if the parties to a transaction in relation to tokens have expressly agreed to its application (letter b). Article 4 TVTG provides moreover that a token qualifies as an asset located in Liechtenstein if it is governed by Liechtenstein law in accordance with Article 3. This fiction permits to establish the jurisdiction of the Liechtenstein courts, which have jurisdiction in relation to assets located in Liechtenstein. Article 3(2)(b) TVTG permits parties to a transaction in relation to tokens (whether or not issued by an issuer in Liechtenstein) to freely choose Liechtenstein law to govern their transaction and thus to establish the jurisdiction of the Liechtenstein courts.

10.101  The German eWpG also includes a conflict-of-laws rule and provides in § 32 that rights to an electronic security and disposal of an electronic security are subject to the law of the State which supervises the electronic securities registry. The Federal Government explains correctly that the connection to the location (lex cartae sitae, Chapter IV margin no. 201 et seq) is ruled out in the case of electronic securities and that the securities registry is difficult to locate in the case of electronic registry management. So far, however, no State has declared the maintenance of DLT registries to be an activity requiring a license; MiCA does not count this activity as crypto services either. In addition, DLT systems are precisely characterized by the fact that a single, central point cannot be determined. § 32 eWpG will therefore not lead to clear results in many, if not most, cases. It would make more sense to make dispositions of electronic securities subject to the law of the State under which the relevant registry is organized.

10.102  The discussion about conflict-of-law issues in connection with the blockchain and in particular the determination of the best connecting factor is only at the beginning. A quick consensus is not expected, so that there will be considerable uncertainty in this regard for the time being. In this respect, digital securities do not differ from intermediated securities, where the determination of the law applicable to cross-border securities transactions is still causing considerable problems, at least in States that have not ratified the Hague Securities Convention.

10.103  As financial technology evolves and the trend towards digitization, including tokenization of assets and the use of platforms based on distributed ledger technology, accelerates, the regulation of financial services has to adapt as well.

10.104  Existing securities regulation predates the advent of new technologies and services leveraging such technology. Concepts that are traditionally applied in the regulation of securities and related activities often presuppose certain functions and services to be provided in specific ways (such as centralized governance, specific form requirements, (p. 333) intermediation) and usually rely on identifiable responsible actors to be the focal point of regulatory requirements.

10.105  Given that digital assets may entail a high degree of decentralization, an absence of intermediaries, or a blurring of traditionally segregated functions such as trading, clearing, and settlement, as a result, many jurisdictions have encountered challenges when addressing regulatory issues resulting from digital assets such as crypto securities.¹¹⁹

10.106  There are some fundamental issues that arise when trying to apply traditional concepts and classifications to digital assets and related activities. A general benchmark on whether and how to apply regulatory requirements is the principle that if a particular asset, activity, or service is economically equivalent to an already regulated one and entails the same types and degrees or risk, then the same regulatory standards should apply.¹²⁰

10.107  However, this necessitates that regulatory authorities have a comprehensive understanding of the structure, complexity, and intricacies of digital assets and the underlying technology used, such as DLT. This in turn requires regulators to follow closely the quickly emerging field of technical innovation in the financial sphere and acquire a thorough knowledge of technical features of digital assets and services that are being developed.

10.108  The primary aim of financial regulation is to maintain the stability of the financial system and contain risks. As noted in Chapter 9, paragraph 9.07, as concerns securities, key regulatory policy objectives are (i) investor protection, (ii) enhanced safety and efficiency of holding and settlement arrangements, and, more broadly, (iii) limiting systemic risk. Whilst not necessarily creating new types of risks, the use of new technologies might create new sources or emanations of risks that are not yet included in the scope of existing regulatory frameworks. In the area of securities, an enhanced reliance on digitization, distribution, and cryptography may raise issues as regards various types of risks. For instance, as regards operational risk, there may be issues of cyber resilience (reliability of cryptography) and maturity of technology (role of nodes in a DLT arrangement), operational capacity, and scalability. There may be issues of data integrity, privacy and confidentiality, or concerning the immutability of (p. 334) data (error handling). There may be new aspects not known to the traditional securities infrastructure, such as modes of settlement relying on consensus or proof-of-work as well as probabilistic finality that are not yet addressed in existing regulatory requirements. Distributed record keeping or transaction processing may blur regulatory and legal responsibilities that were traditionally based on bilateral principal-agent relationships.

10.109  This poses challenges to regulatory authorities trying to cover, address, and mitigate these risks in an appropriate manner. Apart from a radical approach of banning digital assets outright, there are three basic approaches to regulation and authorization of digital assets and services surrounding them: A regulatory authority may try to apply existing regulation such as regulation surrounding the issuance, trading, holding, and settlement of securities to digital assets that are considered to be financial instruments. Alternatively, a regulator may try to adjust existing regulatory frameworks to provide adjustments for specific activities based on new technology. Lastly, a regulator may decide to create a bespoke new regime specific to digital securities (for example, for DLT based exchanges or depositories or for custodial wallet service providers).

10.110  All of these approaches may come with their own challenges, even if the aim of all is to provide certainty on the applicable rules and mitigate risks related to the performance of activities surrounding digital securities. On the one hand, the application of existing regulation may lead to problems of interpretation and application to the extent that new technology may entail features not falling clearly within known regulatory definitions. On the other hand, an adapted or tailor-made regime may give rise to a non-level playing field between incumbents and new market entrants, either by providing a more lenient or a more stringent regime for services based on new technology.

10.111  Looking at the application of securities regulation to digital securities and services based on new technology, beyond the basic concepts of ‘same business, same risk, same regulation’ and ensuring a level playing field, the regulatory discourse centres around a number of central considerations, in particular technological neutrality, proportionality, and regulatory perimeter.

10.112  The principle of technology neutrality is meant to describe the principle that regulation should ‘neither impose[s] nor discriminate[s] in favour of the use of a particular type of technology’,¹²¹ ie rules should not require or assume a particular technology and should not hinder the use or development of technologies in the future. This principle enjoys wide acceptance in principle but its practical application is not always straightforward. Whilst direct requirements of the use of a certain technology exist to a certain extent (such as the usage of specific message formats in the (p. 335) transmission of transaction data),¹²² in many instances the exclusion of certain technologies may be less evident.

10.113  One such example is the underlying regulatory assumption in the field of securities issuance and settlement that certain activities such as the maintenance of issuance registries or settlement systems are a given, implying centralized operations under the governance of a responsible legal entity (the operator).¹²³ A platform or network arrangements relying on fully decentralized DLT set-ups without any identifiable entity responsible for the governance, access rules, or risk management is likely to run afoul of requirements concerning such a centralized set-up when trying to provide registration or settlement of digital securities. Another example is the question whether a digital security issued in tokenized form would qualify as traditional security in the meaning of traditional securities law and regulation in a specific jurisdiction. A change in the form of an asset does not necessarily change its economic substance, but may result in a different legal and regulatory classification (should a digital bond be treated similarly to a bond written on paper? Should a digital asset in tokenized form be considered as property and transferred as such or not?). To resolve such issues, recourse may be needed to interpretation of rules, entailing legal uncertainties in the absence of legal clarification or regulatory guidance.

