INSIGHT

Regulating crypto: Government releases consultation paper on proposed licensing and custody requirements

By Simun Soljo, David Rountree, Kerensa Sneyd, Gabor Papdi, Isaac Nankavill
Banking Cybersecurity & Privacy Financial Services Fintech Technology

Proposed licensing regime for crypto asset services providers and requirements for custody of crypto assets 13 min read

The Federal Government is seeking feedback on a proposed new licensing regime for crypto asset secondary service providers (CASSPrs) and new requirements regulating custody of crypto assets. The new regime would potentially sit alongside the existing AFS licensing regime, with possible overlap and inconsistency in treatment of service providers. The Government is also seeking early views on how crypto assets should be defined and categorised as part of a 'crypto mapping' exercise. The consultation period runs until 27 May 2022.

Key takeaways

  • The Federal Government recently released 'Crypto asset secondary service providers: Licensing and custody requirements' (the Consultation Paper), seeking feedback on a set of proposals for regulating crypto asset service providers (CASSPrs) and custody of crypto assets.
  • Key features of the proposed regime include:
    • A new CASSPr licensing regime, separate from the AFS licensing regime, which would impose obligations on CASSPrs that mirror many existing obligations on AFS licensees
    • New obligations on providers of custody services to provide minimum standards for safe custody of crypto assets
  • The Government is also consulting on how CASSPrs and crypto assets should be defined, as well as seeking early views on its 'crypto mapping' exercise.
  • The consultation is important for any entity currently providing services or dealing in crypto assets (or considering doing so). The proposals in the consultation paper have been positioned at a high level, and there are many important points of detail to work through before any new regime is implemented. This includes how the new regime will interact with existing legal obligations and the extent to which a new licensing regime will overlap with the AFS licensing regime, potentially resulting in inconsistent treatment for service providers (those with and without an AFS licence).
  • Interested parties should consider making a submission. The consultation period runs until 27 May 2022.

Background

The Federal Government released the Consultation Paper on 21 March 2022. This follows on from the Government's Transforming Australia's Payments System response paper (see our Insight), as well as the report of the Senate Select Committee on Australia as a Technology and Financial Centre (see our Insight), and adds some substance to the policy positions and recommendations.

The Government is seeking feedback on a proposal to introduce a licensing regime administered by ASIC that would apply to CASSPrs. The regime would be based on, but separate from, the Australian financial services licence (the AFSL) and Australian market licence regimes.

Under the proposed new model, the licensing regime would apply to services provided to retail clients in relation to crypto assets that are not financial products. Services provided in relation to crypto assets that are financial products will remain regulated by the AFSL and Australian market licence regimes. This has the potential to introduce significant overlap between the regimes, and for service providers to be subject to different standards depending on the nature of the crypto assets they deal in.

As part of the proposed CASSPr licensing regime, custodians of crypto assets – ie holders of consumers' private keys – are expected to be subject to similar requirements to custodians of the assets of registered schemes.

Alternatively, the Consultation Paper is also considering extending the existing financial services regulatory regime to all crypto-assets.

Key concepts

Crypto assets

The Consultation Paper proposes that a single definition of 'crypto assets' applies across all Australian regulatory frameworks.

Based on this proposal, the definition would likely replace the existing definitions 'digital currency' under both anti-money laundering/counter-terrorism financing (AML/CTF) legislation and GST law (which both provide different definitions), and operate in a much broader fashion. While it is superficially appealing to contemplate a uniform concept across all regulatory frameworks, considerable work is needed to assess whether this would be appropriate across each regime. It also runs the ongoing risk of needing to play continual catch-up to innovation and change in the crypto-asset ecosystem, which continues to move quickly.

The Consultation Paper seeks feedback on the definition proposed by ASIC in Consultation Paper 343: 'Crypto-assets as underlying assets for ETPs and other investment products', which is

a digital representation of value or contractual rights that can be transferred, stored or traded electronically, and whose ownership is either determined or otherwise substantially affected by a cryptographic proof.

We query whether this definition would adequately capture all types of crypto assets that should be captured by the regulatory regimes. Many crypto assets function neither as a 'representation of value' (as they are not linked to any underlying asset and do not have a fixed dollar value) nor as a representation of 'contractual rights' (as digital assets may provide no contractual rights against a counterparty). Further work will be required to come up with an adequate definition, and it may be that a single definition for all purposes is not appropriate.

