The crypto industry has seen a recent boom in attention and growth, with new projects and innovations driving the space following the media attention associated with the recent bull market and subsequent crash. Many in the industry in Canada are in search of regulatory clarity, and as the crypto market moves towards legitimacy and stability, regulators are working side-by-side with proponents and experts to develop frameworks around investor protection and issuer disclosure. The two major focal points for regulators surround:
- which crypto assets constitute a “security” under securities laws, and
- what requirements exist for entities operating in the crypto space with regard to registration and disclosure.
This article will discuss these focal points, highlighting the challenges the crypto industry presents to regulators in its complexity, novelty, and rapid evolution.
- Is crypto a security? Canadian securities regulators have not taken a definitive position on whether any individual crypto asset is a “security”, instead indicating that individual facts always matter: if investors’ rights to a particular crypto asset are in the nature of an “investment contract”, then those contractual rights will be regarded as a security and subject to regulation.
- Not your keys, not your coins: If an investor in Canada holds crypto assets on a centralized exchange that keeps custody of those assets in wallets with private keys controlled by the exchange, the investor does not hold those assets, but rather a Crypto Contract representing an interest in those assets. This Crypto Contract is an investment contract under Canadian securities laws even if the underlying asset is not a security, because that contract is subject to the performance, custody, counterparty and liquidity risks of the exchange.
- Drawing a line in the sand: Recent decisions of the Ontario Securities Commission’s Capital Markets Tribunal have found Bybit and KuCoin, two foreign exchanges providing services to Canadian investors, to be in breach of Ontario securities laws with regard to issuing securities.
The state of crypto
Much of the attention surrounding the crypto world has been focused on the price fluctuations of the major digital assets (“tokens” or “crypto assets”), namely Bitcoin and Ethereum, and the advent of non-fungible tokens (“NFTs”). An ecosystem is being built on top of these pillars, including lending and borrowing platforms, centralized and decentralized exchanges, video games, and communities of individuals sharing similar interests. Much of this development has been “tokenized” to represent shared interest and ownership in these projects, with the token generally representing something between a vehicle for speculation and a membership to a community. The network effects and profit potential of these communities have inspired developers and entrepreneurs to continue to build on the core primitive innovations of blockchains, cryptographic proofs, and digital ownership, providing opportunities for both creativity and speculation.
A key area of development has occurred in Decentralized Finance (“DeFi”), a burgeoning digital marketplace developed to provide an alternative to traditional banking. This ecosystem includes “stablecoins” pegged to the US dollar for ease of denomination and transaction. Some of these stablecoins are collateralized one-to-one with dollars for stability, while others rely on fractional reserve banking methods or even algorithms to keep price stable (the latter with mixed results). Decentralized trading exchanges utilize the advent of Automated Market Makers to match buyers to sellers without an intermediary, with users providing liquidity and enjoying a share of trading fees. Lending and borrowing platforms bring leverage onto the blockchain, with users providing collateral to borrow liquid assets from other users who earn banking fees.
These developments have provided for a rapid financialization of the industry, flooding the market with a combination of novel and promising projects, thinly veiled clones, and outright Ponzi schemes. There is an opportunity for growth and speculation, but also a high degree of risk because currency, trading, and lending are heavily regulated sectors in traditional finance but largely unregulated in crypto markets to date.
While the primary innovations in the space have occurred in DeFi, most retail investors lack the capacity to invest directly in this area due to its complexity and technical barriers to access. Most institutional investors are unable to invest due to their limited mandate and the inherent risks in holding custody of large amounts of crypto assets. Instead, retail and institutional investors alike have turned to centralized exchanges that provide exposure to the DeFi space without having to transact “on-chain” and hold custody over private keys.
These centralized exchanges provide many benefits to institutional and retail investors in what can otherwise be an ocean of uncertainty. Centralized exchanges provide access to liquidity, a counterparty to lend and borrow, and custodial and clearing services for tokens.