10.114  A further regulatory consideration when it comes to the application of requirements to new products and new service providers is the principle of proportionality. In regulation, a proportionate approach means tailoring regulatory requirements to a financial institution’s size, systemic importance, complexity, and risk profile. The aim is to avoid an excessive regulatory burden for smaller and non-complex financial institutions that could unduly hamper their competitive positions without a clear prudential justification.¹²⁴

10.115  Indeed, the costs of regulatory compliance can be prohibitive for a small start-up. To the extent that the scope and size of activities of a particular entity entails less risk than for instance a globally active complex financial institution, it could be envisaged to apply a lighter targeted regulatory regime commensurate to the particular risk profile. This is being done for instance in EU payments regulation, where depending on the concrete activities, lighter specific authorization regimes apply for e-money institutions or payment institutions.¹²⁵ However, the application of such proportional regimes requires specific attention, as for instance in the field of digital finance, the financial situation and risk profile of a small fintech start-up may be very different to the one of a global technology firm entering the financial services domain by leveraging on their massive internet platforms.

(p. 336) 10.116  A specific consideration to address the specificities of new market entrants is around the creation of so-called regulatory sandboxes. Regulatory sandboxes enable a direct testing environment for innovative products, services, or business models pursuant to a specific testing plan, which usually includes some degree of regulatory lenience combined with certain safeguards.¹²⁶ Regulatory sandboxes (which should be distinguished from so-called innovation hubs primarily aimed to promote a particular financial market as a centre for financial innovation) bring along potential benefits and risks. For regulators, sandboxes allow enhancing understanding of new or changed risks brought by new technology which can facilitate an adequate policy response. For innovators, they can reduce regulatory uncertainties and help lower the high barriers to entry in the sector. However, among the main possible risks, some are specific to innovation facilitators and regulatory sandboxes such as level playing field concerns, whereas another risk relates to regulatory arbitrage to the extent that strategies applied by jurisdictions to raise their attractiveness as a fintech hub may lead to a race to the bottom when it comes to appropriate risk management.

10.117  Traditionally, regulatory approaches in the financial domain are entity based, ie the application of a particular regulatory regime is linked to the authorization or license for a specific entity to provide a defined set of financial services. Depending on the business model, an entity can be subject to regulatory requirements in relation to the carrying out of regulated financial services; for other activities that are not regulated financial services, the entity may or may not be subject to regulatory requirements.¹²⁷

10.118  Questions may arise if a particular activity does not squarely fall within the remit of a defined regulated financial service, for instance, for activities relating to digital assets (such as issuance and trading of digital securities), because of such activity failing to qualify for a constitutive element (for example a particular form requirement) of the regulatory framework in question despite being equal in terms of economic purpose and effect. In such situation, a determination needs to be made whether such activity is permissible without authorization and application of regulatory rules because it is falling outside the regulatory remit or whether regulatory responses are needed. In the latter case, some jurisdictions have considered bans whereas others have been looking at adjusting the regulatory perimeter by extending the need for a regulatory license or authorization explicitly to new types of digital financial assets or services.

10.119  One particularly interesting response that is increasingly discussed by competent authorities is a shift from traditional entity-focused regulation to a more functional approach, whereby a defined service or activity is subject to specific requirements irrespective of the regulatory status of the entity or entities performing the activity or (p. 337) service. An example for this approach is the proposed new Eurosystem oversight framework for electronic payment instruments, schemes, and arrangements.¹²⁸ The Eurosystem follows a functional and holistic approach to oversight, which covers all types of payment instruments resulting in a transfer of value (whether credit transfers, card payment, e-money transfers, or tokenized payments) and includes the governance function and the functionalities of a payment arrangement, as well as all the functions of a payment scheme. The approach covers both licensed and non-licensed governance bodies. For cases in which a governance body is responsible for the functioning of several payment schemes or arrangements, the overseer may assess these jointly.

10.120  A major impediment to the analysis and the formulation of clear policies for the emerging digital asset industry is the lack of clear and common terminology. As of today, there are no commonly accepted definitions, or a generally agreed classification of digital assets. Terms used differ considerably depending on the background and often the motivations of the user, whether it is crypto asset, virtual asset, crypto security, digital token, or other variants. The absence of consensus over terminology is a key obstacle to certainty over legal characterization and in turn the regulatory treatment, which frequently, but not necessarily follows a legal qualification. Regulators therefore face the challenge to identify the terminology most suitable for their regulatory objectives and to develop suitable and robust definitions and classifications. This is usually done by gathering empirical evidence and engaging key stakeholders, followed by engagement among competent authorities and regulators.

10.121  However, even if a particular jurisdiction were to develop a consistent and comprehensive approach to the legal and regulatory categorization, given the inherent cross-border nature of digital assets and services transactions, diverging terms and concepts among regulatory bodies may facilitate regulatory arbitrage. The lack of harmonized and coordinated regulatory responses allows actors in the digital assets space to exploit regulatory loopholes and circumvent stringent regulations. Thus, there is a need for global co-ordination aligning domestic approaches.

10.122  Taxonomy is the science of classification by identifying different entities or objects, establishing criteria for classifying them into distinct categories and sub-categories, and naming them.¹²⁹ This practice introduces common definitions, terminologies, and (p. 338) semantics which can be used across multiple systems. A common system of categorization allows to provide a harmonized view and facilitates the handling of new and evolving additions as they appear. The existence of a taxonomy for digital securities, in particular in a DLT environment is pivotal to understanding the landscape of digital assets. However, the categorization of assets available on distributed ledgers still poses significant challenges for market regulators.

10.123  Some basic questions are relevant to support the development of a conceptual framework. First the extent to which digital assets are similar in nature to traditional assets such as securities needs to be assessed. If so, a determination has to be made whether the existing regulatory framework can be applied directly or whether adaptations are required due to specific technical features such as the use of open and permissionless distributed ledgers. Further, should a differentiation be made between digital assets that are a tokenized representation of traditional assets and those that constitute new assets by themselves? What will happen if a digital asset entails hybrid features such as being usable both as a security or as a means of payment? Should sectoral regulation be applied cumulatively, or only the stricter requirements, or would a new set of requirements be appropriate?

10.124  At this juncture, a common system of categorization for digital assets is still emerging. A number of regulators have issued classification frameworks for digital assets, which have been generally inspired by the particularities of open and permissionless networks and the usage of tokens, and which typically consist of three broad types categorized by the primary use cases/functions: payment/exchange tokens (a means of value exchange), utility tokens (granting access to a digital platform or service), and security tokens (an investment instrument).¹³⁰

10.125  This three-category classification has been useful as a first guidance for regulatory responses to digital assets. However, there remain considerable practical difficulties with this basic framework to capture the complexities of a quickly evolving innovation landscape. First, this classification may not cover all digital assets (see paragraphs 10.117-9 on the regulatory perimeter). Securities tokens failing to meet one of the constitutive elements of a traditional financial instrument may remain outside the regulators’ scope. Second, some tokens could fall under more than one of these categories. For such so-called hybrid tokens, it may be unclear whether the legal and regulatory requirements associated with each category should be applied cumulative or hierarchical.

