Cryptocurrencies and ICOs

Challenging the regulatory perimeter

Our analysis looks at what makes cryptocurrencies and ICOs different from traditional currencies and public offerings and how the regulators have responded to these activities so far.

Regulatory Newsflash | July 2018


Cryptocurrencies have grabbed the attention of both regulators and investors. The Bitcoin, the first and now most traded cryptocurrency, was created in 2008; there are now around 1590 cryptocurrencies exchangeable on the market(1). Similarly, in 2017, 210 Initial Coin Offerings (ICOs) were completed and raised around $3 billion, compared to $95 million raised through 43 ICOs in 2016(2).

Despite this rapid growth, the market for cryptocurrencies is still small. On a daily basis, the global volume of transactions in bitcoin, the most traded cryptocurrency, represents less than 0.1% of total retail payments in the euro area(3). This is partly because most cryptocurrency networks suffer from scalability constraints and are currently unable to support higher transaction volumes(4).

Nevertheless, the growing interest in and investment by consumers and firms in cryptocurrencies and tokens issued through ICOs as a new form of asset class usually outside the regulatory perimeter have caught regulators’ attention over the last few months.

Our analysis looks at what makes cryptocurrencies and ICOs different from traditional currencies and public offerings, and how the regulators have responded to these activities so far. We explain some of the key principles and regulatory concerns in relation to cryptocurrencies and ICOs and where further regulatory scrutiny is expected. It is particularly relevant to unregulated firms offering cryptocurrencies, but regulated firms which are exploring how to use or participate in the cryptocurrency ecosystem may also find the issues raised in this article useful.


(1) List of cryptocurrencies.
(2) Data on the ICO market.
(3) Refer to the speech by Yves Mersch, Member of the Executive Board of the ECB, at the 39th meeting of the Governor’s Club Bodrum, Turkey,14 May 2018.
(4) For example, Bitcoin and Ethereum networks can support up to 7 and 15 transactions per second respectively, while the Visa network can handle more than 24,000 transactions per second. More info on data on the scalability of the Bitcoin networkEthereum and Visa.

Regulatory Newsflash


For the purpose of this newsflash, we define a cryptocurrency as a digital representation of value, designed to work as a medium of exchange. It is not issued by any central authority such as a central bank, and typically uses distributed ledger technology(5) (DLT) to control the issuance of new units and record each transaction.

In an ICO, a company, usually in early development stage, provides a “token” or “coin” denominated in a cryptocurrency to investors in exchange for their capital investment. The business models of firms using ICOs are diverse and so is the basis on which the tokens are valued. Tokens may constitute a share in the company, a voucher for investors to benefit from the firm’s project or product in the future, or may not give any right or value at all. This diversity has made it challenging to apply the existing regulatory framework to all ICOs, and regulators have instead decided to regulate them on a case by case basis(6). This approach was highlighted in FINMA’s recent guidelines on ICOs which is one of the first pieces of regulatory guidance specific to ICOs(7).

More recently, cryptocurrency derivatives such as futures and contracts for differences have been developed by large trading firms and exchanges, including Nasdaq Inc. and Cboe Global Markets Inc(8). In contrast with cryptocurrencies and ICOs, there has been broader consensus from regulators about the need to consider cryptocurrency derivatives as financial instruments and therefore to bring them within the regulatory perimeter(9).


(5) For a definition of distributed ledger, refer to Deloitte Malta article.
(6) Refer to the FCA’s position and ESMA’s position
(7) Refer to the FINMA press release of 16 February 2018 "FINMA publishes ICO guidelines"
(8) For more information on trading firms’ initiatives around cryptocurrencies, see Bloomberg article of 29 November 2017 "Nasdaq Plans to Introduce Bitcoin Futures"
(9) Refer to the FCA’s position and ESMA’s position on contracts for differences with cryptocurrencies as the underlying.

Cryptocurrencies and ICOs: what differentiates them from traditional investments and why it matters

Cryptocurrencies are not equivalent to fiat currencies because they do not meet the three defining criteria of money, i.e. being a store of value, a unit of account and a medium of exchange(10). Regulators prefer the term “crypto-assets” to describe cryptocurrencies used for investment purposes, and traded on exchanges operating outside the regulatory perimeter.

But cryptocurrencies are also technically different from fiat currencies.

First, cryptocurrencies are not backed by a central authority, but are created and distributed through a decentralised network of computers (i.e. distributed ledgers). They do not have an intrinsic value linked to tangible assets, which can make their value very volatile over time. In the case of ICOs, tokens are not legally backed by any authority(11). The transfer of tokens’ ownership is recorded on the distributed ledger and can be checked by all participants of the ledger.