Several exchanges are registered with the relevant securities regulators, either fully licensed or alternatively in the Canadian Securities Administrator’s (“CSA”) “Regulatory Sandbox”, which gives exchanges the opportunity to operate whilst they work collaboratively with the CSA to ensure compliance. Others have failed to register in Canada entirely, and are continuing to operate internationally despite warnings from securities regulators in multiple jurisdictions. For example, the British Columbia Securities Commission regularly issues “Investment Caution” lists to warn the public about various crypto investment and trading vehicles operated in BC, but which are not registered to trade in, or advise on, securities or derivatives in BC.
The DeFi space has spent the last five years digitally recreating innovations in traditional finance that developed over hundreds of years, innovations that regulators have had decades to grasp and provide guidance on. The crypto industry is speed-running many of the critical areas of finance in a largely unprecedented way, while the rest of the world tries to get a grasp on what crypto even is. While practices have developed that are sustainable and useful, the industry has been mired by behaviour that is potentially dangerous or essentially a grift. Regulatory treatment of these matters will help to determine the trajectory of crypto moving forward, both in helping to legitimize developments that are beneficial to society and limiting elements that could pose an existential risk to financial markets and investor protection.
Which tokens are securities?
CSA Staff Notice 46-308: Securities Law Implications for Offerings of Tokens provides guidance on the way Canadian securities regulators approach the question of whether any individual token is a security or something else entirely. More recent CSA guidance, including Consultation Paper 21-402: Proposed Framework for Crypto-Asset Trading Platforms (“CP 21-402”), has not taken a position on whether any individual crypto asset is a security or otherwise. Instead, securities regulators in Canada have honed in on identifying the means through which a crypto asset is held on a centralized exchange to assert jurisdiction.
The United States Securities and Exchanges Commission (the “SEC”) has indicated that it considers both Bitcoin and Ethereum to be a commodity for the purposes of regulation. Currently in Canada, crypto assets are generally taxed as commodities. Whether a particular asset is a commodity or a security will likely depend on a number of factors, including the ways in which network revenues or fee generation can be attributed to a token (an expectation to profit), whether the mechanism through which validators secure the network is sufficiently decentralized, and whether there is a central third party operating the network and making decisions (depending upon the efforts of third parties).
Defining “security” in Canada
In Canada, securities laws take a “catch and release” approach by providing a wide definition of “security”, but including numerous exceptions based on the policy purposes of enforcing the rules. In edge cases, the definition of an “investment contract”, a type of security, is used to bring instruments that act as securities or derivatives under the jurisdiction of securities regulators. To determine whether an instrument is an investment contract, regulators typically apply the test found in Pacific Coast Coin Exchange of Canada v Ontario (the “Pacific Coast test”).
The test contains four elements as follows:
a. an investment of money;
b. with an intention or an expectation of profit;
c. in a common enterprise in which the fortunes of the investor are interwoven with and dependent upon the efforts and success of those seeking the investment or of third parties; and
d. where the efforts made by those other than the investor are undeniably significant, essential managerial efforts which affect the failure or success of the enterprise.
The Pacific Coast test is a Canadian adaptation of the well-know Howey test in the United States, expanding on the idea of the “efforts of others” to specify that those efforts that are “undeniably significant” are the efforts in question, leaving room for smaller contributions by the investor while still meeting the test.
Regulators have indicated that they will take a fact-based approach considering the purposes of investor protection; it is not an assurance that this test will be met in any given case. However, several factors common to crypto projects point in favour of many crypto assets potentially being securities.
“An expectation of profit”
Speculative demand has admittedly driven much of the attention surrounding crypto – many participants simply want to see the number go up. Proponents of projects with tokens have responded by deploying various methods of value-accrual, colloquially referred to as “tokenomics”, to attempt to link their token to some form of revenue generation or price appreciation that drives demand. Most of these value-accrual methods are comparable to methods used in traditional markets, such as stock buybacks and dividend payments.
In crypto, a token will often be issued by a project proponent, with percentages of ownership being apportioned to early users (often claimable through an “airdrop”), early investors like Venture Capital firms, founders of the project, and to a treasury to be used to develop the project, for example by paying out grants to contributors. These tokens are then released onto the open markets over time, sometimes through vesting schedules, for retail investors.