10.126  For example, for a security token that is also a payment token, regulators could adopt different positions. They could apply a cumulative approach, whereby the hybrid token has to comply with both securities and payment regulation (which may be difficult to do as some requirements may be conflicting). Alternatively, they may take a hierarchical (p. 339) approach whereby hybrid tokens have to comply with either securities or payment regulation. In the latter case, the regulator may be either looking at the predominant feature (is the token mainly a payment or an investment instrument?) or apply the more stringent regime (which in most jurisdictions would be securities regulation). A further element of differentiation applied by regulatory authorities may be whether a digital security in the form of a securities token is native to a distributed ledger (ie it is only constituted by the token on the ledger itself) or whether it is a reference to a security which has been issued and recorded in a traditional manner. A few regulators have specified their approach in this regard (see section E(5), paragraphs 10.150 et seq), however, in many jurisdictions there is still no clarification or guidance available.

10.127  The application of existing regulation pertaining to securities issuance, trading, and settlement to assets in the digital space comes with a number of challenges as highlighted in the previous sections. Most activities related to digital securities resemble closely existing traditional activities found in securities markets, such as exchange and trading platforms, custodians or service providers. However, the use of new technologies entails a number of novel elements such as decentralization, the use of cryptographic keys, mining activities, etc., that do not fit always seamlessly into existing regulatory regimes. Even where regulation is to a large extent formulated in a manner that is technology agnostic, the particular characteristics of given designs of digital assets and the underlying technologies used can give rise to uncertainties on the application of specific regulatory requirements.

10.128  When it comes to the application of issuance requirements, traditional regulation is looking at a responsible entity, a legal or natural person, to be identified as the legal issuer of a security. Such identified issuer is the obligor of rights arising from the security, whether it is a debt or a participation right. Such assignation of an issuer role is also the precondition for the application of a number of subsequent responsibilities such as distribution limitations or anti-money laundering obligations. Digital assets, however, may be created not only by any individual or entity that has been granted access to the data layer¹³¹ (for example, where an application is run on a DLT), by corporations, public-sector institutions, and enterprise consortia among others, but also by informal groups (for example, an open source community of developers) or associations without legal personality. This may raise challenges for regulators, such as identifying who can be held liable for a breach of securities regulation such as limitations on investor types. Regulation may need to be adapted to clarify whether such forms of issuance are (p. 340) permissible or not and whether stricter requirements may apply to certain variants of digital issuance.

10.129  Once digital securities have been created, there are various means for distributing these to potential holders, such as initial offerings, mining, air drops, or forks.¹³² Depending on the technical environment used, the access to such methods may be limited. This may give rise to regulatory compliance questions such as whether the issuer has to issue a prospectus or what additional documentation¹³³ is needed for the distribution of digital assets (such as underwriting/purchase agreements, limitations on classes of investors). This in turn raises issues as to whether there should be stricter requirements for the distribution of digital securities and how these requirements are checked, and if necessary, enforced.

10.130  When it comes to registration requirements, in traditional ledger, registry, or account-based systems, the entry of information into an official information repository plays a constitutive role in the creation of a financial asset,¹³⁴ and provides the top-tier level based on which subsequent secondary market operations with digital assets can be carried out. In such traditional models, specific entities, often centralized for a specific market, are authorized to maintain the relevant registry(/ies) which record securities issuances. The operator of such register has the legal duty to ensure that the registry is accurate (ie reflects the legal position at the relevant time) and that all changes to the registry are made in accordance with the law.

10.131  In a digitized environment, for instance where tokens representing securities are created on a distributed ledger, the question arises whether there is an identifiable entity that can be attributed with the requirements of an operator of a securities registry. Given that the performance of such operator function usually requires some form of authorization by a competent authority, there may be uncertainties whether for example a distributed ledger is subject to such authorization requirement and whether a responsible operator could (or should) be identified. On a more technical level, existing regulation may need to be reviewed in view of the need for specific requirements regarding digital registries such as operational or cyber resilience.

10.132  Once created and distributed, digital securities can be traded, exchanged, and transferred in multiple ways on secondary market. The trading of digital securities, in particular if done over-the-counter, raises first and foremost questions on the substantive law regime for holding and transferring digital securities.

(p. 341) 10.133  However, increasingly digital securities are traded through exchange platforms, ie digital marketplaces that provide transfer and exchange services, with or without requiring corresponding on-chain transfers. Whether such a marketplace qualifies as a traditional stock exchange, with the consequence of triggering licensing or authorization requirements for operators of such exchanges, may depend on the specific features of the exchange platform, such as whether it entails price discovery elements or bid and sell matching, but also on the legal qualification of the digital assets traded on such exchange. Given the differences in approach to the legal qualification of digital assets, regulatory authorities across jurisdictions have developed a wide variety of regulatory response to regulate trading activities. For instance, regulators may regulate entities differently depending on whether they are offering exchange services against digital asset and/or against a fiat currency.¹³⁵

10.134  The regulatory qualification of the exchange service in turn may lead to the application of other requirements such as investor protection rules (fraud prevention), monitoring and reporting of transactions, or price transparency rules.

10.135  Traditional financial market structures involve intermediaries holding financial assets in custody on behalf of clients. This is particularly prevalent in the domain of securities. The complexities of intermediated holdings of securities, both domestically and in particular cross-border, are well known. These entail property law issues, often compounded by the dematerialization of financial assets. In intermediated holding structures, there is often a split of possession/control and ownership, or, in some legal systems, between ‘legal’ and ‘beneficial’ title. Sometimes, property rights in a financial asset are functionally replaced by obligational rights against an intermediary in complex, layered structures.

10.136  Whilst dematerialization also is an obvious inherent feature of digital securities, the additional element of decentralization (and the implied discarding of traditional forms of trusted intermediaries) originally dominated the digital securities space such as securities tokens based on DLT technology. However, mirroring earlier developments in the traditional securities markets, the crypto ecosystem has seen a rapid emergence of a variety of intermediaries. These often operate without being authorized by regulators; in many cases because there was, at least initially, no legal requirement for them to do so.¹³⁶

10.137  Some variants, in particular in the context of what is generally labelled as the provision of ‘digital wallets’,¹³⁷ do pose particular issues in this regard as they enable new types (p. 342) of custody, such as wallet services where the provider technically cannot move funds without user action¹³⁸ or services such as decentralized exchanges that do not entail a central operator and thus do not offer a regulatory anchor point for the application of regulatory requirements such as client asset protection rules.

10.138  From a risk perspective, the holding of any financial asset entails an element of risk, and the storage of digital securities is no exception. With the emergence of digital securities, existing tools for custody are replaced by new technical solutions to address the risk of misappropriation of those digital assets, with a different risk profile compared to traditional securities. A widespread technique in digital securities holdings is the use of cryptographic encryption consisting of private and public keys. Such keys can be stolen by attackers, or hacked from wallets or exchanges, if not properly secured. Similarly, keys can be lost, which prevents holders (or their legal successors) from accessing their assets permanently.