Cryptocurrencies also differ from fiat currencies in that, in the vast majority of cryptocurrency networks, transactions are completely anonymous. Users of a distributed ledger do not identify themselves with a name but with a combination of public and private keys(12). Neither the private nor the public key are associated with a real person’s name or personal data. Moreover, DLTs make it impossible to reverse a transaction once it has been validated by all the computers in the network and recorded in the ledger.


(10) Refer to Mark Carney’s speech at the inaugural Scottish Economics Conference
(11) In the US, William Hinman, director of the SEC’s corporation finance division, recently gave a speech at a conference in San Francisco in which, while using the SEC disclaimer that his speech did not necessarily reflect the views of the SEC, he argued that it was possible that a cryptocurrency initially offered as a security through an ICO could further evolve into something different from a security, and closer to a commodity. In this perspective, and given the decentralised nature of cryptocurrency networks, applying the disclosure regime traditionally applicable to federal securities could prove irrelevant.
(12) These are digital passwords that enable users to receive and send encrypted information (or payments) so that unauthorised users cannot access or intercept it.

Blurring the limits of the regulatory perimeter

As the FCA recently pointed out, the packaging and use of cryptocurrencies as investments could pose significant risks to market integrity and customer protection, therefore increasing the necessity of bringing these activities into the regulatory perimeter(13). In Belgium, the FSMA imposed a ban on the marketing of products of which the return depends on virtual money to retail investors(14).

EU and UK regulators have highlighted ICOs and cryptocurrencies as one of their priorities for the next few years(15). Their focus will be dual: first, assessing whether cryptocurrencies and tokens fall within the definition of traditional financial instruments, and should be subject to the existing regulatory framework; second, evaluating the risks that these activities present for consumer protection and market integrity as they become more “mainstream”.

Some of the risks highlighted by regulators are set out below:

Money laundering

The anonymity of cryptocurrency and token transactions has raised concerns about their use for illegal activities such as money laundering and tax evasion. In the EU, Member States agreed in December 2017 to include cryptocurrencies within the scope of the Fifth Anti-Money Laundering Directive, which was adopted by the EU Parliament in April 2018(16). This will require cryptocurrency exchange platforms and custodian wallet providers(17) to be registered, apply customer due diligence and Know Your Customer controls when on-boarding new investors. The revised Directive should come into force in the course of 2019. In the UK, the FCA recently highlighted the good practices it expects from banks offering services to clients who derive revenues or business activities from cryptocurrency-based activities(18).

Cyber risks and financial stability

As recent attacks on cryptocurrency exchanges showed, the rising number of users and the high value of transactions make these exchanges an attractive target for cyber attacks(19). The potential contagion of risks to the financial system is likely to attract regulators’ attention, especially as incumbents start increasing their exposure to cryptocurrency exchanges by providing bank accounts or loans to cryptocurrency platforms.

Information and transparency

The widespread advertising of cryptocurrencies and ICOs has encouraged a range of consumers to invest in them, without necessarily understanding or being notified of the risks. EU, UK and Belgian regulators issued warnings to inform investors of the need to check their investments’ viability and protect them against “scams”(20). The FSMA supplements these warnings with a list of platforms concerning which it received questions or complaints, and regarding which it has identified signs of fraud(21). Additionally, some of the large tech firms have banned adverts for cryptocurrencies and ICOs on their websites(22). This focus on the education and awareness of investors about the risks posed by cryptocurrencies is likely to be a greater priority for regulators in the future.

Nevertheless, regulators are aware of the opportunities that cryptocurrencies can present for broader policy objectives. If appropriately supervised, ICOs could be an alternative way for small firms to raise capital or for bigger firms to raise smaller sums of money at a lower cost.

A flexible regulatory framework will be necessary to keep pace with the rapid developments in cryptocurrencies and ICOs while addressing their risks. In the short term, regulators have to consider how the existing regulatory framework applies to ICOs and cryptocurrencies or the platforms on which they are exchanged or issued. Both EU and UK regulators have committed to doing so by the end of the year(23). The longer-term challenge for regulators will be, as the risks of cryptocurrencies and ICOs are better understood and identified, to develop relevant policies in a timely way which balances their consumer protection and market integrity objectives with fostering innovation and competition in the market.