Crypto asset secondary service providers

The proposed targets of regulation are CASSPrs (an appropriate acronym for regulating incorporeal and often opaque businesses). The Consultation Paper defines this as a person who conducts as business any of the following activities on behalf of another person or entity:

  1. exchange between crypto assets and fiat currencies;
  2. exchange between one or more forms of crypto assets;
  3. transfer of crypto assets;
  4. safekeeping and/or administration of virtual assets or instruments enabling control over crypto assets; and
  5. participation in and provision of financial services related to an issuer’s offer and/or sale of a crypto asset.

It seems to us that part (v) of the definition is redundant to the extent it applies to 'financial services' as currently defined in Chapter 7 of the Corporations Act 2001 (Cth), as these services are likely to be already captured by the licensing and disclosure regime in Chapter 7. However, it may be that the term is used here more generally to refer to services in relation to the issuance of crypto assets – including those that are not financial products.

CASSPr licensing regime

The core proposal in the Consultation Paper is to introduce a specific licensing regime for CASSPrs who provide retail consumers with access to crypto assets that are not financial products. It would cover persons who operate as brokers or dealers, operate a market for crypto assets or provide custodial services in relation to crypto assets. There would be one kind of licence applying to all kinds of CASSPrs, but obligations would be graduated on the basis of risk, so that CASSPrs who provide custodial services are subject to additional obligations over those who only facilitate dealing in crypto assets.

This licensing regime is proposed to be separate to the existing AFSL and Australian market licence regimes. Those who provide services in relation to crypto assets that are financial products will need to comply with the existing financial services regulatory regimes.

The regime would also not apply to any decentralised protocols or platforms. Given the challenges of regulating decentralised entities (which were acknowledged in the Recommendations of the Senate Select Committee on Australia as a Technology and Financial Centre), this presents a short-term practical solution, though does open the door for potentially sidestepping regulatory obligations by establishing services on a decentralised basis. This is likely more than a theoretical risk, given the general push of the 'Web 3.0' is to decentralisation (including of core ecosystem infrastructure and services).

The proposed CASSPr licensing regime would be administered by ASIC.

While separate from the AFSL regime, the design of the proposed CASSPr licensing regime borrows heavily from the AFSL regime, with added requirements specific to crypto assets.

Proposed CASSPr licensing regime requirements

Under it, CASSPrs will be required to:

  1. do all things necessary to ensure that the services covered by the licence are provided efficiently, honestly and fairly, and to ensure that any market for crypto assets is operated in a fair, transparent and orderly manner – mirroring obligations attaching to AFSLs and Australian market licences;
  2. maintain adequate technological and financial resources to provide services and manage risks – whether this includes insurance arrangements remains to be seen;
  3. have in place adequate internal and external dispute resolution systems;
  4. ensure that directors and key persons responsible for operations are fit and proper persons;
  5. comply with minimum financial requirements prescribed by ASIC;
  6. comply with client money obligations (ie to hold client money separately on trust);
  7. comply with all relevant Australian laws;
  8. take reasonable steps to ensure that crypto assets to which access is provided are 'true to label' (ie not misrepresented or misleadingly described);
  9. respond in a timely manner to ensure that scams are not sold through their platform;
  10. not hawk specific crypto assets – mirroring the financial product hawking provisions in the Corporations Act;
  11. be subject to regular independent audit;
  12. comply with AML/CTF obligations; and
  13. if providing custodial services, maintain adequate custody arrangements prescribed by ASIC.

As in the AFSL regime, financial requirements would be prescribed by ASIC, with more onerous requirements applying to CASSPrs who maintain custody of crypto asset private keys.

This proposal would involve significant overlap between the existing and new licensing regimes. It is not clear how the regime would apply to existing licensees, or those who deal in crypto assets that include both financial products and assets that are not financial products. The parallel licensing regimes could create additional complexity and inconsistent treatment of similar businesses.

The stated rationale for a separate CASSPr licensing regime, as opposed to an extension of the AFSL regime to crypto assets as foreshadowed in previous Federal Government reviews and response papers, is a difference in the purpose and function of financial product and crypto assets, and a desire to look through the technology of crypto asset to their underlying substance. This contrasts with the UK proposal, which intends to extend existing regulations on financial promotions to crypto asset services.

The Consultation Paper states that the purpose and function of financial products – to allocate savings and capital – is not applicable for all crypto assets, and the trust-based relationship between a financial product issuer and acquirer is not necessarily present between the issuer and acquirer of a crypto asset. The Consultation Paper refers to the inherent 'trustless' nature of crypto-assets, which are often implemented through open source blockchains with visibility of information and implementation based on open technical protocols. However, we think this assumption deserves testing, given the information asymmetry that exists in parts of the crypto-ecosystem notwithstanding open protocols, and the lack of understanding by many consumers of the structure and features of crypto assets they are trading in.