10.139  As the secure key storage and management is a cumbersome and complex task which requires a high level of technical proficiency, it is often outsourced to third-party custodial service/wallet providers.¹³⁹ This re-introduces a layer of intermediation to the way that digital assets are being held, which necessitates adequate regulatory rules to ensure client asset protection, handling of positions, and accurate records for instance in the event of disruptions, cyberattacks, or insolvency of the service provider.

10.140  Furthermore, given that the providers of wallet services or digital securities custody frequently also conduct transactions in own positions, the distinction between self-custody and third-party custody may become blurred. This warrants the application of regimes for the avoidance of conflicts of interests and client asset protection.

10.141  Finally, and more generally, the potentially highly tiered or opaque holding patterns that may result from the interposition of various players performing diverse functions in intermediating digital securities supports the application of stringent transparency requirements for involved entities outlining the risk profiles and the rights and obligations of holders of intermediated digital securities.

10.142  The ecosystem for digital assets in many instances relies on specific technical platforms such as distributed ledger arrangements for the storage of the assets. If such arrangement serves also as a facilitator for the transfer of digital securities between entities that are directly or indirectly connected to such platform, this ‘transfer function’ closely (p. 343) resembles from an operational and regulatory perspective a traditional securities settlement system (SSS). This holds particularly true if the arrangement entails a set of rules for the transfer of digital assets among participants, and a mechanism for validating transactions. This gives rise to the question to which extent such transfer arrangements should be subject to licensing or authorization requirements applicable to SSSs and if so, how such arrangement would have to comply with applicable regulation and relevant international standards for financial market infrastructures (FMIs).¹⁴⁰ Triggered by the advent of potentially systemically relevant stablecoin arrangements, the global standard-setting community has been reflecting on the applicability of existing global standards for financial services to novel arrangements leveraging innovative technology and whether additional guidance may be necessary to foster compliance with relevant regulatory expectations (see section E(6), paragraphs 10.182 et seq).

10.143  The application of existing requirements for FMIs may not be straightforward due to specific novel features compared with existing FMIs, such as the degree of decentralization of operations and/or governance, and the potentially large-scale deployment of emerging technologies such as distributed ledger technology (DLT) or automated process protocols (‘smart contracts’). Other such features are the potential use of settlement assets that are neither central bank money nor commercial bank money and that carry additional financial risk, or the interdependencies between multiple functions performed by the arrangement. The applications of FMI rules may also be contingent on the legal qualification of the digital assets, ie whether in a particular jurisdiction, a securities token or a digital representation of a security that exists external to a digital platform would be qualified as a security in the meaning of FMI regulation.

10.144  In order to comply with regulatory expectations for governance,¹⁴¹ a systemically important¹⁴² arrangement for the transfer and settlement of digital securities would need to have a governance structure allowing for clear and direct lines of responsibility and accountability, which may entail the identification of responsible legal or natural persons. These entities would be responsible for the management and mitigation of all types of risks (whether legal, operational, financial, or others) related to the transfer function.¹⁴³ This also entails responsibility for defining and policing access rules as well as a potential liability for fraud, cyber attacks, erroneous transfers, or weaknesses of smart contract protocols or the underlying technology.

(p. 344) 10.145  A particular challenge with complex arrangements based on for example DLT is that—beyond the transfer function—the arrangement may also integrate other functions such as an issuance and registration function, an end-user interface function, or a stability mechanism (such as an underlying pool of assets) which may trigger the application of specific other sets of regulation such as investor protection rules, anti-money laundering regimes, prospectus requirements, etc. This entails an additional challenge for the responsible entities to consider the material risks that the transfer function bears from and poses to other functions and the entities (such as other FMIs, settlement banks, liquidity providers, or service providers) which perform other functions or on which the arrangement relies for its transfer function. At the same time, regulators should consider whether additional guidance may be warranted to avoid overlaps or duplications of potentially relevant regulation.

10.146  Similar issues arise in case of interdependencies with other infrastructure functions such as payments. To the extent that the payment function is integrated in the same technical platform as the securities settlement to support delivery-versus-payment (DvP), questions arise as to whether the platform will have to comply with payment system rules or security settlement system regulation or both regimes at the same time. Furthermore, as with traditional systems, there may be links between a digital securities settlement arrangement and other post-trade infrastructures (for payment, clearing, or settlement, traditional or innovative) to enable DvP or delivery-versus-delivery. This necessitates an appropriate framework for the management of risks posed by or to external infrastructures and the alignment of rules for settlement processes and cross-system finality.

10.147  In all instances, particular attention should be paid to the assets used for money settlement purposes. In accordance with the PFMI, settlement assets should have little or no credit or liquidity risk,¹⁴⁴ such as claims on a central bank (central bank money) or credit institution (commercial bank money). In particular to the extent that the money settlement asset constitutes a new form of representing monetary value (such as a cash/payment token), such usage would not be ruled out per se by the PFMI, but the risk presented by the money settlement asset would need to be carefully assessed. This includes an analysis of whether the money settlement asset provides its holders with a direct legal claim on the issuer and/or claim on, title to, or interest in underlying assets for timely convertibility into other liquid assets such as central bank or commercial bank money, as well as clear and robust processes for fulfilling a holder’s claim in both normal and stressed times.

10.148  Finally, it would have to be determined whether the specific architecture of an arrangement such as DLT-based platforms using consensus mechanisms may only provide (p. 345) probabilistic finality (where there is always a possibility of transaction reversal due to the nature of the consensus model) may be compatible with the expectation to clearly define the point at which a transfer on the ledger becomes irrevocable and technical settlement happens. It should be transparent whether and to what extent there could be a misalignment between technical settlement and legal finality.

10.149  A last set of considerations that may be relevant in the context of regulation of digital securities is the role that third-party service providers may play in providing ancillary services to the issuers, intermediaries, infrastructures, or holders of digital securities. For instance, such role may be performed by the developers of DLT platforms or the providers of non-custodial wallet services. These activities may raise questions as to whether they require some form of license, for instance if the services were to be considered critical for a settlement infrastructure and subsequent supervision or oversight. This may be driven by risk concerns comparable to traditional outsourcing of risk, with a focus on the ability of the user of such services to understand and control risks stemming from the service. To the extent that DLT platforms are developed by anonymous groups of programmers, additional governance issues may occur such as questions of liability for cyber-attacks or weaknesses of the underlying technology. Specific attention needs to be paid to digital operational resilience, the availability of fall-back solutions, and financial stability considerations (single point of failure).¹⁴⁵

10.150  As noted in section E(3), paragraphs 10.120 et seq, regulatory approaches towards digital securities vary across jurisdictions. This holds true for the regulation of the issuance process, for trading and settlement platforms, or custody and secondary trading.

10.151  The approaches taken are reflections of various factors, including national market developments or underlying legal and regulatory frameworks as well as policy objectives and wider economic considerations. Attitudes as to whether preference is given to the mitigation of risks or to fostering financial innovation or supporting financial inclusion play a role as much as the societal consensus on the role of the private sector versus the public offering of certain functions as a public good.