(13) The FCA stated in its Business plan 2018/19: “Cryptocurrencies themselves (i.e. those designed primarily as a means of payment/exchange) are not currently within our perimeter. However, some models of use or packaging cryptocurrencies bring them within our perimeter, making the landscape complex”.
(14) Refer to the FSMA press release of 21 May 2014 "Ban on the marketing of certain financial products".
(15) The risk assessment around cryptocurrencies and ICO features in the European Commission’s FinTech Action Plan, the EBA FinTech Roadmap, the FCA’s Business Plan, and the UK FinTech Sector Strategy.
(16) Refer to the text of the AML5 adopted by the European Parliament.
(17) The text of the AML5 defines a custodian wallet provider as “an entity that provides services to safeguard private cryptographic keys on behalf of their customers, to hold, store, and transfer virtual currencies”.
(18) Refer to the FCA letter of 11 June 2018 "Cryptoassets and financial crime"
(19) Refer to the Financial Times article "Problems at two cryptocurrency exchanges raise security concerns".
(20) The FCA warned about the risks of investing in cryptocurrency derivatives; as did the ESAs on the risks of buying virtual currencies; and the FSMA on the risk of fraud using cryptocurrency trading platforms and ICOs.
(21) Refer to the FSMA list of companies operating unlawfully in Belgium.
(22) Refer to the Financial Times article "Google bans cryptocurrency advertising"  
(23) The UK Cryptoassets Task Force, which brings together the FCA, BoE and HMT, committed to report back in Q3 2018; in its FinTech Roadmap, the EBA said it would collaborate with EIOPA and ESMA to assess whether the current EU framework is appropriate to cryptocurrencies, and will publish a report and/or opinion addressed to EU legislators on the topic.

Implications for firms

In addition to the upcoming anti-money laundering requirements at the EU level, it seems likely that more stringent oversight will come from the regulators, although the pace at which this will happen is uncertain.

Currently unregulated cryptocurrency firms could benefit from preparing for this enhanced regulatory control. First, aligning their practices to the existing requirements applicable to regulated firms could improve their resilience and help demonstrate the seriousness of their intentions to a broad range of stakeholders, which could in turn help them scale up and reach out to more investors and customers. Second, the crystallisation of a major problem or risk to customers and/or markets will undoubtedly prompt rapid regulatory action, and those cryptocurrency firms which will have already aligned themselves voluntarily with the relevant requirements for regulated firms will be well placed to respond more effectively.

Demonstrating robustness in the underlying business model and governance and adhering to the principles set out in regulation for comparable assets would enable firms to establish a more sustainable cryptocurrency or ICO programme. Relevant considerations include:

Effective systems, processes and governance frameworks

Cryptocurrency and ICO firms should have robust operational resilience (specifically to cyber risks), governance and control frameworks. The protection and governance of investors’ private keys and personal data are likely to be areas of specific focus. For firms facilitating a trading service in cryptocurrency derivatives, safeguarding the asset from being hacked and stolen will be a key requirement.

Accountability and auditability

Firms should focus on developing sound reporting and monitoring capabilities, specifically in relation to tracking and documenting the ownership of cryptocurrencies and ICO tokens.

Transparency of information provided to investors

Assuming regulators work on applying the existing regulatory framework to cryptocurrencies and ICOs, where relevant, firms may be obliged to provide Key Information Documents (KID) and prospectuses to ensure that investors are aware of the risks they are taking. Firms could prepare for regulatory scrutiny by aligning the information they provide to investors for cryptocurrency-based investment with the KID and prospectuses currently required for comparable assets, denominated in fiat currencies, which are currently regulated. The implementation of procedures for dealing with investors’ questions and complaints will also be important.

Applicability of universal regulation

Even if a firm is unregulated there are specific pieces of regulation such as GDPR and compliance with sanction regimes that will currently apply.

Cryptocurrency exchanges

These firms are likely to be the first to be brought within the regulatory perimeter. Cryptocurrency exchanges have been likened to exchanges of traditional traded securities and there is a call to hold them to the same regulatory standards(24).


(24) Refer to Mark Carney’s speech.


Regulators will continue assessing the opportunities of cryptocurrencies and ICOs against the risks they can pose to financial stability, customer protection and market integrity. This assessment will determine whether additional regulatory action or guidance is required in the future. In the meantime, the reports from EU and UK regulators at the end of the year will give more clarity around their expectations and potential actions in the medium term.

However, the international and decentralised dimension of cryptocurrencies’ underlying technology, and the lack of regulatory harmonisation, make the regulatory task more challenging.

In this uncertain context, there is a case from both a regulatory and business perspective for cryptocurrency and ICO firms – both regulated and unregulated – to comply with the spirit and letter of the law for comparable regulated assets and services. Building relevant regulatory requirements into product design, governance and control frameworks of a firm will help it be better prepared for what we see as the inevitability of regulation.


This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

Did you find this useful?