The proposal is also based on the underlying position that merely tokenising assets in general should not determine their regulatory treatment (ie an asset that is not a financial product should not become a financial product merely because ownership rights become represented by a tradeable cryptographic token). However, tokenisation can create additional features, such as ready transferability and additional risks from loss or fraud, which may deserve different regulatory intervention.

Secondary service providers, rather than issuers, are the target of regulation because they are the interface between retail clients and crypto assets. However, in many instances issuers of crypto assets will deal directly with consumers, and we think the regime should address the obligations of issuers and not just of service providers.

The Consultation Paper also flags two alternative regulatory options for feedback:

  1. regulating CASSPrs under the AFSL regime by deeming crypto assets to be financial products under section 764A of the Corporations Act (subject to specific exemptions to be granted later); or
  2. self-regulation via an industry-developed code of conduct (although consumer protection and AML/CTF regulation of crypto assets would remain imposed by law).

Extension of the AFSL regime has the advantage that it could be done quickly, with service providers and ASIC being familiar with the requirements under the regime, and the regulator being set up to assess licence applications. Some modifications to the regime may be appropriate for specific types of crypto assets, and it may be that some assets can be excluded from the licensing regime, where they involve little risk for consumers.

Additional requirements for custodians of private keys

Under the proposed CASSPr licensing regime, CASSPrs who maintain custody of crypto assets (ie hold investors' private keys, whether directly or by outsourcing to a third-party) will be subject to further obligations. These obligations will be principles-based, rather than prescribing particular technical security standards (eg expectations for the use of 'hot' or 'cold' storage of crypto-assets).

Proposed crypto asset custodian requirements

The Consultation Paper proposes that crypto asset custodians be required to:

  1. hold assets on trust for the consumer;
  2. ensure that consumers' assets are appropriately segregated;
  3. satisfy minimum financial requirements, including capital requirements;
  4. ensure that the custodian of consumers' private keys has the requisite infrastructure and expertise;
  5. store private keys used to access consumers' crypto assets in a way that minimises the risk of loss and unauthorised access;
  6. adopt signing approaches that minimise 'single point of failure' risk;
  7. maintain robust cyber and physical security practices;
  8. procure independent verification of cybersecurity practices;
  9. have redress and compensation processes for when crypto assets held in custody are lost;
  10. if using an external custodian, have the appropriate competencies to assess the custodian's compliance with the above requirements; and
  11. if using external custodians, ensure that they have robust practices for the receipt, validation, review, reporting and execution of instructions from the CASSPr.

These requirements are largely mirror the requirements and good practice guidance from ASIC for custodians of registered schemes, adapted to apply to the unique features of crypto assets.

The Consultation Paper focuses on custodians of customers' private keys. However, in practice, custodians may store customer crypto assets in aggregated wallets. As such, the customer's crypto assets are not held in association with a customer's private key. Following consultation, the final obligations may be imposed on asset custodians whether holding the assets in connection with a customer's private keys or not.

The Consultation Paper also flags self-regulation via industry-developed standards as an alternative approach to regulating custodians of crypto assets.

Token mapping

The Consultation Paper seeks early feedback on types of crypto assets and their classification, as part of the token mapping exercise previously foreshadowed by the Federal Government. A non-exhaustive list of types of crypto assets is provided for comment. Token mapping has also been undertaken in other jurisdictions such as Singapore, Switzerland, the United Kingdom and the European Union, which has been used to guide the application of securities law. It remains to be seen exactly how this mapping exercise will play out, and how it will interact with the 'cross regulatory' crypto-asset definition proposal set out in the Consultation Paper.

Whether or not a new licensing regime is put in place, it would assist all participants in the crypto asset 'ecosystem' if there were greater clarity about whether specific crypto assets (at least those that are more commonly traded) are financial products, and so subject to the licensing and disclosure obligations in Chapter 7. While ASIC has provided guidance about the existing regime and how it may apply to crypto assets, given the complexities involved in applying the existing definitions of financial products to crypto assets – which have unique features that often depend on the technical operation of the code embedded in the assets that is not accessible to all participants – we think there is more room for the regulator to provide specific guidance about the categorisation of crypto assets. We hope the more detailed 'token mapping' exercise to be conducted will bring greater clarity to these issues.

Next steps

Anyone involved in providing services or dealing in crypto assets should consider making a submission by the closing date, 27 May 2022.