10.152  Thus, on the one side of the spectrum, one can see outright bans on certain transactions or at least prohibitions for certain actors to engage in such activities, on the other end one can see permissive behaviour of regulators or cautious exploration through forbearance to active encouragement through the creation of regulatory sandboxes for (p. 346) new types of actors or services. In between, one can observe attempts to either adjust existing regulation for specific activities or extension of the scope of existing regulation to services leveraging new technologies or business models.

10.153  In the securities field, the regulatory treatment is very closely dependent on questions of legal qualification of certain assets as securities or derivatives and, in particular when it comes to applying existing securities regulation (such as market transparency, prospectus requirements, custody or segregation rules) and enforcement mechanisms. This impacts the determination of whether no new regulation may be needed or whether digital securities and services surrounding them may call for bespoke regulation. The latter may also be determined by fundamental positions on whether financial services should seek to conform with existing regulation (even if services have been designed to function outside established regulatory frameworks) or whether regulation should follow financial developments.

10.154  Overall, those jurisdictions which were primarily concerned about risks were the quickest to act, for instance by clarifying the application of AML rules or by issuing prohibitions. Otherwise, many jurisdictions applied some ‘quick fixes’ to specific areas by clarifying the applicable regulatory regime for certain activities, with only a small number of jurisdictions starting to try to take a more comprehensive view at the digital asset ecosystem and its integration into the wider financial market regulatory framework.

10.155  The below references to actions taken by specific countries and their relevant regulators is meant only to illustrate some prominent cases for different approaches and is by no means meant to be exhaustive.

10.156  A number of regulatory authorities have banned specific activities related to digital assets, albeit with different scope, sometimes focusing on prohibiting only specific entities to engage in certain activities and sometimes banning certain activities altogether.

10.157  In 2018, the Reserve Bank of India (RBI) prohibited any dealings in crypto assets by regulated financial entities, including banks, non-bank financial companies, or payment system providers. However crypto asset trading through other channels is still permitted.¹⁴⁶

10.158  In the same vein, a 2017 joint statement¹⁴⁷ by the People’s Bank of China (PBC) and other government ministries, building on an earlier notice directed at virtual (p. 347) currencies,¹⁴⁸ banned trading platforms from offering crypto assets to fiat currency exchanges and reiterated that Initial Coin Offerings (ICOs) are considered unauthorized public financing. However, trading platforms could still offer crypto-asset-to-crypto-asset exchange activities. In a 2018 notice,¹⁴⁹ the PBC reiterated China’s cautionary stance on crypto assets and ICOs as illegal financing.

10.159  Other jurisdictions have, at least for the time being, refrained from amending their regulatory requirements or introducing new rules, focusing instead in some instances on providing some degree of guidance on the applicability of existing securities regulation.

10.160  In 2017, the Australian Securities and Investments Commission (ASIC) released an information sheet, subsequently updated in May 2019,¹⁵⁰ providing guidance on the regulation of ICOs and crypto assets. The information sheet clarified that crypto assets qualifying as financial products under the Corporations Act will attract relevant regulatory obligations. ASIC stated its primary aim¹⁵¹ is to ensure that products are not misleading or deceptive.

10.161  The US regulatory landscape entails both the federal level and the state level. In the area of securities regulation, at the federal level, the primary regulator is the Securities and Exchange Commission (SEC). So far, the SEC has not yet issued any regulation specific to digital securities. So the question whether existing securities regulation would apply to certain types of digital assets, their custody and trading, depends on whether a particular digital asset would qualify as a security in the meaning of the Securities Act of 1933.¹⁵² In making that determination, the SEC applies the ‘Howey test’ as established by the US Supreme Court.¹⁵³ The Howey test defines securities as investment contracts that involve investment of money or property, in a common enterprise, with profits coming from the sole efforts of people other than the investor. Depending on the (p. 348) determination of digital assets as securities, issuers, custodians, and other relevant parties will have to comply with the relevant securities regulation. In 2020, the SEC issued a statement describing certain conditions under which a broker-dealer could comply with relevant requirements the Securities Exchange Act with respect to digital asset securities.¹⁵⁴

10.162  Key guidance issued by the Canadian Securities Administrators (CSA) in 2018¹⁵⁵ outlines how Canadian securities laws and ‘substance over form’ tests may apply to ICOs and crypto asset investment funds and exchanges. The staff notice noted that many purported ‘utility’ tokens were not eligible to be exempt from securities laws, therefore requiring both a prospectus and the registration of the securities issuer. Under the ‘Pacific Coin Test’, based on the US ‘Howey Test’, a crypto asset is a security if it involves an ‘investment of money in a common enterprise with the expectation of profit that is to come significantly from the efforts of others’.

10.163  In a few instances, the focus of supervisory authorities was limited so far on clarifications concerning the applicability of AML and terrorist financing requirements.

10.164  Following the introduction of a virtual asset (VA) exchanges regulatory regime by the Hong Kong Securities and Futures Commission (SFC) in 2019,¹⁵⁶ the SFC issued a proposal outlining a new regulatory framework that would bring operators of VA exchanges within the formal regulatory perimeter of the SFC, and aims to enhance anti-money laundering and counter-terrorist financing (AML/CTF) regulations in Hong Kong.¹⁵⁷

10.165  Having in mind the desire to enhance regulatory certainty and promoting the attractiveness of their financial centres for fintech companies and start-ups in the field of digital financial services, other jurisdictions have taken efforts to provide specific (p. 349) tailor-made regulation focusing on supporting and regulating the use of specific innovative technologies and technology supported financial services, primarily the use of distributed ledger technology and tokenization.

10.166  As part of a comprehensive legislative project to support a DLT-based token economy (Law on Tokens and Trustworthy Technology Service Providers),¹⁵⁸ in 2019, Liechtenstein addressed the regulation and supervision of technology service providers supporting a token ecosystem by providing specific transparency requirements for tokens similar to prospectus regulations for transferable securities¹⁵⁹ and by setting expectations for ‘trustworthy technologies’, namely DLT technology, as regards the integrity of tokens, their allocation, and exchange.¹⁶⁰ The scope of the TVTG does not deal with any issues covered by other existing financial market regulations.

10.167  Luxembourg took a rather specific approach to adapting its legal and regulatory framework to digital securities based on novel technologies such as DLT. It is reviewing its existing legal framework for intermediated securities through amendments to create a legal basis for the use of secured distributed registries, electronic ledgers and databases for the issuance, registration, and circulation of digital securities¹⁶¹ as well as allowing issuer accounts to be managed by EEA credit institutions and investment firms on a DLT basis without altering the regulatory framework and requirements for the security itself.

10.168  Gibraltar developed a bespoke regulatory framework regime for providers of DLT technology, which took effect in 2018.¹⁶² It applies to firms conducting activities that use DLT for the transmission or storage of value belonging to others and that are not subject to any other regulatory framework. Types of activities that require a DLT license include operating a crypto exchange, custodian service providers and asset storage service providers, crypto wallet providers, and operating DLT-based marketplaces that facilitate the buying and selling of goods and services. Firms carrying out such DLT activities need to be authorized and licensed as DLT Providers by Gibraltar’s Financial Services Commission (GFSC).