Tokens are often marketed as “utility tokens” having a governance function on their network. Owners can use their tokens to vote on governance proposals in forums designed to provide a decentralized method of decision-making. The aim of this method is to ensure that no one proponent dictates the direction of the project.
However, while governance is an internal use-case for a token, it does not necessarily drive value. To make a token valuable, many projects ensure that the fees or revenues generated from the project are paid back to the owners of the token.
One example of this is through “buyback and burn” mechanisms. In a buyback and burn mechanism, the entity that receives the fee generation or revenues from the project will use this profit to buy, on the open market, an equivalent amount of the token from the outstanding float. When they do this, they send the tokens to a “burn address”, a crypto wallet that no one has access to, thus rendering these coins out of circulation, similar to cancelling shares in traditional markets. This temporarily increases demand for a token, thus theoretically raising the price of the remaining tokens and rewarding holders.
A second method of value-accrual is to directly pay token holders a percentage of profits generated. There have been several novel ways of doing this, all of which operate like dividends. One way is to offer for holders to “stake” or “lock” their tokens for a certain period, and pay them a percentage yield on their staked tokens proportional to the amount they own and the length of time they stake or lock for. This percentage yield represents an inflation of the supply of a token, as the yield is generally paid out in new issuance of the token.
Both of the above methods trigger various reporting requirements under existing securities regulation in traditional markets, including the need to comply with “issuer bid” requirements for buybacks and the prospectus requirement for distributing securities. These methods also potentially indicate that there is a central entity making the decisions, and that the network is not truly decentralized.
Decentralizing the “significant managerial efforts”
The decentralization of crypto projects serves as a way to call into question the last two factors of the Pacific Coast test. If a project is fully decentralized such that there is no central authority with the ability to dictate the direction of the project, the value of the token, or any particular policy proposal, it is possible that that there are no “undeniably significant, essential managerial efforts” of third parties.
However, in practice, only a select few crypto assets have been able to achieve true decentralization, with Bitcoin being the closest to date. The quality of decentralization of most projects has been hotly contested and debated. A project would need a dispersion of ownership of tokens, a volume of network validators such that no one group of validators has control, and true consensus decision-making through direct democracy to the extent that no leadership group can dictate outcomes. This is a daunting challenge for any crypto project.
One should question whether a project is truly “decentralized” when considering the applicability of securities laws.
Crypto Contracts as investment contracts
Regardless of whether any individual token is a security, securities regulators will have jurisdiction over most activity occurring on centralized exchanges, referred to by the CSA as a “Crypto Trading Platform” (“CTP”), based on the method through which these transactions occur.
Regulators have identified a “Crypto Contract” as being the contractual right to a crypto asset that an end user has when they hold a deposit on a CTP. A Crypto Contract is an investment contract under the definition of security, even if the underlying crypto asset is not itself a security.
CP 21-402 and subsequent CSA Staff Notice 21-327: Guidance on the Application of Securities Legislation to Entities Facilitating the Trading of Crypto Assets elaborate on where a Crypto Contract exists, and whether securities laws apply. If the crypto asset is immediately delivered to the end user such that the end user is free to use the asset without the involvement or reliance of a CTP, then no Crypto Contract exists. This means that transactions that end in a user-controlled wallet (i.e. browser extension wallets or cold storage wallets where the user maintains their own private keys) independent of the CTP are not Crypto Contracts.
However, the vast majority of CTPs hold custody over crypto assets on behalf of users, holding them in wallets controlled by the CTP and only providing them to a client-controlled wallet when the end user requests a withdrawal. These arrangements are likely to be investment contracts, triggering the requirements for registration and a prospectus (or an exemption from those requirements) under the relevant securities laws.
Securities regulators have provided key investor protection and systemic risk management rationales for their assertion of jurisdiction over Crypto Contracts. While the crypto assets remain on the exchange, they are subject to custodial, counterparty, solvency, credit, misappropriation and hedging risk, among other risks. The end user’s funds are inextricably tied up in the significant efforts of the CTP and are subject to its success or failure. These risks are highlighted in CP 21-402 and elaborated on in Staff Notice 51-363: Observations on Disclosure by Crypto Asset Reporting Issuers (“SN 51-363”).
