Most ICOs are Securities Requiring AML and Compliance
Last week, the Canadian Securities Administrators (CSA) released notice 46-307 to initial coin offerings (ICOs) that impacts:
- ICO’s everywhere in the world with Canadian buyers
- Exchanges that trade ICO coins to Canadian customers
- Companies in Canada that are conducting an ICO
In this notice they list:
- How to tell if your ICO is a security
- Security regulations & potential exemptions to those regulations
- Why tokens for businesses are still regulated
- Why exchanges are now regulated
- Cybersecurity requirements
1) How to tell if your ICO is a security.
To determine if an ICO is a security in Canada has four requirements. It's the 'Howey Test,' the same requirements as the United States. All the following must be met
i) An investment of money (including virtual currency)
ii) In a common enterprise
iii) With the expectation of profit
iv) [Work] to come significantly from the efforts of others
One good thing about this definition is that if you're not a security in the US, you won't be a security in Canada. Conversely, if your ICO is a security in US because of the Howey test, you're also a security in Canada.
2) Security regulations & potential exemptions to those regulations
If your ICO or ITO is deemed a security you must:
A) Create a Prospectus - a tremendous amount of work
i) no firm conducting an ICO or ITO has done this - The CSA has noticed, and are saying companies who have previously conducted ICO's are securities and aren't complying with the necessary regulation
ii) A whitepaper is not sufficient - Whereas a white paper specifies the technology behind the ICO and what you’re trying to build, the Canadian prospectus says that "investors must be provided with a document that complies with the requirements of securities laws". This means that you need to know security laws to know what’s required
iii) Investors can sue for losses - The notice provides for "civil remedies against companies that fail to comply with securities laws, including a right to withdraw from the transaction and/or damages for losses."
i) ICO issuers can only sell to accredited investors - Accredited investors are considered savvy enough to know the risk involved with their actions, however this limits the buyer pool significantly
ii) Offering memorandum - have slightly less regulations, but they are still onerous. You must:
3) Why tokens for businesses are still regulated
Companies that claim their ICO isn't a security because it's for business purposes have provided the following factors, among others, for whether a person or company is trading in securities for a business purpose.
What this likely means is that every ICO that touches Canada for business purposes has regulatory requirements. They must:
The CSA notes that businesses can fulfil their obligations through a robust, automated, online process. IdentityMind already has an online KYC process that supports these requirements.
4) Exchanges are now regulated
Canada requires that any exchange that lists securities be regulated. As ICO’s are considered tokens, this means that any cryptocurrency exchange is likely a marketplace and is required to comply with the rules governing exchanges including.
5) Cybersecurity requirements
Persons or companies facilitating ICOs/ITOs of coins/tokens that are deemed to be securities must have strong compliance systems in place, with policies and procedures to include addressing cybersecurity risks.
Businesses in the cryptocurrency space should ensure that they have strong cybersecurity measures to safeguard the business and its investors personal and financial information.
The Notice doesn’t say what the remediation options are if there is a cyber loss, but the vagueness doesn’t preclude investors from successfully suing anyone whose personal information is breached or worse; loses money due to cyber-attack.
In summary, Canada has clearly specified that most ICOs are a security and will be regulated as such. Therefore, going forward, If a Canadian customer does manage to buy, they can sue for any losses if a prospectus isn’t filed. Therefore, going forward, companies are going to need to do the following:
- Determine their status,
- Register their business with the applicable provincial regulator,
- Determine if an “advisor registration” is needed,
- Create and file a prospectus with the provincial regulator,
- Implement compliance controls,
- Implement a robust KYC process,
- Create an AML program, and
- Report regularly where and when applicable
- Single Source Verification: verify the customer’s personal information such as name, address, and date of birth, using a credit file that has existed for at least three years
- Dual Source Verification: verify the name and address from one source, and name, address, and date of birth, using information from two or more independent and reliable sources
- Sanctions watchlist screening
- PEP Screening
- Record retention requirements
IdentityMind helps virtual currency firms comply with Canadian KYC regulations in an automated fashion so that manual reviews are minimized and companies can be confident they will not get in trouble with the law.