10.169  Malta in 2018 issued specific regulation, the Virtual Financial Assets Act,¹⁶³ concerning specific classes of DLT based assets , namely: (i) virtual tokens;¹⁶⁴ (ii) virtual financial assets;¹⁶⁵ (iii) electronic money; or (iv) financial instruments, that are intrinsically dependent on or utilize DLT. Where a DLT based asset is classified under the VFAA as a financial instrument or as e-money, then relevant EU legislation, namely the Prospectus Directive, MiFID II, and the E-money Directive applies. Otherwise, issuers are required to establish a legal entity in Malta, properly register a whitepaper, and comply with governance, security, and ongoing disclosure requirements. VFA Service Providers (which includes VFA exchanges) require a license from the Malta Financial Services Authority (MFSA), with licencing requirements including competency, capital, prudential, governance, risk management, conduct of business, and reporting requirements.

10.170  Furthermore, the Innovative Technology Arrangements and Services Act (ITASA)¹⁶⁶ regulates innovative technology arrangements (ITAs), such as DLT software and architecture or smart contracts, and designated innovative technology services providers (ITSPs), requiring recognition by the Malta Digital Innovation Authority (MDIA), whose role is to function as a regulator.

10.171  Following-up on the legal recognition of DLT-based so-called minibonds (‘minibons’) under the French Commercial Code and the French Monetary and Financial Code by Ordinance n° 2016-520,¹⁶⁷ in 2017 a specific DLT regulation (regulation n° 2017-1674,¹⁶⁸ the ‘DLT Regulation’) extended the possibility to issue and transfer securities on the basis of a DLT system to all unlisted securities. The DLT Regulation was supplemented by dedicated regulation (decree n° 2018-1226)¹⁶⁹ which specifies further requirements for DLT systems, such as integrity, identification of the owner and the type and number of financial instruments it owns, a business continuity plan, and ensuring access to transaction data.

(p. 351) 10.172  Furthermore, in 2019, France regulated the issuance of digital assets not classified as financial instruments (such as Initial Coin Offerings) and intermediaries providing crypto asset services through legislation for markets in digital assets (the ‘PACTE law’).¹⁷⁰ Issuers have the ability, but not the obligation to apply for a ‘visa’ from the French Financial Markets Regulator (AMF) in return for filing an information document and by complying with anti-money laundering (AML) duties. Likewise, intermediaries such as custodian wallet providers and crypto/fiat exchange service providers are subject to a mandatory AML registration, while all intermediaries including platforms and investment advisers may apply for an optional license.

10.173  In 2021, Germany adopted a law on digital securities and the custody of such digital securities.¹⁷¹ This legislation aims to provide a framework for issuing securities without issuing a certificate, including through the use of DLT or blockchain technologies, whilst submitting these securities are subject to the same legal requirements as certificated securities. It includes requirements relating to entry into specific digital securities registries. The respective digital registries may be operated by licensed central securities depositories (Wertpapiersammelbanken) or a new type of digital registrar, which will be subject to licensing, specific requirements for the administration and safeguarding of digital securities, as well as supervision by the German supervisory authority (BaFin).¹⁷² This new regime is meant to apply to any custody service providers operating in Germany, regardless of whether they are physically established in the country.

10.174  Finally, a group of jurisdictions has been trying to review and overhaul their regulatory frameworks to provide a comprehensive set of requirements for digital assets and digital asset services, including digital securities, digital payments, hybrid instruments, and related activities.

10.175  The Monetary Authority of Singapore (MAS) in 2017 issued comprehensive guidance on the application of relevant laws and regulation administered by MAS in relation to offerings or issuance of digital assets in Singapore (A Guide to Digital Token Offerings).¹⁷³ Whilst the guidance is ‘not exhaustive, has no legal effect and does not (p. 352) modify or supersede any applicable laws, regulations or requirements’, it clarifies in a detailed manner that digital assets and related services that qualify as capital markets products must comply with the Securities and Futures Act (SFA).¹⁷⁴ MAS is focussing on the concept of token,¹⁷⁵ considering that a token is a capital markets product under the SFA if it resembles either an ownership interest in a corporation or a product, debt, or a share in an investment scheme. Correspondingly, digital payment token services (account issuance, domestic money transfer, cross-border money transfer, merchant acquisition, e-money issuance, digital payment token, and money-changing services) are subject to payments oversight requirements issued by MAS.

10.176  If a digital token is deemed to be a capital market product, the offer or issue of such digital security will be treated by MAS identically to any other capital market product under the SFA, which includes the requirement that the offer be accompanied by a properly prepared prospectus registered with MAS, subject to certain exemptions.¹⁷⁶ MAS stressed that exemptions are subject to certain conditions, which includes advertising restrictions, authorization, and recognition requirements (when an offer is made in relation to units of a collective investment scheme).

10.177  The Guide further specified that certain intermediaries might be required to hold certain licenses or seek approval from MAS, unless otherwise exempt.¹⁷⁷ Any intermediary which facilitates primary offers or issues of digital securities tokens must hold a Capital Markets Services License for that regulated activity under the SFA. Further, any intermediary that establishes or operates a trading platform in Singapore in relation to digital securities tokens must be approved by MAS as an approved exchange or recognized by MAS as a recognized market operator under the SFA. SFA requirements apply to a person that operates a primary platform, or trading platform, partly in or partly outside of Singapore, or outside of Singapore.

10.178  The European Commission in 2020 adopted a ‘Digital Finance Package’,¹⁷⁸ which includes inter alia legislative proposals on crypto assets and digital operational resilience. The aim is to make Europe’s financial services more digital-friendly and to stimulate responsible innovation and competition among financial service providers in the EU.

10.179  The proposed legislation on crypto assets (defined as a digital representation of values or rights that can be stored and traded electronically) consists of a draft Regulation on Markets in Crypto-assets (MiCA).¹⁷⁹ It aims to provide legal clarity and certainty for (p. 353) crypto asset issuers and providers and allow operators authorized in one Member State to provide their services across the EU (‘passporting’). It foresees specific safeguards including capital requirements, rules for the custody of assets, a mandatory complaint procedure available to investors, and rights of the investor against the issuer.

10.180  The package also contains a ‘DLT pilot regime’¹⁸⁰ for market infrastructures that wish to try to trade and settle transactions in financial instruments in crypto asset form. The pilot regime foresees a so-called ‘sandbox’ approach that allows temporary derogations from existing rules applicable to exchanges and SSSs so that regulators can gain experience with the use of distributed ledger technology in market infrastructures, while ensuring that they can deal with risks to investor protection, market integrity, and financial stability. The intention is to allow companies to test and learn more about how existing rules fare in practice.

10.181  Another element of relevance is a legislative proposal on digital operational resilience, called ‘Digital Operational Resilience Act’ (DORA).¹⁸¹ The proposed legislation will require all firms to ensure that they can withstand all information and communication technology (ICT) related disruptions and threats and introduces an oversight framework for ICT providers, such as cloud computing service providers.