SN 51-363 highlights key material information that should be disclosed by crypto asset reporting issuers. This includes information about custody, including self-custody through multi-signature cold storage wallets, or if the issuer is using a third party custodian or CTP, then the identity and location of the custodian, as well as information on the contractual claims against the custodian and treatment of assets on the insolvency of the custodian.
The reliance relationship between the end users and the CTPs has been underscored by news events in recent months, including major crashes and liquidity crises in crypto markets, and multiple major international CTPs pausing withdrawals of client funds due to liquidity issues stemming from counterparties failing to meet margin calls. The SN 51-363 disclosure would undeniably have been helpful in identifying the risks that caused the crash. Without conforming to regulatory guidance, platforms have been loaning user funds out to hedge funds without the requisite collateral to call in the loan when the hedge fund’s investments go sour, and without the relevant disclosure to determine the credit-worthiness of the hedge fund. These events provide a regulatory justification for more extensive disclosure requirements in future.
Two recent decisions of the Ontario Securities Commission’s (the “OSC”) Capital Markets Tribunal (the “Tribunal”) have shown how securities regulators are applying their guidance. The Tribunal reached a settlement agreement including a comprehensive undertaking with Bybit Fintech Limited (“Bybit”), and filed administrative penalties, a cease trade order and a permanent ban on Mek Global Limited and PhoenixFin Pte Ltd (collectively, “KuCoin”) for failing to begin conversations around registration and regulation with the OSC by their stated deadline.
Both of these institutions are foreign entities operating within Canada without registering with the relevant securities regulators. Both of them provide centralized exchange functions to Canadian retail investors, and both hold custody over assets on behalf of end users. In both cases, the Tribunal found that Crypto Contracts existed between the entities and Ontario residents, and thus the entities were in breach of Ontario securities laws.
The difference between the cases is that Bybit cooperated with the Tribunal’s investigation, whereas KuCoin continued to ignore the Tribunal’s requests. As such, Bybit’s undertaking restricts its Ontario business, prohibiting them from taking on new customers and winding down the accounts of existing customers while it pursues registration with the OSC, while KuCoin is permanently banned from participating in Ontario markets.
In their Bybit decision, the Tribunal found that Bybit maintains custody of crypto assets deposited and traded on their platform in wallets Bybit controls. In practice, though they purport to facilitate trades, Bybit only provides its investors with instruments or contracts involving crypto assets, which are securities and derivatives for the purposes of securities laws. Engaging in these Crypto Contracts means that Bybit is engaging in the business of trading in securities without registration and distributing securities without a prospectus or prospectus exemption.
In the KuCoin decision, the Tribunal analyzed the Pacific Coast test to determine whether KuCoin’s operations amounted to trading and distributing securities. The Tribunal restated that the OSC does not take a position on whether any individual crypto asset is a security, but rather found that an investor’s contractual rights to the assets that the investor trades are securities. The Tribunal found that making these trades available to investors represents a risk to the OSC’s purpose of investor protection, as investors are dependent on KuCoin’s actions, custody and solvency to manage and deliver on the Crypto Contracts issued to investors.
The Tribunal’s findings in the Bybit and KuCoin decisions confirm that trading platforms are likely caught by the wide net of securities regulation when they engage in providing custody of crypto assets for clients.
The crypto industry provides a unique challenge for regulators in that it is internet-native, fast-moving, international and decentralized, making assertion jurisdiction and enforcement of regulations challenging. Canadian securities regulators have identified a clear area of jurisdiction where exchanges are keeping custody of the assets of end-users, and have now shown a willingness to take enforcement action in this area. While further guidance on the status of specific assets may or may not be forthcoming in Federal or Provincial legislation, in the interim serious and responsible operators in the industry will work alongside regulators to find a path to compliance. The crypto industry in Canada stands to benefit from regulatory clarity and further transparency on the various risk factors associated with being involved in the crypto space, and efforts to legitimize crypto activities from proponents and activists continue to be welcomed across the board. While attention rises and falls, clarity between the private sector and regulators on what practices are compliant will be key to creating a sense of stability and legitimacy in the Canadian crypto economy.