10.182  As outlined above, approaches taken by regulatory authorities in response to the advent of digital financial innovations can differ considerably. Fintech firms, in particular those which are highly agile and mobile, may converge towards jurisdictions with regulatory frameworks that are perceived to be comparably light-touch and accommodating. At the same time, in particular with the entry of major global players into the digital financial service markets, there may be an emergence of innovative arrangements leveraging digital technology and global customer bases to offer services in multiple jurisdictions. The results may lead to regulatory arbitrage and asymmetries which could be significant across jurisdictions if national regulatory responses continue to differ substantively and gaps, overlaps, and conflicts occur. Ultimately, there could be global policy inconsistencies if economically equivalent assets are treated differently for regulatory purposes.

10.183  International regulatory collaboration and co-operation can mitigate potential harms of regulatory arbitrage by creating a more consistent, harmonized, and co-ordinated regulatory framework, in addition to enforcement measures across jurisdictions. These have been the key objectives of global standard-setting bodies in the financial (p. 354) regulatory sphere, such as the Financial Stability Board, the Financial Action Task Force, the Basel Committee on Banking Supervision, the Committee on Payments and Market Infrastructures, the International Organization of Securities Commissions, or the Organisation for Economic Co-operation and Development. Digital asset related policy making and regulations at the domestic level can be shaped by global standards and best practices issued by these bodies, leading to regulatory convergence which, in turn, may facilitate international regulatory cooperation.

10.184  Global standard-setting bodies are working actively on a variety of issues relating to digital assets, with a particular focus on investor and consumer protection, market integrity, risk management, financial stability monitoring, and AML/CFT.

10.185  The FSB mandate is to promote international financial stability; it does so by co-ordinating national financial authorities and international standard-setting bodies as they work toward developing strong regulatory, supervisory, and other financial sector policies. It fosters a level playing field by encouraging coherent implementation of these policies across sectors and jurisdictions.¹⁸²

10.186  Starting in 2018, the FSB undertook work to consider risks to financial stability from crypto assets. Its work concluded that based on the available information, crypto assets do not pose a material risk to global financial stability at this time. However, vigilant monitoring is seen necessary in light of the speed of market developments. Should the use of crypto assets continue to evolve, it could have implications for financial stability in the future. Such implications may include: confidence effects and reputational risks to financial institutions and their regulators; risks arising from direct or indirect exposures of financial institutions; risks arising if crypto assets became widely used in payments and settlement; and risks from market capitalization and wealth effects.¹⁸³ The FSB is constantly monitoring the regulatory work undertaken by regulators,¹⁸⁴ however, since 2020 with a primary focus on global stablecoin arrangements, issuing 10 high-level recommendations concerning the regulation of such arrangements.¹⁸⁵

10.187  The FSB also prepared a directory of relevant regulators and other authorities in FSB jurisdictions and international bodies who are dealing with crypto asset issues, and the aspects covered by them.¹⁸⁶

10.188  The FATF is the inter-governmental body setting the international standards for anti-money laundering and countering terrorist financing (AML/CFT), the FATF (p. 355) Recommendations,¹⁸⁷ working to generate the necessary political will to bring about national legislative and regulatory reforms in these areas.

10.189  In 2018, the FATF adopted changes to its Recommendations to explicitly clarify that they apply to financial activities involving virtual assets, and also added two new definitions in the Glossary, ‘virtual asset’ (VA) and ‘virtual asset service provider’ (VASP). The amended FATF Recommendation 15¹⁸⁸ requires that VASPs be regulated for anti-money laundering and combating the financing of terrorism (AML/CFT) purposes, licenced or registered, and subject to effective systems for monitoring or supervision. In June 2019, the FATF adopted an Interpretive Note to Recommendation 15 to further clarify how the FATF requirements should apply in relation to VAs and VASPs,¹⁸⁹ in particular with regard to the application of the risk-based approach (RBA) to VA activities or operations and VASPs; supervision or monitoring of VASPs for AML/CFT purposes; licensing or registration; preventive measures, such as customer due diligence, recordkeeping, and suspicious transaction reporting, among others; sanctions and other enforcement measures; and international co-operation. The FATF also clarified the application of requirements on accurate originator information and required beneficiary information on virtual asset transfers, the so-called ‘travel rule’ to VASPs.

10.190  Whilst primarily covering digital representation of value that can be digitally traded, transferred, or used for payment, the Recommendations may also apply to securities service providers as well as virtual assets considered as securities in a particular jurisdiction.¹⁹⁰

10.191  The FATF is also actively looking into the opportunities that new technology can offer to improve AML/CFT efforts. In this regard, the FATF is focussing on innovative skills, methods, and processes that are used to achieve goals relating to the effective implementation of AML/CFT requirements by the private sector and innovative ways to use established technology-based processes to comply with AML/CFT obligations.¹⁹¹

10.192  The Basel Committee on Banking Supervision (BCBS) is the primary global standard setter for the prudential regulation of banks. Consequently, its primary interest in digital assets is to consider the risk implications for banks engaging in activities related to such assets.

10.193  In 2019, the BCBS published a number of high-level supervisory expectations for banks engaging in crypto assets,¹⁹² relating in particular to due diligence analysing the risks (p. 356) to crypto assets, governance and risk management, disclosure of material crypto asset exposures or related services, and a supervisory dialogue.

10.194  Furthermore, in 2021 the BCBS released a consultative document on the prudential treatment of crypto asset exposures,¹⁹³ which suggests to classify crypto asset exposures in two categories. Group 1 are assets which fulfil a set of classification conditions and as such are eligible for treatment under the existing Basel Framework (with some modifications and additional guidance), including certain tokenized traditional assets and stablecoins. Group 2 are crypto assets such as bitcoin that do not fulfil the classification conditions. Since these are seen to pose additional and higher risks, they should be subject to a new conservative prudential treatment.

10.195  IOSCO is the international body for securities regulators and is recognized as the global standard setter for the securities sector. IOSCO develops, implements, and promotes adherence to internationally recognized standards for securities regulation. In line with its mandate, IOSCO has been focusing so far mainly on investor protection issues related to offerings of digital assets and trading platforms that facilitate the secondary trading of crypto assets.

10.196  Building on earlier research work on financial technologies,¹⁹⁴ in particular DLT, IOSCO considered crypto assets as a type of private asset that depends primarily on cryptography and DLT or similar technology as part of its perceived or inherent value, and can represent an asset such as a currency, commodity, or security, or be a derivative of a commodity or security. Where a regulatory authority has determined that a crypto asset or an activity involving a crypto asset falls within its regulatory remit, the IOSCO’s Objectives and Principles of Securities Regulation (the IOSCO Principles)¹⁹⁵ should apply in principle.

10.197  In a report of 2020,¹⁹⁶ IOSCO provided more detailed guidance on issues and risks associated with the trading of crypto assets on crypto asset trading platforms (CTPs). The report provides key considerations and toolkits that are intended to assist regulatory authorities who may be evaluating CTPs within the context of their regulatory frameworks, in particular as regards access to CTPs, safeguarding participant assets, conflicts of interest, operations of CTPs, market integrity, price discovery, and technology.

10.198  IOSCO has also been focusing on investor protection, providing an overview of securities regulators’ statements on the risks of initial coin offerings.¹⁹⁷ Moreover, in 2020, IOSCO published a report on education of retail investors regarding risks of crypto (p. 357) assets,¹⁹⁸ outlining types of crypto assets and the main risks associated with these instruments and offering guidance on education and information of the public.

10.199  The CPMI is the international standard-setter in the area of payment, clearing, settlement and related arrangements. In line with its mandate, the main focus of the CPMI on matters related to digital assets has been in the areas of payments and financial market infrastructures (FMIs).

10.200  When it comes to digital assets, one key focal area is on payments-related emanations such as central bank digital currencies,¹⁹⁹ but also on the risks and implications of other form of digital means of payment such as crypto currencies or stablecoins.²⁰⁰ However, there is also the wider area of FMIs, which include security settlement systems and central securities depositories. Here, the work of the CPMI focussed in particular on the implications of new technologies such as DLT for FMIs.

10.201  In this respect, the CPMI has prepared an analytical framework²⁰¹ for central banks and other authorities to review and analyse the use of this technology for payment, clearing, and settlement. The main aim of the framework is to help understand the uses of DLT and, in doing so, identify both the opportunities and challenges associated with this technology in a critical part of the financial system. Whilst this is helpful in itself and also is a contribution to the dialogue on how industry can use innovation to support robust, efficient, and safe payment, clearing, and settlement systems, the primary purpose of this framework is that it can serve as a blueprint for central banks and other relevant authorities to structure regulatory requirements for the use of DLT technology. The framework looks at the safety and efficiency of FMIs as well as wider financial markets implications. Safety considerations include operational and security risk, settlement issues, legal risk, governance, data management and protection, while efficiency considerations encompass speed of settlement, costs of processing, reconciliation, credit and liquidity management, as well as automated contract tools.

10.202  Additionally, through a joint working group with IOSCO, the CPMI monitors innovations in clearing and settlement and their impact on the current standards for financial market infrastructures (the PFMIs),²⁰² with a view on potential guidance on the application of the PFMIs to transfer arrangements involving digital assets. Key issues of attention here are governance and risk management, the regulatory perimeter, settlement assets, finality, participation and access.

10.203  The OECD and its Committee on Financial Markets worked on crypto assets and applications of DLT in the financial markets. The Committee examined ICOs as one of the most prominent applications of DLT for financing, leading to the publication of a report in 2019²⁰³ looking at the potential benefits from the use of regulated ICOs for small business capital formation, issuing and trading of tokens, limitations in the structuring of ICOs, as well as risks to which investors subscribing to ICO offerings and small and medium-sized enterprises issuing tokens are exposed to. The report examined policy implications of such activity related to regulation and supervision of token issuances on a national and cross-border basis, financial consumer protection, and financial education, and called for clarity and proportionality in the regulatory and supervisory framework applied to ICOs.

10.204  DLT is a young, still developing technology that has only started to find broad, commercially significant application in commercial practice. It is therefore notable that legislators in several jurisdictions have been trying to create favourable framework conditions for this technology. The breadth and depth of this reform movement is extraordinary and possibly without parallel in the history of technical innovations. The backdrop of these developments is a widely shared understanding that DLT has the potential to fundamentally change the way securities are issued, held in custody, traded, and managed, as well as an emerging consensus that these applications will fundamentally change the trading and post-trading infrastructure of capital markets.

10.205  An appropriate private law framework for DLT-based securities is a necessary, but not sufficient condition for realizing the full potential of this new technology. While the scope and the technical approach of the reforms undertaken so far differs considerably, they are mostly based on concepts and notions of traditional securities law. Like certificated securities, digital securities are conceptualized as digital representations of a claim, a right, or another financial or non-financial asset. Like certificated securities, digital securities can be controlled by the holder of the private key in a manner which is fully equivalent to the direct possession of physical securities. The person reflected in the distributed ledger as the holder is considered to be the legitimate creditor, and the transfer of the digital security in accordance with the rules of the underlying DLT protocol transfers the right represented to the transferee. Digital securities therefore assume all relevant functions certificated securities have assumed so far.

10.206  Compared to the process for the codification and regulation of intermediated securities the legal framework for digital securities is much more straightforward. The complexity (p. 359) resulting from multi-tiered holding systems, which are typical for intermediated securities and which are greatly exacerbated in cross-border situations, is mostly absent in the holding structure of digital securities. The private-public-key infrastructure which is a core component of any blockchain or DLT system permits to distinguish factual control and legal ownership, again very similar to certificated securities. At the same time, the registration of the holder of digital securities in a public blockchain provides effective publicity, unlike the securities account to which intermediated securities are credited and which are accessible only to the securities intermediary maintaining the account and the account holder (if at all).

10.207  From a legal and operational perspective it seems highly likely that future generations of the infrastructure for the issuance, custody, trading, and the clearing and settlement of securities transactions will be built on the basis of DLT systems. They promise to be more efficient and much more interoperable than current systems and will therefore gradually replace the existing intermediated infrastructure in due course. This will put pressure on other jurisdictions to make their securities law fit for the future.

10.208  From a regulatory perspective, the emergence of digital securities is raising some fundamental questions on the scope and function of regulation as well as on the perimeter of existing regulatory requirements in view of novel arrangements or services crossing sectoral boundaries.

10.209  Key challenges triggered by technological innovation leveraging digitization, cryptography, tokenization, and decentralization in the field of financial markets and securities regulation encompass the determination of the regulatory addressee and the avoidance of gaps, overlaps, and duplication of requirements, in particular if new services or activities cross the boundaries of traditional regulatory categories.

10.210  Regulatory frameworks need to be constantly reviewed to ensure their continued effective functioning in a rapidly evolving market environment. This, in turn, requires legislators, regulators, and supervisors to acquire and keep up-to-date the relevant knowledge to comprehensively understand technology, underlying protocols/codes, and to adequately assess their functioning. The work of global standard-setters is instrumental here to identify international best practice and to provide harmonized regulatory standards to avoid regulatory fragmentation and arbitrage.

10.211  Furthermore, the intrinsic borderless nature of service offerings using the digital space raises questions as to the regulatory perimeter. The cross-sectoral and cross-jurisdictional dimension puts a particular emphasis on the need for authorities to closely co-operate and co-ordinate their respective regulatory and supervisory authorities. This holds true for the co-operation across different types of authorities within a given jurisdiction that have a legitimate interest in digital assets and related arrangements and services, such as securities market regulators, central bank overseers, bank supervisors, AML authorities, consumer protection authorities, data protection authorities, and competition authorities. But it also holds true for the need of those authorities from (p. 360) relevant jurisdictions having an interest in an arrangement or service with cross-border relevance, which may entail the creation of tailor-made co-operative arrangements ranging from bilateral co-operation to global colleges for global systemic digital securities arrangements.²⁰⁴ As the FSB notes: ‘Authorities should cooperate and coordinate with each other, both domestically and internationally, to foster efficient and effective communication and consultation in order to support each other in fulfilling their respective mandates and to ensure comprehensive regulation, supervision, and oversight . . . ’.²⁰⁵